Archive for Paypal

Requesting an API Certificate

May 29, 2008 at 8:36 pm · Filed under Paypal

Follow these steps to acquire your API Credentials using API Certificate as your authentication mechanism.

Step 1: Generate Certificate

1. To create an API certificate, you must have a PayPal Business or Premier Account. Login into your existing Business or Premier PayPal Account, or create a new PayPal Business or Premier Account.
2. Click the Profile tab in the My Account sub-menu. Profile tab in the My Account sub-menu
3. From the Profile Summary page, click API Access under the Account Information header.

Profile Summary
4. From the API Set-up page, click Request API Credentials in the right-hand box. Setting up PayPal API Credentials and Permissions
5. On the Request API Credentials page,

  1. Click the button next to Request API certificate.
  2. Click Agree and Submit.

Request API Credentials
6. The Download or Remove API Certificate page displays your API credentials and allows you to download your API certificate. Download or Remove API Certificate
7. Save the values for API Username and Password.
8. Click the Download Certificate button. You are prompted to download a file called cert_key_pem.txt. This file is your live API Certificate.

9. Rename this file to something more familiar, such as paypal_live_cert.pem. It is not necessary to keep the .txt file extension. Be sure to remember where you save the file.

Step 2: Encrypt Your Certificate
Note: This step is only required if you use the PayPal SDK for Java, the PayPal SDK for .NET, or the PayPal SDK for Classic ASP. Users of the PayPal SDK for PHP do not need to perform this step. Perform this step for both your Sandbox certificate and your live certificate.

The certificate you download from PayPal is in PEM format. It contains both your public certificate and the associated private key. Although the PEM certificate is not human readable, the file is not encrypted. PayPal SDKs for Java, .NET, and Classic ASP require the additional step of encrypting the certificate into PKCS12 format.

The steps below require using the OpenSSL encryption tool. Unix users will likely already have this tool available with their operating system, but Windows users need to download OpenSSL. Accept the defaults to install OpenSSL.

After you have downloaded and installed OpenSSL, follow these steps to encrypt your certificate into PKCS12 format:

1. Open a command prompt. To open a command prompt in Windows, select Start > Programs > Accessories > Command Prompt.
2. Make sure OpenSSL is in your path. If it is not in your path, add it to your path.
To add OpenSSL to your Windows path:

  1. From the desktop, right-click My Computer and click Properties.
  2. In the System Properties window, click on the Advanced tab.
  3. In the Advanced section, click the Environment Variables button.

    Environment Variables

  4. In the Environment Variables window, highlight the PATH variable in the Systems Variable section and click Edit.

    Environment Variables

  5. Modify the PATH variable to add the location of OpenSSL. If you have accepted the defaults while installing OpenSSL, add ;C:\OpenSSL\bin to the path. For example, if your existing path is set to 
    C:\Program Files;C:\Winnt;C:\Winnt\System32

    you must change the path to the following:

    C:\Program Files;C:\Winnt;C:\Winnt\System32;C:\OpenSSL\bin

3. Change directories to the location of the certificate you want to encrypt. For example, in Windows, if your certificate is located in C:\Project\cert, use the following command:

cd C:\Project\cert

4. Execute the following command (default filename cert_key_pem.txt used):

openssl pkcs12 -export -in cert_key_pem.txt -inkey
cert_key_pem.txt -out paypal_cert.p12

5. Enter an encryption password at the Enter Export Password: prompt. Write this value down. This is your Private Key Password.
Enter Export Password

6. The above command creates a file named paypal_cert.p12. Rename this file to whatever you like. Make note of the location of your file. This is your Encrypted API Certificate.

You have now successfully encrypted your API Certificate.

Step 3: Install the certificate
Note: This step is only required if you use the PayPal SDK for .NET or Classic ASP.

If you use the .NET platform and develop with the PayPal SDK for .NET, you need to take a few more steps before your certificate can be used. You must import the certificate into the Windows Certificate Store and grant access to your private key to the user executing your web application. This is a Windows requirement, not a PayPal requirement.

Microsoft provides a utility that accomplishes these tasks in a single command. This utility is called the Windows HTTP Services Certificate Configuration Tool, or WinHttpCertCfg.exe. It is freely available as part of the Windows Server 2003 Resource Kit. You need Administrator rights to use this utility.

Once you have downloaded this utility, open a command prompt and enter the following command, making the appropriate replacements described below:

WinHttpCertCfg -i paypal_cert.p12 -p privateKeyPassword -c
LOCAL_MACHINE\my -a username
  • Replace paypal_cert.p12 with the name of PKCS12 Encrypted API Certificate you generated in the previous step.
  • Replace privateKeyPassword with the Private Key Password you used to encrypt the certificate in the previous step.
  • Replace username with the name of the user executing your application.
    • For an ASP.NET application, this value is ASPNET.
    • Under Windows IIS 5 (default configuration), this value is IWAM_<MACHINE NAME>, where <MACHINE NAME> is the appropriate computer name.
    • Under Windows IIS 6 (default configuration), this value is “NETWORK SERVICE” (make sure to include the quotation marks).

Leave a Comment