Skip to content

STIR / SHAKEN Cert

Setup Information STIR/SHAKEN Cert

Document Metadata
Category: Setup & Configuration → Information → STIR/SHAKEN Cert
Audience: Administrators, Engineers, Carrier / VoIP Originators
Difficulty: Intermediate to Advanced
Time Required: 15–30 minutes (upload only); allow 2–4 weeks for certificate procurement if not already obtained
Prerequisites:
  • A valid STIR/SHAKEN certificate issued by a recognised STI-CA authority (e.g., Iconectiv as STI-PA in the U.S.).
  • Operating Company Number (OCN) and FCC Form 499-A registration (U.S. providers only).
  • An SPC token issued by the STI-PA, required to obtain signing certificates.
  • Your certificate and private key in PEM format, ready to upload.
  • Active ConnexCS account with access to Setup → Information → STIR/SHAKEN Cert.
Related Topics: Caller Line Identification (CLI) — configure attestation levels per CLI after certificate upload · New FCC Regulations on STIR/SHAKEN — regulatory background and compliance obligations · Audit Log — review certificate changes and configuration events
Next Steps: After uploading your certificate, configure attestation levels for your outbound CLIs at Customer → CLI. Then validate signing using a test call and SIP trace as described in the Testing & Validation section below.
Need a Certificate?: ConnexCS can assist with certificate procurement. Contact us or visit the Iconectiv STI-PA portal to begin the process independently.
Meta Description: Configure STIR/SHAKEN certificates in ConnexCS to authenticate outbound calls, assign attestation levels, and meet FCC and Ofcom compliance requirements.

Overview

STIR/SHAKEN is a framework designed to reduce caller ID spoofing and improve trust in voice communications. It enables service providers to digitally sign outbound calls and verify inbound calls using SIP Identity headers and certificate-based authentication.

STIR (Secure Telephone Identity Revisited) defines how caller identity information is signed and transmitted, while SHAKEN (Signature-based Handling of Asserted information using toKENs) defines the operational framework used by service providers.

Implementing STIR/SHAKEN helps providers:

  • Reduce robocalls and caller ID spoofing
  • Improve call trust and answer rates
  • Support regulatory compliance requirements
  • Reduce spam labeling risks
  • Improve call authentication visibility

The STIR / SHAKEN Cert is a necessary prerequisite step for call origination providers to adopt to authenticate outbound telephone calls and improve caller identity trust.

The adoption of this standard helps to mitigate spoofing, robocalling, scam calls, etc.

For more detailed information, see our article, FCC Regulations Regarding Robocalling (TRACED Act).

(FCC: Federal Communications Commission; Ofcom: Office of Communications)

ConnexCS doesn't provide the STIR / SHAKEN Certificate. Contact us if you need further assistance.

You must get it from a designated authority, such as Ofcom or the FCC (for the FCC, this began June 30, 2021).

Once you have the certificate, it's added to ConnexCS as described in the steps below.

STIR/SHAKEN background

See Wikipedia STIR / SHAKEN and the FCC Report on Selection of Governance Authority and Timely Deployment of SHAKEN/STIR for details.

Note

Click here to test your Stir-Shaken.

How STIR/SHAKEN Works

The STIR/SHAKEN workflow generally follows these steps:

  1. A call is initiated by a customer or carrier through ConnexCS.
  2. ConnexCS validates the caller identity and determines the appropriate attestation level based on the customer configuration and trust relationship.
  3. ConnexCS generates a signed PASSporT token containing the caller identity information.
  4. The PASSporT token is added to the SIP Identity header of the outbound INVITE request.
  5. The receiving carrier or downstream provider retrieves the public certificate and validates the digital signature.
  6. Based on the verification result and attestation level, the terminating provider determines whether the caller identity can be trusted.

This process helps carriers identify authenticated calls, reduce caller ID spoofing, and improve trust in voice communications.

Attestation Levels

STIR/SHAKEN uses attestation levels to indicate the provider’s confidence in the caller identity.

Level Description
A Attestation The provider has verified the customer identity and confirms the customer is authorized to use the caller ID.
B Attestation The provider knows the customer but cannot fully verify ownership of the caller ID.
C Attestation The provider received the call from another network and cannot verify the source or caller ID ownership.

Warning

Incorrect attestation assignment may result in traffic blocking, spam labeling, or regulatory compliance issues.

STIR/SHAKEN Call Flow

STIR/SHAKEN signing occurs during outbound SIP call processing.

The workflow includes:

  • Caller identity validation
  • PASSporT token generation
  • SIP Identity header insertion
  • Certificate-based digital signing
  • Downstream verification

When the receiving provider receives the call, it validates the SIP Identity header using the originating provider’s public certificate.

If validation succeeds, the call may be treated as trusted traffic.

Caller ID & Routing Considerations

Caller ID configuration directly affects STIR/SHAKEN behavior.

Important considerations:

  • Invalid caller IDs may fail attestation validation
  • Caller ID formatting should follow regional requirements
  • Customer routing policies may affect attestation handling
  • Upstream carriers may reject improperly signed traffic

Ensure outbound caller IDs are valid, authorized, and properly formatted before enabling STIR/SHAKEN signing.

Common STIR/SHAKEN Issues

Missing SIP Identity Header

Possible causes:

  • STIR/SHAKEN not enabled
  • Missing certificate configuration
  • Invalid routing policy
  • Unsupported SIP signaling path

Recommended checks:

  • Verify certificate upload
  • Confirm STIR/SHAKEN is enabled
  • Review SIP traces
  • Validate outbound routing configuration

Certificate Validation Failure

Possible causes:

  • Expired certificate
  • Invalid SPC token
  • Incorrect certificate upload
  • Certificate mismatch

Recommended checks:

  • Verify certificate expiration date
  • Confirm uploaded certificate and key pair
  • Validate SPC token assignment
  • Re-upload certificates if necessary

Invalid Attestation

Possible causes:

  • Unauthorized caller ID
  • Invalid customer CLI
  • Incorrect attestation assignment

Recommended checks:

  • Verify caller ID ownership
  • Review attestation policy
  • Confirm customer authorization

Testing & Validation

After configuration, validate STIR/SHAKEN operation using SIP traces and test calls.

Recommended validation steps:

  1. Place a test outbound call.
  2. Capture the SIP INVITE.
  3. Verify the presence of the SIP Identity header.
  4. Confirm PASSporT information is included.
  5. Validate attestation values.
  6. Confirm downstream verification succeeds.

You can also use supported STIR/SHAKEN validation tools to confirm proper signing and verification behavior.

Add STIR / SHAKEN Cert

To add a certificate:

  1. Click on the symbol.
  2. Complete the Name (indicated as "Alpha" in Control Panel), Certificate, and Key fields from the certificate provided by the issuing authority.
  3. Click Save.

Operational Best Practices

  • Keep certificates up to date
  • Monitor certificate expiration dates
  • Use appropriate attestation levels
  • Validate customer caller IDs before signing
  • Monitor rejected or spam-labeled traffic
  • Regularly test STIR/SHAKEN verification flows

Monitoring & Troubleshooting

Monitor the following for operational visibility:

  • SIP Identity header presence
  • Verification failures
  • Certificate expiration
  • Attestation mismatch events
  • Rejected outbound calls
  • Spam labeling patterns

SIP traces and call logs can help identify STIR/SHAKEN-related routing or authentication issues.