
Get your Signed HTTP Exchanges certificate

How to get an ECC TLS certificate with the CanSignHttpExchanges extension

Do you need a TLS certificate that includes the CanSignHttpExchanges extension?

DigiCert is happy to be among the first CAs to support this extension in an ECC TLS certificate as we seek to encourage innovative technologies and the advancement of web protocols. For more information, see Display better AMP URLs with Signed HTTP Exchange.

Important

This ECC TLS certificate with the CanSignHttpExchanges extension can only be used for Signed HTTP Exchanges. So, you'll need two certificates for the server: one for TLS connections and one for signing the HTTP exchanges. Chrome only uses a TLS certificate with the CanSignHttpExchanges extension for signed exchanges and will reject it for TLS connections.

To get your ECC TLS certificate with the CanSignHttpExchanges extension included so you can start testing out this AMP URL improvement, you need to complete the tasks listed in these instructions:

Get your CertCentral account

First, you need to activate your CertCentral account. This account is specifically set up for ordering a TLS certificate with the CanSignHttpExchanges extension.

Get your CertCentral account

Already have a DigiCert account? Don't worry, our experts can help you manage your account. Reach out to your account representative or contact DigiCert support.

Set up your domain's CAA resource record

For a Certificate Authority (CA) to issue your certificate with the CanSignHttpExchanges extension, you must do a one-time setup in the domain's DNS: add a CAA record that carries the "cansignhttpexchanges=yes" parameter, for example:

example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"

Before issuing your certificate with the CanSignHttpExchanges extension, a CA (such as DigiCert) checks the domain's CAA resource record for a valid property with this parameter. If the record contains "cansignhttpexchanges=yes", we can issue the certificate. If the domain doesn't have a CAA resource record, or if the record doesn't contain this parameter, we can't issue the certificate.
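The check described above, as an added example that is not DigiCert's code: it parses zone-file style CAA lines (issuer domain followed by ";"-separated name=value parameters, as in RFC 8659) and applies the page's rule that issuance is only possible when an issue property naming the CA carries cansignhttpexchanges=yes. The zone lines are constructed sample data, and other-ca.example is a placeholder CA name.

```python
import re
from typing import Optional

# Matches a zone-file style CAA line: <name> [TTL] IN CAA <flags> <tag> "<value>"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\w+)\s+"(?P<value>[^"]*)"\s*$',
    re.IGNORECASE,
)


def parse_caa(line: str) -> Optional[dict]:
    """Parse one CAA record into name, flags, tag, issuer domain and parameters.
    Returns None for lines that are not CAA records."""
    m = CAA_LINE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("value").split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return {
        "name": m.group("name").rstrip(".").lower(),
        "flags": int(m.group("flags")),
        "tag": m.group("tag").lower(),
        "issuer": parts[0].lower(),
        "params": params,
    }


def can_issue_sxg(zone_lines: list, domain: str, ca: str = "digicert.com") -> bool:
    """Rule from the page: the CA may issue a CanSignHttpExchanges certificate only
    if the domain has a CAA 'issue' property naming the CA with
    cansignhttpexchanges=yes. No CAA record, or a record without the parameter,
    means no issuance."""
    domain = domain.rstrip(".").lower()
    for line in zone_lines:
        rec = parse_caa(line)
        if rec is None or rec["name"] != domain or rec["tag"] != "issue":
            continue
        if rec["issuer"] == ca.lower() and rec["params"].get("cansignhttpexchanges", "").lower() == "yes":
            return True
    return False


# Constructed sample zone fragment: one valid record, one without the parameter,
# and one that names a placeholder CA instead of DigiCert.
SAMPLE_ZONE = [
    'example.com.   IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"',
    'plain.example. IN CAA 0 issue "digicert.com"',
    'other.example. IN CAA 0 issue "other-ca.example; cansignhttpexchanges=yes"',
]
```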

Create an ECC CSR

As part of the Signed HTTP Exchanges technology specifications, the TLS certificate used to sign the exchange requires an Elliptic Curve Cryptography (ECC) key pair.

To order a TLS certificate with the CanSignHttpExchanges extension, you must submit an ECC certificate signing request (CSR) with the order.

Order your TLS certificate

In your CertCentral account, in the sidebar menu, click Request a Certificate and pick a certificate.

If you're not sure which certificate you want, click Request a Certificate > Product Summary. On the Request a Certificate page, look over the certificate options. Then choose the certificate you want.

Include the CanSignHttpExchanges extension

When ordering your TLS certificate, make sure to include the CanSignHttpExchanges extension in the certificate.

Important

Per industry standards, certificates that include the Signed HTTP Exchange extension have a 90-day maximum validity limit.

On the certificate's Request page, expand Additional Certificate Options. Under Signed HTTP Exchanges, check Include the CanSignHttpExchanges extension in the certificate.


Create ACME credentials for "Signed HTTP Exchange" certificates

When creating ACME credentials for your Signed HTTP Exchange certificate, make sure to include the CanSignHttpExchanges extension in the certificate.

For more information, see Add ACME credentials in CertCentral.