Hi,
I’ve used Peeringhub to generate certificates for STIRSHAKEN. They have given me one 481L.crt and stir_private_key.pem.
However, I am having issues using these in Kamailio. All Kamailio does on secsipid_add_identity is return an ambiguous error “failed to get identity header body (0)” even with higher debug level.
secsipid_add_identity("$fU", "$rU", "A", "$fU", "/etc/kamailio/certificates/stirshaken20251002/481L.crt", "/etc/kamailio/certificates/stirshaken20251002/stir_private_key.pem ");
Both the crt and the key have kamailio as owner and chmod 640. I am wondering if the certificates are not compatible with Kamailio.
Here’s the result of: openssl x509 -in 481L.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ec:0b:c0:fb:69:40:35:03:0e:7e:22:8f:12:3e:d3:0e
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, O = Peeringhub Inc, OU = Certification Authorities, CN = Peeringhub Inc SHAKEN Intermediate CA 2
        Validity
            Not Before: Oct 2 12:12:51 2025 GMT
            Not After : Oct 2 12:12:51 2026 GMT
        Subject: C = US, ST = WA, L = Washington DC, O = Connectel AB, CN = SHAKEN 481L 1759407171535
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ab:b3:21:c9:6e:20:fc:f4:43:89:e6:30:88:1f:
                    87:3c:38:f5:7d:ac:2c:06:3b:38:f6:11:ba:68:d1:
                    82:cb:1d:e6:f6:ee:0c:92:ef:66:64:8c:98:73:8b:
                    a2:6a:9d:06:33:62:1d:d3:ec:cd:f1:4f:ee:d2:09:
                    95:ba:98:ae:f7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                B8:D8:8C:F6:00:A7:3B:3D:87:58:2C:54:4A:7E:13:6D:F8:71:9B:8D
            X509v3 Authority Key Identifier:
                keyid:AE:A1:73:51:88:29:57:11:CA:0C:A9:F4:B1:0A:6E:4E:B8:4B:4D:07
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114569.1.1.4
            1.3.6.1.5.5.7.1.26:
                0.....481L
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://authenticate-api.iconectiv.com/download/v1/crl
                CRL Issuer:
                  DirName:L = Bridgewater, ST = NJ, CN = STI-PA CRL, C = US, O = STI-PA
    Signature Algorithm: ecdsa-with-SHA256
        30:46:02:21:00:bb:18:07:ee:90:6d:a3:6f:0d:d5:af:49:82:
        f5:ea:aa:5c:03:74:87:22:28:a2:24:5c:02:05:f6:de:ca:82:
        c8:02:21:00:87:db:0a:48:2c:a7:7a:6f:87:2e:93:14:9a:04:
        34:4d:1b:07:0b:bf:f2:61:37:8c:c5:85:67:68:ac:0c:9d:08
Here’s the filtered result of: openssl pkey -in /etc/kamailio/certificates/stirshaken20251002/stir_private_key.pem -text -noout
Private-Key: (256 bit)
priv: <FILTERED>
pub: 04:ab:b3:21:...
ASN1 OID: prime256v1
NIST CURVE: P-256
Thanks for any help,
/M
Answering to myself, I might have solved it by converting the key with “openssl ec -in stir_private_key.pem -out stir_private_key_ec.pem” and using the new key in Kamailio.
Still looking to build some knowledge if anyone has input on this, and why it failed in the first place.
/M
From: Martin Nyström via sr-users sr-users@lists.kamailio.org Date: Thursday, 2 October 2025 at 18:23 To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Cc: Martin Nyström martin.nystrom@connectel.se Subject: [SR-Users] secsipid certificate issue for STIRSHAKEN
Hello,
both private key and pub certificate files have to be in pem format. The readme of the secsipidx project has sample commands about creating them:
- https://github.com/asipto/secsipidx?tab=readme-ov-file#keys-generation
The .crt is probably the raw format of the public certificate.
Cheers, Daniel
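
Added example, not part of the thread and not code from Kamailio or secsipidx: `openssl ec` writes an EC key in the traditional SEC1 encoding (`BEGIN EC PRIVATE KEY`), so one possible reason the conversion helped is that the delivered key was PKCS#8 (`BEGIN PRIVATE KEY`); the thread does not show the PEM header, so that is an assumption. The Go program below tells the two encodings apart and re-encodes a PKCS#8 EC key as SEC1; `NormalizeECKey` and `SamplePKCS8` are hypothetical names, and the key is generated on the spot as test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// NormalizeECKey returns the key as SEC1 PEM and names the encoding it found.
func NormalizeECKey(pemData []byte) ([]byte, string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, "", fmt.Errorf("input is not PEM")
	}
	// SEC1 / RFC 5915 ("BEGIN EC PRIVATE KEY"): nothing to convert.
	if _, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
		return pemData, "SEC1", nil
	}
	// PKCS#8 ("BEGIN PRIVATE KEY") wraps the same key in an algorithm envelope.
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	ec, ok := key.(*ecdsa.PrivateKey)
	if err != nil || !ok {
		return nil, "", fmt.Errorf("not an EC private key (PEM type %q)", block.Type)
	}
	der, err := x509.MarshalECPrivateKey(ec)
	if err != nil {
		return nil, "", err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	return out, "PKCS8", nil
}

// SamplePKCS8 returns a throwaway P-256 key as PKCS#8 PEM (constructed input).
func SamplePKCS8() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	sec1, found, _ := NormalizeECKey(SamplePKCS8())
	block, _ := pem.Decode(sec1)
	fmt.Println("found", found, "-> wrote", block.Type)
}
```

The first line of the key file shows which case applies: `-----BEGIN PRIVATE KEY-----` is PKCS#8, `-----BEGIN EC PRIVATE KEY-----` is SEC1.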
On 02.10.25 18:28, Martin Nyström via sr-users wrote:
Answering to myself, I might have solved it by converting the key with “openssl ec -in stir_private_key.pem -out stir_private_key_ec.pem” and using the new key in Kamailio.
Still looking to build some knowledge if anyone has input on this, and why it failed in the first place.
/M