Certificates are used in ClearIP to sign calls during authentication and to verify signatures during verification. Every service provider has a certificate that clearly identifies the service provider and enables the service provider that originates a call to sign that call. The certificate of the originating service provider is used by the terminating service provider to verify the signature on the call.
Requirements for obtaining SHAKEN Certificates
To participate in STIR/SHAKEN and authenticate outbound calls, the organization must be registered as a service provider with the STI-PA (policy administrator) in the relevant country.
Country | Link to Register | Eligibility Requirements | List of Authorized Service Providers |
---|---|---|---|
United States | STI-PA Registration | File annual form 499A, have an OCN from NECA, file in FCC robocall mitigation database | Authorized Service Providers |
Canada | STI-GA Registration | Have a current year DCS and direct access to Canadian Telephone Numbers | Members |
Create API User in STI-PA Web Portal
For service providers based in the United States, once registration with the STI-PA (iconectiv) has been approved, a set of STI-PA account credentials is issued for login access to the STI-PA web portal. In the STI-PA web portal, a separate API User must be created. The login credentials for the API user must be entered into ClearIP to generate STI-PA-authorized STI certificates.
- Log into the STI-PA web portal at https://authenticateapp.iconectiv.com. NOTE: The STI-PA has both a staging environment and a production environment. Please ensure the login credentials for the production site are used at the link included above.
- Navigate to the User Management page.
- Click on Add User and set the Role to “API User”. Use an email address that is not currently associated with a different STI-PA user account. You must be able to read emails sent to the address configured for the API user.
- An email confirmation with a link to set login credentials for the API user account should be received.
- Click the link in the email and set a user ID and password for the API user account.
- NOTE: User ID must be less than 256 characters long to be compatible with ClearIP
- NOTE: Password must be less than 190 characters long to be compatible with ClearIP
- Save the login credentials assigned to this API user account because they will need to be entered into ClearIP.
- Navigate to the Account Profile page. Take note of the Service Provider ID. This will need to be entered into ClearIP.
NOTE: If a password is created with characters that ClearIP does not accept, the API user password must be reset by clicking the Reset Password button on the STI-PA login screen.
Setup Certificate in ClearIP
To request STIR/SHAKEN certificates through ClearIP, users must add an entry in the Certificates page and specify their OCN (Operating Company Number) in the SPID field. If multiple OCNs should be used to sign different sets of calls, a new entry can be created in the Certificates page for each OCN.
Each OCN must be registered with the PA and listed under the Service Provider Code(s) section before being added to ClearIP.
After the API user is created, log into ClearIP and go to the Certificates page under the STI dropdown menu. Click the Add button and fill out the form as follows:
- Set the Name as a readable name to refer to the certificates (e.g. “ABC Telecom STI PA Certificates”)
- Set the SPID as the Operating Company Number (OCN) in the STI-PA web portal. If certificates are created for multiple OCNs, each entry needs its own unique OCN in the SPID field.
- Set the STI-PA Account ID as the primary Operating Company Number (OCN) from the STI-PA web portal. If certificates were created for multiple OCNs, the STI-PA Account ID will be the same primary OCN value for all Certificate records.
- Set the STI-PA User ID as the username of the API user
- Set the STI-PA Password as the password of the API user
For multiple OCNs, it is possible to use a single OCN and certificate to sign all calls. To create separate certificates for different OCN values instead, enter each OCN in the SPID field of its own entry; the STI-PA Account ID field will be the same for all certificates.
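A pre-flight check for the values entered in the steps above, as an added example that is not ClearIP or iconectiv code: it applies the length limits on the API user credentials and the multi-OCN rules (a unique OCN per SPID, one shared STI-PA Account ID) to a planned set of entries, and never echoes a password in its findings. The `CertRecord` model, the `lint` function, the case-insensitive comparison and the sample OCNs and credentials are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

MAX_USER_ID_LEN = 255   # page: User ID must be less than 256 characters
MAX_PASSWORD_LEN = 189  # page: Password must be less than 190 characters

@dataclass(frozen=True)
class CertRecord:
    """Hypothetical model of one entry on the ClearIP Certificates page."""
    name: str
    spid: str
    account_id: str
    user_id: str
    password: str

def lint(records):
    """Return findings for a planned set of entries; never echoes a password."""
    findings = []
    # Multi-OCN rule: every record carries the same primary OCN as Account ID.
    accounts = sorted({r.account_id.strip().upper() for r in records})
    if len(accounts) > 1:
        findings.append(f"STI-PA Account ID differs across records: {accounts}")
    # Multi-OCN rule: each record has its own OCN as SPID (case folding assumed).
    spids = Counter(r.spid.strip().upper() for r in records)
    for spid, count in sorted(spids.items()):
        if spid and count > 1:
            findings.append(f"SPID {spid} appears in {count} records")
    for r in records:
        for label, value in (("SPID", r.spid), ("STI-PA Account ID", r.account_id)):
            if not value.strip():
                findings.append(f"{r.name}: {label} is empty")
        if not 0 < len(r.user_id) <= MAX_USER_ID_LEN:
            findings.append(f"{r.name}: User ID length {len(r.user_id)} "
                            f"is outside 1..{MAX_USER_ID_LEN}")
        if not 0 < len(r.password) <= MAX_PASSWORD_LEN:
            findings.append(f"{r.name}: password length {len(r.password)} "
                            f"is outside 1..{MAX_PASSWORD_LEN}")
    return findings

# Constructed sample input: placeholder OCNs and credentials, not real values.
SAMPLE = [
    CertRecord("ABC Telecom A", "123A", "123A", "api-user", "x" * 40),
    CertRecord("ABC Telecom B", "456B", "123A", "api-user", "x" * 40),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE) or ["no findings"]:
        print(finding)
```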
Each ClearIP certificate is valid for 7 days. ClearIP automatically generates new certificates before the current certificate expires, so users do not have to perform any additional steps to maintain certificates. ClearIP ensures that a valid certificate is always available in the service provider’s certificate repository to prevent service disruption.
View Certificates in SIP Messages
To view the currently available certificate, click on the Show button on a recent record in the SIP Messages page.
If there are any issues with generating certificates, ClearIP sends an email to the System Email for the Technical Contact associated with the ClearIP account.