Amazon Pay TLS/SSL certificates
What is TLS/SSL?
Transport Security Layer ("TLS") and Secure Sockets Layer ("SSL") are protocols designed to ensure that data can be securely transported between a web server and a browser using cryptographic algorithms. TLS/SSL ensures that the data transmitted comes from the source it claims to be coming from and has not been modified or read by a 3rd party during the transmission. For additional details on versions of TLS/SSL that we support, see TLS/SSL frequently asked questions.
HTTP versus HTTPS
When a URL address contains HTTPS, the 'S' stands for secure, it indicates data is being transmitted securely. The difference between HTTP and HTTPS is that in HTTPS the data is transferred on top of SSL protocols and inherits all of its security.
TLS/SSL certificates
TLS/SSL uses certificates to secure and protect transmitted data. A certificate contains information about the owner of the certificate, such as the organization, country, duration of validity, website address, and the certificate ID of the person who certifies (signs) this information. It contains also the public key and a hash to ensure that the certificate has not been tampered with.
Here is a sample certificate:
Company Root CA 9
==================
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgITBmyfz5m/jAo54vB4iXxxababbmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468Sample
-----END CERTIFICATE-----
Certificate chains
Large global Certificate Authorities (CAs) certify other agencies to issue TLS/SSL certificates which usually operate at a regional level. If a server's certificate was issued by an intermediate CA, the server must also host the intermediate CA's certificate which, in turn, can be verified against a trusted root certificate stored locally.
Here are the steps for verifying a chain:
- Download the certificates from the server.
- Check if the server certificate matches the website name and is signed by the intermediate certificate.
- Check if the intermediate certificate is signed by one of the trusted root certificates stored locally.
Intermediate CAs can issue certificates to other intermediate CAs so the certificate chain may be longer than 3 certificates.
Why are TLS/SSL certificates needed?
Here are some reasons for using a TLS/SSL certificate:
- Security: The primary reason for using a TLS/SSL certificate is to keep data exchanged between a buyer's browser and your server secure. This prevents order and payment details or buyer data, such as the buyer's username and password from being exposed to the internet and intercepted.
- Buyer Trust: When you purchase a TLS/SSL certificate, the Certificate Authority will issue a seal to be displayed on your web page. This seal instills trust in your website when buyers know their data is secure.
Here are some sample seals:
- Traffic: Search engines such as Google rank stores that operate over insecure connections lower than sites that using secure connection, which reduces customer traffic.
TLS/SSL Certificates and Amazon Requirements
Amazon Pay and Login with Amazon
Amazon recommends that you always use a secure connection; however, there are two instances where TLS/SSL certificates are mandatory when integrating with Amazon Pay and Login with Amazon:
- Login with Amazon
There are two options for buyer login, either a popup window, or redirecting the buyer to another web page. For a secure connection:- Popup Login: the button itself must be on an HTTPS page.
- Redirect Login: the return URL must be on a secure page.
- IPN messages
IPN (Instant Payment Notification) messages can only be sent to a secure endpoint. Without a valid certificate Amazon can't tell if the server receiving the IPN messages actually belongs to the merchant or to somebody who is attempting to intercept the data.
Note: When testing in a local environment a TLS/SSL certificate is not required (that is, http://localhost).
MD5 with RSA Restriction
Amazon checks the bottom of the certificate chain (usually a domain such as example.com) and will not establish a TLS/SSL connection with a site using a Certificate Signature Algorithm that uses MD5 with RSA Encryption.
To examine your site's encryption algorithm, follow these steps.
In Firefox
- Go to your site using an HTTPS:// secure protocol.
- Click the site icon to the left of the domain name. This brings up an information dialog box about the host.
- Click the More Information button to display the Page Info dialog box.
- Click the Security icon, and then click the View Certificate button to display the Certificate Viewer dialog box.
- Click the Details tab, and then, under the Certificate Fields list box, scroll down and click Certificate Signature Algorithm to display the Field Value. The Field Value box displays the certificate algorithm used.
- If the Field Value is MD5 With RSA Encryption, the certificate is not valid for use with Amazon Pay transactions.
In IE 7
- Go to your site using the HTTPS:// secure protocol.
- Click the security icon (a lock) to the right of the domain name. This brings up the Website Identification pop-up window.
- Click View Certificates to display the Certificate dialog box.
- Click the Details tab to display the Signature algorithm that is used.
- If the Signature algorithm value is md5RSA, the certificate is not valid for use with Amazon Pay transactions.
In Safari 8
- Go to your site using the HTTPS:// secure protocol.
- Click the security icon (a lock) to the left of the domain name. This brings up the Website Identification pop-up window.
- Click Show Certificate to display the Certificate dialog box.
- Click the Details tab to display the Signature algorithm used.
- If Signature algorithm value is md5RSA, the certificate is not valid for use with Amazon Pay transactions.
Common TLS/SSL errors
Missing intermediate certificate
This occurs when the certificate is installed correctly but the server does not store the intermediate certificate so the chain of trust cannot be established. Ensure all of the certificates in the chain are stored locally.
Certificate name mismatch
The name on the installed certificate is different than the website's address. In other words, the installed certificate belongs to a different website. You will need to purchase a new certificate for the website.
Purchasing a certificate
Certificates can be purchased over the internet from any number of hosting companies.
TLS/SSL certificates are issued and maintained by a network of Certificate Authorities (CAs). These are usually well-known companies from the IT sector that have to adhere to strict security standards.
There are two types of certificates, standard and extended. The standard version meets the requirements for Amazon Pay, it is less expensive than an extended type, and is issued within minutes of purchase.
Certificate prices will vary over time and many certificates come with a 30 day free trial and can be revoked at no cost if you aren't happy with it.
Amazon-Approved TLS/SSL Certificates
Amazon Pay currently accepts SSL certificates with root certificates from any of the Certificate Authorities (CAs) listed on the Certificate Authorities (CA) Recognized by Amazon SNS for HTTPS Endpoints page.