How to add the CanSignHttpExchanges extension to your ECC TLS certificates

Do you need a TLS certificate that includes the CanSignHttpExchanges extension and an ECC keypair? DigiCert is happy to be among the very first CAs to support this extension in an ECC TLS certificate as we seek to encourage innovative technologies and the advancement of web protocols.

This ECC certificate with the CanSignHttpExchanges extension can only be used for the Signed HTTP Exchange. So, you'll need two certificates for the server: one for TLS connections and one for signing the HTTP exchanges. Chrome only uses a TLS certificate with the CanSignHttpExchanges extension for signed exchanges and will reject it for TLS connections.

To get your ECC TLS certificate with the CanSignHttpExchanges extension included so you can start testing out this AMP URL improvement, you need to do four things:

1. Get your CertCentral account

First, you need to activate your CertCentral account. This account is specifically set up for ordering a TLS certificate with the CanSignHttpExchanges extension.

Already have a DigiCert account? Don't worry, our experts can help you manage your account. Reach out to your account representative or contact our Support team.

2. Create an ECC CSR

As part of the Signed HTTP Exchange technology specifications, the TLS certificate used to sign the exchange requires an Elliptic Curve Cryptography (ECC) keypair.

To order a TLS certificate with the CanSignHttpExchanges extension, you must submit an ECC CSR with the order.

3. Order your TLS Certificate

In your CertCentral account, in the sidebar menu, click Request a Certificate and pick a certificate. If you're not sure which certificate you want, click Request a Certificate > Product Summary. On the Request a Certificate page, look over the certificate options and then choose the certificate you want.

4. Include the CanSignHttpExchanges extension

When ordering your TLS certificate, make sure to include the CanSignHttpExchanges extension in the certificate.

On the certificate's Request page, expand Additional Certificate Options and under Signed HTTP Exchanges, check Include the CanSignHttpExchanges extension in the certificate.
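
For steps 2 and 4, here is an added example using the OpenSSL command line (not DigiCert's tooling and not part of the original page). It creates an ECC key and CSR, confirms the CSR carries an EC key before you submit it, and checks an issued certificate for the extension by its OID, 1.3.6.1.4.1.11129.2.1.22. The P-256 curve, the file names and the `sxg.example.test` subject are assumptions.

```shell
#!/bin/sh
# Added example, not DigiCert's tooling. Assumptions: the P-256 curve
# (prime256v1), the file names and the subject are illustrative.
SXG_OID=1.3.6.1.4.1.11129.2.1.22   # CanSignHttpExchanges extension OID

# make_ecc_csr <dir> <common-name>: write <dir>/sxg.key and <dir>/sxg.csr
make_ecc_csr() {
    ( umask 077   # keep the private key readable by its owner only
      openssl ecparam -name prime256v1 -genkey -noout -out "$1/sxg.key" &&
      openssl req -new -sha256 -key "$1/sxg.key" -subj "/CN=$2" \
          -out "$1/sxg.csr" )
}

# csr_is_ecc <csr>: true if the CSR self-signature verifies and the key is EC.
# The text output is matched because older OpenSSL releases exit 0 even
# when -verify fails.
csr_is_ecc() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' &&
    openssl req -in "$1" -noout -text | grep -q 'id-ecPublicKey'
}

# cert_has_sxg_ext <cert.pem>: true if the issued certificate carries the
# CanSignHttpExchanges extension (OpenSSL prints it as a dotted OID).
cert_has_sxg_ext() {
    openssl x509 -in "$1" -noout -text | grep -qF "$SXG_OID"
}

# Demo: build the CSR in a scratch directory and check it before submission.
demo() {
    d=$(mktemp -d) || return 1
    make_ecc_csr "$d" sxg.example.test && csr_is_ecc "$d/sxg.csr" &&
        echo "ECC CSR ready to submit: $d/sxg.csr"
}
demo
```

Once the certificate is issued, `cert_has_sxg_ext issued.pem` confirms the option from step 4 took effect before you deploy it alongside your regular TLS certificate.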
