Official X-Cart comments on PayPal service upgrades (switch to SHA-256 scheduled for 9/30/2015)

Ksenia Emelyanova, Marketing manager at X‑Cart

Many merchants use PayPal to accept payments in their stores. As a reliable and trusted provider of such a sensitive service, PayPal does its best to guarantee top-notch security for its users. That’s the reason why we all feel so comfortable using PayPal for local and international payments. But sometimes security upgrades require action from the users too – at least, making sure nothing is broken after an update. This is exactly what is happening now, so you might have already received an email titled “IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades” with the content below:

As we have previously communicated to you, PayPal is upgrading the certificate for to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

They advise that you consult the people responsible for your PayPal integration. In the case of X-Cart, we are those people, so I’m here with the official comments of the X-Cart team.

Alexander Dyatchkov, head of X-Cart Hosting and Support, comments:

All this buzz is actually about the necessity of having a root CA certificate of G5 format on your server. If the old G2 format is currently installed on your server, you should replace it with G5. In other words, this is a server-side issue, not related to the code of X-Cart 4, X-Cart 5, WordPress itself or WordPress Shopping Cart plugins, Drupal or whatever software your website is powered by.

Again, you do not need to do anything with your X-Cart store or apply any patches or tweaks. All the changes, if any, are to be made on the server side.


  • If you are using a VeriSign certificate, find out whether a root CA certificate of G5 format is installed on your server:

    • If your website is hosted with us, rest assured, the proper SSL is used on our machines

    • If you host your X-Cart with another hosting provider, contact them to find out what certificate is installed

  • Check the type of your SSL certificate with this tool

    • If the Signature algorithm value is SHA256withRSA, SHA384withRSA, etc., you’re all set

    • If it shows type SHA-1 (Signature algorithm = SHA1withDSA), you should urgently reissue the SSL certificate as SHA-2 type. If it cannot be reissued, you may purchase a new certificate from us
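
The signature-algorithm check from the list above can also be run locally. The following is an added example, not part of the original X-Cart post or of X-Cart's code: it reads the signatureAlgorithm field of a DER-encoded X.509 certificate with the Python standard library only and reports the hash family. The function names are chosen for this illustration, and `sample_cert` builds a constructed skeleton, not a real certificate.

```python
import ssl

# Signature-algorithm OIDs -> (name, hash family)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def signature_algorithm(der):
    """Return (oid, name, family) of the signature on a DER X.509 certificate."""
    _, cert_start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)  # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return (oid,) + SIG_ALGS.get(oid, ("unknown", "unknown"))

def check_host(host, port=443):  # live check; needs network access
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

def sample_cert(oid):  # constructed DER skeleton, not a real certificate
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x81\x90" + bytes(0x90) + alg + b"\x03\x02\x00\x00"
    return b"\x30\x81" + bytes([len(body)]) + body
```

A family of SHA-1 in the result corresponds to the case in the list where the certificate has to be reissued; SHA-2 corresponds to "you're all set".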

If you need any help or have any questions, please do not hesitate to contact our support team.