Certificate replacement for 'pal-live.adyen.com' and wildcard certificates on February 7th, 2023

Adyen will replace TLS certificates for services under domains 'pal-live.adyen.com', '*.adyen.com' and '*.adyenpayments.com' on February 7th, 2023.

1) What are the 'pal-live.adyen.com' and wildcard ('*.adyen.com' and '*.adyenpayments.com') certificates?

Adyen’s servers present these certificates in order to authenticate when merchants establish secure connections to our API endpoints.

2) What is happening with this change?

During this change, Adyen will renew the TLS certificate. Once the change is verified to be successful, Adyen will no longer use the currently used certificate to authenticate its server endpoints. 

3) Will I be affected by this certificate change?

Likely this change does not affect your integration. Only merchants that do (custom) certificate pinning on the server certificates presented by Adyen’s APIs may need to update their custom list of allowed certificates to accept the new certificate.

4) How can I know if I am doing certificate pinning?

Certificate pinning is done on the merchant’s side of the integration, outside of the Adyen platform. Therefore, merchants' certificate pinning policies are not visible to Adyen. In case you are unsure, please check with your technical team, service administrator, or system integrator.

Merchants who do not perform certificate pinning, do not require to take action.

5) Can I have the certificate before the change?

Merchants who perform certificate pinning can request for these certificates to be shared with them specifically before the change date. Note that the same trust chain will be used in our TEST environment for *.adyen.com as of Wednesday, January 18th and therefore it can be used to validate your integration.

6) What is Adyen's recommendation on certificate pinning?

By default, Adyen does not recommend pinning on Adyen's certificates since this may impact connectivity to Adyen's systems at the moment a new certificate is released on the LIVE or TEST environment. In practice and for various reasons, Adyen may decide to roll a new certificate at different moments in time (with or without prior communication).

If you use a custom certificate trust store, your system will have to trust the public Root Certificate Authority (CA): DigiCert Global Root CA. You can find the latest Root CA at DigiCert website or DigiCert Global Root CA (direct link to CRT).

Similarly, for the Root CA, Adyen may decide at any moment in time (with or without prior communication) to change the Root CA. In case the Root CA isn’t trusted, this may impact a merchant's connectivity to Adyen’s systems.