Certificates

Introduction

Certificates are used in ClearIP to sign calls during authentication and to verify signatures during verification. Every service provider has a certificate that clearly identifies the service provider and enables the service provider that originates a call to sign that call. The certificate of the originating service provider is used by the terminating service provider to verify the signature on the call.

Requirements for obtaining SHAKEN Certificates

To participate in STIR/SHAKEN and authenticate your outbound calls, your organization must be registered as a service provider with the STI-PA (policy administrator) in the relevant country.

| Country | Link to Register | Eligibility Requirements | List of Authorized Service Providers |
|---|---|---|---|
| United States | STI-PA Registration | File annual form 499A, have an OCN from NECA, file in FCC robocall mitigation database | Authorized Service Providers |
| Canada | STI-GA Registration | Have a current year DCS and direct access to Canadian Telephone Numbers | Members |

Create API User in STI-PA Web Portal

For service providers based in the United States, once registration with the STI-PA iconectiv has been approved, you will obtain a set of STI-PA account credentials for login access to the STI-PA web portal. In the STI-PA web portal, you must create a separate API User. The login credentials for the API user must be entered into ClearIP to generate STI-PA-authorized STI certificates.

  1. Log into the STI-PA web portal at https://authenticateapp.iconectiv.com. Note: The STI-PA has both a staging environment and a production environment. Please ensure you use the login credentials for the production site at the link included above.
  2. Navigate to the User Management page.
  3. Click on Add User and select the Role to be “API User”. You must set an email address that is not currently associated with a different STI-PA user account. You must have access to read emails sent to the email address configured for the API user.
  4. You will get an email confirmation with a link to set login credentials for the API user account.
  5. Click the link in the email and set a user ID and password for the API user account.
    • Please note: When you set your user ID and password, you must follow this requirement for ClearIP: they must be less than 256 characters long.
  6. Save the login credentials assigned for this API user account because you will need to enter that information into ClearIP.
  7. Navigate to the Account Profile page. Take note of the Service Provider ID. You will need to enter this into ClearIP.

Note: If you create a password with characters that ClearIP does not accept, then you must reset your API user password by clicking the Reset Password button on the STI-PA login screen.


Setup Certificate in ClearIP

To request STIR/SHAKEN certificates through ClearIP, users must add an entry in the Certificates page and specify their OCN (Operating Company Number) in the SPID field. If multiple OCNs should be used to sign different sets of calls, then a new entry can be created in the Certificates page for each OCN.

Each OCN must be registered with the PA and listed under the Service Provider Code(s) section before being added to ClearIP.

STI-PA Account Info

After the API user is created, log into ClearIP and go to the Certificates page under the STI menu. Click the green Add button and fill out the fields as follows:

  • Set the Name as a readable name to refer to the certificates (e.g. “ABC Telecom STI PA Certificates”)
  • Set the SPID as the Operating Company Number (OCN) in the STI-PA web portal. If you create certificates for multiple OCNs, you will add the unique OCN in the SPID field.
  • Set the STI-PA Account ID as the primary Operating Company Number (OCN) from the STI-PA web portal. If you create certificates for multiple OCNs, the STI-PA Account ID will be the same primary OCN value for all Certificate records.
  • Set the STI-PA User ID as the username of the API user
  • Set the STI-PA Password as the password of the API user

Request STI-PA authorized certificates

If you have multiple OCNs, you can choose to use a single OCN and certificate to sign all your calls. If you prefer to create separate certificates for different OCN values, then you can enter the different OCN in the SPID field, but the STI-PA Account ID field will be the same for all certificates.


Each ClearIP certificate is valid for 7 days. ClearIP automatically generates new certificates before the current certificate expires, so users do not have to perform any additional steps to maintain certificates. ClearIP ensures that a valid certificate is always available in the service provider’s certificate repository to prevent service disruption.

Test Certificate

If your organization has not yet been approved as a service provider by the STI-PA, then ClearIP can use a test certificate to enable testing with STIR/SHAKEN authentication. For the test certificate, you do not need to create any record in the Certificates page. When the Authentication Policy is created, the Certificate field is left blank to use the default test certificate. With the test STI certificate, the attestation level is limited to C regardless of the attestation level selected in the Action field.


View certificates in SIP Messages

To view your currently available certificate, click on the blue Show button.

If there are any issues with generating your certificate, then ClearIP sends an email to the System Email for the Technical Contact associated with your ClearIP account.
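
To confirm from a captured SIP message which certificate URL and attestation level a signed call carries (for example, that a call signed with the test certificate shows attestation C), you can decode the PASSporT in the Identity header. This is an added example, not ClearIP code. The function names, certificate URL, telephone numbers and signature bytes are constructed placeholders, and the signature is not verified.

```python
import base64
import json
import re

def _b64url_decode(part):
    # PASSporT segments are unpadded base64url (RFC 7515); restore padding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_identity(sip_message):
    """Report certificate URL and attestation from a SIP Identity header.
    Inspection only: the ES256 signature is NOT verified here."""
    m = re.search(r"^Identity:[ \t]*([^;\s]+)([^\r\n]*)", sip_message, re.I | re.M)
    if not m:
        raise ValueError("no Identity header: the call carries no signature")
    parts = m.group(1).split(".")
    if len(parts) != 3:
        raise ValueError("token is not header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    info = re.search(r";\s*info=<([^>]+)>", m.group(2))
    findings = []
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        findings.append("not a SHAKEN ES256 PASSporT")
    if not str(header.get("x5u", "")).startswith("https://"):
        findings.append("certificate URL (x5u) is not HTTPS")
    if info is None or info.group(1) != header.get("x5u"):
        findings.append("info parameter does not match x5u")
    if payload.get("attest") not in ("A", "B", "C"):
        findings.append("missing or invalid attest claim")
    return {"x5u": header.get("x5u"), "attest": payload.get("attest"),
            "orig": payload.get("orig", {}).get("tn"), "findings": findings}

# Constructed sample: placeholder URL, fictional numbers, dummy signature.
CERT_URL = "https://certs.example.test/placeholder.pem"
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT_URL}),
    _b64url_encode({"attest": "C", "dest": {"tn": ["12025550123"]}, "iat": 1700000000,
                    "orig": {"tn": "12025550100"}, "origid": "00000000-0000-4000-8000-000000000000"}),
    base64.urlsafe_b64encode(bytes(64)).rstrip(b"=").decode(),
])
SAMPLE_INVITE = (
    "INVITE sip:+12025550123@example.test SIP/2.0\r\n"
    f"Identity: {SAMPLE_TOKEN};info=<{CERT_URL}>;alg=ES256;ppt=shaken\r\n\r\n"
)
print(inspect_identity(SAMPLE_INVITE))
```

An empty findings list means the header is well formed; the terminating provider still has to fetch the certificate and verify the signature.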