{"id":737,"date":"2026-03-14T20:14:41","date_gmt":"2026-03-14T20:14:41","guid":{"rendered":"https:\/\/www.vos3000.com\/blog\/?p=737"},"modified":"2026-03-14T20:14:48","modified_gmt":"2026-03-14T20:14:48","slug":"stir-shaken-implementation","status":"publish","type":"post","link":"https:\/\/www.vos3000.com\/blog\/stir-shaken-implementation\/","title":{"rendered":"STIR\/SHAKEN Implementation Guide \u2013 Open Source Solutions with Kamailio and Asterisk"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\" id=\"stir-shaken-implementation-guide-open-source-solutions-with-kamailio-and-asterisk\">STIR\/SHAKEN Implementation Guide \u2013 Open Source Solutions with Kamailio and Asterisk<\/h1>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#stir-shaken-implementation-guide-open-source-solutions-with-kamailio-and-asterisk\">STIR\/SHAKEN Implementation Guide \u2013 Open Source Solutions with Kamailio and Asterisk<\/a><ul><li><a href=\"#introduction-to-stir-shaken-implementation-for-vo-ip-providers\">Introduction to STIR\/SHAKEN Implementation for VoIP Providers<\/a><\/li><li><a href=\"#\ud83d\udd0d-understanding-stir-shaken-architecture-and-components\">\ud83d\udd0d Understanding STIR\/SHAKEN Architecture and Components<\/a><ul><li><a href=\"#stir-shaken-core-components\">STIR\/SHAKEN Core Components<\/a><\/li><li><a href=\"#attestation-levels-explained\">Attestation Levels Explained<\/a><\/li><\/ul><\/li><li><a href=\"#\ud83d\udee0\ufe0f-kamailio-stir-shaken-module-configuration\">\ud83d\udee0\ufe0f Kamailio STIR\/SHAKEN Module Configuration<\/a><ul><li><a href=\"#installing-kamailio-with-stir-shaken-support\">Installing Kamailio with STIR\/SHAKEN Support<\/a><\/li><li><a href=\"#kamailio-stir-shaken-configuration\">Kamailio STIR\/SHAKEN Configuration<\/a><\/li><li><a href=\"#kamailio-as-stir-shaken-gateway-for-vos-3000\">Kamailio as STIR\/SHAKEN Gateway for VOS3000<\/a><\/li><\/ul><\/li><li><a href=\"#\ud83d\udda5\ufe0f-asterisk-stir-shaken-configuration\">\ud83d\udda5\ufe0f Asterisk STIR\/SHAKEN Configuration<\/a><ul><li><a href=\"#asterisk-stir-shaken-module-setup\">Asterisk STIR\/SHAKEN Module Setup<\/a><\/li><li><a href=\"#pjsip-endpoint-stir-shaken-configuration\">PJSIP Endpoint STIR\/SHAKEN Configuration<\/a><\/li><\/ul><\/li><li><a href=\"#\ud83d\udcdc-stir-shaken-certificate-management\">\ud83d\udcdc STIR\/SHAKEN Certificate Management (STIR\/SHAKEN Implementation)<\/a><ul><li><a href=\"#certificate-sources-and-pricing\">Certificate Sources and Pricing<\/a><\/li><li><a href=\"#certificate-installation-process\">Certificate Installation Process<\/a><\/li><\/ul><\/li><li><a href=\"#\ud83d\udd04-vos-3000-integration-with-stir-shaken-gateway\">\ud83d\udd04 VOS3000 Integration with STIR\/SHAKEN Gateway<\/a><ul><li><a href=\"#vos-3000-routing-configuration-for-stir-shaken\">VOS3000 Routing Configuration for STIR\/SHAKEN (STIR\/SHAKEN Implementation)<\/a><\/li><\/ul><\/li><li><a href=\"#\ud83d\udcca-stir-shaken-server-requirements\">\ud83d\udcca STIR\/SHAKEN Server Requirements<\/a><\/li><li><a href=\"#\ud83e\uddea-stir-shaken-testing-and-verification\">\ud83e\uddea STIR\/SHAKEN Testing and Verification (STIR\/SHAKEN Implementation)<\/a><ul><li><a href=\"#testing-methods\">Testing Methods<\/a><\/li><li><a href=\"#\ud83d\udcda-related-resources\">\ud83d\udcda Related Resources:<\/a><\/li><\/ul><\/li><li><a href=\"#\u2753-frequently-asked-questions-about-stir-shaken-implementation\">\u2753 Frequently Asked Questions About STIR\/SHAKEN Implementation<\/a><\/li><li><a href=\"#\ud83d\udcde-need-call-center-setup-support\">\ud83d\udcde Need Call Center Setup Support?<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"introduction-to-stir-shaken-implementation-for-vo-ip-providers\">Introduction to STIR\/SHAKEN Implementation for VoIP Providers<\/h2>\n\n\n\n<p>STIR\/SHAKEN implementation has become mandatory for all VoIP service providers operating in the United States and Canada, following FCC regulations designed to combat robocall fraud and caller ID spoofing. The STIR\/SHAKEN framework, which stands for Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted information using toKENs (SHAKEN), uses cryptographic signatures to verify that the calling party is authorized to use the phone number displayed on the recipient&#8217;s caller ID. For VoIP providers using VOS3000 softswitch or similar platforms, implementing STIR\/SHAKEN requires either native softswitch support or deployment of a separate authentication gateway.<\/p>\n\n\n\n<p>Open source solutions for STIR\/SHAKEN implementation provide cost-effective alternatives to commercial services, allowing providers to maintain control over their infrastructure while achieving regulatory compliance. Kamailio SIP server includes native STIR\/SHAKEN modules (secsipid and stirshaken) that can sign and verify calls at the SIP signaling layer. Similarly, Asterisk PBX has built-in STIR\/SHAKEN support through the res_stir_shaken module since version 18. These open source tools enable providers to implement caller ID authentication without recurring subscription fees, making compliance accessible even for smaller operators.<\/p>\n\n\n\n<p>\ud83d\udca1 <strong>Critical Requirement:<\/strong> VOS3000 softswitch does NOT have native STIR\/SHAKEN support. VoIP providers using VOS3000 must deploy a separate STIR\/SHAKEN gateway (Kamailio, Asterisk, or commercial service) to sign calls before they reach carriers. This architecture allows VOS3000 to continue handling routing and billing while the STIR\/SHAKEN layer handles authentication.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83d\udd0d-understanding-stir-shaken-architecture-and-components\">\ud83d\udd0d Understanding STIR\/SHAKEN Architecture and Components<\/h2>\n\n\n\n<p>STIR\/SHAKEN implementation requires understanding several interconnected components that work together to authenticate caller identity. The framework operates at the SIP signaling layer, adding a cryptographically signed token to the SIP Identity header during call setup. This token, called a PASSporT (Personal Assertion Token), contains claims about the call including the calling number, called number, timestamp, and attestation level. The receiving party can verify this signature using public certificates published in the SHAKEN ecosystem.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"stir-shaken-core-components\">STIR\/SHAKEN Core Components<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Component<\/th><th>Function<\/th><th>Implementation<\/th><\/tr><\/thead><tbody><tr><td><strong>PASSporT Token<\/strong><\/td><td>JWT containing call claims (orig\/dest numbers, timestamp)<\/td><td>Generated by STI-AS (Attestation Service)<\/td><\/tr><tr><td><strong>Identity Header<\/strong><\/td><td>SIP header carrying the signed PASSporT<\/td><td>Added by signing service, verified by receiver<\/td><\/tr><tr><td><strong>STI-AS<\/strong><\/td><td>Secure Telephone Identity Attestation Service<\/td><td>Signs outgoing calls with private key<\/td><\/tr><tr><td><strong>STI-VS<\/strong><\/td><td>Secure Telephone Identity Verification Service<\/td><td>Verifies incoming call signatures<\/td><\/tr><tr><td><strong>STI-CA<\/strong><\/td><td>Certificate Authority for SHAKEN<\/td><td>Issues certificates (Neustar, Transnexus, etc.)<\/td><\/tr><tr><td><strong>TNAuth Certificate<\/strong><\/td><td>Certificate proving number authorization<\/td><td>Contains authorized telephone numbers<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"attestation-levels-explained\">Attestation Levels Explained<\/h3>\n\n\n\n<p>STIR\/SHAKEN implementation uses three attestation levels to indicate the level of confidence in the caller ID authenticity. These levels help terminating carriers and consumers understand how thoroughly the calling number has been verified by the originating service provider.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                    STIR\/SHAKEN ATTESTATION LEVELS                        \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502                                                                          \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502  ATTESTATION LEVEL A - FULL                                      \u2502   \u2502\n\u2502  \u2502  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500  \u2502   \u2502\n\u2502  \u2502  \u2022 Service provider verified caller is authorized to use         \u2502   \u2502\n\u2502    the telephone number                                            \u2502   \u2502\n\u2502  \u2502  \u2022 Customer has passed identity verification                     \u2502   \u2502\n\u2502  \u2502  \u2022 Number assigned to customer account                           \u2502   \u2502\n\u2502  \u2502  \u2022 Highest trust level - shows \"Verified Call\"                   \u2502   \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u2502                                                                          \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502  ATTESTATION LEVEL B - PARTIAL                                   \u2502   \u2502\n\u2502  \u2502  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500  \u2502   \u2502\n\u2502  \u2502  \u2022 Call originated from known customer                           \u2502   \u2502\n\u2502  \u2502  \u2022 Cannot verify specific number authorization                   \u2502   \u2502\n\u2502  \u2502  \u2022 Common for enterprise PBX with multiple DIDs                  \u2502   \u2502\n\u2502  \u2502  \u2022 Medium trust level                                            \u2502   \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u2502                                                                          \u2502\n\u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510   \u2502\n\u2502  \u2502  ATTESTATION LEVEL C - GATEWAY                                   \u2502   \u2502\n\u2502  \u2502  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500  \u2502   \u2502\n\u2502  \u2502  \u2022 Call passed through gateway from unknown source               \u2502   \u2502\n\u2502  \u2502  \u2022 No verification of caller ID                                  \u2502   \u2502\n\u2502  \u2502  \u2022 Used for transit\/wholesale traffic                            \u2502   \u2502\n\u2502  \u2502  \u2022 Lowest trust level - may show warning                         \u2502   \u2502\n\u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518   \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83d\udee0\ufe0f-kamailio-stir-shaken-module-configuration\">\ud83d\udee0\ufe0f Kamailio STIR\/SHAKEN Module Configuration<\/h2>\n\n\n\n<p>Kamailio SIP server provides two modules for STIR\/SHAKEN implementation: secsipid (recommended) and stirshaken. The secsipid module uses the SecSIPIDx library, a mature Go\/C implementation that handles both signing and verification. This module can operate as a REST API server, allowing integration with existing infrastructure without modifying the Kamailio core configuration significantly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"installing-kamailio-with-stir-shaken-support\">Installing Kamailio with STIR\/SHAKEN Support<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Install Kamailio with STIR\/SHAKEN modules on CentOS\/RHEL\nyum install -y kamailio kamailio-secsipidx kamailio-mysql\n\n# Install libstirshaken (alternative approach)\ngit clone https:\/\/github.com\/signalwire\/libstirshaken.git\ncd libstirshaken\n.\/bootstrap.sh\n.\/configure\nmake &amp;&amp; make install\n\n# Kamailio secsipid module installation\nkamailio -V  # Verify installation\n# Load module in kamailio.cfg:\nloadmodule \"secsipid.so\"\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"kamailio-stir-shaken-configuration\">Kamailio STIR\/SHAKEN Configuration<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Kamailio secsipid Module Configuration\n# \/etc\/kamailio\/kamailio.cfg\n\n# Load STIR\/SHAKEN module\nloadmodule \"secsipid.so\"\n\n# Module parameters\nmodparam(\"secsipid\", \"mode\", 1)  # 1=sign, 2=verify, 3=both\nmodparam(\"secsipid\", \"libopt\", 4)  # Enable certificate caching\n\n# Certificate paths\nmodparam(\"secsipid\", \"key_path\", \"\/etc\/kamailio\/certs\/private.pem\")\nmodparam(\"secsipid\", \"cert_path\", \"\/etc\/kamailio\/certs\/public.pem\")\n\n# Attestation level (A=1, B=2, C=3)\nmodparam(\"secsipid\", \"attest_level\", 1)\n\n# REST API endpoint for external signing service\nmodparam(\"secsipid\", \"sign_endpoint\", \"http:\/\/localhost:8080\/sign\")\n\n# Verification settings\nmodparam(\"secsipid\", \"verify_timeout\", 5)\nmodparam(\"secsipid\", \"cache_expire\", 3600)\n\n# Request routing with STIR\/SHAKEN signing\nrequest_route {\n    # Sign outgoing calls\n    if (is_method(\"INVITE\") &amp;&amp; !has_totag()) {\n        # Extract caller and called numbers\n        $var(caller) = $fU;  # From user (caller)\n        $var(called) = $rU;  # R-URI user (called)\n\n        # Sign the call\n        if (secsipid_sign($var(caller), $var(called))) {\n            xlog(\"L_INFO\", \"Call signed successfully\\n\");\n        } else {\n            xlog(\"L_ERR\", \"STIR\/SHAKEN signing failed: $secsipid_error\\n\");\n        }\n    }\n\n    # Verify incoming calls\n    if (is_method(\"INVITE\") &amp;&amp; has_totag()) {\n        if (secsipid_verify()) {\n            xlog(\"L_INFO\", \"STIR\/SHAKEN verification passed\\n\");\n            # Get verification result\n            $var(attest) = $secsipid_attest;\n            xlog(\"L_INFO\", \"Attestation level: $var(attest)\\n\");\n        }\n    }\n\n    # Continue with normal routing\n    route(RELAY);\n}\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"kamailio-as-stir-shaken-gateway-for-vos-3000\">Kamailio as STIR\/SHAKEN Gateway for VOS3000<\/h3>\n\n\n\n<p>The most practical deployment for VOS3000 users is placing Kamailio as a front-end STIR\/SHAKEN gateway. In this architecture, calls from VOS3000 are first sent to Kamailio, which signs them with valid certificates before forwarding to carriers. This approach requires no modifications to VOS3000 and maintains full compatibility with existing routing and billing configurations.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502         KAMAILIO STIR\/SHAKEN GATEWAY FOR VOS3000                        \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502                                                                          \u2502\n\u2502   \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510                                                    \u2502\n\u2502   \u2502   VOS3000     \u2502                                                    \u2502\n\u2502   \u2502   Softswitch  \u2502                                                    \u2502\n\u2502   \u2502 (No STIR\/     \u2502                                                    \u2502\n\u2502   \u2502  SHAKEN)      \u2502                                                    \u2502\n\u2502   \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518                                                    \u2502\n\u2502           \u2502                                                             \u2502\n\u2502           \u2502 SIP INVITE (unsigned)                                       \u2502\n\u2502           \u25bc                                                             \u2502\n\u2502   \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510            \u2502\n\u2502   \u2502              KAMAILIO STIR\/SHAKEN GATEWAY             \u2502            \u2502\n\u2502   \u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2502            \u2502\n\u2502   \u2502  \u2502  1. Receive INVITE from VOS3000                 \u2502 \u2502            \u2502\n\u2502   \u2502  \u2502  2. Extract caller\/called numbers               \u2502 \u2502            \u2502\n\u2502   \u2502  \u2502  3. Generate PASSporT token                     \u2502 \u2502            \u2502\n\u2502   \u2502  \u2502  4. Sign with private key (A\/B\/C attest)        \u2502 \u2502            \u2502\n\u2502   \u2502  \u2502  5. Add Identity header to SIP                  \u2502 \u2502            \u2502\n\u2502   \u2502  \u2502  6. Forward signed INVITE to carrier            \u2502 \u2502            \u2502\n\u2502   \u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2502            \u2502\n\u2502   \u2502                                                       \u2502            \u2502\n\u2502   \u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510               \u2502            \u2502\n\u2502   \u2502  \u2502 secsipid.so   \u2502  \u2502 Certificate   \u2502               \u2502            \u2502\n\u2502   \u2502  \u2502 Module        \u2502  \u2502 Store         \u2502               \u2502            \u2502\n\u2502   \u2502  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518               \u2502            \u2502\n\u2502   \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518            \u2502\n\u2502           \u2502                                                             \u2502\n\u2502           \u2502 SIP INVITE (with Identity header)                           \u2502\n\u2502           \u25bc                                                             \u2502\n\u2502   \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510                                                    \u2502\n\u2502   \u2502   CARRIER     \u2502                                                    \u2502\n\u2502   \u2502   NETWORK     \u2502                                                    \u2502\n\u2502   \u2502 (Verifies     \u2502                                                    \u2502\n\u2502   \u2502  signature)   \u2502                                                    \u2502\n\u2502   \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518                                                    \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83d\udda5\ufe0f-asterisk-stir-shaken-configuration\">\ud83d\udda5\ufe0f Asterisk STIR\/SHAKEN Configuration<\/h2>\n\n\n\n<p>Asterisk PBX version 18 and later includes native STIR\/SHAKEN support through the res_stir_shaken and res_pjsip_stir_shaken modules. This implementation allows Asterisk to both sign outgoing calls and verify incoming calls. The Asterisk approach is particularly suitable for call centers, PBX deployments, and smaller VoIP operations where a full SIP proxy like Kamailio may be overkill.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"asterisk-stir-shaken-module-setup\">Asterisk STIR\/SHAKEN Module Setup<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Asterisk STIR\/SHAKEN Configuration\n# \/etc\/asterisk\/stir_shaken.conf<\/pre>\n\n\n<p>[general]<\/p>\n\n\n\n<p>; Enable STIR\/SHAKEN functionality enabled = yes ; Certificate configuration<\/p>\n\n\n<p>[my_certificate]<\/p>\n\n\n\n<p>type = attestation ; Attestation level: A, B, or C attest_level = A ; Certificate file paths (obtain from STI-CA) private_key_file = \/etc\/asterisk\/keys\/private.pem public_cert_file = \/etc\/asterisk\/keys\/public.pem ca_file = \/etc\/asterisk\/keys\/ca.pem ; Caller ID to certificate mapping<\/p>\n\n\n<p>[callerid_map]<\/p>\n\n\n\n<p>type = callerid callerid = +1XXXXXXXXXX attestation = my_certificate ; Endpoint configuration for signing<\/p>\n\n\n<p>[signing_config]<\/p>\n\n\n\n<p>type = endpoint stir_shaken = yes attest_level = A check_tn_auth = yes ; Verification configuration<\/p>\n\n\n<p>[verification]<\/p>\n\n\n\n<p>type = verify ; Action on verification failure: allow, reject, continue failure_action = continue ; Cache verified certificates cache_expiry = 3600<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"pjsip-endpoint-stir-shaken-configuration\">PJSIP Endpoint STIR\/SHAKEN Configuration<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Asterisk PJSIP Configuration with STIR\/SHAKEN\n# \/etc\/asterisk\/pjsip.conf\n\n; Trunk to carrier with STIR\/SHAKEN<\/pre>\n\n\n<p>[carrier-trunk]<\/p>\n\n\n\n<p>type = endpoint context = from-carrier disallow = all allow = ulaw,alaw,g729 outbound_auth = carrier-auth aors = carrier-aor ; Enable STIR\/SHAKEN signing stir_shaken_profile = signing_config<\/p>\n\n\n<p>[carrier-auth]<\/p>\n\n\n\n<p>type = auth username = your_username password = your_password<\/p>\n\n\n<p>[carrier-aor]<\/p>\n\n\n\n<p>type = aor contact = sip:carrier.ip.address:5060 ; Incoming verification<\/p>\n\n\n<p>[incoming-trunk]<\/p>\n\n\n\n<p>type = endpoint context = from-pstn disallow = all allow = ulaw,alaw ; Verify incoming STIR\/SHAKEN stir_shaken_profile = verification<\/p>\n\n\n\n<p>\u26a0\ufe0f <strong>Certificate Requirement:<\/strong> Both Kamailio and Asterisk require valid certificates from an authorized STI-CA (Secure Telephone Identity Certification Authority) such as Neustar, Transnexus, or Telnyx. Self-signed certificates are NOT acceptable for production STIR\/SHAKEN implementation. Certificate costs typically range from $100-500\/month depending on provider and number of DIDs.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83d\udcdc-stir-shaken-certificate-management\">\ud83d\udcdc STIR\/SHAKEN Certificate Management (STIR\/SHAKEN Implementation)<\/h2>\n\n\n\n<p>Certificate management is the most critical aspect of STIR\/SHAKEN implementation. Certificates must be obtained from an authorized STI-CA, installed securely on your signing server, and renewed before expiration. The certificate contains TNAuth (Telephone Number Authorization) claims that prove your authorization to sign calls for specific telephone numbers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"certificate-sources-and-pricing\">Certificate Sources and Pricing<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Provider<\/th><th>Type<\/th><th>Monthly Cost<\/th><th>Features<\/th><\/tr><\/thead><tbody><tr><td><strong>Neustar<\/strong><\/td><td>STI-CA<\/td><td>$250-500<\/td><td>Industry standard, full support<\/td><\/tr><tr><td><strong>Transnexus<\/strong><\/td><td>STI-CA + Service<\/td><td>$250-500<\/td><td>Managed service option<\/td><\/tr><tr><td><strong>Telnyx<\/strong><\/td><td>Carrier + STI-CA<\/td><td>$100-200<\/td><td>Included with SIP trunking<\/td><\/tr><tr><td><strong>ClearlyIP<\/strong><\/td><td>STI-CA<\/td><td>$150-300<\/td><td>FreePBX integration<\/td><\/tr><tr><td><strong>SignalWire<\/strong><\/td><td>Open Source<\/td><td>Free (self-hosted)<\/td><td>libstirshaken library<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"certificate-installation-process\">Certificate Installation Process<\/h3>\n\n\n\n<p><strong>Step 1: Apply for Certificate<\/strong> \u2013 Submit application to STI-CA with your company information, TN registration documents, and proof of telephone number ownership<\/p>\n\n\n\n<p><strong>Step 2: Identity Verification<\/strong> \u2013 Complete business verification process (similar to SSL certificate validation)<\/p>\n\n\n\n<p><strong>Step 3: Number Authorization<\/strong> \u2013 Prove ownership or authorization for telephone numbers you will sign<\/p>\n\n\n\n<p><strong>Step 4: Certificate Issuance<\/strong> \u2013 STI-CA issues TNAuth certificate containing authorized numbers<\/p>\n\n\n\n<p><strong>Step 5: Installation<\/strong> \u2013 Install private key and certificate on your signing server (Kamailio\/Asterisk)<\/p>\n\n\n\n<p><strong>Step 6: Testing<\/strong> \u2013 Test signing and verification with test calls to verifying parties<\/p>\n\n\n\n<p><strong>Step 7: Monitoring<\/strong> \u2013 Set up certificate expiration monitoring (typically 1-2 year validity)<\/p>\n\n\n\n<p>\u2705 <strong>Free Option:<\/strong> SignalWire&#8217;s libstirshaken library provides free, open source STIR\/SHAKEN implementation. However, you still need a valid certificate from an STI-CA for production use. The library handles token generation and verification, reducing implementation complexity.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83d\udd04-vos-3000-integration-with-stir-shaken-gateway\">\ud83d\udd04 VOS3000 Integration with STIR\/SHAKEN Gateway<\/h2>\n\n\n\n<p>Integrating VOS3000 with a STIR\/SHAKEN gateway requires configuring routing to send calls through the signing server before reaching carriers. This can be accomplished by setting up the STIR\/SHAKEN server as a &#8220;carrier&#8221; in VOS3000&#8217;s routing gateway configuration, effectively making it the first hop in the call path.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"vos-3000-routing-configuration-for-stir-shaken\">VOS3000 Routing Configuration for STIR\/SHAKEN (STIR\/SHAKEN Implementation)<\/h3>\n\n\n\n<p><strong>1. Create Mapping Gateway:<\/strong> Add Kamailio\/Asterisk STIR\/SHAKEN server as a mapping gateway in VOS3000 with IP authentication<\/p>\n\n\n\n<p><strong>2. Configure Routing Gateway:<\/strong> Set up routing rules to send calls through the STIR\/SHAKEN gateway first<\/p>\n\n\n\n<p><strong>3. Gateway Group Setup:<\/strong> Create gateway group that includes STIR\/SHAKEN server as primary and carriers as secondary<\/p>\n\n\n\n<p><strong>4. Caller ID Passthrough:<\/strong> Ensure caller ID is passed correctly to the signing server for attestation<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502         VOS3000 + STIR\/SHAKEN INTEGRATION ARCHITECTURE                   \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502                                                                          \u2502\n\u2502  CLIENTS          VOS3000           STIR\/SHAKEN         CARRIERS        \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502  1. INVITE      \u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25b6\u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502 2. Route to      \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502    STIR\/SHAKEN   \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25b6\u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502 3. Sign call     \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502    (add Identity)\u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502 4. Forward       \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502    to carrier    \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u25b6\u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502 5. Verify  \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502    &amp; route \u2502\n\u2502    \u2502                 \u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502\u25c0\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2502            \u2502\n\u2502    \u2502                 \u2502                  \u2502  200 OK \/ 183    \u2502            \u2502\n\u2502    \u2502                 \u2502\u25c0\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2502                  \u2502            \u2502\n\u2502    \u2502\u25c0\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2502                  \u2502                  \u2502            \u2502\n\u2502    \u2502  200 OK         \u2502                  \u2502                  \u2502            \u2502\n\u2502                                                                          \u2502\n\u2502  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550    \u2502\n\u2502  VOS3000 Configuration:                                                  \u2502\n\u2502  \u2022 Gateway Type: Mapping Gateway                                         \u2502\n\u2502  \u2022 Gateway IP: [STIR\/SHAKEN Server IP]                                   \u2502\n\u2502  \u2022 Signaling Port: 5060                                                  \u2502\n\u2502  \u2022 Media: Bypass (pass-through)                                          \u2502\n\u2502  \u2022 Caller ID: Preserve original                                          \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/pre>\n\n\n\n<p><strong>\ud83d\udcde Need STIR\/SHAKEN Gateway Server?<\/strong><\/p>\n\n\n\n<p>Get pre-configured Kamailio or Asterisk STIR\/SHAKEN gateway server ready for VOS3000 integration. We provide certificate installation, attestation configuration, and complete setup.<\/p>\n\n\n\n<p>\ud83d\udcac <a href=\"https:\/\/wa.me\/8801911119966\" target=\"_blank\" rel=\"noreferrer noopener\">WhatsApp: +8801911119966<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83d\udcca-stir-shaken-server-requirements\">\ud83d\udcca STIR\/SHAKEN Server Requirements<\/h2>\n\n\n\n<p>STIR\/SHAKEN implementation has modest resource requirements since it operates at the SIP signaling layer only, without processing media. A lightweight server can handle thousands of calls per second, making it cost-effective to deploy alongside existing infrastructure.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Capacity<\/th><th>CPU<\/th><th>RAM<\/th><th>Storage<\/th><th>Monthly Cost<\/th><\/tr><\/thead><tbody><tr><td><strong>Small (&lt;500 CPS)<\/strong><\/td><td>2 Cores<\/td><td>2 GB<\/td><td>20 GB SSD<\/td><td>$15-25<\/td><\/tr><tr><td><strong>Medium (500-2000 CPS)<\/strong><\/td><td>4 Cores<\/td><td>4 GB<\/td><td>40 GB SSD<\/td><td>$30-50<\/td><\/tr><tr><td><strong>Large (2000+ CPS)<\/strong><\/td><td>8 Cores<\/td><td>8 GB<\/td><td>80 GB SSD<\/td><td>$80-150<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83e\uddea-stir-shaken-testing-and-verification\">\ud83e\uddea STIR\/SHAKEN Testing and Verification (STIR\/SHAKEN Implementation)<\/h2>\n\n\n\n<p>After completing STIR\/SHAKEN implementation, thorough testing is essential to verify correct operation. Testing should include both signing verification (ensuring your signatures are valid) and verification testing (ensuring you can correctly validate incoming signed calls). Several tools and services are available for testing without making actual phone calls.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-methods\">Testing Methods<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SecsIPIDx CLI Tool:<\/strong> Command-line tool for generating and verifying PASSporT tokens locally without making calls<\/li>\n\n\n\n<li><strong>Test Calls to Mobile:<\/strong> Many mobile carriers now display verification status; test calls should show &#8220;Verified&#8221; indicator<\/li>\n\n\n\n<li><strong>Carrier Verification:<\/strong> Work with your carrier&#8217;s technical support to verify they receive valid signatures<\/li>\n\n\n\n<li><strong>Transnexus Test Service:<\/strong> Free testing service that verifies STIR\/SHAKEN implementation<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"># Test STIR\/SHAKEN signing with secsipidx CLI\nsecsipidx sign -caller +1XXXXXXXXXX -called +1YYYYYYYYY \\\n  -key \/path\/to\/private.pem \\\n  -cert \/path\/to\/public.pem \\\n  -attest A\n\n# Verify a PASSporT token\nsecsipidx verify -token \"eyJhbGciOiJFUzI1NiIsInR5cCI6...\"\n\n# Check Identity header in SIP message\n# Look for header format:\n# Identity: eyJhbGciOiJFUzI1NiIsInR5cCI6Imp3dCIsInhtc...;info=;alg=ES256;ppt=shaken\n<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"\ud83d\udcda-related-resources\">\ud83d\udcda Related Resources:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/multahost.com\/blog\/be-careful-before-using-vos3000-web-management-interface-why\/\" target=\"_blank\" rel=\"noreferrer noopener\">VOS3000 Web Management Security Best Practices<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/multahost.com\/blog\/how-vos3000-get-hacked-by-sql-injection-script-prevent-hacking\/\" target=\"_blank\" rel=\"noreferrer noopener\">VOS3000 Security \u2013 Preventing SQL Injection Attacks<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/multahost.com\/blog\/vos3000-extended-firewall\/\" target=\"_blank\" rel=\"noreferrer noopener\">VOS3000 Extended Firewall Configuration Guide<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\u2753-frequently-asked-questions-about-stir-shaken-implementation\">\u2753 Frequently Asked Questions About STIR\/SHAKEN Implementation<\/h2>\n\n\n\n<p><strong>Q: Does VOS3000 support STIR\/SHAKEN natively?<\/strong><\/p>\n\n\n\n<p>A: No, VOS3000 does not have native STIR\/SHAKEN support. You must deploy a separate STIR\/SHAKEN gateway using Kamailio, Asterisk, or a commercial service to sign calls before they reach carriers.<\/p>\n\n\n\n<p><strong>Q: What is the minimum server requirement for STIR\/SHAKEN gateway?<\/strong><\/p>\n\n\n\n<p>A: A 2 GB RAM, 2 CPU core server can handle up to 500 calls per second (CPS) for STIR\/SHAKEN signing. The operation is CPU-intensive for cryptographic operations but does not require significant RAM or storage.<\/p>\n\n\n\n<p><strong>Q: Can I use free certificates for STIR\/SHAKEN?<\/strong><\/p>\n\n\n\n<p>A: No, valid STIR\/SHAKEN certificates must be obtained from an authorized STI-CA (Secure Telephone Identity Certification Authority). Self-signed or standard SSL certificates are not valid for SHAKEN. Certificate costs typically range from $100-500\/month.<\/p>\n\n\n\n<p><strong>Q: What attestation level should I use?<\/strong><\/p>\n\n\n\n<p>A: Use Attestation A (Full) when you have verified the customer owns the phone number. Use Attestation B (Partial) for enterprise PBX with multiple DIDs. Use Attestation C (Gateway) only for transit traffic where you cannot verify the caller.<\/p>\n\n\n\n<p><strong>Q: Is Kamailio or Asterisk better for STIR\/SHAKEN?<\/strong><\/p>\n\n\n\n<p>A: Kamailio is better for high-volume carrier-grade deployments with thousands of CPS, offering better performance and scalability. Asterisk is easier to configure for smaller deployments and integrates well with existing PBX installations.<\/p>\n\n\n\n<p><strong>Q: What happens if I don&#8217;t implement STIR\/SHAKEN?<\/strong><\/p>\n\n\n\n<p>A: Calls without valid STIR\/SHAKEN signatures may be blocked or marked as spam by US and Canadian carriers. The FCC requires all providers to implement STIR\/SHAKEN and may impose fines for non-compliance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\ud83d\ude80 Deploy Your STIR\/SHAKEN Gateway Today<\/strong><\/p>\n\n\n\n<p>Get pre-installed Kamailio or Asterisk server with STIR\/SHAKEN configuration ready for VOS3000 integration. Complete FCC compliance solution with certificate installation support.<\/p>\n\n\n\n<p>\ud83d\udcac <a href=\"https:\/\/wa.me\/8801911119966\" target=\"_blank\" rel=\"noreferrer noopener\">Contact Us: WhatsApp +8801911119966<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\ud83d\udcde-need-call-center-setup-support\">\ud83d\udcde Need Call Center Setup Support?<\/h2>\n\n\n\n<p>For professional VOS3000 call center configuration and deployment:<\/p>\n\n\n\n<p>\ud83d\udcf1 <strong>WhatsApp:<\/strong> <a href=\"https:\/\/wa.me\/8801911119966\" target=\"_blank\" rel=\"noopener\">+8801911119966<\/a><br>\ud83c\udf10 <strong>Website:<\/strong> <a href=\"https:\/\/www.vos3000.com\">www.vos3000.com<\/a><br>\ud83c\udf10 <strong>Blog:<\/strong> <a href=\"https:\/\/multahost.com\/blog\" target=\"_blank\" rel=\"noopener\">multahost.com\/blog<\/a><br>\ud83d\udce5 <strong>Downloads:<\/strong> <a href=\"https:\/\/www.vos3000.com\/downloads.php\">VOS3000 Downloads<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><img decoding=\"async\" style=\"\" src=\"https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/02\/VOS3000-Offer-1024x683.png\" alt=\"VOS3000 Installation, VOS3000 Server, VOS3000 SoftSwitch, VOS3000 Switch, VOS3000, VOS3000 Pricem VOS3000 Web, VOS3000 API, VOS3000 Rent, VOS3000 Manual, VOS3000 Downloads, VOS3000 VoIP, VOS3000 Carrier Switch, VOS3000, VOS3000 Login, VOS3000 Monitoring, VOS3000 Performance Metrics, VOS3000 Call Routing, VOS3000 Security, VOS3000 Web Manager, VOS3000 Versions, VOS3000 BillingVOS3000 Monitoring,VOS3000 Capacity, VOS3000 Billing System, VOS3000 License, Mobile Apps for VOS3000, VOS3000 Mobile Apps, Mobile Apps, VOS3000 Apps, Android VOS3000, VOS3000 in IOS, Manual for VOS3000, VOS3000 Manual, Manual VOS3000, Reference Manual VOS3000, User Manual VOS3000, CentOS7 Installation for VOS3000, Multiple IP License in VOS3000, VOS3000 License, License in VOS3000, vos installation, VOS\u5b89\u88c5, VOS3000 Security, VOS3000 Hosting, VOS3000 \u6258\u7ba1, VOS3000 2.1.0.07 Release Notes, VOS3000 Server Rent, VOS3000 Architecture, VOS3000 Disaster Recovery, VOS3000 Rate Management, VOS3000 System Parameters, VOS3000 Phone Card, VOS3000 Geofencing, VOS3000 CDR analytics, VOS3000 Training, VOS3000 Tutorial, VOS3000 Client Download, VOS3000 vs Asterisk, VOS3000 error codes, VOS3000 call center, best voip softswitch, vos3000 routing, vos3000 vicidial auto dialer, vos3000 sip trunk configuration, VOS3000 ASR ACD Analysis, VOS3000 Codec G729 Transcoding, VOS3000 IVR Balance Query, VOS3000 DTMF Modes, VOS3000 Gateway Analysis Reports, VOS3000 RTP Media, VOS3000 SIP Call Flow, VOS3000 ASR ACD\u5206\u6790, VOS3000\u7f16\u89e3\u7801\u5668G729\u8f6c\u7801, VOS3000 An\u00e1lisis ASR ACD, Servicios VOS3000 IVR, Vicidial Server Setup, STIR\/SHAKEN Implementation, VOS3000 Call Center Solution\"><\/td><td><img decoding=\"async\" style=\"\" src=\"https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/02\/VOS3000-Offer-1024x683.png\" alt=\"VOS3000 Installation, VOS3000 Server, VOS3000 SoftSwitch, VOS3000 Switch, VOS3000, VOS3000 Pricem VOS3000 Web, VOS3000 API, VOS3000 Rent, VOS3000 Manual, VOS3000 Downloads, VOS3000 VoIP, VOS3000 Carrier Switch, VOS3000, VOS3000 Login, VOS3000 Monitoring, VOS3000 Performance Metrics, VOS3000 Call Routing, VOS3000 Security, VOS3000 Web Manager, VOS3000 Versions, VOS3000 BillingVOS3000 Monitoring,VOS3000 Capacity, VOS3000 Billing System, VOS3000 License, Mobile Apps for VOS3000, VOS3000 Mobile Apps, Mobile Apps, VOS3000 Apps, Android VOS3000, VOS3000 in IOS, Manual for VOS3000, VOS3000 Manual, Manual VOS3000, Reference Manual VOS3000, User Manual VOS3000, CentOS7 Installation for VOS3000, Multiple IP License in VOS3000, VOS3000 License, License in VOS3000, vos installation, VOS\u5b89\u88c5, VOS3000 Security, VOS3000 Hosting, VOS3000 \u6258\u7ba1, VOS3000 2.1.0.07 Release Notes, VOS3000 Server Rent, VOS3000 Architecture, VOS3000 Disaster Recovery, VOS3000 Rate Management, VOS3000 System Parameters, VOS3000 Phone Card, VOS3000 Geofencing, VOS3000 CDR analytics, VOS3000 Training, VOS3000 Tutorial, VOS3000 Client Download, VOS3000 vs Asterisk, VOS3000 error codes, VOS3000 call center, best voip softswitch, vos3000 routing, vos3000 vicidial auto dialer, vos3000 sip trunk configuration, VOS3000 ASR ACD Analysis, VOS3000 Codec G729 Transcoding, VOS3000 IVR Balance Query, VOS3000 DTMF Modes, VOS3000 Gateway Analysis Reports, VOS3000 RTP Media, VOS3000 SIP Call Flow, VOS3000 ASR ACD\u5206\u6790, VOS3000\u7f16\u89e3\u7801\u5668G729\u8f6c\u7801, VOS3000 An\u00e1lisis ASR ACD, Servicios VOS3000 IVR, Vicidial Server Setup, STIR\/SHAKEN Implementation, VOS3000 Call Center Solution\"><\/td><td><img decoding=\"async\" style=\"\" src=\"https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/02\/VOS3000-Offer-1024x683.png\" alt=\"VOS3000 Installation, VOS3000 Server, VOS3000 SoftSwitch, VOS3000 Switch, VOS3000, VOS3000 Pricem VOS3000 Web, VOS3000 API, VOS3000 Rent, VOS3000 Manual, VOS3000 Downloads, VOS3000 VoIP, VOS3000 Carrier Switch, VOS3000, VOS3000 Login, VOS3000 Monitoring, VOS3000 Performance Metrics, VOS3000 Call Routing, VOS3000 Security, VOS3000 Web Manager, VOS3000 Versions, VOS3000 BillingVOS3000 Monitoring,VOS3000 Capacity, VOS3000 Billing System, VOS3000 License, Mobile Apps for VOS3000, VOS3000 Mobile Apps, Mobile Apps, VOS3000 Apps, Android VOS3000, VOS3000 in IOS, Manual for VOS3000, VOS3000 Manual, Manual VOS3000, Reference Manual VOS3000, User Manual VOS3000, CentOS7 Installation for VOS3000, Multiple IP License in VOS3000, VOS3000 License, License in VOS3000, vos installation, VOS\u5b89\u88c5, VOS3000 Security, VOS3000 Hosting, VOS3000 \u6258\u7ba1, VOS3000 2.1.0.07 Release Notes, VOS3000 Server Rent, VOS3000 Architecture, VOS3000 Disaster Recovery, VOS3000 Rate Management, VOS3000 System Parameters, VOS3000 Phone Card, VOS3000 Geofencing, VOS3000 CDR analytics, VOS3000 Training, VOS3000 Tutorial, VOS3000 Client Download, VOS3000 vs Asterisk, VOS3000 error codes, VOS3000 call center, best voip softswitch, vos3000 routing, vos3000 vicidial auto dialer, vos3000 sip trunk configuration, VOS3000 ASR ACD Analysis, VOS3000 Codec G729 Transcoding, VOS3000 IVR Balance Query, VOS3000 DTMF Modes, VOS3000 Gateway Analysis Reports, VOS3000 RTP Media, VOS3000 SIP Call Flow, VOS3000 ASR ACD\u5206\u6790, VOS3000\u7f16\u89e3\u7801\u5668G729\u8f6c\u7801, VOS3000 An\u00e1lisis ASR ACD, Servicios VOS3000 IVR, Vicidial Server Setup, STIR\/SHAKEN Implementation, VOS3000 Call Center Solution\"><\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Complete STIR\/SHAKEN implementation guide using open source Kamailio and Asterisk. Learn certificate management, PASSporT token generation, attestation levels, and VOS3000 integration for FCC compliance.<\/p>\n","protected":false},"author":1,"featured_media":738,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_kadence_starter_templates_imported_post":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2],"tags":[2189,2194,2190,2187,2185,2186,2188,2192,2191,2184,2195,119,2193],"class_list":["post-737","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vos3000","tag-asterisk-stir-shaken","tag-attestation-service","tag-caller-id-authentication","tag-fcc-compliance","tag-kamailio-stir-shaken","tag-open-source-stir-shaken","tag-passport-token","tag-robocall-prevention","tag-sip-identity-header","tag-stir-shaken-implementation","tag-tnauth-certificate","tag-voip-security","tag-vos3000-stir-shaken"],"acf":[],"jetpack_featured_media_url":"https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1.jpg","blog_post_layout_featured_media_urls":{"thumbnail":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-150x150.jpg",150,150,true],"full":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1.jpg",1536,1024,false]},"categories_names":{"2":{"name":"VOS3000`","link":"https:\/\/www.vos3000.com\/blog\/category\/vos3000\/"}},"tags_names":{"2189":{"name":"Asterisk STIR\/SHAKEN","link":"https:\/\/www.vos3000.com\/blog\/tag\/asterisk-stir-shaken\/"},"2194":{"name":"Attestation Service","link":"https:\/\/www.vos3000.com\/blog\/tag\/attestation-service\/"},"2190":{"name":"Caller ID Authentication","link":"https:\/\/www.vos3000.com\/blog\/tag\/caller-id-authentication\/"},"2187":{"name":"FCC Compliance","link":"https:\/\/www.vos3000.com\/blog\/tag\/fcc-compliance\/"},"2185":{"name":"Kamailio STIR\/SHAKEN","link":"https:\/\/www.vos3000.com\/blog\/tag\/kamailio-stir-shaken\/"},"2186":{"name":"Open Source STIR\/SHAKEN","link":"https:\/\/www.vos3000.com\/blog\/tag\/open-source-stir-shaken\/"},"2188":{"name":"PASSporT Token","link":"https:\/\/www.vos3000.com\/blog\/tag\/passport-token\/"},"2192":{"name":"Robocall Prevention","link":"https:\/\/www.vos3000.com\/blog\/tag\/robocall-prevention\/"},"2191":{"name":"SIP Identity Header","link":"https:\/\/www.vos3000.com\/blog\/tag\/sip-identity-header\/"},"2184":{"name":"STIR\/SHAKEN Implementation","link":"https:\/\/www.vos3000.com\/blog\/tag\/stir-shaken-implementation\/"},"2195":{"name":"TNAuth Certificate","link":"https:\/\/www.vos3000.com\/blog\/tag\/tnauth-certificate\/"},"119":{"name":"voip security","link":"https:\/\/www.vos3000.com\/blog\/tag\/voip-security\/"},"2193":{"name":"VOS3000 STIR\/SHAKEN","link":"https:\/\/www.vos3000.com\/blog\/tag\/vos3000-stir-shaken\/"}},"comments_number":"0","wpmagazine_modules_lite_featured_media_urls":{"thumbnail":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-150x150.jpg",150,150,true],"cvmm-medium":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-300x300.jpg",300,300,true],"cvmm-medium-plus":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-305x207.jpg",305,207,true],"cvmm-portrait":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-400x600.jpg",400,600,true],"cvmm-medium-square":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-600x600.jpg",600,600,true],"cvmm-large":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-1024x1024.jpg",1024,1024,true],"cvmm-small":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1-130x95.jpg",130,95,true],"full":["https:\/\/www.vos3000.com\/blog\/wp-content\/uploads\/2026\/03\/vos3000-vicidial-banner-1.jpg",1536,1024,false]},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/posts\/737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/comments?post=737"}],"version-history":[{"count":1,"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/posts\/737\/revisions"}],"predecessor-version":[{"id":740,"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/posts\/737\/revisions\/740"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/media\/738"}],"wp:attachment":[{"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/media?parent=737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/categories?post=737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vos3000.com\/blog\/wp-json\/wp\/v2\/tags?post=737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}