
I was trying to generate a Signed Exchange certificate from Google CA, following this documentation: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial

But now I am facing this error:

"An unexpected error occurred: Public key does not follow policy: Signed HTTP Exchange certificates can not be issued for RSA keys."

Which type of key is used for an SXG certificate?

1 Answer


The type is ECC (Elliptic Curve Cryptography).

This openssl command generates an ECC private key:

```
openssl ecparam -out server.key -name prime256v1 -genkey
```

Google has not released public documentation on generating ECC certificates and keys. Those features are in private preview.

AFAIK only DigiCert sells (provides) certificates with CanSignHttpExchanges.

John Hanley
  • I have generated this command to generate ECC private key and then CSR file using openssl. Then pass that CSR file to certbot CLI to generate SXG certificate from Google CA. I've used their ACME directory for SXG. Now after implementing the certificate, the website isn't working. The SSL handshake isn't happening. – MD. Zeaul Hoque Shuvo Oct 20 '22 at 06:56
  • @MD.ZeaulHoqueShuvo - **is not working** is not a useful problem description. What is not working - meaning what is logged on the server side? – John Hanley Oct 20 '22 at 07:15
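
A preflight check for the workflow described in the answer and the first comment, as an added example that is not part of the original thread or of Google's documentation: it builds the P-256 key and CSR with openssl and refuses any CSR whose public key is RSA, the condition the CA's error message reports. The domain `example.test`, the file names and the function names are constructed, and accepting only prime256v1 is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Domain and file names are constructed.

# Key + CSR as in the answer and comment: P-256 private key, then a CSR from it.
make_ec_csr() {   # $1=key file  $2=CSR file  $3=domain
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" &&
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2"
}

# Print the CSR's public key type: "ec:<curve>", "rsa", "unknown" or "invalid".
csr_key_type() {  # $1=CSR file
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || { echo invalid; return 1; }
    case "$text" in
        *"Public Key Algorithm: id-ecPublicKey"*)
            curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
            echo "ec:${curve:-unknown}" ;;
        *"Public Key Algorithm: rsaEncryption"*) echo rsa ;;
        *) echo unknown ;;
    esac
}

# Return 0 only for the key type the answer's command produces (assumption:
# the CA accepts prime256v1; other curves are rejected here to be conservative).
sxg_preflight() { # $1=CSR file
    ktype=$(csr_key_type "$1")
    if [ "$ktype" = "ec:prime256v1" ]; then
        echo "OK: $1 uses $ktype"
    else
        echo "REJECT: $1 uses $ktype; an SXG order needs an EC key" >&2
        return 1
    fi
}

# Demo on constructed inputs: one EC CSR, one RSA CSR like the failing request.
demo_dir=$(mktemp -d)
make_ec_csr "$demo_dir/ec.key" "$demo_dir/ec.csr" example.test
openssl genrsa -out "$demo_dir/rsa.key" 2048 2>/dev/null
openssl req -new -key "$demo_dir/rsa.key" -subj "/CN=example.test" -out "$demo_dir/rsa.csr"
sxg_preflight "$demo_dir/ec.csr"
sxg_preflight "$demo_dir/rsa.csr" || echo "RSA CSR stopped before submission"
```

Running the check on the CSR before handing it to the ACME client catches a wrong key type locally instead of at issuance time.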