Kontur does not see the certificate on the flash drive. What to do if the computer does not see the digital signature


As paper document flow gives way to electronic document flow, the electronic signature is becoming increasingly important and widespread. Many departments already exchange documents exclusively in electronic form, with each legally significant document signed with an electronic signature. It is used when working on electronic trading platforms, when interacting with government information systems (such as GIS GMP, GIS Housing and Communal Services and others) and can even be used for authorization on government portals (such as gosuslugi.ru). The scope of application of electronic signatures will no doubt continue to expand, so it is important for information technology specialists to understand how an electronic signature works and to be able to install and configure the software for working with it.

A study of this topic should start with the federal law “On Electronic Signatures” ( http://www.consultant.ru/document/cons_doc_LAW_112701/ ), which provides definitions of concepts, the legal status of an electronic signature, the procedure for its use and other useful information. The purpose of this article, however, is to show how to install an electronic signature quickly, without going into details, which is useful when there is no time for proper study.
We will perform the installation on a computer running Windows 7 Professional, with the private key of the electronic signature on eToken media and CryptoPro CSP as the crypto provider.
Let's start by installing the necessary software:
- CryptoPro CSP version 3.6 or higher;
- Media driver (when using eToken or Rutoken).
The driver for eToken can be downloaded for free from the following link http://www.aladdin-rd.ru/support/downloads/etoken/ , the driver for Rutoken is available for download here http://www.rutoken.ru/support/download/drivers-for-windows/ .
Other devices, such as a flash drive, smart card or registry, can also be used as a carrier of key information, but their use is not recommended as they do not provide a sufficient level of protection of key information from unauthorized access.

Installing an electronic signature key certificate.

After the eToken driver (Rutoken) and the crypto provider CryptoPro CSP are installed, we can begin installing the electronic signature verification key certificate.
Launch the CryptoPro CSP program, go to the “Service” tab and click the “View certificates in the container” button.

In the window that opens, click “Browse”, select the desired owner and click “OK”.

In the next window, do not change anything, click “Next”.


A window will open in which we can see brief information about the user’s certificate (information about the owner, the validity period of the certificate and its serial number).


To view detailed information, click “Properties”. If the root certificate of the certification authority has not yet been installed (as in our case), then in the general tab we will see a message as in the figure below. The current root certificate of a certification authority is usually available for download on the website of the certification authority (the organization that issued the electronic signature).

Return to the previous window and click “Install” to continue installing the user certificate. A message appears indicating that the certificate is being installed. Confirm the installation by clicking the “Yes” button.


A message from eToken PKI will also appear, asking you to write the certificate to eToken. Decline by clicking “Cancel”.


The certificate is installed in the certificate store. Click “Finish” to complete the installation.

Installing the root certificate of the certification authority.

Open the file of the root certificate of the certification authority (with the .cer extension) by double-clicking the mouse and clicking the “Install certificate” button.

The Certificate Import Wizard will open. Click “Next”. Then select the “Place all certificates in the following store” option.


Using “Browse”, select the “Trusted Root Certification Authorities” store.

Click “Ok” and complete the installation. A message appears indicating that the operation was successful.

Now, when we open the properties of the user certificate, the error no longer appears.

All that remains is to test the private key container.

Testing.

Open CryptoPro CSP, and in the “Service” tab, click “Test”.

Find the key container through “Browse” or by the corresponding certificate and click “Next”. You will be prompted to enter the PIN code for the container. Enter the password and click “Ok”. If you check the “Remember pin code” checkbox, the system will no longer request the PIN whenever the key container is accessed (including when signing a document); this is not recommended, because the PIN prompt is what protects the key against unauthorized access.
Next, a window will open with information about the presence or absence of errors.

Installing an electronic signature in the registry.

The private key of an electronic signature may need to be duplicated so that it can be used on several computers. In such cases, the optimal solution is to install the private key in the registry. A container created in the registry can be given a password, which limits access to the private key stored in it. After installation, the removable media can be handed to another user. Such a measure is justified when, for example, several employees of one organization (department) use the same signature (for example, the signature of an authority). In other cases, resorting to it is not recommended.

Installing the “Registry” reader.

The first thing you need to do is install the reader. This is easy to do with the reader installation wizard (adding and removing readers requires an account with administrator rights). If you checked the “Register the “Registry” reader” checkbox when installing CryptoPro CSP, as in the figure below, and the reader is present in the list of readers, you can proceed directly to copying the private key container to the registry.


Launch CryptoPro CSP, in the “Equipment” tab, click the “Configure readers” button.

In the window that opens, click “Add”.

The reader installation wizard will start, click “Next”.


From the list in the window on the right, select “Registry” and click “Next”.


Then we set the name of the reader, or leave it unchanged as in our example and click “Next”.


We complete the wizard and click “Finish”.

Copying the private key container to the registry.

The reader is prepared, now you need to copy the container with key information from the eToken removable media to the registry. To do this, go to the main menu of CryptoPro CSP and in the “Service” tab, click the “Copy” button. Through “Browse” we indicate the container that we want to copy to the registry.


The system will then request a password to access the container on removable media (eToken). Enter the password, and in the next window set the name for the key container that will be created in the registry.


In the next window, the program will prompt you to select the media to which the container will be written. Select “Registry” and click “Ok”.


Now we need to set a password for the container that we placed in the registry.

Enter the password, confirm and click “OK”.
Now, having launched the function of testing the private key container, in addition to the container on removable media, we will see the created container on the “Registry” reader.
We complete the container testing procedure. If no errors are found, proceed to installing the electronic signature key certificate (if it has not been done previously). The procedure for installing a certificate from the registry is similar to the installation procedure from removable media, and if the owner’s certificate has already been installed from removable media, then installing it again after copying the container to the registry is not required.

Validation difficulties on the RTS-Tender website arise because the EDS Browser Plug-in does not see the RuToken key, or does not see just the signing certificate. To find out why the PC does not see the electronic signature key, consult the instructions from the supplier of the specialized software, the thematic forum on the Federal Tax Service website or resources dedicated to digital signatures, or the technical support service of the crypto-software manufacturer.

How it should work

Why doesn't the computer see the digital signature? There is a key in the form of a flash drive (the same RuToken), and the Crypto-Pro utility is installed, but the electronic signature is not verified. The main reason is that the PC does not see the digital signature flash drive in the first place. This usually happens when the key is run on a device with an unsupported OS. Each flash drive key is made for its own environment, and a routine OS update can break compatibility with the existing digital signature key (flash drive).

When the installation of a crypto provider is completed on a supported device, according to the instructions, but the computer still does not see the digital signature, the problem may be in the key itself. To find out, please contact support. There you will be asked for screenshots:

  • CSP versions/builds (General tab);
  • errors when connecting the digital signature container.

In addition, indicate to the specialists where you received the digital signature, on what media you have the container installed (rutoken, etoken, flash drive or registry) and what OS is used (bit size, build).

The computer does not see the digital signature certificate: first steps

If the computer does not see the electronic signature certificate, then in the Windows operating system you need to go to:

Start - Control Panel - CryptoPRO CSP - Service - Test - By certificate. This shows whether the certificate is installed in the user’s Personal store and linked to RuToken.

If the user’s browser does not see the digital signature and the user cannot register on the site or connect a digital signature, check whether the site has been added to the trusted list:
Start - All programs - CRYPTO-PRO - EDS Browser Plug-in settings.

It is better to use the Internet Explorer browser, as JavaScript may not work correctly in other browsers.

If the computer does not see the digital signature, then first of all you need to visit the thematic forum of the CryptoPro company. If the issue cannot be resolved on your own, then contact the support service (send there the event logs of the system and applications, indicate the version/build of CSP, OS).

The key/certificate is not installed

Why may CryptoPro CSP not see the keys? You should check the following parameters:

  • whether the program is installed correctly (whether the Windows Installer service is running);
  • whether there is access to the network;
  • whether the correct key was issued by a certified center.

When installing, it is advisable to proceed as follows:

  • install the personal certificate by following the installation wizard;
  • use “Browse” to indicate the location of the certificate file with the .cer extension;
  • select the private key container (use “Browse” to select the certificate on the reader - flash drive / floppy disk).

If the previous keys were once installed incorrectly and the new media is not installed, then you need to clean the registry (Windows). To do this, there is a button “Delete remembered passwords” in the CSP panel.

If the application event log shows no errors but the system event log does, check the system files with sfc /scannow, then re-register the Windows Installer components with msiexec /unregister followed by msiexec /regserver.

Difficult case

What should you do if the computer still does not see the digital signature? In this case, the plugin does not see the certificate even though it is installed and the site has been added to the trusted list. The error is rare, but it sometimes occurs even for users who have fulfilled all the requirements of the instructions for using CIPF, for example, have installed the root certificate. The procedure is described in detail on page 35 in paragraph 2.5.2, which is called “Viewing and installing a personal certificate stored in a private key container.” If, after all the requirements have been met, the computer still does not see the electronic signature (no certificate on cryptopro.ru), then the problem is most likely in the certificate revocation list of the certification authority (CA). If the company using the digital signature accesses the Internet through a proxy server, then in online mode the program will not find the installed certificate in the revocation list. Everything will work if you install this list locally on your computer.

    My CryptoPro CSP license has expired/I can’t enter the license?

    CryptoPro CSP is a paid product and requires the purchase of a license. After receiving the electronic signature, you are given a set of documents with an SKPEP revocation card, which indicates the type of license and serial number, if it was purchased.

    The license is:

    • built-in (valid for 1 year, produced and valid with a signature, does not require entering a license number)
    • annual (valid for 1 year, requires entering a license number)
    • permanent (perpetual – unlimited in terms of use, requiring entering a license number).

    The built-in license is recognized by versions of CryptoPro CSP 3.9 R4 and all versions 4.0.

    The serial number of the annual or permanent license must be entered if this has not been done previously.

    The serial number must match the product version. The product version can be viewed in the CryptoPro CSP program on the “General” tab at the top right (4040X-XXXXX-XXXXX-XXXXX-XXXXX for CryptoPro CSP 4.0 and 3939X-XXXXX-XXXXX-XXXXX-XXXXX for CryptoPro CSP 3.9).


  • CryptoPro CSP does not see the signature?

    Make sure the signature is installed on your computer.

    Launch CryptoPro CSP => Service tab => View certificates in container button => Browse button. If the list is empty, try another USB port on your computer. If this does not help, install the driver that matches the media type and the bitness of the Windows system. The media type is written on the media body (eToken or ruToken), and the system bitness can be viewed by right-clicking the computer icon and selecting Properties: 32-bit or 64-bit Windows.

    You can download drivers here.

    Does the site/portal not see the signature?

    Launch CryptoPro CSP => Service tab => "View certificates in container" button => "Browse" button.

    If the signature is not detected, see the answer to question No. 2 above.

    If the signature is detected, click the “Next” button, then the “Properties” button, and open the “Certification Path” tab. The chain of certificates must consist of the Certification Authority and the full name of the owner of the digital signature (the certificates should not have crosses or exclamation marks).

    If the CA certificate has a red cross, select it, click View certificate, then click “Install” (in the import wizard you must specify the Trusted Root Certification Authorities store).

    If the certificate has an exclamation mark, the certificate of the certification authority must be downloaded here and also installed in trusted certification authorities.

    If the cross does not disappear, you need to update the version of CryptoPro CSP (for Windows 10 there is a special version of CryptoPro CSP 4.0).

    If the certificate chain is displayed correctly in CryptoPro CSP, there is a problem with the Internet Explorer settings (see the answer to question No. 4 below).


  • Setting up Internet Explorer (IE)?

    For Internet Explorer to work correctly, a plugin for working with electronic signatures must be installed (you can download it here).

    Internet Explorer automatic updating must be turned off, otherwise the settings will be lost. You can turn it off in the Help menu => About the program => uncheck Install new versions automatically.

    ActiveX settings must be enabled on your computer. To do this, open the Start menu => type Internet Options in the search bar and select this item => in the window that opens, select the Security tab => click the Trusted sites (nodes) zone so that it is highlighted => then click the Other button (find the list of ActiveX controls and plug-ins and set each option to Enable).

    Go to the site where an electronic signature is required, and add this page to Trusted sites/nodes through Internet Options: on the Security tab, highlight the Trusted sites/nodes zone and click the Sites/nodes button. The Add button must be active; click it. The checkbox “For all sites in this zone, server verification is required (https:)” must be unchecked. If the Add button is gray (inactive), the page has already been added to the list of websites and does not need to be added again. Close the properties. Refresh the page in the browser with the F5 key. If messages about add-ons appear at the bottom or top of the browser, allow them to run.

    I can’t log into the site (the certificate is not matched/authorized)?

    Review question No. 3. If the problems are not related to the settings, then when you enter the site you will see the message: The client certificate is not associated with the system user (or the selected electronic signature is not authorized).

    It is possible that you have not been accredited on the site; if this is the case, see the instructions for accreditation on the electronic site. If accreditation has been passed but you have received a new signature, for example because the old signature has expired, the new one must be linked to your personal account; to do this, fill out an application on the site to add a new user and attach the following documents:

    For a legal entity: either a decision to appoint a manager, if the signature is for the head of the organization, or a power of attorney for an employee of the organization, if the signature is for an employee (in this case, an archive with the decision to appoint a manager and a power of attorney from the manager for the employee is attached to the site). For commercial sites, you may additionally need a copy of the organization’s TIN.

    For individual entrepreneurs/individuals: passport, TIN.

    Examples of the page for adding participants on popular platforms:

    Sberbank-AST (in the Members section => Registration => Adding a new user) http://www.sberbank-ast.ru/freeregister.aspx

    ZakazRF (in the Registration section => Registration of a new user of the organization) http://web.zakazrf.ru/Participant/RegistrationUser

    MICEX (in the Participants section => Registration of power of attorney) https://app.rts-tender.ru/supplier/lk/Accreditation/EmployeeRequest.aspx

    RTS-Tender (button Login => Accreditation => Submit a request to add a new user) https://app.rts-tender.ru/supplier/lk/Accreditation/EmployeeRequest.aspx

    Roseltorg – on this site you must first log in using your login and password or using your old, still valid electronic signature; information with the name of the organization and user name with icons will appear at the top right. You need to click on the pencil next to the user name, a menu with buttons will appear, among which you need to find the button: Link a new digital signature.

    B2b-center - you need to log into your personal account (using your login and password or your old valid signature). Select in your personal account Information about the organization => My electronic signatures => Upload a certificate through the tab => Registration of certificates. You must check the checkbox: The certificate is already installed on the computer.

    Fabrikant - you need to log into your personal account (using your login and password or your old valid signature). Select the Certificates line in your personal account. Upload the certificate through the Upload a new electronic signature tab.

    What is the container password for my signature?

    When you use an electronic signature for the first time, a window pops up: Enter the password for the container

    The default password is 12345678.

    The container password can be changed. If you have a ruToken carrier, you need to install the Rutoken control panel. After launching the program, enter the administrator's PIN code in the Administration tab (by default, the administrator's PIN code is 87654321). Next, click the Unblock => Change button, select a user and set a password.

    If you have an eToken carrier, you need to install the eToken driver that matches the bitness of the Windows system (the bitness can be viewed by right-clicking the computer icon and selecting Properties: 32-bit or 64-bit Windows). Launch eTokenProperties and click Detail View (the gear icon at the top right). Select the eToken name from the list on the left (the name is displayed before the eTokenPKIClient Settings line). In the window that appears on the right, click the Change password icon (a pencil and keyboard).

    How to register for GIS-Housing and Communal Services?

    The GIS Housing and Communal Services service authorizes organizations through the government services portal. Therefore, all accounts must be created on the gosuslugi.ru website. First, you must register the manager as an individual. The created account is activated using an electronic signature issued to the organization. After activation of an individual, you can add an organization. Confirmation is carried out using the same digital signature. If necessary, you can add employees of the organization (they must also have an individual account on the gosuslugi.ru website, confirmed by the same electronic signature). After this, the head of the organization needs to log into his personal account using an electronic digital signature and, having selected the role of the organization, add an employee from the legal entity’s account. In the organization's personal account, the manager can assign administrator rights.

    How to understand what type of signature is needed to work on a particular site?

    Tell the consultant the exact name of the site (web address of the site) for which you need an electronic signature.

    How long does it take to produce an EDS?

    An electronic signature is produced within 1 business day after receipt of payment and provision of a minimum package of documents (copies of passport and SNILS).

    Is it possible to update an electronic signature remotely without visiting an electronic signature issuing center?

    Issuing and re-issuing an electronic signature remotely is impossible. This contradicts the security requirements established by the current legislation of the Russian Federation. To obtain an electronic signature, the identity of the recipient must be verified at any electronic signature issuing center.

    How to sign a document using an electronic signature?

    Word documents can be signed electronically in the following cases:

    1. If the document was created in Microsoft Office 2003/2007, then no additional software is required.

    2. If the document was created in Microsoft Office 2010/2013, then you will need to additionally install the CryptoARM program - this is a program that meets the requirements of Russian legislation in terms of ensuring legally significant status. After signing the document, a file with the .sig extension is created, which clearly confirms the fact that the document was signed.

    What is a certificate chain?

    The certificate chain is used to confirm the authenticity of the electronic signature certificate. The chain includes certificates of the main certification authority, intermediate certification authorities (including the CA that issued the user's digital signature certificate) and the user's certificate. If the chain of certificates is not built correctly (in the certificate properties window on the “Certification Path” tab, the certificates of the head and intermediate certification authorities are missing or marked with a cross), then the end-user certificate is considered unreliable and cannot be used.

    What is Capicom/Cadescom?

    Capicom and Cadescom are extensions for Internet Explorer. They are necessary to work with electronic signatures in the browser. CryptoPro EDS Browser Plug-in includes both of these extensions.

    How to add a site to trusted nodes (sites)?

    To add the site of an electronic platform to trusted nodes in the browser, open the platform's site in the Internet Explorer browser and open “Browser Options”. On the “Security” tab, click on the “Trusted Sites” zone and click the “Sites” button. Uncheck “All sites in this zone require server verification (https:).” Click the "Add" button, then close the "Trusted Sites" and "Internet Options" windows and refresh the browser page by pressing Ctrl + F5.

    How do I enable ActiveX options?

    Open the platform's site in the Internet Explorer browser and open the browser properties. On the Security tab, click on the Trusted Sites zone (Trusted Sites in Internet Explorer 8) and click the Other button. In the list of options, find the section “ActiveX controls and plug-ins.” For all options in this section, select Enable. Click “Ok” and confirm the request to save the settings. Close the Internet Options window and refresh the page by pressing Ctrl + F5.

    Is CryptoPro CSP a free program?

    CryptoPro CSP is a paid product. The free trial period for the product is three months from the date of first installation. After this period, you must purchase a license to continue working with the program.

    What to do if the license for CryptoPro CSP has expired?

    After the CryptoPro CSP license expires, you must purchase a new license. As a rule, the license expires together with the electronic signature, so this situation is extremely rare. If it does occur, you have a choice of three types of licenses for CryptoPro CSP:

    • Annual, license validity period is 1 year.
    • Indefinite, valid continuously.
    • Built into the electronic signature, it is valid for the entire validity period of the electronic signature and cannot be used separately from it.

  • How to enter the serial number of the CryptoPro CSP license?

    To enter the serial number of the CryptoPro CSP license, run the program. On the General tab, click the Enter License button. Enter the license number in the Serial Number field.

    What should I do if I can’t enter the serial number of my CryptoPro CSP license?

    If you are unable to enter the serial number of the CryptoPro CSP license, then your serial number does not match the version of the installed program. The CryptoPro CSP license serial number must match the product version. For version 3.9, the serial number must begin with the numbers 3939, for version 4.0 - with the numbers 4040. You must install the version of CryptoPro CSP for which your license number is suitable.

    How to remove CryptoPro CSP?

    CryptoPro CSP is removed in two stages. First, uninstall the program using standard means, through the Control Panel, then run the cspclean.exe utility. After the utility completes, you must restart your computer.

    How to update CryptoPro CSP?

    To install a newer version of CryptoPro CSP, run the installer and confirm the update request. There is no need to remove the currently installed version of the product.

    How to copy an electronic signature?

    To copy the electronic signature, launch CryptoPro CSP, go to the “Service” tab and click the “Copy” button. By clicking Browse, select the signature you want to copy. Click "Ok" then "Next". Enter the name of the container to create. It must differ from the name of the original container by at least one character. Click "Done." In the list of media, select “Registry” and click “OK”. You can set a password for the new container or leave the password fields blank.

    In what cases is it necessary to reissue an electronic signature?

    Unscheduled reissue is carried out in cases where the data contained in the signature changes. For legal entities, such data is: abbreviated name of the legal entity, legal address, INN/KPP/OGRN, full name of the user, his position, SNILS and email. For individual entrepreneurs: full name, INN/OGRNIP, registration address, SNILS, email. For individuals: full name, tax identification number, registration address, SNILS, email. If the data has changed, you can still use the signature, but it loses legal force, so you may be rejected at electronic auctions with such a signature.

    How to reissue a signature?

    The procedure for re-issuing (renewing) an electronic signature is the same as for the initial production of an electronic signature. You need to re-submit copies of documents and, upon receipt of a signature, verify your identity in our office.

The introduction of modern means of personal identification is a huge step in the development of electronic document management. Many believe that the development of such a direction has no practical meaning, that the use of such tools is necessary only for a small number of users, and nothing will exceed a simple signature in reliability and convenience, but this is far from the case.

An electronic digital signature allows you to determine the authenticity of your identity in digital document flow, which significantly increases its efficiency and saves time and money.

An electronic digital signature (or EDS) is, in essence, an electronic attribute of a document that protects its digital version from forgery. The legislator defines an electronic signature as an analogue of a handwritten signature, which is used for the purpose of identifying a person in electronic document management.

In practice, several variants of digital signature are used.

A simple signature does not contain cryptographic protection elements. Security is ensured by using login, password and connection codes.

In general, it is used only for the actual identification of the user, but is not used to protect a specific document.

Such a signature can still certify documents; however, this requires that certain conditions be met:

  • adding to a specific document;
  • use complies with internal document flow rules;
  • availability of information about the identity of the sender of the file.

An unqualified signature is an enhanced signature, but its degree of protection is lower than that of a qualified signature. However, in this case, cryptographic protection methods are already used. Using such a signature allows you not only to sign a document, but also to make changes to it and then confirm them.

A qualified signature is considered the most secure option. Cryptographic protection methods are used, which are confirmed by special authorities. Use in practice is difficult, but there is an undoubted advantage - reliability. You can obtain such a signature only in a special certification center.

When signed with such a seal, the document is equivalent to a paper counterpart signed by an official with a special seal.

Verification methods, services and results

Using a digital signature is undoubtedly practical and convenient. However, each user must have the skills to verify its authenticity, which protects against possible violations by counterparties.

It is not difficult to check. To do this, just use one of several services. So, you can verify the authenticity of a document signed using an electronic digital signature by uploading it to the website crypto.kontur.ru.

This service will allow you to quickly analyze a document and get the result. To use it, you need to configure your computer accordingly, but it is not difficult, you just need to follow the instructions on the site.

If you cannot install the electronic signature on your computer yourself, you should contact a certification center. Upon completion of their work, a certificate of installation of the electronic signature tool is drawn up.

The second service, provided by the State Services portal, is also easy to use. Using the link www.gosuslugi.ru/pgu/eds you can upload a file signed with an electronic digital signature, and the service will verify its authenticity.

Using the service www.iecp.ru/ep/ep-verification, you can verify not the document but the signature itself. You need to upload a file of the appropriate format, and the system will check:

  1. Certificate validity period.
  2. Is the signature on the list of revoked signatures?
  3. Is the digital signature one of those issued by accredited centers?
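
The three checks in the list above can also be run locally against the signer's exported certificate. The following PowerShell is an added example, not code from the original page or from any of the services it names; it assumes PowerShell 3.0 or later, an installed CSP that supports the certificate's algorithm, and an allow-list of accredited CA thumbprints that you supply (the function name, parameter names and placeholder value are hypothetical).

```powershell
# Added example. Read-only: builds the certificate chain and reports the three checks.
function Test-SignerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,                     # exported .cer file
        [Parameter(Mandatory = $true)] [string[]] $AccreditedCaThumbprints,  # your allow-list
        [datetime] $At = (Get-Date)
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $file
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode   = 'Online'       # fetch the CRL, do not rely on the cache
    $chain.ChainPolicy.RevocationFlag   = 'EntireChain'  # check the CA certificates as well
    $chain.ChainPolicy.VerificationTime = $At
    $built = $chain.Build($cert)   # also fails if the root is not in the trusted root store
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() } |
               Where-Object { $_ -ne 'NoError' })

    # 1. Certificate validity period.
    $inPeriod = ($At -ge $cert.NotBefore) -and ($At -le $cert.NotAfter)

    # 2. Revocation. An unreachable revocation list is reported as Unknown, never as Good.
    $revocation = 'Good'
    if ($flags -contains 'Revoked') {
        $revocation = 'Revoked'
    } elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
        $revocation = 'Unknown'
    }

    # 3. Issuer. Element 0 is the signer; some CA above it must be on the allow-list.
    $issuers = @($chain.ChainElements | Select-Object -Skip 1 |
                 ForEach-Object { $_.Certificate.Thumbprint })
    $accredited = [bool]($issuers | Where-Object { $AccreditedCaThumbprints -contains $_ })

    [pscustomobject]@{
        Subject              = $cert.Subject
        NotAfter             = $cert.NotAfter
        WithinValidityPeriod = $inPeriod
        Revocation           = $revocation
        IssuedByAccreditedCa = $accredited
        ChainFlags           = ($flags -join ', ')
        Accept               = $built -and $inPeriod -and ($revocation -eq 'Good') -and $accredited
    }
}

# Usage with constructed values (file name and thumbprint are placeholders):
# Test-SignerCertificate -Path .\signer.cer -AccreditedCaThumbprints 'PLACEHOLDER_CA_THUMBPRINT'
```

`Accept` is true only when all three checks pass and Windows could build a trusted chain, so a revocation list that cannot be downloaded results in a rejection.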

The most popular verification method is checking through the State Services portal. However, there are many more services that are approximately the same in their effectiveness.

In general, verification methods can be divided into two types:

  1. Verification of a document signed with digital signature.
  2. Checking the digital signature itself.

For best results, it is recommended to use both methods. In addition, it is necessary to check the digital signature itself periodically to make sure it has not become invalid.

Another way to check your digital signature is to install the appropriate program on your PC. CryptoPro is typically used because of its many full-fledged functions for working with digital signatures.

The result of any check is confirmation or non-confirmation of the authenticity of the digital signature or the document signed by it. Such services are simply essential for work, as they fully ensure the security of electronic document management.

If work is carried out on an ongoing basis, it is recommended to use software from CryptoPro.

How to install digital signature

To install the electronic signature on a PC, you will need to download the appropriate software and follow the instructions.

Programs

First of all, you need to install the CryptoPro CSP program on your computer. Then:

  1. Run the program in any way you like. For example, open the Control Panel, go to the “Programs” menu and find it there, or find it through search if its location is not known. Run it as administrator.
  2. After starting the program, a window will appear in which you need to find the “Service” tab.
  3. Next, look for the “View certificates in container” menu.
  4. The Browse window appears, where you can view information about the container name and reader. Click OK.
  5. In the next window, “Certificates in the private key container,” you do not need to perform any actions. Just skip it by clicking Next.
  6. A window with user data will appear. You need to select "Properties".
  7. To install the new certificate, select “Install Certificate”.
  8. In the next window, do nothing and just click “Next”.
  9. Next, you need to select the “Place all certificates in one storage” item; to do this, click “Browse” and select the “Personal” folder.
  10. The last step is to click “Finish”.

Plugins

There is also a useful plugin from CryptoPro that allows you to create and verify signatures on web pages. CryptoPro EDS Browser plug-in can work with any modern browser, including Chrome and Yandex.

Many people believe that it is necessary to use Internet Explorer to work with digital signatures, but this is not so. It is enough that the Internet browser supports Java.

This plugin allows you to:

  1. Sign documents for electronic document management.
  2. Validate web form data.
  3. Certify any files sent from the user's computer.
  4. Sign messages.

Using the plugin, you can check both regular and improved electronic signatures. An important advantage is that it is distributed completely free of charge.

To install the plugin, you don’t need any special skills; everything happens automatically. You just need to run the installer file, then select “Run”, “Next” and “Ok”. The program will do everything itself.

If you encounter any difficulties with installing or operating the program, you can always contact the company where the signature was purchased for help. In most cases, they provide detailed instructions and provide assistance over the telephone.

Setup and activation

For the electronic digital signature to operate fully, it must be properly configured and activated. To do this, in addition to installing the CryptoPro program and the corresponding plugin, you need to install a number of system programs and drivers, which will ensure stable operation.

  1. First of all, the Rutoken drivers are installed. Remove the electronic identifier from the USB port, then run the installer file and follow the program instructions.
  2. After installation, you should restart your computer and connect the ID. The system will automatically detect it.
  3. Next, CryptoPro CSP is installed. This step was described in the previous section.
  4. After these manipulations, you need to install the root certificate. It must be downloaded from the certification center website. After that, you need to find the cacer.p7b file among the downloaded files, right-click on it, and select “Install certificate.” Click Next, then select “Place certificates in one store,” then “Browse” and select “Trusted Root Certification Authorities.” Then “Next” and “Done”.
  5. If a pop-up window appears, you will need to click “Yes” several times, then “OK”.
  6. The next step is to install a personal certificate. Click Start and look for CryptoPro CSP. Select “Service” and “View certificates...”, then “Browse”. Select the container and confirm. After confirmation, a pop-up window will appear in which you must enter the PIN code of the electronic media, and then click “Install”.
  7. The next important step is binding the key to the certificate. As a rule, it occurs automatically; if not, then you should follow the instructions of the certification center.
  8. You should also install CAPICOM, which is distributed free of charge on the Microsoft website. You need to run the installer file and follow the instructions.

Correctly setting up the electronic signature will help you avoid many problems. Therefore, all steps must be completed very carefully. If you have any questions, it is better to contact the certification center again.

Detailed instructions for installing and activating the CryptoPro program can be found below.

FAQ

How reliable is the use of digital signature?

The reliability of using an electronic signature is at a fairly high level; a regular digital signature is equivalent to a handwritten signature. It is almost impossible to hack the system, and the chance of forging it is much lower than the chance of forging a handwritten signature.

Is it relevant for an individual to obtain an ES?

Under the Federal Law, a signature can be used in any electronic document flow. In addition, the use of such a signature significantly expands the capabilities of the government services portal.

How much does an EDS cost?

The cost of an electronic signature is not very high. It will cost an individual about 1,000 rubles, the maximum cost for a legal entity is up to 2,500 rubles.


Good afternoon! For the last two days I had an interesting task of finding a solution to this situation: there is a physical or virtual server with CryptoPRO, probably well known to many people, installed on it. A JaCarta key, which is used to sign documents for VTB24 DBO, is connected to the server. Everything works locally on Windows 10, but on the server platforms Windows Server 2016 and 2012 R2, CryptoPRO does not see the JaCarta key. Let's figure out what the problem is and how to fix it.

Description of the environment

There is a virtual machine on VMware ESXi 6.5, with Windows Server 2012 R2 installed as the operating system. The server is running CryptoPRO 4.0.9944, the latest version at the moment. A JaCarta dongle is connected from a USB network hub using USB over IP technology. The key is visible in the system, but not in CryptoPRO.

Algorithm for solving problems with JaCarta

CryptoPRO very often causes various errors in Windows, a simple example (Windows installer service could not be accessed). This is what the situation looks like when the CryptoPRO utility does not see the certificate in the container.

As you can see in the UTN Manager utility, the key is connected, and it is seen in the system in smart cards as a Microsoft Usbccid (WUDF) device, but CryptoPRO does not detect this container and you do not have the opportunity to install the certificate. The token was also connected locally, and everything was the same. We began to think about what to do.

Possible causes of container detection problems

  1. Firstly, this may be a problem with the drivers: for example, in Windows Server 2012 R2, JaCarta should ideally be detected in the list of smart cards as JaCarta Usbccid Smartcard, and not as Microsoft Usbccid (WUDF).
  2. Secondly, if the device is seen as Microsoft Usbccid (WUDF), then the driver version may be outdated, which is why your utilities will not detect a protected USB drive.
  3. An outdated version of CryptoPRO.
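
The three causes above can be triaged from a console before anything is reinstalled. This PowerShell is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and it assumes that the installed product registers an uninstall entry whose display name contains "CryptoPro" or its Cyrillic spelling (the function names are hypothetical).

```powershell
# Added example. Read-only: lists reader drivers and the installed CryptoPro version.

# Device setup class GUID of smart card readers (a Windows constant).
$ReaderClassGuid = '{50dd5230-ba8a-11d1-bf5d-0000f805f530}'

function Get-ReaderDriverReport {
    Get-CimInstance -ClassName Win32_PnPSignedDriver -Filter "ClassGuid = '$ReaderClassGuid'" |
        ForEach-Object {
            [pscustomobject]@{
                Device        = $_.DeviceName          # e.g. "Microsoft Usbccid (WUDF)"
                Provider      = $_.DriverProviderName
                Version       = $_.DriverVersion
                Date          = $_.DriverDate
                # Causes 1 and 2: the reader is bound to the in-box Microsoft driver
                # instead of the token vendor's driver.
                GenericDriver = ($_.DriverProviderName -like 'Microsoft*')
            }
        }
}

function Get-CryptoProVersion {
    # Cause 3. Assumption: the display name contains "CryptoPro" or "КриптоПро";
    # the Cyrillic spelling is written as \u escapes so the script survives any file encoding.
    $pattern = 'CryptoPro|\u041A\u0440\u0438\u043F\u0442\u043E\u041F\u0440\u043E'
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        Select-Object DisplayName, DisplayVersion
}

$readers = @(Get-ReaderDriverReport)
if ($readers.Count -eq 0) {
    Write-Warning 'No smart card reader device is present: the token is not connected.'
}
$readers | Format-Table -AutoSize
$readers | Where-Object { $_.GenericDriver } | ForEach-Object {
    Write-Warning "$($_.Device): in-box driver $($_.Version), the vendor driver is not bound."
}
Get-CryptoProVersion | Format-Table -AutoSize
```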

How to solve the problem that CryptoPRO does not see the USB key?

We created a new virtual machine and began installing the software sequentially.

Before installing any software that works with USB media containing certificates and private keys, you MUST disconnect the token: if it is inserted locally, unplug it; if it is connected over the network, terminate the session.

  • First of all, update the operating system with all available updates, since Microsoft fixes many errors and bugs, including in drivers.
  • Second, in the case of a physical server, install all the latest drivers for the motherboard and all peripheral equipment.
  • Next, install the JaCarta Unified Client.
  • Install the latest version of CryptoPRO.

Installing the JaCarta PKI Unified Client

JaCarta Unified Client is a special utility from the Aladdin company for working properly with JaCarta tokens. You can download the latest version of this software product from the official website, or from my cloud, if suddenly you can’t get it from the manufacturer’s website.

Next, unpack the resulting archive and run the installation file for your Windows architecture; mine is 64-bit. Let's start installing the JaCarta driver. The JaCarta Unified Client is very easy to install (I REMIND you that your token must be disconnected at the time of installation). In the first window of the installation wizard, simply click Next.

Accept the license agreement and click "Next"

In order for the JaCarta token drivers to work correctly for you, you just need to perform a standard installation.

If you choose "Custom installation", be sure to check the following boxes:

  • JaCarta Drivers
  • Support modules
  • Support module for CryptoPRO

After a couple of seconds, the JaCarta Unified Client is successfully installed.

Be sure to restart the server or computer so that the system sees the latest drivers.

After installing JaCarta PKI, you need to install CryptoPRO; to do this, go to the official website.

https://www.cryptopro.ru/downloads

Currently, the latest version of CryptoPro CSP is 4.0.9944. Run the installer, leave the "Install root certificates" checkbox checked and click "Install (Recommended)".

The installation of CryptoPRO will be performed in the background, after which you will see a prompt to restart the browser, but I advise you to reboot completely.

After the reboot, connect your JaCarta USB token. My connection is via the network, from a DIGI device, via USB over IP. In the Anywhere View client, my JaCarta USB drive is successfully detected, but as Microsoft Usbccid (WUDF); ideally it should be detected as JaCarta Usbccid Smartcard, but it is worth checking anyway, since everything may work as it is.

When I opened the JaCarta PKI Unified Client utility, no connected token was found, which means there is something wrong with the drivers.

Microsoft Usbccid (WUDF) is a standard Microsoft driver that is installed by default for various tokens, and sometimes it works, but not always. The Windows operating system installs it by default due to its architecture and settings; I personally don’t need this at the moment. What we need to do is remove the Microsoft Usbccid (WUDF) driver and install the driver for the JaCarta media.

Open Windows Device Manager, find "Smart card readers", click Microsoft Usbccid (WUDF) and select "Properties". Go to the "Drivers" tab and click Uninstall.

Agree to remove the Microsoft Usbccid (WUDF) driver.

You will be notified that a system reboot is required for the changes to take effect; we must agree.

After rebooting the system, you can see the installation of the ARDS JaCarta device and drivers.

Open Device Manager: you should see that your device is now identified as JaCarta Usbccid Smartcard, and if you go to its properties, you will see that the JaCarta smart card is now using driver version 6.1.7601 from ALADDIN R.D.ZAO; this is how it should be.

If you open the JaCarta Unified Client, you will see your electronic signature, which means that the smart card has been correctly identified.

We open CryptoPRO, and we see that CryptoPRO does not see the certificate in the container, although all the drivers have been identified as needed. There is one more trick.

  1. In an RDP session you will not see your token, only locally; that’s how the token works, or I haven’t found how to fix it. You can try following the recommendations to resolve the "Unable to connect to the smart card management service" error.
  2. You need to uncheck one box in CryptoPRO

BE SURE to uncheck the "Do not use outdated cipher suites" checkbox and reboot.

After these manipulations, CryptoPRO saw my certificate and the JaCarta smart card started working, so you can sign documents.

You can also see your JaCarta device in Devices and Printers.

If you, like me, have the JaCarta token installed in a virtual machine, then you will have to install the certificate through the console of the virtual machine, and also give the rights to it to the responsible person. If this is a physical server, then you will have to give rights to the management port, which also has a virtual console.

When you have installed all the drivers for JaCarta tokens, you may see the error message "Unable to connect to the smart card management service" when connecting via RDP and opening the JaCarta PKI Unified Client utility. It has two possible causes:

  1. The smart card service is not running on the local machine. The architecture of the RDP session developed by Microsoft does not provide for the use of key media connected to the remote computer, so in the RDP session the remote computer uses the smart card service of the local computer. It follows from this that starting the smart card service inside an RDP session is not enough for normal operation.
  2. The smart card management service on the local computer is running, but is not available to the program within an RDP session due to Windows and/or RDP client settings.

How to fix the error "Unable to connect to the smart card management service."

  • Start the smart card service on the local machine from which you are initiating the remote access session. Configure it to start automatically when your computer starts.
  • Allow the use of local devices and resources during the remote session (particularly smart cards). To do this, in the "Remote Desktop Connection" dialog, select the "Local Resources" tab in the parameters, then in the "Local devices and resources" group, click the "More details..." button, and in the dialog that opens, select "Smart cards" and click "OK", then "Connect".

  • Make sure your RDP connection settings are saved. By default, they are saved in the Default.rdp file in the “My Documents” directory. Make sure that this file contains the line “redirectsmartcards:i:1”.
  • Make sure that the following Group Policy setting is not enabled on the remote computer to which you are making an RDP connection: [Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card reader redirection]. If it is Enabled, then disable it and reboot the computer.
  • If you have Windows 7 SP1 or Windows 2008 R2 SP1 installed and you are using RDC 8.1 to connect to computers running Windows 8 or higher, then you need to install the operating system update https://support.microsoft.com/en-us/kb/2913751
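
The checks in the list above can be scripted so that both ends of the RDP connection are verified the same way each time. This PowerShell is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the function names are hypothetical. `fEnableSmartCard` is the registry value that backs the Group Policy setting named above.

```powershell
# Added example. Read-only: nothing is started, written or changed.

# LOCAL PC (the one that starts the RDP session): state of the Smart Card service.
function Get-LocalSmartCardService {
    Get-CimInstance -ClassName Win32_Service -Filter "Name = 'SCardSvr'" |
        Select-Object Name, State, StartMode
}

# LOCAL PC: read one "name:type:value" setting from an .rdp file.
function Get-RdpSetting {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [string] $Path = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp')
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # settings were never saved
    # Default.rdp is a hidden file, hence -Force.
    foreach ($line in Get-Content -LiteralPath $Path -Force) {
        if ($line -match '^\s*([^:]+):([a-z]):(.*)$' -and $Matches[1].Trim() -eq $Name) {
            return $Matches[3].Trim()
        }
    }
    return $null                                                 # the line is absent
}

# REMOTE computer (the RDP target): is redirection blocked by Group Policy?
function Get-SmartCardRedirectionPolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).fEnableSmartCard
    # Absent = not configured, 0 = policy Enabled (redirection blocked), 1 = policy Disabled.
    [pscustomobject]@{ fEnableSmartCard = $value; RedirectionBlocked = ($value -eq 0) }
}

# --- Run this part on the local PC ---
$svc = Get-LocalSmartCardService
if ($svc.State -ne 'Running') {
    Write-Warning "SCardSvr is $($svc.State) (start mode: $($svc.StartMode))."
}
if ((Get-RdpSetting -Name 'redirectsmartcards') -ne '1') {
    Write-Warning 'Default.rdp does not contain the line "redirectsmartcards:i:1".'
}

# --- Run this part in a console on the remote computer ---
if ((Get-SmartCardRedirectionPolicy).RedirectionBlocked) {
    Write-Warning 'Group Policy blocks smart card redirection on this computer.'
}
```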

This was the troubleshooting for setting up the JaCarta token and CryptoPRO on the terminal server, for signing documents in VTB24 RBS. If you have any comments or corrections, please write them in the comments.






