Get your Signed HTTP Exchanges certificate

A Signed HTTP Exchanges (SXG) certificate is an ECC TLS certificate that includes the CanSignHttpExchanges extension. Use this certificate to sign HTTP exchanges and improve AMP URL display in supported browsers.

Important

A certificate that includes the CanSignHttpExchanges extension can only be used for Signed HTTP Exchanges. You need two certificates on the server: one for TLS connections and one for signing HTTP exchanges. Chrome uses the certificate with the CanSignHttpExchanges extension for signed exchanges only and rejects it for TLS connections.

Before you begin

Update your domain's CAA resource record to include the cansignhttpexchanges=yes parameter before ordering:

example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"

DigiCert checks the domain's CAA resource record for this parameter before issuing the certificate. If the record does not contain the parameter, DigiCert cannot issue the certificate.
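A pre-order check for the CAA requirement above, as an added example that is not DigiCert's own code. It parses zone-file style CAA lines like the one shown on this page; the function names, status strings and sample records are constructed for illustration, and the parameter is matched exactly as written on this page (an assumption about how strictly the CA compares it).

```python
import re

# Matches zone-file style CAA lines such as the one shown on this page.
CAA_RE = re.compile(r'\bCAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"')

def parse_issue_value(value):
    """Split a CAA issue value into (issuer domain, {parameter: value})."""
    issuer, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        if "=" in part:
            tag, _, val = part.partition("=")
            params[tag.strip()] = val.strip()
    # DNS names compare case-insensitively; drop any trailing root dot.
    return issuer.strip().lower().rstrip("."), params

def check_sxg_caa(zone_text, ca="digicert.com"):
    """Return 'ok', 'missing-parameter', 'ca-not-authorized' or 'no-issue-records'."""
    status = "no-issue-records"
    for _flags, tag, value in CAA_RE.findall(zone_text):
        if tag.lower() != "issue":
            continue  # issuewild and iodef properties are not checked here
        issuer, params = parse_issue_value(value)
        if issuer != ca:
            # Another CA is named; keep a more specific status if already set.
            if status == "no-issue-records":
                status = "ca-not-authorized"
            continue
        if params.get("cansignhttpexchanges") == "yes":
            return "ok"
        status = "missing-parameter"
    return status

# Constructed sample record sets (not real DNS data).
READY = 'example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"'
NOT_READY = ('example.com. IN CAA 0 issue "digicert.com"\n'
             'example.com. IN CAA 0 iodef "mailto:security@example.com"')
OTHER_CA = 'example.com. IN CAA 0 issue "ca.example.net"'

if __name__ == "__main__":
    for name, zone in [("READY", READY), ("NOT_READY", NOT_READY), ("OTHER_CA", OTHER_CA)]:
        print(name, "->", check_sxg_caa(zone))
```

Any result other than `ok` means the record set does not yet carry the parameter for the named CA, so the order would fail the CAA check described above.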

Generate an ECC certificate signing request (CSR). The SXG specification requires an ECC keypair for the certificate used to sign the exchange. For CSR creation instructions, see ECC CSR creation: Apache or ECC CSR creation: Microsoft Servers.

Order your SXG certificate

  1. In the CertCentral main menu, go to Request a Certificate and select a certificate.

  2. On the certificate request page, expand Additional Certificate Options.

  3. Under Signed HTTP Exchanges, select Include the CanSignHttpExchanges extension in the certificate.

    Important

    Per industry standards, certificates that include the Signed HTTP Exchange extension have a 90-day maximum validity limit.

  4. Complete the remaining order details and submit the request.

Create ACME credentials for SXG certificates

When creating ACME credentials for your SXG certificate, include the CanSignHttpExchanges extension in the certificate options. See Add ACME credentials in CertCentral.