STIR/SHAKEN Signing Certificates
This configuration section defines the certificates and private keys used for the Identity Signing procedure.
Attributes
- Name
- A user-friendly name for the signing certificate.
- Certificate
- The certificate in PEM format. The certificate must use the
ecdsa-with-SHA256signature algorithm. - Private Key
- The corresponding ECDSA private key in PEM format.
- X5U
- The X5U parameter for the Identity header. The URL in X5U must point to your certificate and be publicly accessible. Remote systems will use this URL to fetch your certificate during their own Identity validation procedure.
Where to obtain certificate
STIR/SHAKEN certificates are typically issued by government institutions or authorized intermediaries to registered network operators.
In France, a dedicated platform is available for network operators to manage STIR/SHAKEN certificates: https://www.man-plateforme.fr
To generate a CSR and obtain a certificate, follow the procedure described in the document MAN_Mode_operatoire_Mecanisme_de_Confiance_v1.16_20241011.pdf, section 8.7.2.
TIP
A STIR/SHAKEN certificate is required to include the tn_auth_list extension. Therefore, if you plan to test STIR/SHAKEN signing using a self-signed certificate, make sure your certificate contains this extension. For detailed instructions, see: https://blog.opensips.org/2022/10/31/how-to-generate-self-signed-stir-shaken-certificates/