
Sansay STI-CA

Sansay is an approved Certificate Authority (STI-CA) in the STIR/SHAKEN ecosystem in the United States. As an STI-CA, Sansay can issue root-CA-signed certificates to authorized Service Providers, who use them to sign calls in accordance with the STIR/SHAKEN framework.

Sansay STI-CA works in concert with Sansay's NSS (Number-lookup for STIR/SHAKEN server) and also supports third-party STI-AS/VS infrastructure.

This document describes the Sansay STI-CA certificate issuance and management process.

A key concept of the STIR/SHAKEN framework in the United States is the triangle of trust that the STI-PA, the STI-CAs and the Service Providers form.


  • STI-GA: Governance Authority. In the United States, ATIS manages the STI-GA, defining the rules that govern the certificate management infrastructure to ensure the effective use and security of SHAKEN certificates.
  • STI-PA: Policy Administrator. In the United States, iconectiv was selected by the GA as the PA. The STI-PA applies the rules set by the STI-GA and validates Service Providers and STI-CAs.
  • STI-CA: Certification Authority. Sansay is one of a few CAs authorized to issue STI certificates.
  • Service Provider: A Service Provider that has been approved by the STI-PA.

The following definitions are used in this document.

  • Certificate Signing Request (CSR): A CSR is sent to a CA to request a certificate. A CSR contains a Public Key of the end-entity that is requesting the certificate.
  • Private Key: In asymmetric cryptography, the private key is kept secret by the end-entity. The private key can be used for both encryption and decryption [RFC 4949].
  • Root CA: A CA that is directly trusted by an end-entity. See also Trust Anchor CA and Trusted CA [RFC 4949].
  • STI Certificate: A public key certificate used by a service provider to sign and verify the PASSporT.
  • Service Provider Code: A unique identifier that is allocated by the STI-PA to a service provider.
  • Service Provider Code (SPC) Token: An authority token that can be used by a SHAKEN Service Provider during the ACME certificate ordering process to demonstrate authority over the identity information contained in the TN Authorization List extension of the requested STI certificate. The SPC Token complies with the structure of the TNAuthList Authority Token defined by [draft-ietf-acme-authority-token-tnauthlist], but with the restriction for SHAKEN where the TNAuthList value contained in the token’s "atc" claim identifies a single Service Provider Code.
  • STI-CR: Certificate Repository. The location from which verifying parties retrieve a Service Provider's STI certificate.

All Service Providers that participate in the STIR/SHAKEN ecosystem must first register with the Policy Administrator (STI-PA). Registration details are available on iconectiv's website: https://authenticate.iconectiv.com/service-provider-authenticate. To register, a Service Provider must:

  • Have a current form 499A on file with the FCC.

  • Have been assigned an Operating Company Number (OCN).

  • Have direct access to telephone numbers from the North American Numbering Plan Administrator (NANPA) and National Pooling Administrator (NPA).

To obtain an STI Certificate you must first be approved by the STI-PA.

After receiving approval from the STI-PA as an authorized Service Provider, Sansay customers can obtain a certificate using any of the following methods:

  • Web portal certificate
  • ACME client
  • Manual certificate

Each method delivers an identical STI certificate; the differences are the speed, procedures and protocols used. All three methods work for any type of implementation, and the key difference is the certificate delivery time.

To set up your STI-CA account with us, Sansay needs you to create an API user in the iconectiv STI-PA portal. In the STI-PA portal, log in as the SP and click User Management.

Click Add User:

Select API as the user role when adding the user. Use <the name of your organization>@sansay-ca.com (e.g. mycompany@sansay-ca.com) as the e-mail address associated with this user. This user gives Sansay access to verify your status with the PA.

Please complete this step during normal business hours (7AM to 5PM PT). Creating an API user is time sensitive and requires 2FA (two-factor authentication) approval. We use the e-mail account to receive the verification code when we first log in and during future logins.


Once you have provided Sansay with an API user and your CA account has been created, Sansay will give you access to the Sansay STI-CA web portal.

This portal provides tools that facilitate certificate management. Obtaining a certificate via Sansay's CA web portal takes less than five minutes and is done in three easy steps.


Manual certificate renewal via the web portal is ideal for certificates with a relatively long lifespan (e.g. 30 or 365 days), where automation is not essential.

The Sansay CA web portal provides the following functions:

  • Secure creation of certificate keys.
  • Secure creation of Certificate Signing Requests (CSRs).
  • Secure creation of SHAKEN certificates.
  • Easy renewal of existing certificates.
  • Management of users within your organization.

The ACME protocol provides a way to automate the issuance and renewal of STI certificates. STI-PA SPC (Service Provider Code) tokens are central to the ACME flow: an SPC token allows the Sansay CA to validate that the Service Provider requesting a certificate is authorized by the STI-PA for that Service Provider Code.

Sansay provides an ACME client implementation for Sansay NSS. Third-party STI-AS implementations can leverage Sansay's ACME client (documentation link) to facilitate the interop process. For additional information on how ACME requests and receives certificates, refer to ATIS-1000080.v003.

Renewal via the ACME API requires whitelisting the Service Provider's STI-AS system IP addresses on Sansay's CA ACME server. Within Sansay's ecosystem, the NSS systems must be whitelisted under My Account.
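The SHAKEN restriction described above (the TNAuthList in the token's "atc" claim names a single Service Provider Code) is what a CA has to enforce before issuing. The following added example (not Sansay's code, nor code from the ATIS or IETF documents) DER-encodes and parses the RFC 8226 TNAuthorizationList, builds a constructed, unsigned "atc" claim in the TNAuthList authority-token shape, and rejects tokens that carry anything other than exactly one spc entry; the same parser applies to the TNAuthList extension (OID 1.3.6.1.5.5.7.1.26) of an issued STI certificate. Signature verification of the token is out of scope here, and the fingerprint value is a hypothetical placeholder.

```python
import base64

# TNAuthorizationList ::= SEQUENCE OF TNEntry (RFC 8226, extension OID 1.3.6.1.5.5.7.1.26).
# TNEntry ::= CHOICE { spc [0] IA5String, range [1] TelephoneNumberRange, one [2] TelephoneNumber }
TAG_SEQ, TAG_SPC, TAG_RANGE, TAG_ONE = 0x30, 0x80, 0xA1, 0x82

def encode_tnauthlist_spc(spc: str) -> bytes:
    """DER TNAuthList holding a single spc [0] entry such as "363A" (short-form lengths only)."""
    entry = bytes([TAG_SPC, len(spc)]) + spc.encode("ascii")
    return bytes([TAG_SEQ, len(entry)]) + entry

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_tnauthlist(der: bytes) -> list:
    """Decode every TNEntry; reject unknown tags, trailing bytes and empty lists."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    kinds = {TAG_SPC: "spc", TAG_RANGE: "range", TAG_ONE: "one"}
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in kinds:
            raise ValueError(f"unknown TNEntry tag 0x{tag:02x}")
        entries.append((kinds[tag], value if tag == TAG_RANGE else value.decode("ascii")))
    if not entries:
        raise ValueError("empty TNAuthList")
    return entries

def build_atc_claim(tnauthlist_der: bytes, fingerprint: str) -> dict:
    """Constructed "atc" claim in the STI-PA token shape (unsigned); fingerprint is a hypothetical value."""
    tkvalue = base64.urlsafe_b64encode(tnauthlist_der).rstrip(b"=").decode("ascii")
    return {"tktype": "TNAuthList", "tkvalue": tkvalue, "ca": False, "fingerprint": fingerprint}

def spc_from_atc(atc: dict) -> str:
    """SHAKEN restriction: the token's TNAuthList must identify exactly one Service Provider Code."""
    if atc.get("tktype") != "TNAuthList":
        raise ValueError("tktype must be TNAuthList")
    tkvalue = atc["tkvalue"]
    der = base64.urlsafe_b64decode(tkvalue + "=" * (-len(tkvalue) % 4))
    entries = parse_tnauthlist(der)
    if len(entries) != 1 or entries[0][0] != "spc":
        raise ValueError("SPC token must carry exactly one spc entry")
    return entries[0][1]
```

The CA-side check is the last function: a token whose list contains a telephone-number range, a single number, or more than one SPC is refused even though it is a well-formed TNAuthList.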


For Service Providers with third-party STIR/SHAKEN software, ACME client integration is provided with prepaid professional services.

Our ACME base path is: https://sti-ca.sansay.com:4443/acme. Sansay's CA ACME server conforms to ATIS-1000080.v003.

A manual certificate can be issued for long-duration certificates. Manual issuance relies on submitting a CSR to obtain a certificate and is used where neither the web portal nor an ACME client is available to the Service Provider. It is only recommended for longer-duration certificates (45-365 days).

The following steps are required to obtain a certificate via this method:

  • Create an API user in the STI-PA portal (as described above).

  • Indicate the number of days for which the certificate will be valid (1-365).

  • Submit a CSR to certificates@sansay-ca.com.

Customers that opt for a manual certificate will need to provide Sansay with a CSR (Certificate Signing Request).

There are two ways to generate a customer certificate:

  • Option 1. The customer provides a Certificate Signing Request (CSR) and asks Sansay to generate only the certificate. With this option, the customer retains the private key. To generate the private key and CSR, perform the procedure below. When you finish, send the CSR to Sansay and keep the private key secure for your own purposes.

  • Option 2. Have Sansay generate a certificate and private key, and then deliver them securely to the customer. For security reasons, delivery is made using two separate emails.

Option 1:

If you have access to a system with the OpenSSL command-line tool, you can issue the following command from your server or device. The command expects the private key file (363A.key.pem in this example) to already exist, so generate it first. Replace the items in angle brackets with the requested information; the <> themselves are not included.

openssl req -key 363A.key.pem -new -sha256 -out 363A.csr.pem -subj "/C=US/ST=<Location, State>/L=<Location, City>/O=<Company Name>/OU=<Organizational Unit>/CN=SHAKEN <Company Name SPID>"

Note: Please ensure that this key is stored securely. While not required, it is recommended that the key be generated on the STI-AS server where it will reside, so that it never has to be copied between systems.

Please send Sansay the resulting .csr.pem file (363A.csr.pem in the example above).

Option 2:

If you do not have OpenSSL, or generating the CSR and key is beyond your technical abilities, Sansay can handle this for you. Please remember that the best practice is for you to hold the key and not share it with anyone else. Do not share your private key via e-mail or any other insecure channel.

After receiving the CSR and validating your account in the STI-PA portal, Sansay will generate an STI certificate and provide you with a unique URL for it in the STI-CR. For example: https://cr.sansay.com/Provder1_300E.crt

Sansay provides an STI-CR (Certificate Repository) to all Service Providers using the Sansay CA. The Sansay CR is a hosted service with fault-tolerant and geo-redundant components that provide high availability (99.999%) and low latency. The Sansay STI-CR is hosted in AWS and in Sansay's datacenter.

Sansay's CR supports TLS 1.2 and its preferred cipher is ECDHE-RSA-AES256-SHA384.
