
How to install a personal certificate in CryptoPro CSP and copy the key container to the Windows registry

Electronic document management is becoming an ever larger part of our lives.
Today it concerns not only office staff of enterprises and individual entrepreneurs: working with electronic documents increasingly helps ordinary citizens deal with everyday tasks. Naturally, as electronic documents spread, so does the electronic digital signature, abbreviated EDS.
What follows is about making work with digital signatures more convenient: specifically, how to add a digital signature key to the CryptoPro registry store on the computer.

What a digital signature and a private key certificate are

An electronic digital signature is used in many software products: 1C:Enterprise (and other business and accounting programs), VLSI++, Kontur.Extern (and other solutions for accounting and tax reporting) and others. EDS is also used when individuals deal with government agencies.

An EDS is a kind of guarantor in the world of electronic document management, analogous to a handwritten signature and a seal on paper.

As with paper, signing an electronic document alters the original: the signature is attached to it.

A document is signed by transforming it with the owner's private key; this operation is called signing. Anyone who holds the matching certificate (the public key) can then verify that the document was signed with that key and has not been changed since.

Today private key containers are most often distributed either on ordinary USB flash drives or on special protected media with the same USB interface (Rutoken, eToken and so on).
Every time documents need to be signed (or the user identified), the medium with the key has to be inserted into the computer and the certificate used from it; after finishing, the medium is simply removed so that nobody else can use the signature. This is reasonably safe, but not always convenient.

If you use a digital signature at home, connecting and disconnecting the token every time quickly becomes tedious. The medium also occupies a USB port, and there are not always enough of them for all the peripherals you need.
At work it happens that the certification center issued only one key while several people must sign documents. Carrying the container back and forth is also inconvenient, and there are cases when several specialists work with the certificate at the same time. (Bear in mind that a key shared this way no longer tells anyone which person actually signed.)
In addition, both at home and especially at work, one computer sometimes has to work with several digital signature keys at once.

In the cases where a physical key medium is inconvenient, the digital signature key can be registered in the CryptoPro registry store (for the Windows registry in general, see the article Changing Windows registry settings) and the certificate can then be used without connecting the medium to a USB port. Keep the trade-off in mind: the private key then lives in the registry hive, protected only by the container password and the registry permissions.

Adding a Registry reader to CryptoPro CSP

First of all, for CryptoPro to work with keys stored locally, a reader of this type must be added.

To add the new media type in the CSP utility, run it as an administrator: right-click it and choose Run as administrator, or use the corresponding link on the General tab of the utility itself.

Now go to the Hardware tab and click Configure readers...
If the Registry option is not in the window that opens, click Add... to add it:

  1. Click Next in the first window.
  2. From the list of readers from all manufacturers, select Registry and click Next again.
  3. Enter a reader name, or leave the default. Click Next.
  4. The last window notes that a restart is recommended after the reader setup is complete. Click Finish and reboot the machine.

The first stage is complete. The Registry reader has been added, as shown by the corresponding entry in the Reader management window (reached via CryptoPro - Hardware - Configure readers...).

Copying the key to the CryptoPro CSP Registry

To register the key container in local storage, connect the physical medium with the key to the computer.

Run the CryptoPro utility again, open the Service tab and click Copy...
In the Copy Private Key Container wizard window, click Browse (or By certificate...) and select the key medium, confirm with OK, then go to the next window with Next.

In the new window, enter a friendly name for the container being created and click Finish. Then, as the destination for the key, select the Registry reader created earlier and confirm with OK.
After confirming, set a password for the new container. Many guides use 12345678 by default; do not leave it at that. For a registry container this password is the only thing that protects the private key from anyone who can read the registry, so choose a strong one, then click OK.

That's it: the key container has been added to the CryptoPro Registry reader.

Installing a CryptoPro CSP private key certificate

To finish setting up signing without the key medium connected, it remains to install the private key certificate from the container just created.

To install a certificate in CryptoPro, do the following:

  1. In the CSP utility, on the Service tab, click View certificates in container...
  2. In the window that opens, click Browse and select the container by the name you gave it, confirming with OK. Click Next.
  3. In the final window, check that the correct certificate is shown and confirm with Install.

The private key certificate has now been installed from the local Registry store.

The CryptoPro setup is complete, but remember that many software products will also require the new key to be re-registered in their own settings.
After these steps you can sign documents without connecting the key, be it Rutoken, eToken or another physical medium.

If a flash drive or floppy disk is used for work, the container can be copied with Windows Explorer (this method works with CryptoPro CSP 3.0 and later). The folder with the private key (and the certificate file, if there is one) must be placed in the root of the flash drive (floppy disk). Do not rename the folder when copying.

The private key folder should contain six files with the .key extension: header.key, masks.key, masks2.key, name.key, primary.key, primary2.key.

The container can also be copied with the CryptoPro CSP crypto provider itself. To do this:

1. Open Start / Control Panel / CryptoPro CSP.

2. Go to the Service tab and click Copy (see Fig. 1).

Fig. 1. The CryptoPro CSP Properties window

3. In the Copying a private key container window, click Browse (see Fig. 2).

Fig. 2. Copying the private key container

4. Select the container from the list, click OK, then Next.

Fig. 3. Key container name

6. In the Insert and select media to store the private key container window, select the medium on which the new container will be placed (see Fig. 4).

Fig. 4. Selecting a blank key medium

7. You will be prompted to set a password for the new container. The password is optional; you can leave the field blank and click OK (see Fig. 5). Be aware that a container without a password on a flash drive can be used by anyone who copies its files, so setting one is strongly advised.

Fig. 5. Setting a password for the container

When copying to a Rutoken medium, the prompt asks for the token PIN code instead (see Fig. 6).

Fig. 6. PIN code for the container

Please note: if you lose the password/PIN code, the container becomes unusable.

8. After copying is complete, the program returns to the Service tab of the CryptoPro CSP window. Copying is finished. If you plan to use the new key container to work in the Kontur.Extern system, you must install a personal certificate (see How to install a personal certificate?).

For bulk copying, download and run the Certfix utility.

When installing a personal certificate through the Install personal certificate menu, after selecting the key container the error message "The private key in the container does not match the public key" appears.

To solve this problem, go through the following steps (after each step, try installing the certificate again):

1. If a floppy disk is used as the key medium, check whether it is write-protected (on a write-protected floppy disk both slots in the corners of the medium are open).

3. Make a copy of the key container and install the certificate from the duplicate (see How to copy a container with a certificate to another medium?).

4. If the workplace uses CryptoPro CSP 3.6 R2 or R3 (product version 3.6.6497 or higher), install the certificate through the Install personal certificate menu and, in the Private key container window (step 5 of those instructions), tick the Find container automatically box.

The version of the installed crypto provider is shown on the General tab (Start > Control Panel > CryptoPro CSP).

5. Key containers generated on CryptoPro CSP 3.0 or 3.6 will not work on CryptoPro CSP 2.0.

If CryptoPro CSP 2.0 is installed and the certificate request was made on a workstation with CryptoPro CSP 3.0 or 3.6, the following solutions are possible:

Otherwise, go to step 6.

6. The public key certificate (the .cer file) may be damaged. Contact technical support at [email protected] for a copy; be sure to state the organization's TIN and KPP.

7. The private key container may be damaged. If a floppy disk or flash card is used as the key media, it is recommended to perform data recovery (see.

Installing the certificate and private key

We will describe installing an electronic signature certificate and private key on Windows. Administrator rights are needed during setup (so you may need your system administrator, if you have one).

If you have not yet figured out what an electronic signature is, please read about it first. If you have not yet received an electronic signature, contact a certification center; we recommend SKB-Kontur.

So, suppose you already have an electronic signature (a token or flash drive), but OpenSRO reports that your certificate is not installed. This happens, for example, when you set up a second or third computer (the signature is not tied to one computer and can be used on several). Usually the initial setup is done with the help of the certification center's technical support, but let's assume that is not our case, so let's proceed.

1. Make sure CryptoPro CSP 4 is installed on your computer

To check, open Start > CRYPTO-PRO > CryptoPro CSP, run it and make sure the program version is not lower than 4.

If it is not installed, download it, install it and restart the browser.

2. If you have a token (Rutoken, for example)

Before the system can work with it, the appropriate driver must be installed.

  • Drivers Rutoken: https://www.rutoken.ru/support/download/drivers-for-windows/
  • Drivers eToken: https://www.aladdin-rd.ru/support/downloads/etoken
  • Drivers JaCarta: https://www.aladdin-rd.ru/support/downloads/jacarta

The procedure is: (1) download; (2) install.

3. If the private key is in the form of files

The private key may consist of six files: header.key, masks.key, masks2.key, name.key, primary.key, primary2.key

There is a subtlety here: if these files are on the computer's hard drive, CryptoPro CSP will not read them, so first write them to a flash drive (removable medium), and put them in a first-level folder, for example E:\Andrey\(files); if they are in E:\Andrey\keys\(files), it will not work.

(If you are comfortable with the command line, removable storage can be emulated roughly like this: subst x: C:\tmp. A new drive (X:) appears containing the contents of the C:\tmp folder; it disappears after a reboot. This trick is useful if you intend to install the keys into the registry.)

We have found the files and written them to a flash drive; on to the next step.
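The layout requirements described above (six .key files, a first-level folder, removable media, the subst trick) can be checked before starting the CryptoPro wizard. The PowerShell script below is an added example, not code from the original article or from CryptoPro; the function names, the container folder and the drive letters are placeholders of my own, and the file list is the one the article gives. It only uses standard PowerShell cmdlets and WMI, not the CSP itself.

```powershell
# Added example: sanity checks for a file-based CryptoPro key container.
# Assumptions: the file names are those listed in the article; paths, drive
# letters and function names are placeholders, not CryptoPro CSP tooling.

$ExpectedKeyFiles = @('header.key', 'masks.key', 'masks2.key',
                      'name.key', 'primary.key', 'primary2.key')

function Test-KeyContainerFolder {
    # Returns 'ok' or a short description of what is wrong with the folder.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return "folder not found: $Path"
    }
    $present = @(Get-ChildItem -LiteralPath $Path -File | Select-Object -ExpandProperty Name)
    $missing = @($ExpectedKeyFiles | Where-Object { $_ -notin $present })
    if ($missing.Count -gt 0) {
        return "missing key files: $($missing -join ', ')"
    }
    # A .cer file next to the keys is normal; anything else suggests a mixed or damaged folder.
    $extra = @($present | Where-Object { ($_ -notin $ExpectedKeyFiles) -and ($_ -notlike '*.cer') })
    if ($extra.Count -gt 0) {
        return "unexpected files in container folder: $($extra -join ', ')"
    }
    return 'ok'
}

function Get-RemovableDriveLetters {
    # Win32_LogicalDisk DriveType 2 = removable disk (flash drives, floppies)
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID
}

function Copy-KeyContainerToRemovable {
    # Copies the container to a first-level folder on the chosen drive, keeping
    # the folder name (E:\<name>\, not E:\sub\<name>\, as the article requires).
    param(
        [Parameter(Mandatory)][string]$SourceFolder,
        [Parameter(Mandatory)][string]$DriveLetter,   # e.g. 'E:'
        [switch]$SkipRemovableCheck                    # for a drive created with subst
    )
    $check = Test-KeyContainerFolder -Path $SourceFolder
    if ($check -ne 'ok') { throw "source container rejected: $check" }

    if (-not $SkipRemovableCheck -and ($DriveLetter -notin @(Get-RemovableDriveLetters))) {
        throw "$DriveLetter is not a removable drive; CryptoPro CSP does not read file containers from a hard drive"
    }
    $target = Join-Path "$DriveLetter\" (Split-Path -Path $SourceFolder -Leaf)
    if (Test-Path -LiteralPath $target) {
        throw "target already exists: $target (refusing to overwrite another container)"
    }
    Copy-Item -LiteralPath $SourceFolder -Destination $target -Recurse
    return $target
}

# Usage (placeholder paths). To emulate removable media from a local folder,
# first run the article's trick from an elevated prompt:  subst X: C:\tmp
# (the mapping disappears after a reboot), then pass -SkipRemovableCheck,
# because the WMI drive-type check above does not know what the CSP accepts.
#   Test-KeyContainerFolder -Path 'C:\keys\ivanov'
#   Copy-KeyContainerToRemovable -SourceFolder 'C:\keys\ivanov' -DriveLetter 'E:'
#   Copy-KeyContainerToRemovable -SourceFolder 'C:\keys\ivanov' -DriveLetter 'X:' -SkipRemovableCheck
```

The copy function refuses to overwrite an existing folder on the target drive on purpose: two containers with the same folder name on one medium is the kind of mix-up that later shows up as "the private key in the container does not match the public key".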

4. Installing the certificate from the private key

Now we need to get the certificate installed; this is done as follows:

  1. Open CryptoPro CSP
  2. Go to the Service tab
  3. Click View certificates in a container, click Browse and (if everything was done correctly in the previous steps) our container will be listed. Click Next, the certificate details appear, then click Install (the program may ask whether to link the certificate to the private key; answer Yes)
  4. After this the certificate is installed in the store and documents can be signed (the flash drive or token must be inserted in the computer at the moment of signing)

5. Using the electronic signature without a token or flash drive (installing into the registry)

If speed and convenience matter somewhat more to you than security, you can install the private key into the Windows registry. A few simple steps:

  1. Prepare the private key as described in step (2) or (3)
  2. Open CryptoPro CSP
  3. Go to the Service tab
  4. Click Copy
  5. Use Browse to select our key
  6. Click Next, then enter a name, for example "Pupkin, LLC Romashka", and click Finish
  7. A window asks you to select the medium; choose Registry and click OK
  8. The system asks you to set a password for the container; choose one (not a trivial one, since it is all that protects the key in the registry) and click OK

Important note: the OpenSRO portal will not "see" the certificate if its validity period has expired.

Good afternoon! We continue the topic of certificates and working with them. Last time I described in detail how to obtain a CryptoPro test certificate; have a look at that article. You will agree that for testing you may need not one certificate but many more, and it is very convenient to work with them without being tied to physical tokens, for example on VMware virtual machines. For such tasks CryptoPro certificates can be placed in the Windows registry, which is what we will do now.

When to copy CryptoPro certificates to the registry

There are a number of tasks where it is convenient to have the digital signature in the Windows registry:

1. Testing a configured environment for trading platforms that use a digital signature for login.
2. A virtual infrastructure with no way to forward USB devices over the network.
3. Situations when CryptoPro does not see the USB token.
4. Situations with many USB keys, when you need to work with 5 or more keys at the same time; the VLSI reporting program is an example.

How to copy a certificate to the CryptoPro registry

CryptoPro allows a private key (certificate) to be installed by copying it into the Windows registry.

I want to warn you right away that from a security point of view this is not very reliable: your private keys can be stolen if you do not provide an appropriate level of protection.

So, I have a SafeNet USB token for which I issued a test digital signature; I will transfer it, together with the private key, to the Windows registry. Open the CryptoPro utility with administrator rights.

Go to the Service tab and click Copy.

The Private Key Container window opens; click Browse to select the certificate you want to copy to the registry.

As a result, a machine-generated name appears in the Key container name field.

A window asks for the PIN code of your USB token.

Now set a name for the copied certificate in the Windows registry; CryptoPro allows this. I called mine "Copy of the certificate in the registry (Semin Ivan)".

Now the CryptoPro certificate must be placed in the registry: select the Registry item and click OK.

In the next step you will be asked to set a new password for the container with the private key; I advise setting one, preferably something complex.

Installing the private key from the registry

Now that your private key is in the registry, let's install the personal certificate. On the Service tab, click View certificates in container.

Select the certificate from the registry; it will have the name you gave it.

Then install the certificate with the corresponding button.

We see that the certificate was installed in the current user's Personal store. As you can see, copying the private key to the operating system registry is very easy.

Where is the private key stored in the Windows registry?

After adding the certificate to the CryptoPro registry store, I would like to show you where to look at all this. Earlier I described how to add the Certificates snap-in. We are interested in the Certificates - Current User - Personal section.

Alternatively, open the Internet Explorer properties, go to the Content tab and then Certificates; there you will see your SSL certificates as well as those CryptoPro copied into the operating system registry.

If you need to find the registry branch with the private key, I already gave an example in the article on transferring a digital signature from computer to computer:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Settings\Users\<your SID>\Keys\Copy of the certificate in the registry (Semin Ivan)

(Your SID can be obtained with the whoami /user command.)
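A quick way to verify everything above: that the certificate landed in the current user's Personal store with a linked private key and has not expired (the expiry point also made in the OpenSRO section), that the registry branch just shown exists for your SID, and who is allowed to read it. The PowerShell script below is an added example, not code from the original article or from CryptoPro. Assumptions: the WOW6432Node path is the one the article gives; the path without WOW6432Node is my assumed fallback; csptest.exe and its -keyset -enum_cont -verifycontext -fqcn option do ship with CryptoPro CSP, but the install folder used here is assumed; the function names are mine.

```powershell
# Added example: post-installation checks for a key container kept in the
# registry. Not CryptoPro tooling; function names are placeholders.
# Assumptions: the WOW6432Node path is the one from the article; the path
# without WOW6432Node is assumed as a fallback; csptest.exe is assumed to be
# in the default CryptoPro CSP installation folder.

function Get-PersonalSigningCertificates {
    # Certificates in the current user's Personal store. HasPrivateKey = False
    # means the link to the key container is missing (the Install step did not
    # complete); expired certificates are ignored by portals such as OpenSRO.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            Expired       = ($_.NotAfter -lt (Get-Date))
        }
    }
}

function Get-CryptoProRegistryContainers {
    # Locates the per-user Keys branch for the current SID and lists who is
    # allowed to read each container subkey. Every principal under Readers
    # can copy the key material, so review this list.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $candidates = @(
        "HKLM:\SOFTWARE\WOW6432Node\Crypto Pro\Settings\Users\$sid\Keys",   # path from the article
        "HKLM:\SOFTWARE\Crypto Pro\Settings\Users\$sid\Keys"                # assumed fallback
    )
    foreach ($base in $candidates) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        Get-ChildItem -LiteralPath $base | ForEach-Object {
            $key = $_
            $acl = Get-Acl -LiteralPath $key.PSPath
            # Named rights plus the generic masks (GENERIC_ALL 268435456,
            # GENERIC_READ -2147483648) that inherited entries often carry.
            $readers = $acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.RegistryRights.ToString() -match 'FullControl|ReadKey|QueryValues|268435456|-2147483648')
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
            [pscustomobject]@{
                Container = $key.PSChildName
                Path      = $key.Name
                Readers   = ($readers -join '; ')
            }
        }
        return   # stop after the first branch that exists
    }
    Write-Warning "no CryptoPro Keys branch found for SID $sid"
}

function Get-CspContainerList {
    # Asks the CSP itself which containers it sees; registry containers are
    # reported as \\.\REGISTRY\<name>. The location of csptest.exe is assumed.
    $csptest = Join-Path $env:ProgramFiles 'Crypto Pro\CSP\csptest.exe'
    if (-not (Test-Path -LiteralPath $csptest)) {
        Write-Warning "csptest.exe not found at $csptest"
        return
    }
    & $csptest -keyset -enum_cont -verifycontext -fqcn
}

Get-PersonalSigningCertificates | Format-Table -AutoSize
Get-CryptoProRegistryContainers | Format-List
Get-CspContainerList
```

Run it as the user who performed the installation, since both the SID-specific branch and the Personal store are per user. If a container's Readers list contains anything beyond your own account, SYSTEM and Administrators, the private key is readable by those principals, which is exactly the theft risk this section warns about; the container password is then the only remaining protection.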

We have discussed copying a digital signature with its private key to the registry; now the reverse situation.

How to copy a digital signature from the registry to a flash drive

Suppose you have to copy a container out of the registry. Since it is already there and is copyable, open CryptoPro and go to Service - Copy.

Click Browse and select your certificate from the registry.

Give it a new name convenient for you.

Then you will be asked to specify the flash drive to which the container with the private key will be copied from the registry.