Hosted Signing Service

In June 2023, France launched a version of STIR/SHAKEN known as the MAN Program. This means that French Operators must now sign and verify all French calls. The Hosted Signing Service allows Bandwidth to sign your call traffic with your certificate on your behalf, so you can remain compliant without having to invest in your own STIR/SHAKEN capabilities. Even if you're not a Global Numbering Hosting customer, you can still use this service by having your own numbering resources and hosting them with Bandwidth.

Pre-Requisites

Before receiving this service, you must complete the Bandwidth Service Agreement for Hosted Signing Service (France). Please reach out to your Account Manager to obtain this service agreement.

Furthermore, several other requirements must be met prior to leveraging this guide:

  • Register as an Operator with ARCEP via the ARCEP Portal.
  • Become a member of APNF. Please see this guide for help in this process.
  • Register for an MAN Platform account.

Workflow Overview

France implemented a rigid process for issuing indirect certificates that requires both parties to participate.

  1. Bandwidth (OPTS) whitelists your APNF code so that you can request a certificate. We do this once the service agreement is signed.
  2. Then, you must initiate the process by requesting an indirect certificate and specifying Bandwidth as the OPTS.
  3. Finalize the certificate using our Account Certificates API.
  4. Assign the certificate once it is active, using our Profiles API.

Applying for an Indirect Certificate

Indirect certificates are requested through the MAN platform, either through their web portal or via API.

In order for Bandwidth to sign your calls using an indirect certificate, you must specify VOXB00 as the OPTS.

Authentication

To leverage the MAN Platform API, you must first authenticate to obtain a bearer token.

Check here to see how to authenticate.

Example

Indirect Certificate Request

Note: MAN Platform enforces valid_from being at least 7 days from the time of request invocation.

POST https://api.man-plateforme.fr/certificates
Authorization: Bearer mySecretToken
{
  "type": "INDIRECT",
  "opts": "VOXB00",
  "name": "Indirect Certificate",
  "description": "Description of the certificate.",
  "test_certificate": false,
  "valid_from": "2025-01-31T00:00:00Z",
  "valid_to": "2026-01-31T23:59:59Z",
  "renewal_auto": false
}

Indirect Certificate Response

{
  "id": "d240dd9e-a077-42f5-92e3-a3d3f10e002e",
  "provider_id": "cc4519cb-b2b6-45ad-904c-7698fdf72ba2",
  "type": "INDIRECT",
  "opts": "VOXB00",
  "name": "Indirect Certificate",
  "description": "Description of the certificate.",
  "test_certificate": false,
  "valid_from": "2025-01-31T00:00:00Z",
  "valid_to": "2026-01-31T23:59:59Z",
  "renewal_auto": false,
  "status": "PENDING",
  "archived": false,
  "created_at": "2025-01-31T10:12:25Z",
  "created_by": "John Doe <john.doe@spa.domain>",
  "updated_at": "2025-01-31T10:12:25Z",
  "updated_by": "John Doe <john.doe@spa.domain>"
}

Finalizing the Indirect Certificate

Bandwidth provides an endpoint that you may use to facilitate the finalization process. You will need the id from the response above in order for Bandwidth to finalize the certificate.

Example

Indirect Certificate Finalization Request

PUT https://dashboard.bandwidth.com/api/v1/accounts/{accountId}/stirShakenCertificates/{certificateId}
Authorization: Bearer mySecretToken
{
  "region": "FR",
  "certificateType": "INDIRECT",
  "regionData": {
    "certificateId": "901d1b48-122b-433c-a047-a6dc814c8011",
    "name": "My France Cert",
    "description": "My France Signing Cert from MAN Platform",
    "organization": "foobar.com",
    "publicCertUrl": "https://api.man-bpco.fr/certs/ABCD00/789foobar.cer",
    "spc": "ABCD00", // your Provider code
    "validFrom": "2024-01-21T12:14:57Z",
    "expiryDate": "2025-03-31T12:14:57Z",
    "certificateType": "INDIRECT"
  }
}

Indirect Certificate Finalization Response

{
  "links": [
    {
      "href": "/stirShakenCertificates/901d1b48-122b-433c-a047-a6dc814c8011",
      "rel": "self",
      "method": "GET"
    },
    {
      "href": "/stirShakenCertificates",
      "rel": "create",
      "method": "POST"
    },
    {
      "href": "/stirShakenCertificates/901d1b48-122b-433c-a047-a6dc814c8011",
      "rel": "update",
      "method": "PUT"
    },
    {
      "href": "/stirShakenCertificates/901d1b48-122b-433c-a047-a6dc814c8011",
      "rel": "delete",
      "method": "DELETE"
    }
  ],
  "data": {
    "certificateId": "901d1b48-122b-433c-a047-a6dc814c8011",
    "name": "My France Cert",
    "description": "My France Signing Cert from MAN Platform",
    "organization": "foobar.com",
    "region": "FR",
    "publicCertUrl": "https://api.man-bpco.fr/certs/SPC-01/789foobar.cer",
    "spc": "ABCD00",
    "validFrom": "2024-01-21T12:14:57Z",
    "expiryDate": "2025-03-31T12:14:57Z",
    "status": "ACTIVE",
    "certificateType": "INDIRECT"
  },
  "errors": []
}

This request instructs Bandwidth to generate the private key and the certificate signing request, which we then send to the MAN Platform.

If successful, both parties will receive an email confirmation from the MAN Platform.

Assigning the Indirect Certificate

The MAN Platform requires that one week elapse between when the certificate is requested and when it becomes active.

The valid_from date must be in the past before you may assign the certificate to be used to sign calls. Otherwise, terminating operators will reject your calls for failing verification.

As a result, we provide an additional API for managing certificate assignment.

Example

Indirect Certificate Assignment Request

POST https://dashboard.bandwidth.com/api/v1/accounts/{accountId}/stirShakenProfiles
Authorization: Bearer mySecretToken
{
  "profileType": "INDIRECT",
  "region": "FR",
  "certificateId": "901d1b48-122b-433c-a047-a6dc814c8011"
}

Indirect Certificate Assignment Response

{
  "links": [
    {
      "href": "/accounts/1234567/stirShakenProfiles/12bae4ae-42d8-76ea-9e33-a8675309ba77",
      "rel": "self",
      "method": "GET"
    },
    {
      "href": "/accounts/1234567/stirShakenProfiles",
      "rel": "create",
      "method": "POST"
    },
    {
      "href": "/accounts/1234567/stirShakenProfiles/12bae4ae-42d8-76ea-9e33-a8675309ba77",
      "rel": "update",
      "method": "PUT"
    },
    {
      "href": "/accounts/1234567/stirShakenProfiles/12bae4ae-42d8-76ea-9e33-a8675309ba77",
      "rel": "delete",
      "method": "DELETE"
    }
  ],
  "data": {
    "stirShakenProfileId": "12bae4ae-42d8-76ea-9e33-a8675309ba77",
    "accountId": 1234567,
    "profileType": "INDIRECT",
    "region": "FR",
    "certificateId": "901d1b48-122b-433c-a047-a6dc814c8011",
    "active": true
  },
  "errors": []
}

Tips for Certificate Management

Primary and backup certificates

Bandwidth recommends you request and provision two indirect certificates, ideally with validity periods offset from one another. This allows you to simply swap to the backup certificate when the primary is nearing expiration. Remember, certificates take at least 7 days from request to being usable!
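
The timing rules above (valid_from at least 7 days after the request, no assignment before valid_from, and a backup ready before the primary expires) can be checked in code before any API call is made. The following is an added example, not Bandwidth or MAN Platform code; the function names, the 14-day swap margin and the sample records are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

LEAD_TIME = timedelta(days=7)  # MAN Platform minimum between request and valid_from


def parse_ts(value):
    """Parse timestamps such as 2025-01-31T00:00:00Z as aware UTC; raises on malformed input."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_request(now, valid_from, valid_to, name):
    """Return a MAN Platform request body, refusing windows the platform would reject."""
    start, end = parse_ts(valid_from), parse_ts(valid_to)
    if start < now + LEAD_TIME:
        raise ValueError("valid_from must be at least 7 days after the request time")
    if end <= start:
        raise ValueError("valid_to must be after valid_from")
    return {"type": "INDIRECT", "opts": "VOXB00", "name": name,
            "test_certificate": False, "valid_from": valid_from,
            "valid_to": valid_to, "renewal_auto": False}


def can_assign(cert, now):
    """True only if the certificate is ACTIVE and now falls inside its validity window."""
    return (cert["status"] == "ACTIVE"
            and parse_ts(cert["validFrom"]) <= now < parse_ts(cert["expiryDate"]))


def plan_rotation(assigned, backup, now, margin=timedelta(days=14)):
    """Decide what to do with a primary/backup pair; margin is an assumed policy value."""
    if can_assign(assigned, now) and parse_ts(assigned["expiryDate"]) - now > margin:
        return "keep"
    if backup is not None and can_assign(backup, now):
        return "swap"
    return "escalate"  # no usable indirect certificate: contact your account manager


# Constructed sample records, shaped like the "data" object of the finalization response.
PRIMARY = {"status": "ACTIVE", "validFrom": "2024-01-21T12:14:57Z",
           "expiryDate": "2025-03-31T12:14:57Z"}
BACKUP = {"status": "ACTIVE", "validFrom": "2024-07-21T12:14:57Z",
          "expiryDate": "2025-09-30T12:14:57Z"}

if __name__ == "__main__":
    today = datetime(2025, 3, 20, tzinfo=timezone.utc)
    print(plan_rotation(PRIMARY, BACKUP, today))
```

Run the rotation check on a schedule and alert on "swap" or "escalate", because a replacement requested after the primary has already expired cannot become usable for at least 7 days.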

Falling back to Bandwidth Direct signing

In the event your one and only indirect signing certificate is revoked or expires, Bandwidth can intervene and re-provision our direct signing certificate to maintain compliance.

We don't allow this action to occur via our API, so reach out to your account manager should this situation occur.