Get your Signed HTTP Exchanges certificate

How to get an ECC TLS certificate with the CanSignHttpExchanges extension

Do you need a TLS certificate that includes the CanSignHttpExchanges extension?

DigiCert is happy to be among the first CAs to support this extension in an ECC TLS certificate as we seek to encourage innovative technologies and the advancement of web protocols. For more information, see Display better AMP URLs with Signed HTTP Exchange.

Important

This ECC TLS certificate with the CanSignHttpExchanges extension can only be used for Signed HTTP Exchanges. So, you'll need two certificates for the server: one for TLS connections and one for signing the HTTP exchanges. Chrome only uses a TLS certificate with the CanSignHttpExchanges extension for signed exchanges and will reject it for TLS connections.

To get your ECC TLS certificate with the CanSignHttpExchanges extension included so you can start testing out this AMP URL improvement, you need to complete the tasks listed in these instructions:

First, you need to activate your CertCentral account. This account is specifically set up for ordering a TLS certificate with the CanSignHttpExchanges extension.

Set up your domain's CAA resource record

For a Certificate Authority (CA) to issue your certificate with the CanSignHttpExchanges extension, you must do a one-time setup in the domain's DNS: add a CAA resource record that carries the "cansignhttpexchanges=yes" parameter.

example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"

Prior to issuing your certificate with the CanSignHttpExchanges extension, a CA (such as DigiCert) checks the domain's CAA resource record for a valid property with this parameter. If the record contains the "cansignhttpexchanges=yes" parameter, we can issue the certificate. If the domain doesn't have a CAA resource record, or if the record doesn't contain this parameter, we can't issue the certificate.
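The following is an added example, not DigiCert's own tooling: it evaluates a domain's CAA RRset offline, the way the check described above works, and decides whether a CA named in an issue property (digicert.com is assumed as the CA) may issue a certificate with the CanSignHttpExchanges extension. The sample records are constructed; the caller is assumed to have already fetched the relevant CAA RRset.

```python
"""Check a CAA RRset for the cansignhttpexchanges=yes parameter (RFC 8659 syntax)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tags a CA understands; a critical (flag 128) record with any other tag blocks issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 0x80


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_rr(presentation: str) -> CAARecord:
    """Parse a zone-file line such as:
    example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
    """
    _, _, rdata = presentation.partition(" CAA ")
    flags, tag, value = rdata.split(" ", 2)
    return CAARecord(int(flags), tag, value.strip().strip('"'))


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an issue value into (issuer-domain, parameters).
    The issuer domain comes first; ';'-separated key=value pairs follow."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # a bare ';' (e.g. issue ";") carries no parameters
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return issuer, params


def may_issue_sxg(records: List[CAARecord], ca_domain: str = "digicert.com") -> bool:
    """True only if an issue record names ca_domain AND carries
    cansignhttpexchanges=yes. No records, a record without the parameter,
    or a record naming another CA means the CA must refuse."""
    if any(r.flags & CRITICAL_FLAG and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    for r in records:
        if r.tag.lower() != "issue":
            continue
        issuer, params = parse_issue_value(r.value)
        if issuer == ca_domain.lower() and params.get("cansignhttpexchanges", "").lower() == "yes":
            return True
    return False


# Constructed sample: the record from the instructions above.
SAMPLE = [parse_caa_rr('example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"')]
```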

Create an ECC CSR

As part of the Signed HTTP Exchanges technology specifications, the TLS certificate used to sign the exchange requires an Elliptic Curve Cryptography (ECC) keypair.

To order a TLS certificate with the CanSignHttpExchanges extension, you must submit an ECC certificate signing request (CSR) with the order.

In your CertCentral account, in the sidebar menu, click Request a Certificate and pick a certificate.

If you're not sure which certificate you want, click Request a Certificate > Product Summary. On the Request a Certificate page, look over the certificate options. Then choose the certificate you want.

Include the CanSignHttpExchanges extension

When ordering your TLS certificate, make sure to include the CanSignHttpExchanges extension in the certificate.

Important

Per industry standards, certificates that include the CanSignHttpExchanges extension have a 90-day maximum validity limit.

On the certificate's Request page, expand Additional Certificate Options. Under Signed HTTP Exchanges, check Include the CanSignHttpExchanges extension in the certificate.

Create a "Signed HTTP Exchange" certificate ACME Directory URL

When creating an ACME Directory URL for your Signed HTTP Exchange certificate, make sure to include the CanSignHttpExchanges extension in the certificate.

For more information, see ACME Directory URLs for Signed HTTP Exchange certificates