In development, non-signed-exchange (SXG) certificates may be used. In production, a certificate with the CanSignHttpExchanges extension is needed for the signed exchange to be considered valid by SXG caches and browsers.

Certificate authorities (CAs) that are known to support generating such a certificate:

• DigiCert
• Google - Sign up for access, then follow these instructions, except using this ACME Directory for requesting SXG certs: https://dv-sxg.acme-v02.api.pki.goog/