STIR/SHAKEN Hosted Signing Service

Sarah

The STIR/SHAKEN Hosted Signing Service enables Bandwidth customers to provision their own certificate and signing policy to sign their own calls, such that Bandwidth conducts only the technical function of applying customers’ signatures on their behalf. Bandwidth hosts certificates in our Certificate Repository (CR) and provides notifications, insights, and flexible controls over call signing. 

Who is the Hosted Signing Service for? 

The FCC requires all voice service providers with a STIR/SHAKEN implementation obligation to use their own STIR/SHAKEN certificate(s) to authenticate (sign and attest) their outbound calls, in accordance with the Third-Party Authentication Order.

The Third-Party Authentication Order necessitates that voice service providers with a STIR/SHAKEN implementation obligation:

  • Secure and use their own STIR/SHAKEN certificates.
  • Independently make call authentication signing decisions.

Specifically, for outbound calls originating from US phone numbers, these providers are required to:

  • Obtain a Service Provider Code (SPC) token from the Policy Administrator.
  • Use the SPC token to acquire a digital certificate from a STIR/SHAKEN Certificate Authority.
  • Sign calls using their own digital certificate.
  • Solely determine the attestation level for all their calls, without depending on a third party.

As of June 20, 2025, Bandwidth reseller customers are expected to sign all outbound US call traffic using their own STIR/SHAKEN certificates. For more information, please see the FCC’s Third-Party Authentication Order and contact your own legal counsel.

Bandwidth is required to sign the unsigned outbound US call traffic to meet its own obligation as an Intermediate Service Provider. However, Bandwidth’s signing as an Intermediate Service Provider does not alleviate customers’ own STIR/SHAKEN signing obligation. As such, we have introduced a new certificate management solution to allow Bandwidth to assist you in signing your calls using a signing policy you dictate. 

Certificate management 

Certificates are configured per account in the Bandwidth App: 

  1. Log in to the Bandwidth App.
  2. In the side navigation bar, click Account and select Certificate Management.
  3. Click the Add button next to Certificates.
  4. Select a region, then enter a name and description.
  5. Under Certificate, attach your public certificate obtained from your STIR/SHAKEN Certificate Authority.
  6. Under Private Key, attach your private key obtained from your STIR/SHAKEN Certificate Authority.
  7. Click Add.

Note: Certificates uploaded under one account can be used across all of your accounts.

Common certificate upload errors

Bandwidth implements certificate validation to ensure provisioned certificates are unexpired, valid, and belong to the account attempting to upload them. 

  • Certificate Expired: The uploaded certificate must have a future expiration date.
  • Subject Mismatch with Service Provider Code (SPC): The certificate's subject common name should match the configured SPC. For example, if the SPC is Bandwidth=997E, the certificate subject should be CN=SHAKEN 997E,O=Bandwidth.com CLEC LLC,C=US.
  • Missing Expected ASN.1 Identifier: Valid STIR/SHAKEN signing certificates must include the ASN.1 identifier 1.3.6.1.5.5.7.1.26.
  • Incorrect Key Algorithm: Certificates should use an EC 256 key with the SHA-256 ECDSA signature algorithm.
  • Private Key Mismatch: The private key must correspond to the uploaded certificate to ensure proper call verification by terminating providers.
  • No Chain of Trust to CA: The certificate must be issued by an approved Certificate Authority. 

If you receive any of the above errors, there may be an issue with your certificate, or you may have paired the wrong private key and certificate file. 

  • Double-check the files to make sure your certificate is not expired and that you’ve paired the correct certificate and private key.
  • Contact your Certificate Authority with the error information above and seek their assistance in updating the certificate or private key as needed.
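
A local pre-upload check for the errors listed above, as an added example (not Bandwidth's validation code). It assumes the Python cryptography package and the "SHAKEN <SPC>" common-name form from the example above, and it does not check the chain of trust; preflight, spki and constructed_pair are hypothetical names.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization as ser
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID

TN_AUTH_LIST = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.26")  # identifier named on this page

def spki(key):
    """DER SubjectPublicKeyInfo, used to compare two public keys byte for byte."""
    return key.public_bytes(ser.Encoding.DER, ser.PublicFormat.SubjectPublicKeyInfo)

def preflight(cert_pem, key_pem, spc):
    """Return the names of the upload errors this certificate/key pair would trigger."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = ser.load_pem_private_key(key_pem, password=None)
    pub, errors = cert.public_key(), []
    # Newer cryptography releases expose an aware datetime; older ones a naive UTC one.
    end = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if end <= datetime.now(timezone.utc):
        errors.append("Certificate Expired")
    cns = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if not any(spc in cn.split() for cn in cns):  # assumes the "SHAKEN <SPC>" form
        errors.append("Subject Mismatch with Service Provider Code (SPC)")
    try:
        cert.extensions.get_extension_for_oid(TN_AUTH_LIST)
    except x509.ExtensionNotFound:
        errors.append("Missing Expected ASN.1 Identifier")
    if not (isinstance(pub, ec.EllipticCurvePublicKey) and isinstance(pub.curve, ec.SECP256R1)
            and cert.signature_algorithm_oid == SignatureAlgorithmOID.ECDSA_WITH_SHA256):
        errors.append("Incorrect Key Algorithm")
    if spki(key.public_key()) != spki(pub):
        errors.append("Private Key Mismatch")
    return errors  # chain of trust to an approved CA is not checked here

def constructed_pair(spc="997E", days=30, tn_ext=True):
    """Constructed self-signed test pair; a real certificate comes from your STIR/SHAKEN CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"SHAKEN {spc}")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=365))
         .not_valid_after(now + timedelta(days=days)))
    if tn_ext:  # constructed extension value: SEQUENCE { [0] IA5String spc }
        der = bytes([0x30, len(spc) + 4, 0xA0, len(spc) + 2, 0x16, len(spc)]) + spc.encode()
        b = b.add_extension(x509.UnrecognizedExtension(TN_AUTH_LIST, der), critical=False)
    pem = ser.Encoding.PEM
    return (b.sign(key, hashes.SHA256()).public_bytes(pem),
            key.private_bytes(pem, ser.PrivateFormat.PKCS8, ser.NoEncryption()))
```

Run preflight on the PEM files you received from your Certificate Authority before uploading; an empty list means none of the locally checkable errors apply.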

Certificate assignment 

Once your certificate is uploaded, it should be visible in the certificates table. On the same screen, there's a section for assignments. This view shows, on a per-region basis, which certificates are provisioned and being used to sign your calls. 

  1. Click Add.
  2. Select your desired certificate using the Certificate ID dropdown.
  3. Set your Signing Policy (A, B, C).

Note:

  • All customer certificates have a profile type of “INDIRECT”. 
  • The signing policy is required and becomes the default account-wide setting. It can be overridden on a per-call basis. 

Testing the Hosted Signing Service

As soon as a valid, active certificate assignment is made, you should expect your calls to be signed and sent downstream for completion with your certificate. 

Note: Because not every carrier’s network equipment currently supports the transmission of STIR/SHAKEN information across the PSTN, Bandwidth can’t guarantee that your STIR/SHAKEN information will always be transmitted to the call recipient’s service provider.

If you’ve provisioned your certificate under a test account, first send a test outbound call. Then you’ll be able to view the signing details in the Voice Insights Call Logs.

  1. In the side navigation bar, click Insights and select Voice.
  2. In the Call Logs table, click Settings and enable Attestation and X5U. By clicking the X5U URL, you’ll be directed to the location of the corresponding certificate.

Per-call attestation 

If a single account-wide signing policy does not sufficiently support proper attestation levels across all of your numbers, you can set the desired attestation level in the SIP signaling. The supported options are A, B, and C (for example, P-Attestation-Indicator: B).

If the P-Attestation-Indicator header is not present on the INVITE, the attestation level configured at the account level will be used to sign the call. Similarly, if an invalid option is received, the account-level setting will be used to sign the call. Even if you use per-call attestation, you must still set an account-level signing policy to be used for this purpose.
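
The fallback rule above and the test from the previous section, combined in an added example (not Bandwidth's code). It goes beyond the Call Logs view by decoding a SIP Identity header captured at a test destination you control and comparing its attest and x5u values with what you provisioned. The sample header, phone numbers, URL and function names are constructed, exact upper-case matching of A/B/C is an assumption, and the signature is not verified.

```python
import base64, json

LEVELS = {"A", "B", "C"}  # options this page lists for P-Attestation-Indicator

def effective_attestation(invite_headers, account_policy):
    """A valid per-call value wins; a missing or invalid one falls back to the account policy."""
    for name, value in invite_headers:
        if name.strip().lower() == "p-attestation-indicator" and value.strip() in LEVELS:
            return value.strip()  # assumption: values are matched exactly, upper case
    return account_policy

def b64u_decode(part):
    """Decode base64url text whose padding was stripped, as in a PASSporT."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def read_passport(identity_value):
    """Split an Identity header value into PASSporT header, claims and parameters."""
    token, *params = [p.strip() for p in identity_value.split(";")]
    head, claims, _signature = token.split(".")
    info = dict(p.split("=", 1) for p in params)
    return json.loads(b64u_decode(head)), json.loads(b64u_decode(claims)), info

def check_signed_call(identity_value, invite_headers, account_policy, expected_x5u):
    """Return the mismatches between what was signed and what was provisioned."""
    head, claims, info = read_passport(identity_value)
    want = effective_attestation(invite_headers, account_policy)
    problems = []
    if head.get("alg") != "ES256" or head.get("ppt") != "shaken":
        problems.append("not an ES256 SHAKEN PASSporT")
    if head.get("x5u") != expected_x5u or info.get("info") != f"<{expected_x5u}>":
        problems.append("x5u does not point at the expected certificate")
    if claims.get("attest") != want:
        problems.append(f"attest={claims.get('attest')} but {want} was expected")
    return problems

def constructed_identity(attest, x5u):
    """Constructed Identity value with a dummy signature (nothing here verifies it)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": 1750000000,
              "orig": {"tn": "12025550100"}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(head)}.{enc(claims)}.c2ln;info=<{x5u}>;alg=ES256;ppt=shaken"
```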

Bandwidth Certificate Repository (CR) 

Once your certificate is uploaded, Bandwidth will place a copy of the public certificate into Amazon S3. This ensures that all terminating operators who eventually verify your calls will have the required connectivity to download the certificate. 
