Three Steps to Obtain a STIR/SHAKEN Certificate
This article illustrates the three simple steps to obtain a STIR/SHAKEN certificate using the Sansay STI-CA web portal.
Pre-requisites:
- Approval from STI-PA. Related article: Working with the STI-PA https://support.sansay.com/t/p8hlsht/working-with-the-sti-pa#approval-phase
- STI-PA API User creation: https://support.sansay.com/t/y4hz3jc#sti-pa-api-user
STI-CA Web Portal
After completing registration with the STI-PA and creating an API user, Sansay Support will create an STI-CA account on Sansay's web portal. Here are the three steps to obtain your certificate.
Step 1: Private Key
Create a private key.
The private key can be securely generated via the web portal or imported.
Upon generating the key you will have the option to download and delete it.
Step 2: Certificate Signing Request
The Certificate Signing Request (CSR) contains information related to your organization. It is very similar to the CSR for a standard TLS certificate, with the difference that a STIR/SHAKEN CSR carries your SPC (Service Provider Code).
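Added example (not Sansay's code or portal output): in SHAKEN (ATIS-1000080, RFC 8226) the SPC travels in the TNAuthList certificate extension, which matters when a CSR is built outside the portal and imported. This Python example DER-encodes that extension for one SPC, formats it for an openssl config and for an ACME identifier, and parses it back; the function names and the sample SPC 709J are assumptions.

```python
import base64

TNAUTHLIST_OID = "1.3.6.1.5.5.7.1.26"  # id-pe-TNAuthList, RFC 8226

def _tlv(tag, value):
    # DER tag-length-value, short-form length only (ample for a single SPC)
    if len(value) > 127:
        raise ValueError("value too long for short-form DER length")
    return bytes([tag, len(value)]) + value

def encode_tnauthlist_spc(spc):
    """TNAuthorizationList with one entry: spc [0] EXPLICIT IA5String."""
    # Assumption: SPCs are short ASCII alphanumeric codes.
    if not (spc.isascii() and spc.isalnum()):
        raise ValueError("SPC must be ASCII alphanumeric")
    return _tlv(0x30, _tlv(0xA0, _tlv(0x16, spc.encode("ascii"))))

def decode_tnauthlist_spcs(der):
    """Return the SPCs in a TNAuthList value, rejecting malformed DER."""
    if len(der) < 2 or der[0] != 0x30 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    spcs, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der):
            raise ValueError("truncated entry header")
        tag, length = der[pos], der[pos + 1]
        body = der[pos + 2 : pos + 2 + length]
        if length > 127 or len(body) != length:
            raise ValueError("truncated or long-form entry")
        if tag == 0xA0:  # spc [0]; 0xA1 (range) and 0xA2 (one) are skipped
            if len(body) < 2 or body[0] != 0x16 or body[1] != len(body) - 2:
                raise ValueError("SPC entry is not an IA5String")
            spcs.append(body[2:].decode("ascii"))
        pos += 2 + length
    return spcs

def openssl_extension_line(spc):
    """Line for the request-extensions section of an openssl req config."""
    return f"{TNAUTHLIST_OID} = DER:{encode_tnauthlist_spc(spc).hex(':')}"

def acme_identifier_value(spc):
    """Unpadded base64url TNAuthList, as used in ACME identifiers (RFC 9448)."""
    return base64.urlsafe_b64encode(encode_tnauthlist_spc(spc)).rstrip(b"=").decode()

if __name__ == "__main__":
    sample_spc = "709J"  # constructed sample value, not a real assignment
    print(openssl_extension_line(sample_spc))
    print(acme_identifier_value(sample_spc))
    print(decode_tnauthlist_spcs(encode_tnauthlist_spc(sample_spc)))
```

Running decode_tnauthlist_spcs over the extension bytes of an imported CSR or an issued certificate confirms that it names your SPC and no other.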
Step 3: Generate Certificate
A certificate is generated using a previously generated or uploaded key/CSR combination. You will need to specify an effective date, the certificate lifespan (1-365 days) and an STI-CR URL. If you choose the default STI-CR URL, you will not need to make any changes to your STI-AS infrastructure every time a certificate is renewed.
Once the certificate is generated, you will have the option to download it. You won't need to do anything with the downloaded certificate, as it is hosted by Sansay's geo-redundant and highly available STI-CR, but you have the option to host it yourself if you prefer.
Renewing a Certificate
Certificate renewals can be done on-demand via the web portal or automated via a REST interface defined in ATIS-1000080. Sansay's NSS supports automated certificate renewal.
Web portal certificate renewal is accomplished by selecting a previous certificate or key/CSR pair. You will be asked to specify a desired start date and lifespan.
Note: To adhere to new standards, a renewed certificate will have a new URL. The URL will need to be updated on the call signing (STI-AS) platform.
Automated certificate renewal is accomplished by whitelisting the Service Provider's STI-AS infrastructure that will be talking to the STI-CA. In Sansay's ecosystem, the NSS systems will need to be whitelisted under My Account.
For Service Providers with third-party STIR/SHAKEN software, ACME client integration is provided with prepaid professional services.
Re-keying Process
The process of re-keying a certificate involves creating a new private key and certificate. This is usually done for security reasons, such as if the original private key has been compromised or lost. Customers using automated certificate renewal are less likely to require a re-key as the key is regularly refreshed.
Re-keying a certificate is similar to obtaining a new certificate, but with the potential to cause service disruption. The steps to re-key a certificate are:
- Log in to the STI-CA portal.
- Generate a new private key.
- Create a CSR (Certificate Signing Request).
- Issue a new certificate using the new private key and CSR.
- Update existing STI infrastructure to use the new private key and certificate URL (if applicable).
- When re-keying a Sansay NSS system, you will first need to import the new keystore and then apply it to all applicable switches/SBCs. This is done under STI-AS > Configuration.
  - Add the new keystore.
  - Under "Switches", replace the existing keystore entry with the new keystore.
2 replies
After generating the certificate in the STI-CA, how do I upload that certificate to the NSSs? Or does the generated key/CSR/cert not need to be on anything but the STI-CA?
And then what entries go into the NSS to do a blanket signing based on SBCid?
Thanks!