TLS certificates

Last updated: June 3, 2026

All communication with Checkout.com APIs is encrypted in transit using the Transport Layer Security (TLS) protocol. During the TLS handshake, Checkout.com provides a certificate chain consisting of leaf and intermediate certificates signed by several different certificate authorities. To validate the authenticity of a certificate, a complete chain of trust must be established. The complete chain of trust ends with a trust anchor, which is within the client's trust store.

Most modern operating systems and browsers have these certificates preinstalled. If you manage your own trusted store of certificate authorities, you must include them in that trusted root store. If you do not, certificate validation fails during the TLS handshake and your client cannot establish a secure connection.

Information

Avoid pinning the leaf or intermediate certificates, as they change frequently.

When integrating with Checkout.com APIs, your trust store must include the following certificates:

Certificate subject name	Serial	Repository location
`CN=Amazon Root CA 1,O=Amazon,C=US`	`06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca`	`https://www.amazontrust.com/repository/`
`CN=Amazon Root CA 2,O=Amazon,C=US`	`06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37`
`CN=Amazon Root CA 3,O=Amazon,C=US`	`06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a`
`CN=Amazon Root CA 4,O=Amazon,C=US`	`06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e`
`CN=Amazon RSA 2048 Root EU M1,O=Amazon,C=DE`	`07:c0:cd:89:6c:c3:e9:d4:d2:a5:60:cc:07:0b:7d:bd:2c:f7:21`
`CN=Amazon ECDSA 256 Root EU M1,O=Amazon,C=DE`	`07:c0:cd:89:6c:cb:9c:16:04:6c:18:21:a6:4c:6c:7b:29:dd:3f`
`CN=Amazon ECDSA 384 Root EU M1,O=Amazon,C=DE`	`07:c0:cd:89:6c:ce:23:ec:d5:73:bd:64:98:96:62:ab:25:df:e9`
`CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies, Inc.,C=US,S=Arizona,L=Scottsdale`	`0`
`C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2`	`0`	`https://certs.godaddy.com/repository` `sfroot-g2.crt.pem` or `sfroot-g2.crt.der`
`CN=Certainly Root R1,O=Certainly,C=US`	`8e:0f:f9:4b:90:71:68:65:33:54:f4:d4:44:39:b7:e0`	`https://www.certainly.com/repository/index.html` `Certainly_Root_R1.pem` and `Certainly_Root_E1.pem`
`CN=Certainly Root E1,O=Certainly,C=US`	`06:25:33:b1:47:03:33:27:5c:f9:8d:9a:b9:bf:cc:f8`

To ensure maximum compatibility, add all of these certificates to the trust store that your application uses. If this list of trusted certificate anchors changes, we'll send you an email from updates@checkout.com.

Information

Trusted certificate anchors