Canadian CST-GA, STI-PA and STI-CA on-boarding steps
Sansay is an approved Certificate Authority (STI-CA) in Canada. This document provides the necessary information for becoming part of the STIR/SHAKEN ecosystem in Canada, specifically focusing on obtaining a Canadian STI Certificate from Sansay STI-CA.
CST-GA
The CST-GA governs the STIR/SHAKEN ecosystem in Canada. Canadian STIR/SHAKEN participants are:
- STI-PA (Policy Administrator)
- TSP (Telephone Service Provider)
- STI-CA (Certificate Authority)
As a Service Provider, the first step toward approval is to complete the CST-GA application form: https://cstga.ca/participate/tsps/
Application requirements include obtaining an OCN (Operating Carrier Number) from NECA that is specific to Canada. If the OCN is registered to a related company, the related company must be registered with the CRTC to provide voice services in Canada and listed on the application.
STI-PA
After completing the CST-GA application process, you'll receive an on-boarding email requesting you to perform User Acceptance Testing (UAT) on both the CST-GA portal and the STI-PA. To complete critical portions of the STI-PA UAT, you must first enroll your company with STI-PA.
STI-PA Enrollment Steps
Your company's primary contact should email Neustar Customer Support (communications@support.neustar) to begin the enrollment process, which includes executing an STI-PA User Agreement. The email should contain:
- Primary contact name
- Phone number
- Email address
- Company name
If available, the primary contact should also provide the IP addresses to add to your company's Access Control List (ACL) for the UAT environment. After submission, the primary contact will receive an enrollment email from Neustar Customer Support containing a User ID and temporary password.
Completing STI-PA UAT
To complete the STI-PA UAT process, you'll need to create an API user as shown below. Note that "sansay_api" is just an example username, not a requirement. You will be required to enter the API credentials in our STI-CA portal. Please have the API credentials available.
STI-CA
Upon completing the CST-GA and STI-PA UATs, Sansay can continue the onboarding process. Sansay will proceed to create your account in the Sansay STI-CA portal. This portal provides tools that facilitate certificate management, including manual certificate issuance tools and ACME (Automated Certificate Management Environment) endpoint whitelisting. Obtaining a certificate via Sansay's CA web portal takes less than five minutes and is done in three easy steps.
1. When the account is created, Sansay will enable access for your list of authorized users. Users will receive an introductory e-mail to reset their passwords as displayed below. We suggest that the following steps (2-6) are completed by only one user.
2. Log into the Sansay STI-CA portal by clicking on the Reset Password button or link and entering your password. A few seconds after you set your new password, you will be redirected to the main login page.
3. After successfully logging in to the portal, you will see a welcome page. From the STI-CA portal, we will complete three steps to issue your SHAKEN certificate.
The three steps are:
- Generate a private key per SPC code (SPC code is usually linked to your OCN).
- Generate a certificate signature request (CSR).
- Create your certificate.
4. Create private key. Browse to Keys (top navigation bar) then click on Add. Select your SPC code (previously loaded by Sansay during account setup) and give your key a memorable name. Immediately after the key is generated, your browser will auto-initiate a key download. You will need this key later on.
5. Create CSR. Browse to CSRs and click on Add. It is important to associate the CSR with the previously generated key. (You don't need to download the CSR.)
6. Generate certificate. Browse to Certificates and click on Add. You will be asked for the following information:
   - Key Pair (Private Key) generated in step 4.
   - CSR generated in step 5.
   - Certificate type: Standard End Entity.
   - Lifespan: Your choice from 1 to X days. Maximum is generally 6 months.
   - Certificate Repository (STI-CR) URL. If left blank it will be auto generated.
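Before deploying the result, it is worth confirming locally that the issued certificate belongs to the private key downloaded when the key was created, and that it has enough lifetime left to plan renewal. The script below is an added example, not Sansay tooling or code from the portal; it assumes OpenSSL is installed and that the key and certificate are saved locally as PEM files (the file names are placeholders).

```bash
#!/usr/bin/env bash
# Added example, not Sansay tooling. File names passed in are placeholders.
# Usage: ./check_shaken_pair.sh KEY.pem CERT.pem [MIN_DAYS]

# SHA-256 of a PEM public key read from stdin.
_fpr() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Fingerprint of the public key derived from a private key file.
key_pub_fpr() {
    local pem
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1      # never hash empty output
    printf '%s\n' "$pem" | _fpr
}

# Fingerprint of the public key embedded in a certificate file.
cert_pub_fpr() {
    local pem
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | _fpr
}

# Succeeds only when the certificate was issued for this private key.
key_matches_cert() {
    local k c
    k=$(key_pub_fpr "$1") || return 1
    c=$(cert_pub_fpr "$2") || return 1
    [ "$k" = "$c" ]
}

# Succeeds when the certificate is still valid MIN_DAYS from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Combined check: 0 = ok, 1 = key/certificate mismatch, 2 = renewal due.
check_shaken_pair() {
    local days="${3:-30}"
    key_matches_cert "$1" "$2" || { echo "FAIL: certificate does not match key"; return 1; }
    cert_valid_for_days "$2" "$days" || { echo "WARN: expires within $days days"; return 2; }
    echo "OK: key and certificate match, valid for at least $days more days"
}

# Run only when both file arguments are given.
if [ "$#" -ge 2 ]; then check_shaken_pair "$@"; fi
```

The non-zero exit codes make the script usable from a scheduled job, so an approaching expiry is noticed before the certificate lapses.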
ACME Renewals
For customers with infrastructure capable of ACME renewals, such as Sansay NSS, the only required step is to whitelist the endpoint(s).