KAZOO Support Channels

This documentation is curated by 2600Hz as part of the KAZOO open source project. Join our community forums here for peer support. Only features in the docs.2600hz.com/supported space are included as part of our 2600Hz Support Services plan.

Certificates

Generating a new Certificate for Sprint Web Services

Some of the instructions below were taken from Sprint's website. However, some steps were missing there, which led to the creation of this instruction list.

Requirements:

  • You need to have Java JDK (version 1.7 or higher) installed, in order to use the keytool command that comes with it.
  • You need to have PHP installed, in order to use the openssl command that comes with it.
  • You need to download the Sprint Trusted Certs from this link.

Instructions:

Step 1 - Get the Common Name (CN) to use from Sprint

Sprint should provide us with a Common Name (e.g. 2600Hz-03) to use for the certificate. This Common Name should be used everywhere there's the placeholder <common_name> in the command lines below.

Step 2 - Create the Keystore

keytool -genkey -alias <common_name> -dname "cn=<common_name>,ou=TPA,ou=BMP,ou=Projects,o=Sprint,c=us" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore <common_name>.jks

Step 3 - Convert the Keystore to PKCS#12 format

keytool -importkeystore -srckeystore <common_name>.jks -destkeystore <common_name>.jks -deststoretype pkcs12

Step 4 - Generate the Certificate Signing Request (CSR)

keytool -certreq -alias <common_name> -keystore <common_name>.jks -file <common_name>.csr

Step 5 - Send the CSR to Sprint

Sprint should then send back a signed certificate named <common_name>.cer.

Step 6 - Import the Trusted Certificates:

keytool -import -trustcacerts -alias root -file "Sprint Nextel Root Authority.cer" -keystore <common_name>.jks
keytool -import -trustcacerts -alias intermediate -file "Sprint Application Issuing 2 Intermediate.cer" -keystore <common_name>.jks

Step 7 - Import the Certificate signed by Sprint (following the CSR):

keytool -import -alias <common_name> -file <common_name>.cer -keystore <common_name>.jks

Step 8 - Generate the PEM file from the Keystore:

openssl pkcs12 -in <common_name>.jks -out <common_name>.pem

Step 9 - Remove passphrase from PEM:

openssl rsa -in <common_name>.pem -out 2600hz.sprint.pem
openssl x509 -in <common_name>.pem >>2600hz.sprint.pem

Step 10 - Rename the Certificate

The two files (PEM and CER) need to be named 2600hz.sprint.pem and 2600hz.sprint.cer respectively. Step 9 already took care of the PEM file, so the only thing you need to do is rename <common_name>.cer to 2600hz.sprint.cer.

Final Step - Add those files to the database

Replace those files in the MVNO document in the database, and try to call an API (like the validate device API) to make sure it works. Preferably test it on the dev environment first to make sure there's no downtime on prod if something went wrong.

Possible issues:

If the API returns the error Rejected by policy. (from client), it means that the CER and PEM files are at least in a valid format, and that the request is hitting Sprint's servers. When this occurred previously, it was a naming error on their end where they provided us with the common name "2600Hz-03" but they used "2600hz-03". If this is the case, they should be able to update it on their end fairly easily.
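
A pre-upload check for the two files from Steps 9 and 10, as an added example that is not part of the original KAZOO documentation: it confirms that the PEM holds an unencrypted private key, that the key matches the certificate, that the CER is the same certificate, and that the subject CN matches the expected name with exact case (the kind of mismatch described under Possible issues). The function names are hypothetical, and the script assumes the openssl command is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the KAZOO docs. Function names are hypothetical.
# Checks the 2600hz.sprint.pem / 2600hz.sprint.cer pair from Steps 9 and 10.

# Print a certificate as PEM; the .cer from the CA may be PEM or DER.
cert_pem() {
  openssl x509 -in "$1" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" 2>/dev/null
}

# Print the subject CN exactly as encoded in the certificate (case preserved).
cert_cn() {
  cert_pem "$1" | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Print the public key carried by the first certificate in a file.
cert_pubkey() { cert_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null; }

# Print the public key of the private key in a PEM file. Fails, without
# prompting, when the key is still passphrase-protected or absent.
key_pubkey() {
  if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1" 2>/dev/null
  then return 1; fi
  openssl pkey -in "$1" -pubout 2>/dev/null
}

# Usage: check_sprint_pair <common_name> <pem_file> <cer_file>
# Returns 0 when consistent, otherwise 1-4 as numbered in the messages below.
check_sprint_pair() {
  want_cn=$1 pem=$2 cer=$3
  kpub=$(key_pubkey "$pem") ||
    { echo "FAIL(1): no unencrypted private key in $pem"; return 1; }
  [ "$kpub" = "$(cert_pubkey "$pem")" ] ||
    { echo "FAIL(2): key and certificate in $pem do not match"; return 2; }
  [ "$(cert_pem "$pem")" = "$(cert_pem "$cer")" ] ||
    { echo "FAIL(3): $cer is not the certificate stored in $pem"; return 3; }
  got_cn=$(cert_cn "$cer")
  [ "$got_cn" = "$want_cn" ] ||
    { echo "FAIL(4): CN is '$got_cn', expected '$want_cn' (case matters)"; return 4; }
  echo "OK: $pem and $cer are consistent for CN=$want_cn"
}

# Run the check when called as: sh check.sh <common_name> <pem_file> <cer_file>
if [ "$#" -eq 3 ]; then check_sprint_pair "$@"; fi
```

Because Step 9 leaves the private key unencrypted, keep 2600hz.sprint.pem readable only by the account that uploads it to the database.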