From 31028f6c60b5a743dbba9b0125d8e6791f67153f Mon Sep 17 00:00:00 2001 From: Dmitry Date: Sat, 23 Aug 2025 16:00:07 +0300 Subject: [PATCH 1/3] more stir/shaken info --- en/best-practices/stir-shaken.rst | 87 +++++++++++++++++++ en/index.rst | 1 + en/web-interface/equipment.rst | 3 + en/web-interface/equipment/gateways.rst | 2 + .../stir_shaken_signing_certificates.rst | 27 ++++++ .../stir_shaken_trusted_certificates.rst | 39 +++++++++ .../stir_shaken_trusted_repositories.rst | 20 +++++ en/web-interface/routing/customers-auths.rst | 51 +++++++++-- 8 files changed, 224 insertions(+), 6 deletions(-) create mode 100644 en/best-practices/stir-shaken.rst create mode 100644 en/web-interface/equipment/stir_shaken_signing_certificates.rst create mode 100644 en/web-interface/equipment/stir_shaken_trusted_certificates.rst create mode 100644 en/web-interface/equipment/stir_shaken_trusted_repositories.rst diff --git a/en/best-practices/stir-shaken.rst b/en/best-practices/stir-shaken.rst new file mode 100644 index 0000000..a4004dc --- /dev/null +++ b/en/best-practices/stir-shaken.rst @@ -0,0 +1,87 @@ +.. :maxdepth: 2 + +=========== +STIR/SHAKEN +=========== + +.. _stir_shaken: + +Yeti-Switch is compatible with STIR/SHAKEN mechanisms and allows you to perform both Identity validation and signing. +The Yeti system does not require any external components to perform these operations. + +.. mermaid:: + + graph LR + gw1[Call originator] + gw2[Termination provider] + + + gw1 -->|legA SIP initial INVITE
**Identity:.....;x5u=https:\/\/example.com/certs/pub.pem**| validation-logic + validation-logic --> call-routing + validation-logic --> call-reject + call-routing --> signing-logic + + signing-logic -->|legB SIP initial INVITE| gw2 + + signing-certificate-repository -->|Fetching private certificate| signing-logic + + + public-certificate-repository[Public certificate repository
**https:\/\/example.com/certs/pub.pem**] + public-certificate-cache[Certificate Cache] + + validation-logic -->|Fetching public certificate| public-certificate-cache + public-certificate-cache -->|Fetching public certificate| public-certificate-repository + + + subgraph yeti[Yeti SBC] + validation-logic[Signature Validation] + public-certificate-cache + signing-certificate-repository + signing-logic[Signing] + call-routing + call-reject + end + + +Signature Validation +==================== + +.. _stir_shaken_validation: + +Signature validation logic is controlled by :ref:`Customers Auth STIR/SHAKEN settings `. +Depending on the configuration, Yeti may take different actions if the signature is missing or invalid. + +The validation procedure requires a public key certificate to perform the cryptographic signature check. +This certificate is retrieved from a public repository according to the **X5U** parameter of the incoming Identity header. + +During signature validation, Yeti performs the following steps: + + - Check if the public certificate repository URL from the **X5U** parameter is allowed by :ref:`Trusted repository configuration ` + - Retrieve the public certificate from the repository URL or from the internal cache + - Verify that the public certificate is valid and not expired + - Ensure that the certificate chain is linked to a trusted root certificate defined in :ref:`Trusted certificates configuration ` + - Validate the JWT signature + - Check the ``iat`` (issued-at) timestamp for expiration + - Confirm that the ``orig.tn`` and ``dest.tn`` attributes in the Identity header match the Source and Destination numbers present in SIP signaling + +The results of signature validation are stored in the CDR fields: ``Lega Ss Status`` and ``Lega Identity``. + + +Signing +======= + +.. _stir_shaken_signing: + +When sending a call to the termination gateway, Yeti can either: + + - pass the original Identity header as-is, + - remove it, + - generate and attach its own signature. + +This behavior is controlled by :ref:`Termination gateway STIR/SHAKEN settings `. + +To perform signing, a private certificate and key material are required. +These are defined in :ref:`Signing Certificates configuration `. + +Yeti supports multiple signing certificates, and you can choose which certificate will be used for signing in :ref:`Termination gateway STIR/SHAKEN settings `. +Additionally, it is possible to override the certificate in :ref:`Customers Auth STIR/SHAKEN settings `, allowing different certificates to be used for different call originators (customers). diff --git a/en/index.rst b/en/index.rst index 99352c5..362218a 100644 --- a/en/index.rst +++ b/en/index.rst @@ -37,6 +37,7 @@ Welcome to Yeti's documentation! best-practices/headers-transit.rst best-practices/numbers-translations.rst best-practices/teams-direct-routing.rst + best-practices/stir-shaken.rst best-practices/using-routing-tags.rst best-practices/troubleshooting.rst diff --git a/en/web-interface/equipment.rst b/en/web-interface/equipment.rst index 9c8a072..bf29dcd 100644 --- a/en/web-interface/equipment.rst +++ b/en/web-interface/equipment.rst @@ -17,3 +17,6 @@ YETI WEB interface - Equipment menu description. This section describes Equipmen equipment/lnp_databases equipment/radius_auth_profiles equipment/radius_accounting_profiles + equipment/stir_shaken_trusted_repositories + equipment/stir_shaken_trusted_certificates + equipment/stir_shaken_signing_certificates diff --git a/en/web-interface/equipment/gateways.rst b/en/web-interface/equipment/gateways.rst index a6f59c0..adc7e05 100644 --- a/en/web-interface/equipment/gateways.rst +++ b/en/web-interface/equipment/gateways.rst @@ -803,6 +803,8 @@ Radius accounting profile STIR/SHAKEN attributes ====================== +.. _gateway_stir_shaken: + STIR/SHAKEN mode STIR/SHAKEN behavior when gateway used for call termination. Possible values: diff --git a/en/web-interface/equipment/stir_shaken_signing_certificates.rst b/en/web-interface/equipment/stir_shaken_signing_certificates.rst new file mode 100644 index 0000000..d64041b --- /dev/null +++ b/en/web-interface/equipment/stir_shaken_signing_certificates.rst @@ -0,0 +1,27 @@ + + +.. _stir_shaken_signing_certificates: + +================================ +STIR/SHAKEN Signing Certificates +================================ + +This configuration section defines the certificates and private keys used for the :ref:`Identity Signing procedure `. + +Attributes +========== + +Name + A user-friendly name for the signing certificate. + +Certificate + The certificate in PEM format. + The certificate must use the ``ecdsa-with-SHA256`` signature algorithm. + +Private Key + The corresponding ECDSA private key in PEM format. + +X5U + The **X5U** parameter for the Identity header. + The URL in X5U must point to your certificate and be publicly accessible. + Remote systems will use this URL to fetch your certificate during their own Identity validation procedure. diff --git a/en/web-interface/equipment/stir_shaken_trusted_certificates.rst b/en/web-interface/equipment/stir_shaken_trusted_certificates.rst new file mode 100644 index 0000000..e760d56 --- /dev/null +++ b/en/web-interface/equipment/stir_shaken_trusted_certificates.rst @@ -0,0 +1,39 @@ + +.. _stir_shaken_trusted_certificates: + +================================ +STIR/SHAKEN Trusted Certificates +================================ + +This configuration section defines the trusted root certificates required for validating public certificates. +See :ref:`Identity Validation procedure ` for details. + +Attributes +========== + +Name + A user-friendly name for the trusted root certificate. + +Certificate + The trusted root certificate in PEM format. Example:: + + -----BEGIN CERTIFICATE----- + MIIBqzCCAVCgAwIBAgIJALwomIWcKYBrMAoGCCqGSM49BAMCMCgxJjAkBgNVBAMM + HU1ldGFzd2l0Y2ggU1RJLUNBIFNIQUtFTiBSb290MB4XDTIwMTEyNTExMjEwM1oX + DTQwMTEyMDExMjEwM1owKDEmMCQGA1UEAwwdTWV0YXN3aXRjaCBTVEktQ0EgU0hB + S0VOIFJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATyreklRBPdqnX38C+h + gk2SSlc0wql13TIvWTOt0sme07R9UDramRRqolR58Qz04CCtO8EPeuZKzqE0Xdb0 + RJQoo2MwYTAdBgNVHQ4EFgQUOVRpugxs9p9X0ZsBMUWKoPv/eGowHwYDVR0jBBgw + FoAUOVRpugxs9p9X0ZsBMUWKoPv/eGowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B + Af8EBAMCAgQwCgYIKoZIzj0EAwIDSQAwRgIhAN+DEVzNLBjOsq8TbDHbkhO1MDUh + vcv6Kxxaj1puvAi5AiEAtbkNa56M4Sip0yLbWTXKdXcqAC5DHxbF4ab45aor220= + -----END CERTIFICATE----- + +Notes +===== + +- In the USA, trusted root certificates can be obtained from: + https://authenticatereg.iconectiv.com/download-lists + +- In France, trusted root certificates can be fetched from: + https://api.man-bpco.fr/ca/certs/16.cer diff --git a/en/web-interface/equipment/stir_shaken_trusted_repositories.rst b/en/web-interface/equipment/stir_shaken_trusted_repositories.rst new file mode 100644 index 0000000..5ed712e --- /dev/null +++ b/en/web-interface/equipment/stir_shaken_trusted_repositories.rst @@ -0,0 +1,20 @@ + +.. _stir_shaken_trusted_repositories: + +================================ +STIR/SHAKEN Trusted Repositories +================================ + +This configuration section defines the list of trusted URLs from which Yeti may fetch STIR/SHAKEN public certificates during the :ref:`Identity Validation procedure `. + +Attributes +========== + +URL Pattern + A regex pattern or specific URL that defines which repositories are allowed. Examples: + + - ``https://\*`` — allows requests to any HTTPS URL + - ``https://example.com/\*`` — allows fetching any certificate from the **example.com** domain + +Validate HTTPS Certificate + When using the HTTPS protocol, this flag enforces validation of the HTTPS server certificate to ensure authenticity. diff --git a/en/web-interface/routing/customers-auths.rst b/en/web-interface/routing/customers-auths.rst index d343434..dd2b244 100644 --- a/en/web-interface/routing/customers-auths.rst +++ b/en/web-interface/routing/customers-auths.rst @@ -1,8 +1,9 @@ .. _customer_auth: +=============== Customers Auths -~~~~~~~~~~~~~~~ +=============== This entity authenticates calls from customers or gateways, applies them to routing table and has some useful filters and options. @@ -151,7 +152,7 @@ After sorting of *Customer Auth* records routing procedure will be continued wit Customer Auth form contains few tabs and each one is described below. General attributes -`````````````````` +================== .. _customer_auth_id: @@ -211,7 +212,8 @@ General attributes current price for calls, in order to a Customer should be informed. Match condition options -``````````````````````` +======================= + This part is crucial for authentication process of incoming calls. You should note that a one customer may have many of Customer Auth with almost the same parameters, so pay attention to parameters besides Ip address. @@ -278,7 +280,7 @@ Match condition options .. _customers_auth_number_translation: Number translation options -`````````````````````````` +========================== Privacy mode Processing mode for :ref:`Private calls `. Available options: @@ -353,7 +355,7 @@ Cnam Database .. _radius_options: Radius options -`````````````` +============== Radius auth profile Must be specified if the additional radius authentication is required. @@ -373,7 +375,7 @@ Radius accounting profile .. _routing_tags_options: Routing Tags options -```````````````````` +==================== Tag action Describes one of the possible actions that could be applied to the current set of :ref:`Routing Tags ` that are applied for the call with using *Tag action value* below. Usually *Authentication* it is first step where :ref:`Routing Tags ` can be added to the call. Following actions can be selected in this field: @@ -386,3 +388,40 @@ Tag action Tag action value In this field :ref:`Routing Tags ` for making some *Tag action* above could be chosen. + + +STIR/SHAKEN attributes +====================== + +.. _customer_auth_stir_shaken: + +SS Mode + STIR/SHAKEN mode. Possible values: + + Disable STIR/SHAKEN processing + do nothing + + Validate identity + Perform stir/shaken validation + + Force rewrite attestation level + Override attention level. It is not possible to change attestation level withing existing signature. It means this option will replace existing signature with new one + +SS Invalid Identify Action + Stir/Shaken Invalid Identify Action defines system behavior in case of receiving invalid signature + +SS No Indentity Action + Stir/Shaken No Indentity Action defines system behavior in case of receiving call without Identify header + +Rewrite SS Status + Attestation level + +SS Src Rewrite rule/result +SS Dst Rewrite rule/result + + +STIR/SHAKEN Crt + STIR/SHAKEN certificate to use for Identify signing. + + +.. warning:: **STIR/SHAKEN** mechanisms are experimental features and not enabled by default. From 35c26517ffad9b79cb7df797f30b4c20e8554cf2 Mon Sep 17 00:00:00 2001 From: Dmitry Date: Sat, 23 Aug 2025 16:17:55 +0300 Subject: [PATCH 2/3] more stir/shaken info --- en/web-interface/equipment/gateways.rst | 2 +- en/web-interface/routing/customers-auths.rst | 36 +++++---- en/web-interface/routing/numberlist-items.rst | 81 ++++++++++--------- 3 files changed, 63 insertions(+), 56 deletions(-) diff --git a/en/web-interface/equipment/gateways.rst b/en/web-interface/equipment/gateways.rst index adc7e05..94d12ee 100644 --- a/en/web-interface/equipment/gateways.rst +++ b/en/web-interface/equipment/gateways.rst @@ -816,4 +816,4 @@ STIR/SHAKEN crt STIR/SHAKEN certificate to use for Identify signing. -.. warning:: **STIR/SHAKEN** mechanisms are experimental features and not enabled by default. +.. warning:: **STIR/SHAKEN** mechanisms are disabled by default. diff --git a/en/web-interface/routing/customers-auths.rst b/en/web-interface/routing/customers-auths.rst index dd2b244..3430f87 100644 --- a/en/web-interface/routing/customers-auths.rst +++ b/en/web-interface/routing/customers-auths.rst @@ -389,39 +389,43 @@ Tag action value In this field :ref:`Routing Tags ` for making some *Tag action* above could be chosen. - -STIR/SHAKEN attributes +STIR/SHAKEN Attributes ====================== .. _customer_auth_stir_shaken: SS Mode - STIR/SHAKEN mode. Possible values: + Defines the STIR/SHAKEN operating mode. Possible values: Disable STIR/SHAKEN processing - do nothing + No validation or signing is performed. Validate identity - Perform stir/shaken validation + Perform STIR/SHAKEN signature validation. Force rewrite attestation level - Override attention level. It is not possible to change attestation level withing existing signature. It means this option will replace existing signature with new one + Override the attestation level. + Since it is not possible to change the attestation level within an existing signature, this option replaces the existing signature with a new one. -SS Invalid Identify Action - Stir/Shaken Invalid Identify Action defines system behavior in case of receiving invalid signature +SS Invalid Identity Action + Defines system behavior when an invalid STIR/SHAKEN signature is received. -SS No Indentity Action - Stir/Shaken No Indentity Action defines system behavior in case of receiving call without Identify header +SS No Identity Action + Defines system behavior when a call is received without an Identity header. Rewrite SS Status - Attestation level + Allows overriding the original attestation level. + During the Identity signing procedure, this value determines the attestation level of the outgoing call. -SS Src Rewrite rule/result -SS Dst Rewrite rule/result + Additionally, the attestation level can be overridden in :ref:`Numberlist Item configuration `, which enables logic where the attestation level depends on the call’s Source/Destination number or prefix. +SS Src Rewrite Rule/Result + A regular expression applied to the original Source Number (``Src Number In``) from SIP signaling before comparing it with the ``orig.tn`` attribute in the signature. -STIR/SHAKEN Crt - STIR/SHAKEN certificate to use for Identify signing. +SS Dst Rewrite Rule/Result + A regular expression applied to the original Destination Number (``Dst Number In``) from SIP signaling before comparing it with the ``dest.tn`` attribute in the signature. +STIR/SHAKEN Certificate + The STIR/SHAKEN certificate to be used for the :ref:`Identity Signing procedure `. -.. warning:: **STIR/SHAKEN** mechanisms are experimental features and not enabled by default. +.. warning:: **STIR/SHAKEN** mechanisms are disabled by default. diff --git a/en/web-interface/routing/numberlist-items.rst b/en/web-interface/routing/numberlist-items.rst index 9eca1a1..42908de 100644 --- a/en/web-interface/routing/numberlist-items.rst +++ b/en/web-interface/routing/numberlist-items.rst @@ -1,63 +1,66 @@ .. _numberlist_items: -Numberlist items -~~~~~~~~~~~~~~~~ +================ +Numberlist Items +================ Numberlist items allow to do something with source or destination number or reject call in general before its routing and after rewriting on the level of :ref:`Customer Auth `. -**Numberlist item**'s attributes: -````````````````````````````````` - Id - Unique Numberlist item's id. - Numberlist - :ref:`Numberlist ` that is associated with this *Numberlist item*. +Attributes +========== + +Id + Unique Numberlist item's id. + +Numberlist + :ref:`Numberlist ` that is associated with this *Numberlist item*. .. _numberlist_items_key: - Key - Full number or Prefix. Interpretation of this field depends on Mode of comparison that was chosen in the :ref:`Numberlist `. - Action - This action will be applied to the call in case of conformity source (A) or destination (B) number and the Key field (according to the Mode that was chosen in the :ref:`Numberlist `): +Key + Full number or Prefix. Interpretation of this field depends on Mode of comparison that was chosen in the :ref:`Numberlist `. - **Default action** - Action that is set for the :ref:`Numberlist `) will be used. +Action + This action will be applied to the call in case of conformity source (A) or destination (B) number and the Key field (according to the Mode that was chosen in the :ref:`Numberlist `): - **Reject call** - Reject call in case of conformity source (A) or destination (B) number and the Key field (according to the Mode that was chosen in the :ref:`Numberlist `). Action from the :ref:`Numberlist `) will be ignored in case of choosing this action. + **Default action** - Action that is set for the :ref:`Numberlist `) will be used. - **Allow call** - Allow call in case of conformity source (A) or destination (B) number and the Key field (according to the Mode that was chosen in the :ref:`Numberlist `). Action from the :ref:`Numberlist `) will be ignored in case of choosing this action. + **Reject call** - Reject call in case of conformity source (A) or destination (B) number and the Key field (according to the Mode that was chosen in the :ref:`Numberlist `). Action from the :ref:`Numberlist `) will be ignored in case of choosing this action. + + **Allow call** - Allow call in case of conformity source (A) or destination (B) number and the Key field (according to the Mode that was chosen in the :ref:`Numberlist `). Action from the :ref:`Numberlist `) will be ignored in case of choosing this action. .. _numberlist_items_rewrite_rules: - Src rewrite rule - *Pattern* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used source number (number A), as a *Replacement* parameter of **regexp_replace** function is used value from *Src rewrite result* bellow. Returned value of **regexp_replace** function will be used as source number (number A) for the call during future routing. It helps to change format of the source number for providing compatibility. - See :ref:`how to use POSIX Regular Expressions in Yeti `. - Src rewrite result - *Replacement* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used source number (number A), as a *Pattern* parameter of **regexp_replace** function is used value from *Src rewrite rule* above. Returned value of **regexp_replace** function will be used as source number (number A) for the call during future routing. It helps to change format of the source number for providing compatibility. - See :ref:`how to use POSIX Regular Expressions in Yeti `. - Dst rewrite rule - *Pattern* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used destination number (number B), as a *Replacement* parameter of **regexp_replace** function is used value from *Dst rewrite result* bellow. Returned value of **regexp_replace** function will be used as destination number (number B) for the call during future routing. It helps to change format of the destination number for providing compatibility. - See :ref:`how to use POSIX Regular Expressions in Yeti `. - Dst rewrite result - *Replacement* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used destination number (number B), as a *Pattern* parameter of **regexp_replace** function is used value from *Dst rewrite rule* above. Returned value of **regexp_replace** function will be used as destination number (number B) for the call during future routing. It helps to change format of the destination number for providing compatibility. - See :ref:`how to use POSIX Regular Expressions in Yeti `. +Src rewrite rule + *Pattern* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used source number (number A), as a *Replacement* parameter of **regexp_replace** function is used value from *Src rewrite result* bellow. Returned value of **regexp_replace** function will be used as source number (number A) for the call during future routing. It helps to change format of the source number for providing compatibility. + See :ref:`how to use POSIX Regular Expressions in Yeti `. + +Src rewrite result + *Replacement* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used source number (number A), as a *Pattern* parameter of **regexp_replace** function is used value from *Src rewrite rule* above. Returned value of **regexp_replace** function will be used as source number (number A) for the call during future routing. It helps to change format of the source number for providing compatibility. + See :ref:`how to use POSIX Regular Expressions in Yeti `. - Tag action - Describes one of the possible actions that could be applied to the current set of :ref:`Routing Tags ` that are applied for the call with using *Tag action value* below. *Numberlist* it is second step (after *Authentication*) where :ref:`Routing Tags ` can be added to (or removed from) the call. Destination *Numberlist* is processed before the Source *Numberlist*. Following actions can be selected in this field: +Dst rewrite rule + *Pattern* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used destination number (number B), as a *Replacement* parameter of **regexp_replace** function is used value from *Dst rewrite result* bellow. Returned value of **regexp_replace** function will be used as destination number (number B) for the call during future routing. It helps to change format of the destination number for providing compatibility. + See :ref:`how to use POSIX Regular Expressions in Yeti `. - - **Clear tags**. Removes all :ref:`Routing Tags ` from the call (if any were added early); +Dst rewrite result + *Replacement* parameter of **regexp_replace** function from the `POSIX Regular Expressions `_. As *Source* parameter of **regexp_replace** function is used destination number (number B), as a *Pattern* parameter of **regexp_replace** function is used value from *Dst rewrite rule* above. Returned value of **regexp_replace** function will be used as destination number (number B) for the call during future routing. It helps to change format of the destination number for providing compatibility. + See :ref:`how to use POSIX Regular Expressions in Yeti `. - - **Remove selected tags**. Removes only :ref:`Routing Tags ` that were chosen in the *Tag action value* field bellow (if any were chosen) from the call; +Tag action + Describes one of the possible actions that could be applied to the current set of :ref:`Routing Tags ` that are applied for the call with using *Tag action value* below. *Numberlist* it is second step (after *Authentication*) where :ref:`Routing Tags ` can be added to (or removed from) the call. Destination *Numberlist* is processed before the Source *Numberlist*. Following actions can be selected in this field: - - **Append selected tags**. Appends :ref:`Routing Tags ` that were chosen in the *Tag action value* field bellow (if any were chosen) to the call; + - **Clear tags**. Removes all :ref:`Routing Tags ` from the call (if any were added early); - - **Intersection with selected tags**. Yeti leaves as is :ref:`Routing Tags ` that were chosen in the *Tag action value* field bellow (if any were chosen) in the call in case of their presence in the current set of :ref:`Routing Tags ` and removes any other :ref:`Routing Tags ` from the call. + - **Remove selected tags**. Removes only :ref:`Routing Tags ` that were chosen in the *Tag action value* field bellow (if any were chosen) from the call; - Tag action value - In this field :ref:`Routing Tags ` for making some *Tag action* above could be chosen. + - **Append selected tags**. Appends :ref:`Routing Tags ` that were chosen in the *Tag action value* field bellow (if any were chosen) to the call; - Created At - Date and time of this Numberlist item creation. - Updated At - Date and time of last updating of this Numberlist item. + - **Intersection with selected tags**. Yeti leaves as is :ref:`Routing Tags ` that were chosen in the *Tag action value* field bellow (if any were chosen) in the call in case of their presence in the current set of :ref:`Routing Tags ` and removes any other :ref:`Routing Tags ` from the call. +Tag action value + In this field :ref:`Routing Tags ` for making some *Tag action* above could be chosen. +Rewrite SS Status + This attribute allows overriding the original STIR/SHAKEN attestation level by redefining :ref:`Customer Auth Rewrite SS Status value ` From a18a1ff0ef76322dd17b37a61e3dcdc9d3b7a6c4 Mon Sep 17 00:00:00 2001 From: Dmitry Date: Sat, 23 Aug 2025 16:23:01 +0300 Subject: [PATCH 3/3] more stir/shaken info --- .../equipment/stir_shaken_trusted_certificates.rst | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/en/web-interface/equipment/stir_shaken_trusted_certificates.rst b/en/web-interface/equipment/stir_shaken_trusted_certificates.rst index e760d56..b4fb3bb 100644 --- a/en/web-interface/equipment/stir_shaken_trusted_certificates.rst +++ b/en/web-interface/equipment/stir_shaken_trusted_certificates.rst @@ -19,13 +19,8 @@ Certificate -----BEGIN CERTIFICATE----- MIIBqzCCAVCgAwIBAgIJALwomIWcKYBrMAoGCCqGSM49BAMCMCgxJjAkBgNVBAMM - HU1ldGFzd2l0Y2ggU1RJLUNBIFNIQUtFTiBSb290MB4XDTIwMTEyNTExMjEwM1oX - DTQwMTEyMDExMjEwM1owKDEmMCQGA1UEAwwdTWV0YXN3aXRjaCBTVEktQ0EgU0hB - S0VOIFJvb3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATyreklRBPdqnX38C+h - gk2SSlc0wql13TIvWTOt0sme07R9UDramRRqolR58Qz04CCtO8EPeuZKzqE0Xdb0 - RJQoo2MwYTAdBgNVHQ4EFgQUOVRpugxs9p9X0ZsBMUWKoPv/eGowHwYDVR0jBBgw - FoAUOVRpugxs9p9X0ZsBMUWKoPv/eGowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B - Af8EBAMCAgQwCgYIKoZIzj0EAwIDSQAwRgIhAN+DEVzNLBjOsq8TbDHbkhO1MDUh + ......... + ......... vcv6Kxxaj1puvAi5AiEAtbkNa56M4Sip0yLbWTXKdXcqAC5DHxbF4ab45aor220= -----END CERTIFICATE----- @@ -36,4 +31,4 @@ Notes https://authenticatereg.iconectiv.com/download-lists - In France, trusted root certificates can be fetched from: - https://api.man-bpco.fr/ca/certs/16.cer + https://api.man-bpco.fr/ca/certs/