Self-Signed Certificates for STIR/SHAKEN


26/Dec/2023

Securing communications and verifying who is really calling matter more than ever. STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is the framework built to counter Caller ID spoofing. Deploying it requires certificates to sign calls with, and this article walks through generating self-signed certificates for STIR/SHAKEN so that you can put that signing in place.

Introduction

STIR/SHAKEN is a telecommunications framework for authenticating caller ID information and curbing Caller ID spoofing. Within it, certificates are what let an entity prove its identity and establish secure communication. This guide looks at the role self-signed certificates play in STIR/SHAKEN and gives a step-by-step procedure for generating them.

Unveiling Self-Signed Certificates

A self-signed certificate is signed by the entity it identifies rather than by an external Certificate Authority (CA), so no third party vouches for it. It still binds a public key to an identity and can be used to authenticate data and secure connections, but, unlike a CA-signed certificate, it is created and trusted entirely within the entity itself.

The commands below use OpenSSL to create a private CA, a service-provider (SP) private key, a TNAuthList extension, a certificate signing request and finally the SP certificate signed by that CA. Open a terminal or command prompt and run them in order:

# Install packages (for Debian-based systems)
apt -y install openssl coreutils

# 1. Create a private CA: an EC P-256 key and a self-signed CA certificate
mkdir /tmp/stir-shaken-ca
cd /tmp/stir-shaken-ca
openssl ecparam -noout -name prime256v1 -genkey -out ca-key.pem
# this prompts for the CA subject; a -subj argument, as used for the CSR below, avoids the prompts
openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 1825 -out ca-cert.pem
ls

# 2. Create the service-provider (SP) key
mkdir /tmp/stir-shaken-sp1
cd /tmp/stir-shaken-sp1
openssl ecparam -noout -name prime256v1 -genkey -out sp-key.pem

# 3. Build the TNAuthList extension: a SEQUENCE holding one explicitly tagged [0] (spc) entry, here SPC 1001
cat >TNAuthList.conf << EOF
asn1=SEQUENCE:tn_auth_list
[tn_auth_list]
field1=EXP:0,IA5:1001
EOF

openssl asn1parse -genconf TNAuthList.conf -out TNAuthList.der

# 4. Request configuration; the TNAuthList extension is appended under [ v3_req ] below
cat >openssl.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = "SHAKEN"
[ v3_req ]
EOF

# Append the DER as one line of the form 1.3.6.1.5.5.7.1.26=DER:30:08:... (1.3.6.1.5.5.7.1.26 is id-pe-TNAuthList)
od -An -t x1 -w TNAuthList.der | sed -e 's/ /:/g' -e 's/^/1.3.6.1.5.5.7.1.26=DER/' >>openssl.conf

# 5. Create the CSR (replace YOURCOMPANYNAME with your organisation)
openssl req -new -nodes -key sp-key.pem -keyform PEM -subj '/C=US/ST=VA/L=IQNT/O=YOURCOMPANYNAME, Inc./OU=VOIP/CN=SHAKEN' -sha256 -config openssl.conf -out sp-csr.pem

# 6. Sign the CSR with the CA, carrying the v3_req extensions (TNAuthList) into the certificate
openssl x509 -req -in sp-csr.pem -CA ../stir-shaken-ca/ca-cert.pem -CAkey ../stir-shaken-ca/ca-key.pem -CAcreateserial -days 825 -sha256 -extfile openssl.conf -extensions v3_req -out sp-cert.pem

Testing and Troubleshooting

Test the certificate before relying on it: check that it verifies and that it carries what you expect. If something fails, consult the OpenSSL documentation or seek assistance to troubleshoot and resolve it.

Advantages and Disadvantages

Before concluding, let's recap the advantages of using self-signed certificates for STIR/SHAKEN:

  • Cost-Effective: Self-signed certificates are budget-friendly, making them accessible for a wide range of organizations.

  • Control and Customization: Entities have full control over certificate management and can customize certificates as needed.

However, it's essential to be aware of potential disadvantages, such as reduced trust compared to CA-signed certificates. Organizations should weigh the pros and cons when choosing certificate types for their STIR/SHAKEN implementation.

Conclusion

In summary, self-signed certificates are a valuable component of STIR/SHAKEN, ensuring secure communication and authentication of caller identities. By following the steps outlined in this guide, you can generate self-signed certificates for your STIR/SHAKEN setup and enhance the security of your communications.

FAQs

Q1: Can self-signed certificates be used for production environments?

A1: While self-signed certificates are suitable for testing and development, they may not be the best choice for production environments. Consider obtaining CA-signed certificates for enhanced trust and security.

Q2: Is there a specific certificate format required for STIR/SHAKEN?

A2: STIR/SHAKEN is compatible with X.509 certificates, which include both CA-signed and self-signed certificates.

Q3: Are there any specific security measures to protect the private key?

A3: Yes, it's crucial to safeguard the private key, as it is a critical component of certificate security. Store it securely and restrict access to authorized personnel.

Q4: Can self-signed certificates be used for other security applications?

A4: Yes, self-signed certificates can be used for various security applications beyond STIR/SHAKEN, such as securing web servers and email communication.

Q5: Are self-signed certificates suitable for small businesses?

A5: Yes, self-signed certificates can be a cost-effective choice for small businesses looking to enhance security without incurring the cost of CA-signed certificates.
