Canadian CST-GA, STI-PA and STI-CA on-boarding steps

Sansay is an approved Certificate Authority (STI-CA) in Canada. This document provides necessary information to become part of the STIR/SHAKEN ecosystem in Canada.

CST-GA

The CST-GA governs the STIR/SHAKEN ecosystem in Canada. Canadian STIR/SHAKEN participants are:

• STI-PA (Policy Administrator)
• TSP (Telephone Service Provider)
• STI-CA (Certificate Authority).

As a Service Provider the first step to receive approval is to complete the CST-GA application form: https://cstga.ca/participate/tsps/

Application requirements include obtaining an OCN (Operating Carrier Number) from NECA that is specific to Canada. If the OCN is registered to a related company, the related company must be registered with the CRTC to provide voice services in Canada and listed on the application.

STI-PA

After the CST-GA application process has been completed you will receive an on-boarding e-mail asking you to complete User Acceptance Testing against the CST-GA portal and the STI-PA. To complete important parts of the STI-PA UAT you will first need to enroll your company with the STI-PA.

The company’s primary contact will e-mail Neustar Customer Support
(communications@support.neustar) to initiate the enrollment process which will include executing an STI-PA User Agreement. The e-mail should contain the following information: 1) primary contact name, 2) phone number, 3) e-mail address and 4) Company name. If known, the primary contact should also provide the IP addresses to add to their Company’s Access Control List (ACL) for the UAT environment. The primary contact will then receive an enrollment e-mail from Neustar Customer Support with provided User ID and a temporary password. 

To complete the STI-PA UAT process we will need you to create an API user as it is illustrated below. sansay_api is just an example username not a requirement. The e-mail address must be your organization's name @sansay-ca.com

STI-CA

Upon completing CST-GA and STI-PA UATs Sansay can continue the onboarding process. Sansay will proceed to create your account in the Sansay STI-CA portal.  This portal provides tools that facilitate certificate management.  Obtaining a certificate via Sansay's CA web portal takes less than five minutes and it is done in three easy steps.

1. When the account is created you Sansay will enable access to your list of authorized users. Users will receive an introductory e-mail to reset their passwords as displayed below.  We suggest that the following steps (2-6) are only completed by one user.
2. Log into Sansay STI-CA portal by clicking on the Reset Password button or link and entering your password. A few seconds after you set your new password you will redirected to the main login page.
3. After successfully login to the portal you will see a welcome page. From the STI-CA portal we will be completing three steps to issue your SHAKEN certificate. The steps are as described above:
   • Generate a private key per SPC code (SPC code is usually linked to your OCN).
   • Generate a certificate signature request (CSR). 
   • Create your certificate.
4. Create private key. Browse to Keys (top navigation bar) then click on Add. Select your SPC code (previously loaded by Sansay during account setup) and give your key a memorable name. Immediately after the key is generated your browser will auto-initiate a key download. You will need this key later on.  
5. Create CSR. Browse to CSRs and click on Add. It is important to associate the CSR with the previously generated key.  (You don't need to download the CSR).  
6. Generate certificate. Browse to Certificates and click on Add. You will be asked for the following information:
   • Key Pair (Private Key) generated in step 4.
   • CSR generated in step 5.
   • Certificate type: Standard End Entity.
   • Lifespan: Your choice from 1 to X days. Maximum is generally 6 months.
   • Certificate Repository (STI-CR) URL. If left blank it will be auto generated.