Secure communications for web sites and web services rely on files known as certificates to establish and authenticate secure connections. These certificates contain cryptographic elements, in particular a digital signature, that are generated using hash algorithms with names like SHA-1 or SHA-256.
Certificates have most commonly been generated using SHA-1 for their digital signature elements, but this algorithm is getting old and is no longer considered as secure as most of the online industry would like. As a result, there is a major shift underway to move to certificates which use the newer SHA-256 algorithm.
This move may impact some Sage Pay integrations. In some cases, older integrations may require some changes to work properly once the certificate change has been completed.
To avoid any disruption to your service you must verify that your systems are ready for this change by May 31st 2016.
Before the changes are made on the Sage Pay systems you can follow the steps below to upgrade from SHA-1 to the stronger SHA-256. By completing these steps you will be in the best position possible to avoid any potential problems you may encounter.
Check your environment.
You must ensure that your environment supports SHA-256 certificates. The guidelines below will provide all of the information that you will need to upgrade.
Windows 2000 Server and some versions of Windows XP may be incompatible with SHA-256 (SHA-2).
For more information have a look at this Windows PKI blog on SHA-256. Windows can also assist with patches and recommendations on upgrading your environment.
How do I know if this impacts me?
We are making changes to the Test environment on 31/03/2016, prior to any Live changes, to allow you to verify that your integration will not be impacted.
If you see these or similar error messages during your testing against the migrated Test environment, you will need to update your integration prior to the migration of our Live environment to SHA-256 certificates.
“Unable to find valid certification path to requested target”
“SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled”
“alert handshake failure”
“Problem with the SSL CA cert (path? access rights?)”
If you encounter difficulties
The clearest way to determine whether your system already supports the upcoming requirements is to have a web developer or system administrator run a test of your integration against our Test environment after 31/03/2016. A failure in testing indicates you should review all the above steps and upgrade your system’s environment.
If your integration is hosted by a third party, you should contact your hosting provider and have them perform the appropriate testing to ensure compatibility with these new certificates.
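As an added example that is not part of this Sage Pay article, the Python below connects to a server with the local TLS stack and reports which algorithm signed the certificate it presented, parsing the signatureAlgorithm field directly from the DER because ssl.getpeercert() does not expose it. The Test environment hostname is not given on this page, so pass your own to check_server; build_sample_cert constructs stand-in data so the parser can be exercised offline.

```python
import socket
import ssl

# Standard PKIX OIDs for the signature algorithms this check distinguishes.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(data):  # DER OID content bytes -> dotted string (base-128 arcs)
    parts, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_algorithm(cert_der):
    """Name (or raw OID) of signatureAlgorithm in a DER Certificate ::= SEQUENCE { tbs, alg, sig }."""
    _, start, _ = _read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(cert_der, start)      # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert_der, tbs_end)  # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = _decode_oid(cert_der[oid_start:oid_end])
    return SIG_ALG_OIDS.get(oid, oid)

def check_server(host, port=443):
    """Handshake with the local TLS stack (verification on) and report the server cert's algorithm."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return signature_algorithm(tls.getpeercert(binary_form=True))

def build_sample_cert(alg_oid_hex):
    """Constructed test data, not a real certificate: empty tbsCertificate, given alg OID, dummy sig."""
    oid = bytes.fromhex(alg_oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\x00"
    return bytes([0x30, len(body)]) + body
```

A handshake error raised by check_server against the migrated Test environment corresponds to the failures listed above and means the local TLS stack or trust store needs updating.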
My system supports SHA-256, do I need to do anything?
No. If your system already supports this, there is no action that you need to take at this point to upgrade.