Published: December 19 2013, 9:50:00 AM
Updated: November 28 2020, 1:03:24 PM

Background

As eBay originally announced in September 2012:

To ensure continued safety and security for the eBay community and adhere to NIST and CA/Browser Forum standards, eBay Marketplaces will be migrating from 1024-bit to 2048-bit SSL (Secure Sockets Layer) certificates by December 22, 2013 for https://api.ebay.com and https://svcs.ebay.com.  Per these industry guidelines and baselines, as of December 31, 2013 all public Certificate Authority 1024-bit SSL server certificates will be deprecated and revoked across the industry.

To provide the highest ubiquity for legacy mobile clients, browsers, and SDK versions, eBay Marketplaces has chosen a certificate trust chain which uses the exact same Symantec/VeriSign G2 1024-bit SHA-1 root that we currently use for api.ebay.com and svcs.ebay.com. It is also already used by PayPal for api.paypal.com and api-t3.paypal.com.

Therefore, any client that can handle 2048-bit certificates, follows standards with regard to certificate trust chaining, and currently interacts with our Symantec/VeriSign G2 root should experience no issues connecting to our updated certificate chain following this migration.

Please note that we announced and released 2048-bit certificates in the Sandbox (api.sandbox.ebay.com) in September 2012, to enable developers to begin testing early. On December 9, 2013, we updated the root chain in the Sandbox to accommodate additional legacy clients.

To Prepare For This Change

eBay Marketplaces will be using the following Symantec/VeriSign certificate trust chain:

(1) api.ebay.com or svcs.ebay.com SSL cert --> (2) G3 Intermediate cert --> (3) G5 Intermediate cert

Specifics on each segment of the chain:

1. VeriSign Trust Network-issued 2048-bit SHA-1 standard server SSL certificate

2. VeriSign Class 3 Secure Server CA - G3, 2048-bit SHA-1 Intermediate chaining certificate (Serial Number: 6e cc 7a a5 a7 03 20 09 b8 ce bc f4 e9 52 d4 91)

3. VeriSign Class 3 Public Primary Certification Authority - G5, 2048-bit SHA-1 Intermediate chaining certificate (Serial Number: 7a 4f 2e 57 c5 67 34 8a 7b 20 58 46 9d 47 ac 45)

It is anticipated that the client-side browser / OS / SDK framework will trust and chain to the following Symantec/VeriSign Root certificate, which is the same Root certificate we are using currently:

VeriSign Class 3 Public Primary Certification Authority - G2, 1024-bit SHA-1 Root certificate (Serial Number: 7d d9 fe 07 cf a8 1e b7 10 79 67 fb a7 89 34 c6)

If the VeriSign G2 Root is not trusted currently by your application or browser, please use the link below to download this public Root certificate and take steps to import and trust it in your application:

http://www.verisign.com/repository/roots/root-certificates/PCA-3G2.pem (as found on http://www.symantec.com/page.jsp?id=roots)

Testing Recommendations

Client-side application / browser / OS checks:

· Ensure trust for the VeriSign G2 Root listed above. If you are currently transacting properly via SSL with api.ebay.com or svcs.ebay.com, this should already be in place.

· Ensure compatibility with 2048-bit SSL certificates, as post-December 31, 2013 the entire public SSL industry will only support 2048-bit or higher certificates.

· Test against https://api.sandbox.ebay.com before December 22, 2013.

· Ensure client-side SSL validation checks aren't being bypassed and verify via log output that SSL negotiation worked flawlessly.
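
One way to carry out the last two checks from a Python client, as an added example that is not eBay's code: `audit_context` reports settings that skip certificate validation, and `probe` performs a fully validated handshake against the Sandbox host and logs what was negotiated. The function names and the optional `cafile` parameter (a PEM bundle such as the downloaded root) are assumptions made for illustration.

```python
import logging
import socket
import ssl

log = logging.getLogger("tls-check")


def audit_context(ctx):
    """Return a list of ways this SSLContext skips certificate validation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate name is not matched")
    # Process-wide bypass some code bases apply to urllib / http.client.
    if getattr(ssl, "_create_default_https_context", None) is ssl._create_unverified_context:
        findings.append("default HTTPS context replaced with an unverified one")
    return findings


def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with full validation and log what was negotiated.

    cafile: optional PEM bundle to trust instead of the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    problems = audit_context(ctx)
    if problems:
        raise RuntimeError("; ".join(problems))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result = {"protocol": tls.version(), "cipher": tls.cipher()[0],
                          "issuer": cert.get("issuer"), "notAfter": cert.get("notAfter")}
                log.info("TLS OK %s:%s %s", host, port, result)
                return result
    except ssl.SSLCertVerificationError as exc:
        # Untrusted root, missing intermediate, or name mismatch ends up here.
        log.error("TLS validation failed for %s:%s: %s", host, port, exc.verify_message)
        raise


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    probe("api.sandbox.ebay.com")
```

A logged `TLS validation failed` line means the client could not build or trust the chain, which is the condition to resolve before the production migration date.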

References

· NIST: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

· Symantec: http://www.symantec.com/connect/blogs/deadline-upgrade-2048-bit-ssl-certificates-sooner-you-might-think
