TLS Certificates on Adyen services
April 9, 2024 09:21
Adyen presents TLS certificates in order to authenticate when merchants establish secure connections to Adyen's API endpoints as well as when Adyen's outbound endpoints send webhook notifications. Your integration connects to Adyen's services securely over HTTPS connection.
Adyen routinely maintains the TLS certificates for services under its domains.
Certificate pinning
Certificate pinning is the process of associating (or hard coding) an endpoint with their expected certificate or public key.
By default, Adyen does not recommend pinning on Adyen's certificates since this may impact connectivity to Adyen's systems at the moment a new certificate is released on the LIVE or TEST environment. Certificate pinning is done on the merchant’s side of the integration, outside of the Adyen platform. Therefore, merchants' certificate pinning policies are not visible to Adyen.Â
Likely certificate changes won't affect merchant integrations. Only merchants that do (custom) certificate pinning on the certificates presented by Adyen’s endpoints may need to update their custom list of allowed certificates to accept the new certificate.
If you require to pin on certificates due to your internal policies, please make sure to limit the pinning to the root certificate only. Merchants who pin the entire or partial certificate chain (leaf certificate, intermediate certificate and root certificate) run a high risk of breaking their integration.
You can find the latest Root CAs at the DigiCert website. Similarly, for the Root CA, Adyen may decide at any moment in time (with or without prior communication) to change the Root CA. In case the Root CA isn’t trusted, this may impact a merchant's connectivity to Adyen’s systems.
Merchants who (intend to) perform certificate pinning can request for the leaf certificate to be shared with them before scheduled certificate change dates.
Certificate changes
In practice and for various reasons, Adyen may decide to roll a new certificate at different moments in time (with or without prior communication).
During certificate changes, Adyen will renew TLS server or client certificates. Once the change is verified to be successful, Adyen will no longer use the previous certificate to authenticate its endpoints.
Merchants who perform certificate pinning run a high risk of breaking their integration.
Endpoints and certificates used by Adyen
Server certificates used on Adyen's API endpoints
Adyen’s servers present these certificates in order to authenticate when merchants establish secure connections to our API endpoints.
Endpoint | New intermediate | New root |
|---|---|---|
checkoutcert-live-eu.adyen.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
checkoutcert-live-us.adyen.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
checkoutcert-live-au.adyen.com | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
pal-live.adyen.com | Thawte TLS RSA CA G1 GeoTrust TLS ECC CA G1 | DigiCert Global Root G2 DigiCert Global Root G3 |
*.pal-live.adyenpayments.com | Thawte TLS RSA CA G1 GeoTrust TLS ECC CA G1 | DigiCert Global Root G2 DigiCert Global Root G3 |
*.adyen.com | GeoTrust TLS RSA CA G1 GeoTrust TLS ECC CA G1 | DigiCert Global Root G2 DigiCert Global Root G3 |
*.adyenpayments.com | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 GeoTrust TLS ECC CA G1 | DigiCert Global Root CA DigiCert Global Root G3 |
Client certificates used on Adyen's domains
Adyen’s notification service presents this client certificate when sending out notification webhooks from our platform to merchants’ systems.
Endpoint | Legacy intermediate | Legacy root | New intermediate | New root |
|---|---|---|---|---|
signed-test.adyen.com | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |
signed.adyen.com | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |