Introduction
Certificates are used in ClearIP to sign calls during authentication and to verify signatures during verification. Every service provider has a certificate that clearly identifies the service provider and enables the service provider that originates a call to sign that call. The certificate of the originating service provider is used by the terminating service provider to verify the signature on the call.
Requirements for obtaining SHAKEN Certificates
To participate in STIR/SHAKEN and authenticate your outbound calls, your organization must be registered as a service provider with the STI-PA (policy administrator) in the relevant country.
Country | Link to Register | Eligibility Requirements | List of Authorized Service Providers |
---|---|---|---|
United States | STI-PA Registration | File annual form 499A, have an OCN from NECA, file in FCC robocall mitigation database | Authorized Service Providers |
Canada | STI-GA Registration | Have a current year DCS and direct access to Canadian Telephone Numbers | Members |
Create API User in STI-PA Web Portal
For service providers based in the United States, once registration with the STI-PA iconectiv has been approved, you will obtain a set of STI-PA account credentials for login access to the STI-PA web portal. In the STI-PA web portal, you must create a separate API User. The login credentials for the API user must be entered into ClearIP to generate STI-PA-authorized STI certificates.
- Log into the STI-PA web portal at https://authenticateapp.iconectiv.com. Note: The STI-PA has both a staging environment and a production environment. Please ensure you use the login credentials for the production site at the link included above.
- Navigate to the User Management page.
- Click on Add User and select the Role to be “API User”. You must set an email address that is not currently associated with a different STI-PA user account. You must have access to read emails sent to the email address configured for the API user.
- You will get an email confirmation with a link to set login credentials for the API user account.
- Click the link in the email and set a user ID and password for the API user account.
- Please note: When you set your user ID and password, you must follow these requirements for ClearIP: less than 256 characters long.
- Save the login credentials assigned for this API user account because you will need to enter that information into ClearIP.
- Navigate to the Account Profile page. Take note of the Service Provider ID. You will need to enter this into ClearIP.
Note: If you create a password with characters that ClearIP does not accept, then you must reset your API user password by clicking the Reset Password button on the STI-PA login screen.
Setup Certificate in ClearIP
To request STIR/SHAKEN certificates through ClearIP, users must add an entry in the Certificates page and specify their OCN (Operating Company Number) in the SPID field. If multiple OCNs should be used to sign different sets of calls, then a new entry can be created in the Certificates page for each OCN.
Each OCN must be registered with the PA and listed under the Service Provider Code(s) section before being added to ClearIP.
After the API user is created, log into ClearIP and go to the Certificates page under the STI menu. Click the green Add button and fill out the fields as follows:
- Set the Name as a readable name to refer to the certificates (e.g. “ABC Telecom STI PA Certificates”)
- Set the SPID as the Operating Company Number (OCN) in the STI-PA web portal. If you create certificates for multiple OCNs, you will add the unique OCN in the SPID field.
- Set the STI-PA Account ID as the primary Operating Company Number (OCN) from the STI-PA web portal. If you create certificates for multiple OCNs, the STI-PA Account ID will be the same primary OCN value for all Certificate records.
- Set the STI-PA User ID as the username of the API user
- Set the STI-PA Password as the password of the API user
If you have multiple OCNs, you can choose to use a single OCN and certificate to sign all your calls. If you prefer to create separate certificates for different OCN values, then you can enter the different OCN in the SPID field, but the STI-PA Account ID field will be the same for all certificates.
Each ClearIP certificate is valid for 7 days. ClearIP automatically generates new certificates before the current certificate expires, so users do not have to perform any additional steps to maintain certificates. ClearIP ensures that a valid certificate is always available in the service provider’s certificate repository to prevent service disruption.
Test Certificate
If your organization has not yet been approved as a service provider by the STI-PA, then ClearIP can use a test certificate to enable testing with STIR/SHAKEN authentication. For the test certificate, you do not need to create any record in the Certificates page. When the Authentication Policy is created, the Certificate field is left blank to use the default test certificate. With the test STI certificate, the attestation level is limited to C regardless of the attestation level selected in the Action field.
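To confirm which attestation level and certificate a signed call actually carries (for example, that a call signed with the test certificate shows attestation C), decode the PASSporT in the SIP Identity header. This is an added example, not ClearIP code: the function names are hypothetical, and the sample header, telephone numbers, origid and certificate URL are constructed. It decodes only and does not verify the signature or the certificate chain.

```python
import base64
import json
import re

def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in PASSporT (JWS) segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_identity(header_value: str) -> dict:
    """Parse a SIP Identity header value (RFC 8224) carrying a SHAKEN PASSporT."""
    token, _, params = header_value.strip().partition(";")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must have three dot-separated segments")
    hdr = json.loads(b64url_decode(parts[0]))      # protected header: alg, ppt, x5u
    claims = json.loads(b64url_decode(parts[1]))   # payload: attest, orig, dest, origid
    info = re.search(r"info=<([^>]+)>", params)
    findings = []
    if hdr.get("ppt") != "shaken" or hdr.get("alg") != "ES256":
        findings.append("not an ES256 SHAKEN PASSporT")
    if info is None or info.group(1) != hdr.get("x5u"):
        findings.append("info parameter missing or does not match x5u")
    if claims.get("attest") not in ("A", "B", "C"):
        findings.append("missing or invalid attest claim")
    return {"x5u": hdr.get("x5u"), "attest": claims.get("attest"),
            "orig_tn": claims.get("orig", {}).get("tn"),
            "origid": claims.get("origid"), "findings": findings}

def build_sample(attest: str, x5u: str, info: str) -> str:
    """Constructed sample header value; the signature segment is a placeholder."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": ["12155550101"]},
              "iat": 1700000000, "orig": {"tn": "12155550100"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = f"{b64url_encode(hdr)}.{b64url_encode(claims)}.c2ln"
    return f"{token};info=<{info}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    url = "https://certs.example.invalid/sample.pem"  # constructed URL
    print(inspect_identity(build_sample("C", url, url)))
```

Paste the Identity header value from a captured SIP INVITE into `inspect_identity` to see the `attest` claim and the `x5u` certificate URL the terminating provider will fetch.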
View certificates in SIP Messages
To view your currently available certificate, click on the blue Show button.
If there are any issues with generating your certificate, then ClearIP sends an email to the System Email for the Technical Contact associated with your ClearIP account.