STIR/SHAKEN compliance is no longer new to most communication service providers. Since the FCC and CRTC stepped up enforcement after 2021, the rule is simple: providers must authenticate and verify caller identity to fight spoofing and fraud.
In practice, however, many providers, especially smaller or non-facilities-based operators face the same question: how to build a compliant framework in the first place. Implementing STIR/SHAKEN can be technically complex, costly if outsourced to third-party vendors, and risky if implemented incorrectly. On top of that, many are still unsure where to obtain authorized certificates and how to register with the proper authorities to achieve full compliance.
That’s why we built the STIR/SHAKEN framework is built directly into our P-Series Cloud PBX for shared trunks. With the built-in solution you don’t need extra integrations or a separate signing infrastructure, just upload your certificates to the Yeastar Central Management plaform and the system handles signing and verification automatically.
In this post, we’ll walk you through who needs certificates, how to obtain them, and how to apply them in PBX system in detail. So you can achieve STIR/SHAKEN compliance quickly and reliably. Follow along, it will be valuable at every step.
Jump to ↓
- Who Needs the STIR/SHAKEN Certificate (STI Certificate) →
- 4 Steps to Obtain the Certificates →
- In-house STIR/SHAKEN Solution on Yeastar Cloud PBX system →
Who Needs the STIR/SHAKEN Certificate
According to FCC, any voice service provider that originates SIP calls must implement the STIR/SHAKEN framework and sign calls with an authorized STI certificate.
In practical terms:
- Tier-1 carriers, CLECs, and ITSPs controlling their own PSTN numbers need to obtain their own certificates.
- Non-facilities-based ITSPs or providers with their own softswitch that originate calls also need to hold their own certificates.
- Resellers or providers that only resell trunk resources do not need their own certificates. However, they must register in the FCC Robocall Mitigation Database (RMD), declare the use of upstream certificates, and enforce robocall mitigation policies.
To enable the built-in STIR/SHAKEN infrastructure in Yeastar P-Series Cloud PBX, you will need either your own STI certificate or a certificate authorized by your upstream service provider.
4 Clear Steps to Obtain the Certificates
If your company owns trunk resources or originates calls that need to be signed, you’ll need to obtain your own STIR/SHAKEN certificates. The process is straightforward, verify your identity, get the required certificates, and complete the registration.
Here’s a complete step-by-step breakdown.
Step 1: Verify Your Eligibility as a Voice Service Provider
To qualify for signing calls under the STIR/SHAKEN framework, you must first prove your legitimacy as a U.S. voice service provider. This requires:
- FCC Registration (FCC Form 499-A)
Register with the FCC here and obtain your 499 Filer ID. *This registration is free. - Apply for an Operating Company Number (OCN)
The National Extension Carrier Association (NECA) is responsible for distributing Operating Company Numbers (OCNs). All information for applying for your OCN can be gleaned from their website. Required documents typically include:
(1) Interconnection agreement with an upstream carrier
(2) Invoice copy with one of your customers
(3) Certified copy of Articles of Association
(4) Basic administrative details
*NECA charges a standard fee of $475 for each OCN application. If you need an expedited service with a 3 day turnaround time it costs $600. - Verify Your Number Resources (NANP Numbers)
You must have verifiable U.S. number resources, either directly owned or allocated through an upstream ITSP.
*These credentials are required for STI-PA verification. Without a valid OCN and FCC Filer ID, your company cannot be recognized as an authorized voice service provider.
Step2: Register with the Secure Telephony Identity Policy Administrator (STI-PA)
The FCC has authorized Iconectiv as the official STI Policy Administrator (STI-PA). You’ll need to register with Iconectiv to obtain a Service Provider Code (SPC) Token, which authorizes you to request certificates from approved Certification Authorities (CAs).
You should click on “Getting Started” under the Service Provider section.
You will need to provide the following:
- Company name and address
- FCC 499 Filer ID
- OCN
- Billing contact details
Once verified, you’ll receive your SPC Token, a digital credential proving your authorization to request STIR/SHAKEN certificates. The SPC Token is typically valid for one year and must be renewed periodically.
Step 3: Obtain Your STIR/SHAKEN Certificate
With your SPC Token in hand, the next step is to request your certificate from an approved Certification Authority (CA). You can obtain it from any CA listed in the official directory of approved providers.
You’ll need to submit:
- Your SPC Token
- A Certificate Signing Request (CSR)
- Basic company information
Once verified, the CA will issue your STI Certificate, which will be used by your authentication service to sign outbound calls and by the verification service to validate inbound calls.
*Most CAs charge an annual fee for certificate issuance and maintenance.
Step 4: Register with the FCC Robocall Mitigation Database (RMD)
Finally, all voice service providers regardless of size or call volume must register in the FCC Robocall Mitigation Database (RMD)
You’ll need to submit:
- FCC Filer ID
- Company and contact information
- Whether STIR/SHAKEN is fully implemented
- Your implementation type (Full / Partial / Gateway / Hosted)
- Robocall mitigation details (if not fully compliant)
After submission, your company will appear in the public RMD listings.
*If your upstream carrier performs the signing on your behalf, you can register as “Hosted” or “Partial Implementation” and indicate your reliance on the upstream’s STIR/SHAKEN compliance.
You can complete the process by following this checklist below:
| STIR/SHAKEN Certificate Application Checklist | ||
|---|---|---|
| Step | What You Need to Do | Links |
| Verify Eligibility | • Register with FCC and get 499 Filer ID (Form 499-A) • Apply for Operating Company Number (OCN) via NECA • Verify your NANP number resources |
FCC Registration (Form 499-A), NECA OCN Application Info |
| Register with STI-PA | • Register with Iconectiv • Obtain SPC Token (valid for 1 year) |
Iconectiv STI-PA – Get Started |
| Obtain STIR/SHAKEN Certificate | • Request certificate from an approved Certification Authority (CA) • Receive STI Certificate (used for signing and verification) |
List of Approved CAs |
| Register in RMD | Provide robocall mitigation details if applicable | FCC Robocall Mitigation Database Portal |
In-House STIR/SHAKEN Solution on Yeastar Cloud PBX
Once you obtain the STIR/SHAKEN certificate, you can upload it and set your signing and verification strategy directly in Yeastar Central Management (YCM). With the built-in STIR/SHAKEN framework, the system automatically manages both outgoing call signing and incoming call verification, ensuring regulatory compliance and trusted caller identification.
For outgoing calls:
PBX system uses your uploaded STIR/SHAKEN certificate to sign each outbound call with a digital signature. This ensures that every call carries verified caller identity information and can be authenticated by the receiving network.
For incoming calls:
When an inbound SIP call arrives, the PBX checks the SIP header for the originating provider’s public key reference, retrieves it, and verifies the caller’s digital signature.
If the verification passes, the call is marked as trusted and delivered. If not, the system automatically applies your predefined rules to filter or drop suspicious calls, keeping spoofed and robocalls out of your network.
For call records and tracking:
All inbound verification and outbound signing results are automatically logged in the Call Detail Records (CDR) for monitoring and compliance tracking.
In short, our P-Series Cloud PBX takes care of the entire STIR/SHAKEN workflow from signing to verification completely on its own, without the need for extra systems or complicated setup. This makes it easy for you to implement, saves on infrastructure and development costs, ensures regulatory compliance, and builds trust in every call. With the technical details handled automatically, you can stay competitive and focus on growing your business. Read more
If you have any questions about using or configuring the STIR/SHAKEN solution, please check on the configuration guide.
