
STIR/SHAKEN Hosted Signing Service

Updated over a month ago

The STIR/SHAKEN Hosted Signing Service enables Bandwidth customers to provision their own certificate and signing policy to sign their own calls, such that Bandwidth conducts only the technical function of applying customers’ signatures on their behalf. Bandwidth hosts certificates in our Certificate Repository (CR) and provides notifications, insights, and flexible controls over call signing.

Who is the Hosted Signing Service for?

The FCC requires all voice service providers with a STIR/SHAKEN implementation obligation to use their own STIR/SHAKEN certificate(s) to authenticate (sign and attest) their outbound calls, in accordance with the Third-Party Authentication Order.

The Third-Party Authentication Order requires that voice service providers with a STIR/SHAKEN implementation obligation:

  • Secure and use their own STIR/SHAKEN certificates.

  • Independently make call authentication signing decisions.

Specifically, for outbound calls originating from US phone numbers, these providers are required to:

  • Obtain a Service Provider Code (SPC) token from the Policy Administrator.

  • Use the SPC token to acquire a digital certificate from a STIR/SHAKEN Certificate Authority.

  • Sign calls using their own digital certificate.

  • Solely determine the attestation level for all their calls, without depending on a third party.

Bandwidth's upstream reseller customers are expected to sign all outbound US call traffic using their own STIR/SHAKEN certificate to the extent technically feasible, either themselves or together with a third-party authentication partner such as Bandwidth's Hosted Signing Service. For more information, see the FCC's Third-Party Authentication Order and consult your own legal counsel.

Bandwidth will continue to sign unsigned outbound US call traffic as an Intermediate Provider; however, that intermediate-provider signing is not intended to cover reseller customers' own applicable STIR/SHAKEN signing obligations. The Hosted Signing Service is a certificate management solution that lets Bandwidth sign your calls using your certificate and a signing policy you dictate.

Certificate management

Certificates are configured per account in the Bandwidth App:

  1. Log in to the Bandwidth App.

  2. In the side navigation bar, click Account and select Certificate Management.

  3. Click the Add button next to Certificates.

  4. Select a region, then enter a name and description.

  5. Under Certificate, attach your public certificate obtained from your STIR/SHAKEN Certificate Authority.

  6. Under Private Key, attach the private key that corresponds to that certificate: either the key you generated locally when you created the certificate signing request (CSR), or, if your STIR/SHAKEN Certificate Authority generated the key pair for you, the key it issued alongside the certificate.

  7. Click Add.

    Note: Certificates uploaded under one account can be used across all of your accounts. Upload the private key only through the Bandwidth App, where it is transmitted and stored securely; never share it in a support ticket or email.

Common certificate upload errors

Bandwidth implements certificate validation upon certificate upload to ensure provisioned certificates are unexpired, valid, and belong to the account attempting to upload them.

  • Certificate Expired: The uploaded certificate must have a future expiration date.

  • Subject Mismatch with Service Provider Code (SPC): The certificate's subject common name must match the SPC configured on the account. For example, for Bandwidth's own SPC, 997E, the subject is CN=SHAKEN 997E,O=Bandwidth.com CLEC LLC,C=US; a certificate for your SPC follows the same pattern with your SPC and organization name.

  • Missing Expected ASN.1 Identifier: A valid STIR/SHAKEN signing certificate must carry the TNAuthList extension (id-pe-TNAuthList, OID 1.3.6.1.5.5.7.1.26, defined in RFC 8226), which lists the SPC the certificate is authorized to sign for.

  • Incorrect Key Algorithm: The certificate's public key must be an EC key on the P-256 curve (prime256v1/secp256r1), and the certificate must be signed with ECDSA using SHA-256. This matches the ES256 algorithm that STIR/SHAKEN PASSporTs require.

  • Private Key Mismatch: The private key must be the one that corresponds to the uploaded certificate's public key; otherwise terminating providers cannot verify the signatures applied to your calls.

  • Unsupported private key format: Only SEC1 EC keys (RFC 5915, -----BEGIN EC PRIVATE KEY-----) and PKCS#8 EC keys (RFC 5208, -----BEGIN PRIVATE KEY-----) are supported. Submissions in any other format are rejected; they can be corrected and resubmitted.

  • No Chain of Trust to CA: The certificate must be issued by an approved STIR/SHAKEN Certificate Authority.

If you receive any of the above errors, there may be an issue with the certificate itself, or you may have paired the wrong private key with the certificate. Double-check that the certificate has not expired and that the certificate and private key files belong together. You can also contact your Certificate Authority with the error information above for help updating the certificate or private key.

If your private key format is unsupported, do the following:

  1. Check the first line of the key file. A supported key starts with either -----BEGIN EC PRIVATE KEY----- (SEC1) or -----BEGIN PRIVATE KEY----- (PKCS#8). The usual causes of the error are a file that carries a -----BEGIN EC PARAMETERS----- block ahead of the key, or a key that encodes explicit curve parameters instead of the named curve.

  2. Convert the EC parameters plus EC key to a plain SEC1 key that references the curve by name by running the following command in your terminal on Mac/Linux or command console on Windows: openssl ec -in private_key.pem -out sec1.pem -param_enc named_curve -traditional

Note: At the command line, most Unix-based systems (e.g., Mac and Linux) natively provide the openssl command. If you're using Windows, you may need to install OpenSSL first. The -traditional option is an OpenSSL 3.x option that selects SEC1 (EC PRIVATE KEY) output; OpenSSL 1.1.x writes SEC1 by default, so omit it there. Treat sec1.pem with the same care as the original key and delete local copies once the upload succeeds.
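The following Go program, added here as an example and not Bandwidth's own code or the validator the App runs, performs the same upload checks locally so that a rejected certificate/key pair can be diagnosed before you upload it. It uses only Go's standard library and assumes the subject rule is exactly CN=SHAKEN <SPC> (inferred from the page's example). Because it has no copy of the approved CA roots, it does not model the chain-of-trust check. To exercise the checks offline it builds its own self-signed, hypothetical fixture certificate carrying a TNAuthList extension; a real signing certificate comes from an approved Certificate Authority and would be read from your PEM files instead of generated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// id-pe-TNAuthList (RFC 8226): the extension a STIR/SHAKEN certificate must
// carry; it lists the SPC(s) the certificate is authorized to sign for.
var oidTNAuthList = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 26}

// ValidateUpload runs the page's upload checks and returns the names of the
// checks that failed; nil means the pair passes. spc is the account's SPC.
func ValidateUpload(certPEM, keyPEM []byte, spc string, now time.Time) (errs []string) {
	check := func(failed bool, name string) {
		if failed {
			errs = append(errs, name)
		}
	}
	var cert *x509.Certificate
	if cb, _ := pem.Decode(certPEM); cb != nil {
		cert, _ = x509.ParseCertificate(cb.Bytes)
	}
	if cert == nil {
		return []string{"Certificate Unparseable"}
	}
	hasTNAuthList := false
	for _, e := range cert.Extensions {
		hasTNAuthList = hasTNAuthList || e.Id.Equal(oidTNAuthList)
	}
	pub, isEC := cert.PublicKey.(*ecdsa.PublicKey)
	priv, keyErr := parseECPrivateKey(keyPEM)
	check(!now.Before(cert.NotAfter), "Certificate Expired")
	check(cert.Subject.CommonName != "SHAKEN "+spc, "Subject Mismatch with Service Provider Code (SPC)") // CN rule assumed from the page's example
	check(!hasTNAuthList, "Missing Expected ASN.1 Identifier")
	// ES256 needs a P-256 key, and the certificate itself must be signed with ECDSA/SHA-256.
	check(!isEC || pub.Curve.Params().Name != "P-256" || cert.SignatureAlgorithm != x509.ECDSAWithSHA256, "Incorrect Key Algorithm")
	check(keyErr != nil, "Unsupported private key format")
	check(keyErr == nil && isEC && !priv.PublicKey.Equal(pub), "Private Key Mismatch")
	return errs
}

// parseECPrivateKey accepts only the two formats the page lists.
func parseECPrivateKey(keyPEM []byte) (*ecdsa.PrivateKey, error) {
	kb, _ := pem.Decode(keyPEM)
	switch {
	case kb == nil:
		return nil, fmt.Errorf("no PEM block found")
	case kb.Type == "EC PRIVATE KEY": // SEC1, RFC 5915
		return x509.ParseECPrivateKey(kb.Bytes)
	case kb.Type == "PRIVATE KEY": // PKCS#8, RFC 5208
		k, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
		if ec, ok := k.(*ecdsa.PrivateKey); err == nil && ok {
			return ec, nil
		}
		return nil, fmt.Errorf("PKCS#8 block does not hold an EC key")
	}
	return nil, fmt.Errorf("unsupported PEM type %q", kb.Type)
}

// tnAuthListDER encodes TNAuthorizationList with one spc [0] EXPLICIT IA5String entry (30 08 a0 06 16 04 "997E").
func tnAuthListDER(spc string) []byte {
	ia5, _ := asn1.MarshalWithParams(spc, "ia5")
	entry, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: ia5})
	list, _ := asn1.Marshal([]asn1.RawValue{{FullBytes: entry}})
	return list
}

// MakeFixture builds a constructed, self-signed P-256 certificate shaped like a STIR/SHAKEN
// signing certificate (hypothetical issuer; a real one comes from an approved CA) and its SEC1 key.
func MakeFixture(spc string, notAfter time.Time) ([]byte, []byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "SHAKEN " + spc, Organization: []string{"Example CLEC LLC"}, Country: []string{"US"}},
		NotBefore:          notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:           notAfter,
		SignatureAlgorithm: x509.ECDSAWithSHA256,
		ExtraExtensions:    []pkix.Extension{{Id: oidTNAuthList, Value: tnAuthListDER(spc)}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	sec1, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: sec1}), key
}

// PKCS8PEM re-encodes the same key in the other accepted format.
func PKCS8PEM(key *ecdsa.PrivateKey) []byte {
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	now := time.Now()
	certPEM, keyPEM, key := MakeFixture("997E", now.Add(90*24*time.Hour))
	fmt.Println(ValidateUpload(certPEM, keyPEM, "997E", now), ValidateUpload(certPEM, PKCS8PEM(key), "997E", now))
}
```

To run it against your real files, replace the MakeFixture call with os.ReadFile of the certificate and key PEMs. An empty result means every check the page lists (other than the chain of trust) passes; each string in the result is the upload error you would see in the App.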

Certificate assignment

Once your certificate is uploaded, it should be visible in the certificates table. On the same screen, there's a section for assignments. This view shows, on a per-region basis, which certificates are provisioned and being used to sign your calls.

  1. Click Add.

  2. Select your desired certificate using the Certificate ID dropdown.

  3. Set your Signing Policy (A, B, C).

Note:

  • All customer certificates have a profile type of “INDIRECT”.

  • The signing policy is required and becomes the default account-wide setting. It can be overridden on a per-call basis.

Testing the Hosted Signing Service

As soon as a valid, active certificate assignment is made, you should expect your calls to be signed and sent downstream for completion with your certificate.

Note: Because not every carrier’s network equipment currently supports the transmission of STIR/SHAKEN information across the PSTN, Bandwidth can’t guarantee that your STIR/SHAKEN information will always be transmitted to the call recipient’s service provider.

If you’ve provisioned your certificate under a test account, first send a test outbound call. Then you’ll be able to view the signing details in the Voice Insights Call Logs.

  1. In the side navigation bar, click Insights and select Voice.

  2. In the Call Logs table, click Settings and enable Attestation and X5U. By clicking the X5U URL, you’ll be directed to the location of the corresponding certificate.

Per-call attestation

If a single account-wide signing policy cannot represent the correct attestation level across all of your numbers, you can set the desired attestation level per call in the SIP signaling with the P-Attestation-Indicator header on the INVITE. The supported values are A, B, and C (for example, P-Attestation-Indicator: B).

If the P-Attestation-Indicator header is not present on the INVITE, the attestation level configured at the account level is used to sign the call. Likewise, if the header carries a value other than A, B, or C, the account-level setting is used. Even when using per-call attestation, you must therefore set an account-level signing policy to serve as the fallback.
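The Go example below, written for this page and not Bandwidth's code, shows the two steps the text describes and what they produce: resolving the attestation level from the INVITE (falling back to the account policy when the header is absent or carries an invalid value) and then signing the call as a STIR/SHAKEN PASSporT with ES256, with the x5u claim pointing at the certificate's location in the Certificate Repository. The PASSporT layout follows RFC 8225 and RFC 8588, which the page itself does not describe; the CR URL, telephone numbers, and origid are constructed values, and the key is a throwaway one standing in for the customer's uploaded private key. The verifier at the end does what a terminating provider does after fetching the certificate at x5u.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// ResolveAttestation applies the precedence the page describes: a valid
// P-Attestation-Indicator (A, B or C) on the INVITE wins; a missing or invalid
// value falls back to the account-level signing policy. Header names are
// matched case-insensitively, as SIP requires; values are only trimmed.
func ResolveAttestation(inviteHeaders map[string]string, accountPolicy string) string {
	for name, value := range inviteHeaders {
		if v := strings.TrimSpace(value); strings.EqualFold(name, "P-Attestation-Indicator") && (v == "A" || v == "B" || v == "C") {
			return v
		}
	}
	return accountPolicy
}

// SignPassport builds the "shaken" PASSporT (RFC 8225 / RFC 8588) the signing
// step emits for one call and signs it with ES256 under the customer's key.
// x5u is the URL of the public certificate in the Certificate Repository.
func SignPassport(key *ecdsa.PrivateKey, x5u, attest, origTN, destTN, origID string, iat int64) (string, error) {
	header := map[string]interface{}{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
	claims := map[string]interface{}{
		"attest": attest,
		"dest":   map[string][]string{"tn": {destTN}},
		"iat":    iat,
		"orig":   map[string]string{"tn": origTN},
		"origid": origID,
	}
	// encoding/json sorts map keys and emits no whitespace, which is the
	// canonical form RFC 8225 requires before base64url encoding.
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	b64 := base64.RawURLEncoding
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 is raw R||S, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport does what a terminating provider does after downloading the
// certificate named by x5u: checks the ES256 signature and returns attest.
func VerifyPassport(pub *ecdsa.PublicKey, passport string) (string, error) {
	parts := strings.Split(passport, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("PASSporT must have three segments")
	}
	b64 := base64.RawURLEncoding
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", fmt.Errorf("signature does not verify under this certificate")
	}
	var claims struct {
		Attest string `json:"attest"`
	}
	raw, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims.Attest, err
}

// NewSigningKey returns a throwaway P-256 key standing in for the customer's uploaded private key.
func NewSigningKey() *ecdsa.PrivateKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return key
}

func main() {
	key := NewSigningKey()
	x5u := "https://cr.example.net/certs/997E.pem"                  // hypothetical CR location
	invite := map[string]string{"p-attestation-indicator": "B"} // constructed INVITE header
	attest := ResolveAttestation(invite, "C")
	passport, _ := SignPassport(key, x5u, attest, "12025550100", "12025550199", "de305d54-75b4-431b-adb2-eb6b9e546014", 1700000000)
	fmt.Println(passport)
	fmt.Println(VerifyPassport(&key.PublicKey, passport))
}
```

In the SIP message the PASSporT travels in the Identity header (RFC 8224 / RFC 8588), with the certificate URL repeated as the info parameter; the X5U column in Voice Insights shows that same URL. Note that VerifyPassport checks only the signature: a real verifier also fetches and validates the certificate chain at x5u and checks iat freshness.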

Bandwidth Certificate Repository (CR)

Once your certificate is uploaded, Bandwidth places a copy of the public certificate in Amazon S3. Only the public certificate is published there; it is the file the X5U URL in a signed call points to, so every terminating operator that verifies your calls can download it.

Certificate Expiry Notifications

You can subscribe to our Notifications feature to receive email reminders about your certificate's expiration date, so that you can renew the certificate with your Certificate Authority (CA) before it expires. Renewal is not automatic. If your certificate expires and you have not uploaded a new one and created an assignment, your calls may not get signed, or may be signed using the Bandwidth certificate, until you take action. The reminders are intended to give you ample time to renew and assign your own certificate.

  1. Log in to the Bandwidth App.

  2. In the side navigation bar, click Account and select Notifications.

  3. Click the Add button next to Subscriptions.

  4. In the Event type drop-down menu, select Signing Certificate Expiry.

  5. Enter a Custom name for your notification.

  6. Select Email as the Delivery type.

  7. Enter or select your Email.

  8. Select your Frequency:

    • Instantly: A notification for each expired certificate is sent once.

    • Daily: Notifications are repeated once a day.

  9. Click Add Filter.

  10. Select the desired Field, Condition, and Value for your filter.

    • Days Until Expiry: Allows you to filter based on a date range.

      • Is greater than: Days before expiration

      • Is less than: Days after expiration

      • Is: Exact date of expiration

    • Certificate Name: Filter to include or exclude a single certificate.

      • Is: Exact name

      • Is not: Name of a certificate to exclude (e.g., Bandwidth)

      • Is in: List of certificate names to include

  11. Click Add Subscription.

  12. Once you obtain the new certificate, please refer to the Certificate management section for instructions on how to upload it.

  13. When you upload the new certificate, the certificate assignment does not happen automatically. Refer to the Certificate assignment section for instructions on creating a new assignment. Your previous assignment is set to inactive automatically, and your view should be similar to the following.

Additional STIR/SHAKEN resources
