For certificate, how to enable support for "CanSignHttpExchanges" extension from Google CA

Time:10-04

I want to implement Signed Exchange within my website. I know that, in production, a certificate with the CanSignHttpExchanges extension is needed for the signed exchange. My website is hosted on AWS and I have bought the SSL certificate of my domain from SSL Store. Now I want to buy a certificate from Google CA so that I can get support for the CanSignHttpExchanges extension.

Now, my questions are:

  1. If I buy a certificate from Google CA, does support for the "CanSignHttpExchanges" extension come by default? If not, how can I get the support?

  2. How can I add the certificate in my website?

  3. Is there a way to auto update the certificate periodically?

CodePudding user response:

  1. Google does not sell SSL certificates. AFAIK only Digicert sells (provides) certificates with CanSignHttpExchanges.

  2. Consult the Digicert documentation, as the purchase, Certificate Signing Request and installation require knowing the web server type and DNS provider to determine the steps. You must use ECC TLS certificates.

Get your Signed HTTP Exchanges certificate

  3. You must replace the certificate every 90 days or sooner. The payment can be auto-renewing. Digicert supports the ACME protocol, which requires creating an ACME Directory URL for a Signed HTTP Exchanges certificate. Provided that your account has paid for the certificate, an ACME client can download and install the new certificate.

ACME Directory URLs for Signed HTTP Exchange certificates

Only DV and EV certificates include the CanSignHttpExchanges feature. This requires validating your domain and your company identity. OV is easier, and EV verification is fairly strict. You will need your identity, phone and address details, and company information documents to be in good order and verifiable.
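
A way to check an issued certificate against the three requirements named in the answer above (the CanSignHttpExchanges extension, an ECC key, a lifetime of at most 90 days), as an added example that is not part of the original answer. The OID and its ASN.1 NULL value come from the Signed Exchanges specification rather than from this page; `checkSXGCert` and `makeTestCert` are hypothetical names, and the certificates are constructed self-signed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the CanSignHttpExchanges extension; its value is an ASN.1 NULL.
var oidCanSignHTTPExchanges = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 1, 22}

// checkSXGCert lists the reasons c does not meet the requirements in the answer.
func checkSXGCert(c *x509.Certificate) []string {
	problems := []string{"no CanSignHttpExchanges extension"} // cleared if found
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidCanSignHTTPExchanges) {
			problems = nil
		}
	}
	if _, ok := c.PublicKey.(*ecdsa.PublicKey); !ok {
		problems = append(problems, "key is not ECC")
	}
	if c.NotAfter.Sub(c.NotBefore) > 90*24*time.Hour {
		problems = append(problems, "validity exceeds 90 days")
	}
	return problems
}

// makeTestCert builds a constructed self-signed certificate (sample data; errors ignored).
func makeTestCert(days int, withExt bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(0, 0, days)}
	if withExt {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCanSignHTTPExchanges, Value: []byte{5, 0}}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	fmt.Println(checkSXGCert(makeTestCert(90, true)), checkSXGCert(makeTestCert(365, false)))
}
```

Running the same check on each certificate an ACME client installs catches a renewal that silently came back without the extension or with a longer lifetime.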
