views:

334

answers:

2

Ok, I've never seen this ever when coding against and sending third-party SOAP API calls, but it looks like PayPal requires their bigger clients to use an X509 certificate in order to send API calls rather than just sending over a standard API signature like most APIs require you to do.

Am I the only one who thinks this is kinda strange or not standard?

http://en.wikipedia.org/wiki/X.509

I don't get how this relates to an API call. I see example code that they gave me in C# implementing the ICertificatePolicy interface in .NET... but it's just foreign to me, and how this relates to the fact that they still give you an API signature too in the PayPal sandbox regardless. So why would I need to read a physical certificate file AND use an API signature? I guess I don't see the link between the certificate and the PayPal SOAP API.

A: 

You're dealing with people's money, and while I'm unaware of the specifics of how the certificates work, basically it's ensuring that payments sent from your application are more secure.

A simple API key would be easier to spoof and allow fraud more easily, I assume.

Aequitarum Custos
+1  A: 

This is a common thing among larger names when dealing with connections that demand a more secure "handshake", and that's all it is used for.

This file is made from a Root Certificate and is usually a .pem, .p12, or .pfx. Here is an example using Python and cURL; it is very simple to do, and if you have any trouble with the X.509 file, I would get in contact with whoever you buy your root certificate from or just search Google for how to export the file you need (I personally always end up with a .p12 file).

Here is the Python code

    # Python 2 snippet; the three imports below were missing from the original.
    import pycurl
    import urllib
    import StringIO

    # Placeholders: the original snippet does not show where these two values come from.
    FirstDataAPI_URL = 'https://example.invalid/api'      # endpoint to POST to
    FirstDataAPI_PostData = {'field': 'value'}            # form fields for the request body

    c = pycurl.Curl()
    c.setopt(pycurl.URL, FirstDataAPI_URL)
    c.setopt(pycurl.HTTPHEADER, ["Accept:"])              # suppress the default Accept header
    c.setopt(pycurl.POST, 1)
    c.setopt(pycurl.POSTFIELDS, urllib.urlencode(FirstDataAPI_PostData))
    b = StringIO.StringIO()
    c.setopt(pycurl.WRITEFUNCTION, b.write)               # collect the response body in memory
    c.setopt(pycurl.FOLLOWLOCATION, 1)
    c.setopt(pycurl.MAXREDIRS, 5)
    # Client certificate presented during the TLS handshake: a password-protected PKCS#12 container
    #c.setopt(pycurl.SSLCERT, '/home/***/***/***/ssl/digitalID.p12')
    c.setopt(pycurl.SSLCERT, '/home/***/***/***/ssl/productionDigitalId.p12')
    c.setopt(pycurl.SSLCERTTYPE, 'p12')
    c.setopt(pycurl.SSLCERTPASSWD, '******')
    c.perform()
    response = b.getvalue()                               # response body as a string
    c.close()

For use with SOAP, I would look for a setting that allows you to set a certificate file, and you will be set.

Just as a side note, this just goes to show that PayPal has not updated their API in quite a few years... most APIs I work on that require an X509 cert are extremely outdated, and I haven't seen this used in an API that was written in the last 2 years.

nwhiting
Good information, thanks for posting an elaboration of what I had assumed to be correct!
Aequitarum Custos
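As an added example for this thread (not PayPal's code and not the pycurl snippet from the answer above), here is the same idea in Python 3 with only the standard library. It shows the two separate layers the question is asking about: the client certificate is presented during the TLS handshake (mutual TLS, via `ssl.SSLContext.load_cert_chain`), while the API username/password/signature travel inside the SOAP message. The endpoint, the SOAP element names and the certificate file path are placeholders, and `cert_type_from_bytes` classifies a file the way libcurl's `SSLCERTTYPE` names it, since Python's `ssl` module loads only PEM and a .p12 export must be converted first.

```python
"""Mutual-TLS SOAP client sketch (Python 3, standard library only).

Added example for this thread: not PayPal's code and not the pycurl snippet
from the answer above.  Endpoint, element names and file paths are
placeholders; real values come from the API provider's documentation.
"""
import http.client
import ssl
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

# Placeholders constructed for the example, not real values.
API_HOST = "api-sandbox.example.invalid"
API_PATH = "/soap"
CLIENT_CERT_PEM = "/path/to/client-cert-and-key.pem"


def cert_type_from_bytes(head: bytes, suffix: str) -> str:
    """Classify a certificate file using libcurl's SSLCERTTYPE names.

    PEM files are text starting with a "-----BEGIN" line; .p12/.pfx and DER
    files are binary ASN.1 and begin with a SEQUENCE tag (0x30).  Python's
    ssl module loads only PEM, so a .p12 export must be converted first
    (for instance with `openssl pkcs12 -in id.p12 -out id.pem -nodes`).
    """
    if head.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if head[:1] == b"\x30" and suffix.lower() in (".p12", ".pfx"):
        return "P12"
    if head[:1] == b"\x30":
        return "DER"
    raise ValueError("unrecognised certificate file format")


def cert_type_from_path(path: str) -> str:
    """Read the first bytes of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return cert_type_from_bytes(fh.read(16), Path(path).suffix)


def mtls_context(certfile: Optional[str], keyfile: Optional[str] = None,
                 password: Optional[str] = None,
                 cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that presents our client certificate to the server.

    The server validates the certificate chain during the handshake, which
    is the stronger "handshake" the answer describes: a caller needs the
    private key, not just a copied string.  Our side still verifies the
    server (CERT_REQUIRED plus hostname check); otherwise a spoofed endpoint
    could harvest the API credentials carried in the SOAP body.
    certfile=None builds a server-auth-only context (used by the tests).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile is not None:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile, password=password)
    return ctx


def build_soap_envelope(operation: str, username: str, password: str,
                        signature: str) -> str:
    """Minimal SOAP 1.1 envelope carrying the API credentials in the header.

    The credentials authenticate the request; the client certificate
    authenticated the connection.  Element names here are hypothetical.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    creds = ET.SubElement(header, "Credentials")
    ET.SubElement(creds, "Username").text = username
    ET.SubElement(creds, "Password").text = password
    ET.SubElement(creds, "Signature").text = signature
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, operation)
    return ET.tostring(env, encoding="unicode")


def call_soap(envelope: str, ctx: ssl.SSLContext,
              host: str = API_HOST, path: str = API_PATH) -> bytes:
    """POST the envelope over an HTTPS connection built from the mTLS context."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=30)
    try:
        conn.request("POST", path, body=envelope.encode("utf-8"),
                     headers={"Content-Type": "text/xml; charset=utf-8",
                              "SOAPAction": '""'})
        return conn.getresponse().read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration: classify a constructed PEM header, print an envelope.
    print(cert_type_from_bytes(b"-----BEGIN CERTIFICATE-----\n", ".pem"))
    print(build_soap_envelope("GetBalanceReq", "api_user", "api_pw", "api_sig"))
    # Live call (needs a real certificate file and endpoint):
    # print(call_soap(build_soap_envelope("GetBalanceReq", "u", "p", "s"),
    #                 mtls_context(CLIENT_CERT_PEM)))
```

The design point is that the two checks are independent: if the provider hands you both a certificate and an API signature, the certificate gates the connection and the signature gates the request, so a leaked signature alone is not enough to transact without the private key that backs the certificate.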