TLS Certificates on Adyen services

January 11, 2024 13:13

Adyen presents TLS certificates to authenticate itself when merchants establish secure connections to Adyen's API endpoints, and when Adyen's outbound endpoints send webhook notifications. Your integration connects to Adyen's services securely over HTTPS.

Adyen routinely maintains the TLS certificates for services under its domains.

Certificate pinning

Certificate pinning is the process of associating (or hard-coding) an endpoint with its expected certificate or public key.

By default, Adyen does not recommend pinning on Adyen's certificates since this may impact connectivity to Adyen's systems at the moment a new certificate is released on the LIVE or TEST environment. Certificate pinning is done on the merchant’s side of the integration, outside of the Adyen platform. Therefore, merchants' certificate pinning policies are not visible to Adyen. 

Certificate changes most likely won't affect merchant integrations. Only merchants that do (custom) certificate pinning on the certificates presented by Adyen’s endpoints may need to update their custom list of allowed certificates to accept the new certificate.

If your internal policies require you to pin certificates, please make sure to limit the pinning to the root certificate only. Merchants who pin the entire or partial certificate chain (leaf certificate, intermediate certificate and root certificate) run a high risk of breaking their integration.

You can find the latest Root CAs at the DigiCert website. The Root CA can change as well: Adyen may decide at any moment in time (with or without prior communication) to change the Root CA. If the Root CA isn’t trusted, this may impact a merchant's connectivity to Adyen’s systems.

Merchants who (intend to) perform certificate pinning can request that the leaf certificate be shared with them before scheduled certificate change dates.
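The following is an added example, not code from Adyen: it audits three pin sets (leaf only, one root, both roots) against a legacy chain, a chain with a renewed leaf, and a new chain, to show which pin sets keep accepting connections across a certificate change. The CA names are taken from the client certificate table on this page; the certificate bytes, serials and helper names are constructed stand-ins, and a real client would fingerprint the DER certificates of the chain it has already validated.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def stand_in_cert(subject: str, serial: int) -> bytes:
    """Constructed stand-in for DER bytes (assumption: not a real certificate)."""
    return f"subject={subject};serial={serial}".encode()

# Chains are ordered leaf -> intermediate -> root. Serials are constructed.
LEGACY_CHAIN = [
    stand_in_cert("signed.adyen.com", 1),
    stand_in_cert("GeoTrust Global TLS RSA4096 SHA256 2022 CA1", 10),
    stand_in_cert("DigiCert Global Root CA", 100),
]
# Same issuing CAs, but the leaf has been renewed.
RENEWED_LEAF_CHAIN = [stand_in_cert("signed.adyen.com", 2)] + LEGACY_CHAIN[1:]
# New intermediate and new root.
NEW_CHAIN = [
    stand_in_cert("signed.adyen.com", 3),
    stand_in_cert("GeoTrust TLS RSA CA G1", 11),
    stand_in_cert("DigiCert Global Root G2", 101),
]
CHAINS = {"legacy": LEGACY_CHAIN, "renewed_leaf": RENEWED_LEAF_CHAIN, "new": NEW_CHAIN}

def matched_positions(chain, pins):
    """Chain indexes (0 = leaf, last = root) whose fingerprint is in the pin set."""
    return [i for i, der in enumerate(chain) if fingerprint(der) in pins]

def accepts(chain, pins):
    """The pin check passes if any chain element is pinned.
    It runs in addition to normal chain validation, never instead of it."""
    return bool(matched_positions(chain, pins))

def audit(pins, chains):
    """Map each named chain to whether this pin set would still accept it."""
    return {name: accepts(chain, pins) for name, chain in chains.items()}

LEAF_PIN = {fingerprint(LEGACY_CHAIN[0])}
ONE_ROOT_PIN = {fingerprint(LEGACY_CHAIN[2])}
BOTH_ROOTS_PIN = ONE_ROOT_PIN | {fingerprint(NEW_CHAIN[2])}

if __name__ == "__main__":
    for label, pins in [("leaf", LEAF_PIN), ("one root", ONE_ROOT_PIN),
                        ("both roots", BOTH_ROOTS_PIN)]:
        print(f"{label:>10}: {audit(pins, CHAINS)}")
```

A leaf pin fails on the first renewal, a single root pin survives renewals but fails when the root changes, and only the pin set holding both roots accepts all three chains.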

Certificate changes

In practice and for various reasons, Adyen may decide to roll a new certificate at different moments in time (with or without prior communication).

During certificate changes, Adyen will renew TLS server or client certificates. Once the change is verified to be successful, Adyen will no longer use the previous certificate to authenticate its endpoints.

Merchants who perform certificate pinning run a high risk of breaking their integration.

Endpoints and certificates used by Adyen

Server certificates used on Adyen's API endpoints

Adyen’s servers present these certificates in order to authenticate when merchants establish secure connections to our API endpoints.

| Endpoint | New intermediate | New root |
| --- | --- | --- |
| checkoutcert-live-eu.adyen.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
| checkoutcert-live-us.adyen.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
| checkoutcert-live-au.adyen.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
| pal-live.adyen.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
| *.pal-live.adyenpayments.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
| *.adyen.com | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |
| *.adyenpayments.com | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA |

Client certificates used on Adyen's domains

Adyen’s notification service presents this client certificate when sending out notification webhooks from our platform to merchants’ systems.

| Endpoint | Legacy intermediate | Legacy root | New intermediate | New root |
| --- | --- | --- | --- | --- |
| signed-test.adyen.com | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |
| signed.adyen.com | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |