Please check against the following items:

1. Please check if the parameter format of the signature string complies with the requirements in the document.

2. Please note the line break requirement at the end of the parameter in the document, if the body is empty, two \n line breaks have to be used.

The old certificate could still initiate the v2 interface when the certificate was replaced with one using a foreign agency number because of the following reasons:

1. A period of transition is needed as the invalidation is not immediate.

2. A 14-day transition period is offered for replacing CA with self-signature, and a 48-hour transition period is offered for replacing CA with CA.

It is only supported by windows version.
It is recommended that you use Window7 systems and above.

Problem lies in reading the certificate and getting the public key. Check if the type used is deprecated in the new version jdk. For example, the jdk9 is deprecated

Log in to the merchant platform Account Settings > API Security > API Certificate to check the merchant API certificate serial number.
Both the merchant API certificate and WeChat Pay platform certificate parsing tool can be checked via the third-party certificate. parsing tool You can also use the openssl command line tool to check the certificate serial number.

1$ openssl x509 -in 1900009191_20180326_cert.pem -noout -serial
2serial=1DDE55AD98ED71D6EDD4A4A16996DE7B47773A8C

We recommend using the SDK provided by WeChat Pay. You can also view the sample codes in the following programming languages.

JAVA

1/**
2 * 获取证书。
3 *
4 * @param filename 证书文件路径  (required)
5 * @return X509证书
6 */
7public static X509Certificate getCertificate(String filename) throws IOException {
8	InputStream fis = new FileInputStream(filename);
9	BufferedInputStream bis = new BufferedInputStream(fis);
10
11	try {
12		CertificateFactory cf = CertificateFactory.getInstance("X509");
13		X509Certificate cert = (X509Certificate) cf.generateCertificate(bis);
14		cert.checkValidity();
15		return cert;
16	} catch (CertificateExpiredException e) {
17		throw new RuntimeException("证书已过期", e);
18	} catch (CertificateNotYetValidException e) {
19		throw new RuntimeException("证书尚未生效", e);
20	} catch (CertificateException e) {
21		throw new RuntimeException("无效的证书文件", e);
22	} finally {
23		bis.close();
24	}
25}
26

PHP

1 
2/**
3* Read certificate from file
4*
5* @param string    $filepath     PEM encoded X.509 certificate file path
6* 
7* @return resource|bool  X.509 certificate resource identifier on success or FALSE on failure
8*/
9public static function getCertificate($filepath) {
10    return openssl_x509_read(file_get_contents($filepath));}
11

The main purpose is to avoid affecting merchants' use of various WeChat Pay functions when the platform certificate is being replaced. WeChat Pay will replace the platform certificate in the following scenarios:

1. The certificate must be replaced when it expires. (Currently five years)

1. Replace the certificate routinely before it expires. (Once a year)

Mainly to prevent "man-in-the-middle attacks."

The platform certificate must be used to verify the signature of the response message and encrypt sensitive information. The platform certificate is the most critical element for merchants to authenticate WeChat payment. Therefore, multiple mechanisms, such as signature and encryption, must be adopted to ensure that the platform certificates obtained by the merchant have not been tampered with by "man-in-the-middle".

Merchants should perform the following four steps when calling the download API and obtaining the platform certificates to ensure the authenticity of the certificates:

1. Use the symmetric key shared with the platform to decrypt the certificate in the message (required).

2. Verify the signature of the message by decrypting the certificate (required).

3. Use the certificate viewing tool to ensure that the certificate is issued by Tenpay.com Root CA.

4. Verify the platform certificate through the certificate trust chain (highly recommended).

The following describes how the openssl tool can be used to verify the platform certificate through the certificate trust chain.

First, download the platform certificate trust chain CertTrustChain.p7b from the WeChat Pay merchant platform and convert it to the pem certificate format.

1openssl pkcs7 -print_certs -in CertTrustChain.p7b -inform der -out CertTrustChain.pem
2

Then, -CAfile file file will specify the trusted certificate to verify the downloaded platform certificate.

1openssl verify -verbose -CAfile ./CertTrustChain.pem ./WeChatPayPlatform.pem 
2

Merchants used WeChat Pay platform public key encryption when sending sensitive information. In order to use the correct key for decryption, WeChat Pay requires merchants to include the certificate serial number in the HTTP header of the request to declare the key pair and platform certificate used for encryption. Please refer to Private key and certificate for details.