I am seeing pop ups when logging into all of my upstream carrier portals to see the “8th order of STIR/SHAKEN deadline of June 20th 2025” and I want to ensure all of my users are configured correctly to avoid any service interruptions. Currently I am using Bandwidth.com as my primary carrier and I provide voice services with FreePBX to about 30 end users who all use their own unique DIDs. At this time my calls outbound are attested at the carrier and working wonderfully.
My main question relates to obtaining a digital certificate from a STIR/SHAKEN Certification Authority. I am waiting on my carrier to provide me with their documentation, but given the fact that we are already relying on the upstream carrier to attest our calls, is it safe to expect my existing carrier will end up being the source of my certificate?
With about 2 months to go I hope I can get a conversation going about STIR/SHAKEN that will help this community navigate the changes to the SIP landscape where call attestation is moving down to the PBX level.
If you are relying on your upstream provider to sign the calls, from a technical perspective you can continue to do so. If you are relying on them to sign your calls with their certificate, you will have to change something. Some upstream providers allow you to provide them with your certificate and they can continue to perform the technical act of signing calls for you. If not, you will have to send your calls already signed by some other method.
The upstreams also cannot assign the attestation. A 3rd party may do the technical signing of the call, but it must be with your certificate and you must pass the attestation.
Andrew, thanks for the reply. I appreciate the reply being consistent with the scope of “Wrapping my head around..”
I guess the reply from my carrier here is key. I do see terms in their limited reply stating "If a customer has the capability to sign its own calls, Bandwidth will accept and transit the existing signature as is without needing to do anything more."
Though now I need to understand the signing of calls in my system..
It’s going to require you to do some things. You’ll need to be a registered 499 filer, you’ll need an OCN, you’ll have to get a STIR/SHAKEN token, use that token to get a certificate, get set up with a service to use that certificate, set up the API for that service and pass proper attestation details…and update your RMDB entry. Not a complete list but things you will need to do. Many of which have a cost associated with it.
This makes it sound like they also offer the service of signing calls for you, although I’m not sure since I don’t use Bandwidth. That being said, @BlazeStudios is correct in saying that you are required to be doing all of these things in order to sign the calls with your own cert:
1.) Get an FRN and file in the Robocall Mitigation Database
2.) File your 499
3.) Get an OCN
4.) Get your STIR/SHAKEN token
5.) Get your certificate
All of those steps must be completed by 6/20 according to the FCC.
Hey all — Just wanted to chime in that this is exactly the kind of situation Sangoma Wholesale Carrier Services built our call signing service for. It’s a fully hosted solution that signs your outbound calls with your own unique certificate, with zero config required on your voice network and/or on-prem devices.
We designed it to make compliance easy, especially for service providers, resellers, and ITSPs who want to stay focused on their business without taking on extra overhead. If that sounds like something you’re interested in, here’s a link
For clarification, VoIP Innovations still will require the customer cert to sign calls, which means all of the previously mentioned items are required.
Was genuinely curious about the retail state of STIR/SHAKEN changes - which saw a lot of pioneering leadership from the Asterisk engineering team as discussed in more detail starting about 4 minutes into this video of @jcolp presenting at AstriCon 2025:
$300/month for a solution that requires 100% of all traffic go out VI?
For $3600 I could integrate Asterisk, FreePBX, Kamailio, even OpenSIPS to use a 3rd party API based solution that would allow calls to be attested and signed for any upstream carrier being used. It would save a ton of money in the long run.
It would most likely be how I described it. I use a 3rd party solution to sign my calls. I provided them with my STIR/SHAKEN certificate. I just check the callerid on each US/Canada based outbound call, assign attestation, make an API call to my vendor, add the returned Identity header to the call and send out fully attested and signed call to one of my upstream providers.
Granted, I use a softswitch between my network and carriers. I also do Least-Cost Routing, so depending on the destination of the call, it will go out the carrier with the best rate for the call. If that fails, failover to another carrier. No need to re-sign the call when it fails over.
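The per-call flow described in the post above (check the caller ID, assign attestation, call a signing service, attach the returned Identity header), as an added example that is not from the thread or from any vendor. The DID inventory, customer ids, certificate URL and `sample_identity` stand-in are constructed, the 60-second `iat` window is an assumption, and the ES256 signature is not verified here.

```python
import base64
import json

# Constructed inventory (assumption): DIDs this provider assigned, keyed to the customer.
ASSIGNED_DIDS = {"12025550101": "cust-17", "12025550102": "cust-22"}

def assign_attestation(caller_tn, customer_id):
    """A = known customer on a number we assigned them, B = known customer
    on a number we cannot tie to them, C = no authenticated customer."""
    if customer_id is None:
        return "C"
    return "A" if ASSIGNED_DIDS.get(caller_tn) == customer_id else "B"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def parse_identity(value):
    """Split an Identity header value into (JOSE header, claims, parameters)."""
    token, *params = [part.strip() for part in value.split(";")]
    head, body, _signature = token.split(".")
    return (json.loads(_unb64url(head)), json.loads(_unb64url(body)),
            dict(p.split("=", 1) for p in params))

def check_identity(value, attest, orig_tn, dest_tn, now, max_age=60):
    """List mismatches between the returned header and the call as routed.
    The ES256 signature itself is not verified here."""
    head, claims, params = parse_identity(value)
    checks = [
        ("unexpected JOSE header", (head.get("alg"), head.get("ppt")) == ("ES256", "shaken")),
        ("info does not match x5u", params.get("info") == "<%s>" % head.get("x5u")),
        ("attestation changed", claims.get("attest") == attest),
        ("orig tn mismatch", claims.get("orig", {}).get("tn") == orig_tn),
        ("dest tn mismatch", dest_tn in claims.get("dest", {}).get("tn", [])),
        ("missing origid", bool(claims.get("origid"))),
        ("stale iat", abs(now - claims.get("iat", 0)) <= max_age),
    ]
    return [msg for msg, ok in checks if not ok]

def sample_identity(attest, orig_tn, dest_tn, iat):
    """Constructed stand-in for a signing service response (placeholder signature)."""
    x5u = "https://certs.example.invalid/sp.pem"
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    body = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
            "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000001"}
    token = ".".join(_b64url(json.dumps(d).encode()) for d in (head, body))
    return "%s.%s;info=<%s>;alg=ES256;ppt=shaken" % (token, _b64url(b"sig"), x5u)
```

An empty list from `check_identity` means the header matches the attestation and numbers that were requested, so it can be attached to the INVITE; anything else should stop the call from going out with that header.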
Mike, that is great you have a solution that we have all had for years in the industry to let resellers host their own certs for you to sign their calls.
Unless I am missing something, where do they control which calls get an A, B or C? Part of the 8th order is that they have to control that logic and make the decision. You cannot make it for them.
Based on the documentation, you set up a ruleset on their platform. The calls use that ruleset to assign attestation. Because the VSP has to set up the ruleset, that must count as them making the attestation decision.
Is this a full time thing for you or are you doing it on the side? Because you’re about to invest a couple thousand dollars just to get into compliance. As well, once you become a 499 filer you will have to charge taxes/fees and remit them to the FCC. Even more so, once you are a registered provider there are numerous other compliances you will need to deal with.
You are about to have a whole bunch of new costs and responsibilities to support 30 end users.
Well this seems like a tall order for just getting started out. Luckily I believe this company has my Robocall Mitigation Database FRN & 499 submitted already. I will need to look into the OCN though as the company has been around a while and I think our OCN was issued based on an old carrier and has nothing to do with our current offerings with Bandwidth. Would I need a new OCN with my current carrier?
Also, where am I getting the STIR/SHAKEN token once I am at this step? I see a lot of information out there walking through the steps, but to make sure I am on the right track here (again thank you all for your input!) I need to register with iconectiv.com for my company specifically, and chase the token down through them it seems.
The 499 and OCN aren’t due to a relationship you have with a carrier - they’re specific to your organization that is offering interconnected VoIP to end users.
That’s the right place, but you need your OCN to get the token.
Your OCN has nothing to do with your upstreams. It means Operating Carrier Number and each provider has a unique OCN.
Are you 100% sure of that?
Well, someone of authority at the company needs to do this. Iconectiv is going to want to know very specific details for the onboarding including your annual telecom revenue you report to the FCC.
I remember the meeting and the RMDB 12/31/24 deadline but I will follow up on this.
It feels like this is a massive task to undertake to get compliant for the small number of customers I currently support. This is a part of our service offerings that I have started since coming on with the company. I would love to take this small single line home voice service and small business basic VoIP as large as I can get it, but I am still just getting the program off the ground floor.
Backing up a little, I am maybe missing something that I hope you all can help me understand, which gets at the heart of the initial question: what is the difference between my in-house service I run for the company, where I have just a handful of DIDs, versus the FreePBX server I am running to support these few end users? How will my upstream carriers (I use VI for my in-house PBX) know the difference between my resold service vs my company service as far as STIR/SHAKEN is considered? Does S/S framework apply to both equally?
VSPs must do Know Your Customer verification. Bandwidth is a “carrier’s carrier”; they consider you a provider by essence of setting up an account with them. VI on the other hand went from being a provider to anyone but has transformed to a wholesale carrier under Sangoma. The KYC should cover if you are a provider or just an end user.
Since you directly charge people for voice services, you are a VSP. The VSP is responsible for being compliant with S/S and all the federal and state requirements.
Honestly though, without some serious customization of your FreePBX system…it’s not going to be suitable for you to do all this. As I said, there’s a lot to be done in addition to paying setup fees.