Chargebee root and intermediate CA certificate updates
Upgrade and Testing Workflow
This document helps you verify, upgrade, and test your integration for compatibility with Chargebee's upcoming certificate and cipher changes.
Use these steps to test compatibility, upgrade, and validate your integration:
- Test Compatibility With Upcoming Certificates
- Check Your Current SDK Version
- Post-Upgrade Validation
Test Compatibility With Upcoming Certificates
Make a simple API call to a public Chargebee endpoint (such as the List customers API) to check compatibility.
Use the following test site and API key instead of your Chargebee site and key:
- Replace
{site}withssl-validation-test. - Replace
{site_api_key}withtest_abc.
Important:
- Use the hostname
https://ssl-validation-test.chargebee.comexactly as shown. Do not prefix it with your site name (for example,acme:oracme-). - The API key
test_abcis a public test key provided only for TLS validation. It does not access any real Chargebee data and can be used safely for this compatibility check. - If you are using a Chargebee client library, you can perform a similar test using your preferred language or SDK. The following examples are provided for reference.
Example request:
Expected JSON response:
A 401 Unauthorized response indicates that the TLS handshake was successful and your environment is compatible with the new certificates.
No further action is required; you can safely skip the remaining sections of this document.
If you encounter a certificate or SSL-related error instead, proceed to upgrade your SDK or trust store using the steps below.
Certificate error examples (not compatible)
certificate verify failed (self signed certificate in certificate chain)[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chainSSL certificate problem: self-signed certificate in certificate chain
Check Your Current SDK Version
We provide an updated minor version with full backward compatibility for SDKs that embed the CA bundle (Python, PHP v3, Ruby).
Example: If you're on Ruby SDK
v2.59.0, upgrade tov2.60.0.
Use the table below to identify your SDK, verify its current version, and determine the G2-supported version that includes the updated cacert.
Information:
- If you use an SDK other than Python/PHP/Ruby, we don't embed
cacertin the SDK. See the next section. - Python v2 and PHP v3 are deprecated. They will continue receiving updates until December 31, 2025, after which they will no longer be supported.
- Starting with PHP v4, embedded CA certificates were removed.
| SDK | EOS Versions | Current Version | G2-supported Version | Embedded cacert |
| Python v3 | < v2.0.0 | v3.9.0 | ≥ v3.10.0 | Yes |
| Python v2 | < v2.0.0 | v2.55.0 | ≥ v2.56.0 | Yes |
| PHP v3 | < v3.0.0 | v3.46.0 | ≥ v3.47.0 | Yes |
| Ruby | < v2.0.0 | v2.59.0 | ≥ v2.60.0 | Yes |
We strongly recommend upgrading to the latest supported SDK version. Continuing to use End-of-Support (EOS) versions may expose you to security vulnerabilities.
If you can't upgrade immediately, you can manually replace the cacert in your installed SDK, using the paths below:
| SDK | cacert path | New cacert |
| Python (EOS versions) | chargebee/ssl/ca-certs.crt | ca-certs.crt |
| PHP (EOS versions) | lib/ssl/ca-certs.crt | ca-certs.crt |
| Ruby (EOS versions) | lib/ssl/ca-certs.crt | ca-certs.crt |
Other SDKs and integration patterns
- If your integration uses a different SDK or manages its own keystore/trust store, manually import the DigiCert G2 root and all required intermediate certificates. You can also reference the bundled list here: ca-certs.crt.
- Steps vary by platform. Refer to your stack's documentation to identify and update the trust store in use.
Post-Upgrade Validation
After updating your SDK or trust store, repeat the Test Compatibility step.
Expected result (handshake OK):
Error: Sorry, authentication failed. The basic authentication header has invalid format.
HTTP Status Code: 401
This confirms your integration is compatible with the new certificate chain.
We recommend regression testing your key flows before promoting to higher environments.
Timelines
After you update cacert and validate your integration, you may deploy to production at your convenience.
Starting November 1, 2025, Chargebee will briefly switch certificates on our load balancers every weekend (Saturdays and Sundays) for 5 minutes to help you validate and detect issues.
| Region | Dates | Days | Testing Time (UTC) |
| AU | November 1, 2025 – January 31, 2026 | Saturdays & Sundays | 01:00–01:05 |
| EU | November 1, 2025 – January 31, 2026 | Saturdays & Sundays | 01:20–01:25 |
| US | November 1, 2025 – January 31, 2026 | Saturdays & Sundays | 01:40–01:45 |
The new certificates will be applied permanently beginning February 2026. Any unresolved compatibility issues after this date may cause API call failures or connection disruptions.
Please complete all required updates well in advance to avoid service interruptions.