
We have several Rackspace Windows servers (2008 R2), each running 4/5 e-commerce websites, each with their own SSL certificates from Go Daddy.

We accept PayPal payments on these websites and use IPN to get notified when a transaction happens.

Google Chrome (as of now) has no problem with our certificates, and we get a nice green padlock shown. However, PayPal now requires two things:

  1. SHA-256
  2. G5 Root Certificate

...as shown here: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US&direct=en

I think that all our certificates are SHA-256, but I don't know how to move to using G5 (rather than G2).

An example certificate can be found here: http://www.crusadergifts.co.uk/ (go to Account > Signin to hit a HTTPS URL).

In the certificate hierarchy on the server (in IIS) I can see this for one of our certificates:

  • Go Daddy Class 2 Certification Authority
  • ...Go Daddy Root Certificate Authority - G2
  • ......Go Daddy Secure Certificate Authority - G2
  • .........[The name of our certificate in IIS]

When I go to:

  1. mmc
  2. File > Add/remove snap-in
  3. Certificates (Local Computer)
  4. Trusted Root Certification Authorities
  5. Certificates

I can see both:

  • Go Daddy Class 2 Certification Authority
  • VeriSign Class 3 Public Primary Certification Authority - G5

So my question is... How do I move my certificates over from G2 to G5 so that PayPal accepts them as valid certificates..??

Stephen Last

1 Answer


PayPal is requiring that use of the VeriSign G2 Root Certificate be discontinued. That is not the same as the GoDaddy G2 root.

If there is a requirement to use the VeriSign root, then you have to get a VeriSign-issued certificate. Your current certificate is issued by GoDaddy, not VeriSign. You can't chain a GoDaddy cert to a VeriSign root.

Mass Nerder
  • I'm struggling with all this to be honest. So are you suggesting that if PayPal says "PayPal will no longer honor secure connections that require the VeriSign G2 Root. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful connections." ...then we need to delete all our SSL certificates and buy new ones from Verisign..?? ...or are you suggesting that the GoDaddy G2 root should work fine (only the VeriSign G2 root will not be supported)..?? ...or should we be contacting GoDaddy about a GoDaddy G5..?? – Stephen Last Jan 25 '16 at 16:40
  • I don't know how PayPal's system is set up. I suggest you call PayPal support and work it out with them. – Mass Nerder Jan 25 '16 at 16:41
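
Added example (not part of the question, the answer or the comments): a read-only PowerShell check of the two facts this thread turns on, namely whether the VeriSign G5 root is in the machine's trusted-root store, and which root each installed site certificate actually chains to. The G5 subject string is copied from the question and the `Cert:\` paths are the standard machine stores; run it on the server itself.

```powershell
# Added example. Read-only: nothing in the certificate stores is changed.
# Subject string copied from the question's Trusted Root listing.
$g5Name = 'VeriSign Class 3 Public Primary Certification Authority - G5'

# 1. Is the G5 root among the roots this machine trusts?
$g5 = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$g5Name*" })
if ($g5.Count -eq 0) {
    Write-Warning "No root matching '$g5Name' in LocalMachine\Root"
}
foreach ($root in $g5) {
    "Trusted root present: {0} (expires {1:yyyy-MM-dd})" -f $root.Subject, $root.NotAfter
}

# 2. Which root does each installed site certificate chain to, and with
#    which signature algorithm was the site certificate itself signed?
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # $true = build the chain using the machine stores, as IIS would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Skip CRL/OCSP fetches so the check works without outbound access
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    # The last chain element is the top of whatever chain could be built
    $elements = @($chain.ChainElements)
    $top = if ($elements.Count -gt 0) {
        $elements[$elements.Count - 1].Certificate.Subject
    } else {
        '(no chain could be built)'
    }

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        SignedWith  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA
        ChainLength = $elements.Count
        ChainsTo    = $top
        ChainValid  = $built
    }
}
$report | Select-Object Subject, SignedWith, ChainLength, ChainsTo, ChainValid | Format-List
```

For the hierarchy shown in the question, `ChainsTo` will name a Go Daddy root for every site certificate, independently of whether step 1 finds the VeriSign G5 root in the trust store.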