# Verify a Stir/Shaken Certificate Part of the identity token included in a SIP header is the Stir/Shaken Certificate of the originating carriers. An identity token looks like the following: {% code overflow="wrap" %} ``` eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9idy1zaGFrZW4tY2VydC1wdWIuczMuYW1xx9uYXdzLmNvbS9iYW5kd2lkdGgtc2hha2VuLWNlcnRfMjAyMzA3MTYucGVtIn0.eyJhdHRlc3QiOiJCIiwiZGVzdCI6eyJ0biI6WyIxNzcwMjk2NTM1OSJdfSwiaWF0IjoxNjY1NDI0MDcxLCJvcmlnIjp7InRuIjoiMTc3MDQ0ODgyMDAifSwib3JpZ2lkIjoiY2Y1NzVkOWYtOGNiMS0zOWMzLWI3N2EtODUyZjJiYTdmNTQ2In0.IIXlVkGpYtP70O-HQQKAv4mqR2_1qqPpDqELS_US1mS0jEcvUnUm2N16HLwlrn0Zne2-UkTl0U3f_IYNO8slvQ;info=;alg=ES256;ppt=shaken ``` {% endcode %} You can download the certificate file from the "info" field and the content of the file is similar to below: ``` -----BEGIN CERTIFICATE----- zIIDdddCAr2gAwIBAgIQSJ/BURPUF9492q9GgBDhlDAKBggqhkjOPQQDAjB8MQsw xQYDVQQGEwJVUzEXMBUGA1UECgwOUGVlcmluZ2h1YiBJbmMxIjAgBgNVBAsMGUNl cnRpZmljYXRpb24gQXV0aG9yaXRpZXMxMDAuBgNVBAMMJ1BlZXJpbmdodWIgSW5j IFNIQUtFTiBJbnRlcm1lZGlhdGUgQ0EgMjAeFw0yMjA4MjQwNTA1MzBaFw0yMjA5 MTIxMTExNTVaMF8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJERTERMA8GA1UEBwwI Q0xBWU1PTlQxETAPBgNVBAoMCE1lcmF0YWxrMR0wGwYDVQQDDBRNZXJhdGFsayBT SEFLRU4gMjg5SzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGLa/dZjC4lmBJw7 m2nFkausaapWdoWc1ug4pr/w3rm/DQsSRs/0o0Gm7Cw0L2WjSYTG6e2wt820w9rq Z5rgl9KjggE8MIIBODAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNV HQ4EFgQUw1+a9xx+PW878Lx98N9MOf33JEcwHwYDVR0jBBgwFoAUrqFzUYgpVxHK DKn0sQpuTrhLTQcwFwYDVR0gBBAwDjAMBgpghkgBhv8JAQEBMBYGCCsGAQUFBwEa BAowCKAGFgQyODlLMIGmBgNVHR8EgZ4wgZswgZigOqA4hjZodHRwczovL2F1dGhl bnRpY2F0ZS1hcGkuaWNvbmVjdGl2LmNvbS9kb3dubG9hZC92MS9jcmyiWqRYMFYx FDASBgNVBAcMC0JyaWRnZXdhdGVyMQswCQYDVQQIDAJOSjETMBEGA1UEAwwKU1RJ LVBBIENSTDELMAkGA1UEBhMCVVMxDzANBgNVBAoMBlNUSS1QQTAKBggqhkjOPQQD AgNIADBFAiEA9FwWY/mpoaJrUX/5C0kiMy0tFTwb4LmRiVgJc3RImNwCICt2Z6Mo Z2Bza1qdBai5uMy0BeIXbGq/9b1Z6wCOfLHW -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- xxxxxdCCArWgAwIBAgIRALZNFq96KG4nRDKyzVhPcaUwCgYIKoZIzj0EAwIwazEL MAkGA1UEBhMCVVMxFzAVBgNVBAoMDlBlZXJpbmdodWIgSW5jMSIwIAYDVQQLDBlD ZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMR8wHQYDVQQDDBZQZWVyaW5naHViIElu YyBSb290IENBMB4XDTIyMDYyMjIyNDUwMloXDTMyMDYxOTIyNDUwMlowfDELMAkG A1UEBhMCVVMxFzAVBgNVBAoMDlBlZXJpbmdodWIgSW5jMSIwIAYDVQQLDBlDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0aWVzMTAwLgYDVQQDDCdQZWVyaW5naHViIEluYyBT SEFLRU4gSW50ZXJtZWRpYXRlIENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC AATXEEZfOD4d6FnCYEcvzXAMpFyyP8F1fGefqfxy+R22euER5DvlXYg0vRiyF1hD KC/hvM7eC74evVeiNgpWB3j+o4IBJzCCASMwDgYDVR0PAQH/BAQDAgGGMA8GA1Ud EwEB/wQFMAMBAf8wHQYDVR0OBBYEFK6hc1GIKVcRygyp9LEKbk64S00HMB8GA1Ud IwQYMBaAFBzpokb/fffddddngvRijv4Fon/PMBcGA1UdIAQQMA4wDAYKYIZIAYb/ CQEBATCBpgYDVR0fBIGeMIGbMIGYoDqgOIY2aHR0cHM6Ly9hdXRoZW50aWNhdGUt YXBpLmljb25lY3Rpdi5jb20vZvvvvvvvYWQvdjEvY3JsolqkWDBWMQswCQYDVQQG EwJVUzELMAkGA1UECAwCTkoxFDASBgNVBAcMC0JyaWRnZXdhdGVyMQ8wDQYDVQQK DAZTVEktUEExEzARBgNVBAMMClNUSS1QQSBDUkwwCgYIKoZIzj0EAwIDSAAwRQIg GkVAngGoauAcC66weTZ39bchjkWjkJKdZifjcqqM/y0CIQCmG8NEcrd6aC92TjHp N2/d38qvM8vvvvv+smqhcg== -----END CERTIFICATE----- ``` You can decrypt the content of the certificate to get the information about the origination carrier using Openssl command: > openssl x509 -text -noout -in cert\_file\_path You should get back a response similar to the following: ``` Certificate: Data: Version: 3 (0x2) Serial Number: 48:9f:c1:51:13:ee:17:de:aa:da:af:46:80:10:e1:94 Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, O=Peeringhub Inc, OU=Certification Authorities, CN=Peeringhub Inc SHAKEN Intermediate CA 2 Validity Not Before: Aug 24 05:05:30 2022 GMT Not After : Sep 12 11:11:55 2022 GMT Subject: C=US, ST=DE, L=CLAYMONT, O=ABC, CN=ABC SHAKEN 123H Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:62:da:fd:d6:aa:0b:bb:66:04:9c:3b:9b:69:c5: 91:ab:ac:69:aa:56:76:85:9c:d6:e8:38:a6:bf:f0: de:b9:bf:0d:dd:12:46:cf:f4cca3:41:a6:ec:2c:34: 2f:65:a3:49:84:c6:e9:ed:b0:b7:cd:b4:c3:da:ea: 67:9a:e0:97:d2 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: C3:5F:9A:F7:1C:7E:dd:6F:3B:bb:BC:cc:F0:DF:4C:39:FD:F7:24:dd X509v3 Authority Key Identifier: keyid:AE:A1:73:51:88:29:57:22:CA:0C:A9:F4:B1:4A:6E:4E:B8:4B:4D:07 X509v3 Certificate Policies: Policy: 2.16.840.1.114569.1.1.1 1.3.6.1.5.5.7.1.26: 0.....123H X509v3 CRL Distribution Points: Full Name: URI:https://authenticate-api.iconectiv.com/download/v1/crl CRL Issuer: DirName: L = Bridgewater, ST = NJ, CN = STI-PA CRL, C = US, O = STI-PA Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:f4:5c:16:11:f9:a9:a1:a2:6b:51:7f:f9:0b: 49:22:33:2d:2d:15:3c:1b:33:b9:91:89:58:09:73:74:48:98: dc:02:20:2b:76:67:a3:28:44:60:73:6b:5a:9d:05:a8:b9:b8: cc:b4:05:e2:17:6c:6a:bf:f5:bd:59:eb:00:8e:7c:b1:a3 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://doc.peeringhub.io/guides/verify-a-stir-shaken-certificate.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.