appliedbits
LIBRARY  ·  tools TOOL

STI Certificate & TNAuthList Decoder

Decode a STIR/SHAKEN certificate and — the part that matters — interpret its TNAuthList: an SPC for a provider cert, or a TN / range for a delegate cert.

Runs entirely in your browser; no libraries, no network. ● client-side only   Decoding a PASSporT? PASSporT & Identity decoder →

Input

Paste a PEM certificate, or a base64 x5c value, or an x5u URL to fetch (via a CORS proxy on this site) — or drag a .pem / .cer / .der file onto the page. Links from the PASSporT decoder pre-fill this automatically.

How STI certificates work

The certificate is what makes a PASSporT trustworthy. A PASSporT's x5u points here; a verifier fetches the cert, checks the signature, and — crucially — checks what the cert is authorized for via the TNAuthList extension (OID 1.3.6.1.5.5.7.1.26, RFC 8226).

Provider (SPC) certificate — SHAKEN. The TNAuthList carries a Service Provider Code (SPC): a 4-character OCN (Operating Company Number) for a carrier, or a 5-character RespOrg ID for a toll-free responsible org. It says "this provider is authorized to sign," and pairs with the origid in the PASSporT.

Delegate certificate — RFC 9060. Instead of an SPC, the TNAuthList carries a specific TN or TN range. It lets an entity (often an enterprise, for branded/RCD calling) sign on behalf of the numbers it has been delegated — authority scoped to numbers, not to a provider code.

This tool decodes a single certificate and reads its TNAuthList. Verifying it chains to a valid STIR/SHAKEN trusted root and isn't revoked (CRL) against the STI-PA trust list is a separate, planned tool.