How To Use the PayPal API with Certificate Authentication

I have struggled to find good documentation for authenticating with PayPal via a certificate. I have found a few blog posts, but none of these had definitive answers on how to implement it. I’m going to explain how to get things set up on Windows with .NET code. However, most of the content here will be useful on any platform, with some minor tweaks.

Convert cert_key_pem.txt to p12

Using OpenSSL, convert the key you received from PayPal to PKCS#12 format. Keep track of the export password you choose; you will need it again when installing the certificate and in the code.

openssl pkcs12 -export -in cert_key_pem.txt -out cert_key.p12

Install p12

Note: I’m going to install it via the command line and give permissions to “NETWORK SERVICE” so that IIS can access the certificate. This will probably be different for OS X and Linux, and may also vary depending on the programming language you use to communicate with PayPal.

First, change directories to where you saved your .p12 file.

Then you can try installing the cert from the directory you saved the .p12 in. Note: if you don’t have WinHttpCertCfg installed, you can get it here. It comes preinstalled on Windows Server, but if you’re testing on your developer machine, you’ll need to download it.

Make sure you are running your command prompt/PowerShell as an administrator during this step:

"C:\Program Files (x86)\Windows Resource Kits\Tools\WinHttpCertCfg" -i cert_key.p12 -p P@ssw0rd -c LOCAL_MACHINE\my -a "NETWORK SERVICE"

Or, if that gives you issues, you can change directories to “C:\Program Files (x86)\Windows Resource Kits\Tools\” so that you can run WinHttpCertCfg.exe in its folder.

.\winhttpcertcfg -i C:/path/to/key/cert_key.p12 -p P@ssw0rd -c LOCAL_MACHINE\my -a "NETWORK SERVICE"

At this point, you should get a message indicating that your certificate was imported.

If you’re not programming in C# for .NET, you can ignore the rest of this section. At this point, your certificate is installed and ready for use.

The Code

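Where you create your HttpWebRequest, you can add your certificate to the request like this:

// Namespaces used: System.Net, System.Web.Configuration, System.Security.Cryptography.X509Certificates
var request = (HttpWebRequest) WebRequest.Create(WebConfigurationManager.AppSettings["PayPalDataUrl"]);
var certPath = GetCertificatePath();
var certPassword = GetCertificatePassword();

// MachineKeySet keeps the private key in the machine key store instead of a user profile.
var cert = new X509Certificate2(certPath, certPassword, X509KeyStorageFlags.MachineKeySet);

// Attach the certificate so it is presented as the client certificate on this request.
request.ClientCertificates.Add(cert);

This adds the certificate to be used for authentication; you build the rest of the request the same way you would with signature authentication.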

At this point, you should be ready to use this certificate to authenticate your PayPal Express Checkout order with PayPal.

I plan to improve this document as I remember snags that I went through to get this working for my site. If you have any questions or feedback, I would gladly like to hear it.

    • morne
    • February 27th, 2014

    I can’t purchase anything on BlackBerry World via PayPal because it says authentication failed every time, I can’t buy anything, pls help, I don’t know what to do anymore… thanx a million

  1. Converting to .p12 doesn’t work because there is no key in file provided by PP. — here’s the error:
    unable to load private key
    22860:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:648:Expecting: ANY PRIVATE KEY
    unable to write ‘random state’
