Transition to Automated Certificate Renewals

Sansay NSS supports the automation of certificate renewals as defined in ATIS-1000080. Automated renewals combine the simplicity of certificate lifecycle management with enhanced security through short validity periods, limiting exposure if a certificate is compromised.

Every STIR/SHAKEN certificate requires an SPC token, which serves as proof that your organization is eligible to obtain a certificate and is in good standing with the STIR/SHAKEN ecosystem policed by the STI-PA. The SPC token requirement is an important pre-requisite because access to the STI-PA API is controlled by an access list.

Pre-requisites

  • Whitelist all NSS units as API endpoints following the STI-PA authorization form. 
  • Ensure NSS is running version 5.4.596 or later. You can view the version of NSS under System > General: System Code Version.
  • Have API user credentials that NSS will use to obtain the SPC token from the STI-PA infrastructure.
  • Provide your Certificate Signing Request details:
    • State
    • Location (City)
    • Organization Name
    • Organization Unit
    • E-mail address
    • SPC ID
  • Certificate lifetime. We recommend 30 days with daily renewals. A shorter timespan is also possible.
  • Coordinate a maintenance window with Sansay Support if your NSS is in production. The enablement of automatic renewal requires a software restart.

The enablement configuration is completed by Sansay Support, who verify connectivity to the STI-PA and STI-CA as well as the API login, so that the certificate order succeeds.

Functionality

Once automated renewals are enabled, NSS will obtain a new STIR/SHAKEN certificate along with a new private key on a daily basis using the specified certificate lifetime. Every time the Sansay STI-CA issues a certificate, it generates a new certificate URL, which NSS also updates automatically.

In the event NSS fails to obtain a certificate, it will attempt again within the next 24 hours. Alert events are available for renewal failures as well as for upcoming certificate expiration. In addition to the alerts you can opt to receive, Sansay TAC will notify you if any issues are detected with your automated renewals.
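
An independent check an operator could run alongside these alerts, as an added example that is not part of NSS or of Sansay's documentation: it reads the validity dates of the certificate currently in service (the two lines printed by `openssl x509 -noout -dates`) and reports how many daily renewals appear to have been missed. The state names, the 6-hour grace value and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Policy taken from the page: certificates are renewed daily, and a failed
# renewal is retried within the next 24 hours.
RENEW_EVERY = timedelta(days=1)
# Assumption: slack for CA backdating of notBefore and for scheduling jitter.
GRACE = timedelta(hours=6)
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_dates(openssl_dates):
    """Parse the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates`."""
    fields = dict(line.split("=", 1) for line in openssl_dates.strip().splitlines())
    def to_utc(value):
        # openssl pads single-digit days with a space; collapse it first.
        return datetime.strptime(" ".join(value.split()), OPENSSL_FMT).replace(tzinfo=timezone.utc)
    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])

def renewal_health(openssl_dates, now):
    """Classify the certificate in service against the daily-renewal policy."""
    not_before, not_after = parse_dates(openssl_dates)
    remaining = not_after - now
    # Whole renewal cycles that elapsed without a newer certificate replacing this one.
    missed = max(0, (now - not_before - GRACE) // RENEW_EVERY)
    if remaining <= timedelta(0):
        state = "EXPIRED"    # past notAfter
    elif missed >= 2:
        state = "STALLED"    # the 24-hour retry did not succeed either
    elif missed == 1:
        state = "RETRYING"   # one renewal missed, retry window still open
    else:
        state = "OK"
    return {"state": state, "missed_renewals": missed,
            "days_left": round(remaining / timedelta(days=1), 1)}

# Constructed sample: a 30-day certificate issued on 4 March and never replaced.
SAMPLE = "notBefore=Mar  4 04:00:00 2025 GMT\nnotAfter=Apr  3 04:00:00 2025 GMT\n"

if __name__ == "__main__":
    for when in (datetime(2025, 3, 4, 12, tzinfo=timezone.utc),
                 datetime(2025, 3, 5, 12, tzinfo=timezone.utc),
                 datetime(2025, 3, 9, 12, tzinfo=timezone.utc),
                 datetime(2025, 4, 3, 5, tzinfo=timezone.utc)):
        print(when.isoformat(), renewal_health(SAMPLE, when))
```

With a 30-day lifetime, a STALLED result still leaves weeks of validity, which is the margin the short-lived, daily-renewed scheme is meant to provide for fixing the underlying failure.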
