Description
Describe the bug
Stripe recently sent an email announcing that the api.stripe.com certificates will no longer be issued from "DigiCert High Assurance EV Root CA" starting February 16. We checked if this could cause problems for us, and initially we figured the line
> if your system doesn't perform certificate pinning, no action is required

applied to us. Then we realized the gem bundles a copy of Mozilla's root certificates file here and configures it here. In essence the gem is not following Stripe's own advice 😅 from the same page:

> Stripe recommends against certificate pinning to avoid complications with your integration when we roll out new certificates for our systems. DigiCert, one of the major CAs, also recommends against certificate pinning.
>
> As a Stripe user, if you must use certificate pinning for some reason, make sure you pin only (and all of) the root certificates listed below.
Shipping outdated root certificates can lead to outages; for example, Shopify experienced this in 2022 with the httpclient gem. Specifically for us: we're on Stripe gem 12.x and are working on upgrading, but it looks like this could impact clients as recent as 18.0.1. The most recent update to the ca-certificates.crt file shipped in 18.1 on December 16, 2025. Comparing the 18.0.1 certificate bundle with the aforementioned list, the following roots are missing:
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
(I originally had more listed here, but I noticed the naming didn't match exactly, and looked them up by base64 encoding instead.)
Expected behavior
The Stripe gem doesn't configure its own ca_bundle_path, relying on the OpenSSL gem defaults instead.
Workaround
Manually configuring the Stripe gem to use the default certificate bundle. E.g. in a Rails initializer:

```ruby
# Point the gem at the system/OpenSSL default CA file instead of the bundled copy.
Stripe.ca_bundle_path = OpenSSL::X509::DEFAULT_CERT_FILE
```

Additional context
A bit of code archeology tells me it's a workaround from the original gem release in 2011: SSL wasn't ubiquitous, local installations often shipped with broken OpenSSL installations, and setting VERIFY_NONE was a common workaround at the time. This doesn't apply anymore today; we use plenty of Ruby net/http based API clients that use the default system CA store just fine.
IMO it's not Stripe's job to try and fix people's broken OpenSSL installations, especially when that will now cause more breakage for older gem users.
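The bundle comparison described in this issue, as an added example that is not part of the original report or of the stripe-ruby gem: a Ruby script that splits a concatenated PEM bundle into certificates and checks whether each required root is present by SHA-256 fingerprint of its DER encoding (what the base64 in the PEM encodes) rather than by the display name a vendor prints on a web page. The certificates and names below are constructed self-signed stand-ins, not the real DigiCert roots, and the "required roots" hash stands in for a vendor's published list.

```ruby
require "openssl"

# Constructed sample data: self-signed "roots" standing in for the entries
# of a vendor's published root list. Hypothetical names, not real CA roots.
def make_root(common_name, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/O=Example CA/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

ROOT_G2_PRESENT = make_root("Example Root G2", 1)
ROOT_G5_MISSING = make_root("Example Root G5", 2)
UNRELATED_ROOT  = make_root("Some Other Root", 3)

# The bundle a client library might ship: one of the two required roots
# plus an unrelated one (constructed, not a real ca-certificates.crt).
SAMPLE_BUNDLE_PEM = [ROOT_G2_PRESENT, UNRELATED_ROOT].map(&:to_pem).join

# The vendor's list as it appears on a web page: display names that do not
# necessarily equal the CN inside the certificate.
REQUIRED_ROOTS = {
  "Example TLS RSA Root G2" => ROOT_G2_PRESENT,
  "Example TLS RSA Root G5" => ROOT_G5_MISSING,
}

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# A ca-certificates file is a concatenation of PEM blocks. Certificate.new
# parses only the first block, so split the file ourselves.
def load_bundle(pem_text)
  pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Identity of a root: SHA-256 over its DER encoding.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Naive check: look for the list's display name among the bundle's subject CNs.
# Reports a root as "missing" whenever the list's wording differs from the CN.
def missing_by_name(bundle_pem, required)
  subjects = load_bundle(bundle_pem).map { |c| c.subject.to_s(OpenSSL::X509::Name::RFC2253) }
  required.keys.reject { |name| subjects.any? { |s| s.include?("CN=#{name}") } }
end

# Correct check: compare DER fingerprints, independent of how the root is named.
def missing_by_fingerprint(bundle_pem, required)
  present = load_bundle(bundle_pem).map { |c| fingerprint(c) }
  required.reject { |_, cert| present.include?(fingerprint(cert)) }.keys
end

if __FILE__ == $PROGRAM_NAME
  # To audit a real bundle, pass its path: File.read("ca-certificates.crt")
  puts "by name:        #{missing_by_name(SAMPLE_BUNDLE_PEM, REQUIRED_ROOTS).inspect}"
  puts "by fingerprint: #{missing_by_fingerprint(SAMPLE_BUNDLE_PEM, REQUIRED_ROOTS).inspect}"
end
```

Against the constructed data the name-based check reports both roots missing, while the fingerprint check correctly reports only the G5 stand-in, which is the discrepancy the issue describes after switching to lookup by encoding. To audit an actual gem bundle, replace `SAMPLE_BUNDLE_PEM` with the contents of the shipped ca-certificates.crt and build `REQUIRED_ROOTS` from the PEM text of the roots the vendor publishes.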