
STIR/SHAKEN Signing Certificates

This configuration section defines the certificates and private keys used for the Identity Signing procedure.

Attributes

Name

A user-friendly name for the signing certificate.

Certificate

The certificate in PEM format. The certificate must use the ecdsa-with-SHA256 signature algorithm.

Private Key

The corresponding ECDSA private key in PEM format. The key must be in PKCS#8 format, i.e. the PEM block must begin with -----BEGIN PRIVATE KEY-----. Keys in SEC1 format (-----BEGIN EC PRIVATE KEY-----) are not supported and must be converted first:

```bash
openssl pkcs8 -topk8 -nocrypt -in EC_key.pem -out pkcs8_key.pem
```

X5U

The X5U parameter for the Identity header. The URL in X5U must point to your certificate and be publicly accessible. Remote systems will use this URL to fetch your certificate during their own Identity validation procedure.

Where to obtain a certificate

STIR/SHAKEN certificates are typically issued by government institutions or authorized intermediaries to registered network operators.

In France, a dedicated platform is available for network operators to manage STIR/SHAKEN certificates: https://www.man-plateforme.fr

To generate a CSR and obtain a certificate, follow the procedure described in the document MAN_Mode_operatoire_Mecanisme_de_Confiance_v1.16_20241011.pdf, section 8.7.2.

TIP

A STIR/SHAKEN certificate is required to include the tn_auth_list extension. Therefore, if you plan to test STIR/SHAKEN signing using a self-signed certificate, make sure your certificate contains this extension. For detailed instructions, see: https://blog.opensips.org/2022/10/31/how-to-generate-self-signed-stir-shaken-certificates/
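The following preflight script is an added example, not part of this documentation or of the product it describes. It checks the signing material against the requirements listed in the Attributes section and in the TIP above before it is configured: the certificate signature algorithm is ecdsa-with-SHA256, the private key is PKCS#8 (a SEC1 key is reported together with the conversion command), the key actually belongs to the certificate, the tn_auth_list extension is present, and the X5U value is a URL remote verifiers can fetch. It assumes the `openssl` command-line tool is installed; the extension OID 1.3.6.1.5.5.7.1.26 is id-pe-TNAuthList from RFC 8226. Requiring an https X5U is this script's own policy (the page only requires the URL to be publicly accessible).

```shell
#!/bin/sh
# Preflight check for STIR/SHAKEN signing material (added example, not from
# the original page). Requires the openssl command-line tool.

# OID of the tn_auth_list extension (id-pe-TNAuthList, RFC 8226).
TNAUTHLIST_OID="1.3.6.1.5.5.7.1.26"

# check_signing_material CERT.pem KEY.pem X5U_URL
# Prints one line per check and returns 0 only if every check passes.
check_signing_material() {
    cert="$1"; key="$2"; x5u="$3"; rc=0

    # 1. The certificate must be signed with ecdsa-with-SHA256.
    sigalg=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
             | grep 'Signature Algorithm:' | head -n 1 | awk '{print $3}')
    if [ "$sigalg" = "ecdsa-with-SHA256" ]; then
        echo "ok   certificate signature algorithm is ecdsa-with-SHA256"
    else
        echo "FAIL signature algorithm is '${sigalg:-unknown}', expected ecdsa-with-SHA256"
        rc=1
    fi

    # 2. The private key must be PKCS#8; a SEC1 key needs the pkcs8 conversion.
    if grep -q -- '-----BEGIN PRIVATE KEY-----' "$key"; then
        echo "ok   private key is in PKCS#8 format"
    elif grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$key"; then
        echo "FAIL private key is SEC1; convert it with:"
        echo "     openssl pkcs8 -topk8 -nocrypt -in $key -out pkcs8_key.pem"
        rc=1
    else
        echo "FAIL private key is not an unencrypted PEM private key"
        rc=1
    fi

    # 3. The key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   private key matches the certificate"
    else
        echo "FAIL private key does not match the certificate"
        rc=1
    fi

    # 4. The certificate must carry the tn_auth_list extension. openssl prints
    #    extensions it has no name for by OID, so match either form.
    if openssl x509 -in "$cert" -noout -text 2>/dev/null \
       | grep -q -e "$TNAUTHLIST_OID" -e 'TNAuthList'; then
        echo "ok   tn_auth_list extension present"
    else
        echo "FAIL tn_auth_list extension ($TNAUTHLIST_OID) missing"
        rc=1
    fi

    # 5. X5U must be fetchable by remote verifiers; this script requires https
    #    (the page itself only requires the URL to be publicly accessible).
    case "$x5u" in
        https://*) echo "ok   X5U is an https URL: $x5u" ;;
        *) echo "FAIL X5U must be a publicly reachable https URL, got '$x5u'"; rc=1 ;;
    esac

    return $rc
}

# Usage: ./check_signing_material.sh cert.pem key.pem https://host/path/cert.pem
if [ "$#" -eq 3 ]; then
    check_signing_material "$1" "$2" "$3"
fi
```

Run it on the certificate and key you are about to enter, with the X5U value you intend to publish; a non-zero exit status means at least one requirement from this page is not met, and the FAIL line says which.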