How to install a personal certificate in CryptoPro

Digital signatures (EDS) have long been in firm use both in government institutions and in private companies. The technology is implemented through security certificates, both general for the organization and personal. The latter are most often stored on flash drives, which imposes some restrictions. Today we explain how to install such certificates from a flash drive onto a computer.

Despite their reliability, flash drives can also fail. In addition, it is not always convenient to insert and remove the drive for work, especially for a short period of time. The certificate from the key media can be installed on the production machine to avoid these problems.

The procedure depends on the version of CryptoPro CSP used on your machine: Method 1 is suitable for the latest versions, Method 2 for older ones. The latter, by the way, is more universal.

Method 1: Automatic installation

The latest versions of CryptoPro CSP have a useful function that automatically installs a personal certificate from external media to the hard drive. To enable it, do the following.

  1. The first step is to launch CryptoPro CSP. Open the "Start" menu and go to "Control Panel".

    Left-click on the marked item.
  2. The program's working window will open. Open "Service" and select the option to view certificates in the container.
  3. Click the "Browse" button.

    The program will prompt you to select the location of the container, in our case a flash drive.

    Select the one you want and click "Next".
  4. A preview of the certificate will open. We need its properties, so click the corresponding button.

    In the next window, click the certificate installation button.
  5. The certificate import utility will open. To continue, press "Next".

    You have to select a storage location. In the latest versions of CryptoPro, it is better to leave the default settings.

    Finish working with the utility by pressing "Finish".
  6. A message indicating that the import was successful appears. Close it by clicking "OK".

    The problem is solved.

This method is the most common today, but it cannot be used with some types of certificates.

Method 2: Manual installation

Outdated versions of CryptoPro only support manual installation of a personal certificate. In addition, in some cases, the latest versions of the software can take such a file into use through the import utility built into CryptoPro.

  1. First of all, make sure that the flash drive that is used as a key contains a certificate file in CER format.
  2. Open CryptoPro CSP in the same way as described in Method 1, but this time choose to install certificates.
  3. The "Personal Certificate Installation Wizard" will open. Proceed to select the location of the CER file.

    Select your flash drive and the folder with the certificate (as a rule, such documents are located in the directory with the generated encryption keys).

    After making sure that the file is recognized, press "Next".
  4. The next step is to review the certificate properties to ensure that you have chosen the correct one. After checking, press "Next".
  5. The next step is to specify the key container for your CER file. Click the appropriate button.

    In the pop-up window, select the location you need.

    Returning to the import utility, click "Next" again.
  6. Next you need to select the storage for the imported digital signature file. Click "Browse".

    Since our certificate is personal, we need to mark the corresponding folder.

    Attention: if you use this method on the latest CryptoPro, then do not forget to check the box “Install a certificate (certificate chain) into the container”!

  7. Finish with the import utility.
  8. We're about to replace the key with a new one, so feel free to click "Yes" in the next window.

    The procedure is over, you can sign the documents.

This method is somewhat more complicated, but in some cases it is the only way to install certificates.

To summarize, let us remind you: install certificates only on trusted computers!

Installing the certificate and private key

We will describe the installation of an electronic signature certificate and a private key for Windows operating systems. During the setup process we will need Administrator rights (so we may need a system administrator if you have one).

If you have not yet figured out what an Electronic Signature is, then please read Or if you have not yet received an electronic signature, contact the Certification Center, we recommend SKB-Kontur.

Suppose you already have an electronic signature (on a token or flash drive), but OpenSRO reports that your certificate is not installed. This can happen if you decide to set up a second or third computer (the signature is of course not tied to a single computer and can be used on several). Usually the initial setup is carried out with the help of the Certification Center's technical support, but let's say this is not our case, so let's go.

1. Make sure that CryptoPro CSP 4 is installed on your computer

To do this, go to Start > CRYPTO-PRO > CryptoPro CSP, run it, and make sure that the program version is not lower than 4.

If it is not there, then download, install and restart the browser.

2. If you have a token (Rutoken for example)

Before the system can work with it, you will need to install the necessary driver.

  • Drivers Rutoken:
  • Drivers eToken:
  • Drivers JaCarta:

The algorithm is as follows: (1) Download; (2) Install.

3. If the private key is in the form of files

The private key can be in the form of 6 files: header.key, masks.key, masks2.key, name.key, primary.key, primary2.key

There is a subtlety here: if these files are written to your computer's hard drive, CryptoPro CSP will not be able to read them, so all actions must be performed after first writing them to a flash drive (removable media). They must be placed in a first-level folder, for example E:\Andrey\(files); if they are located in E:\Andrey\keys\(files), it will not work.

(If you are not afraid of the command line, removable storage can be emulated roughly like this: subst x: C:\tmp. A new disk (X:) will appear containing the contents of the C:\tmp folder; it will disappear after a reboot. This method can be used if you plan to install keys in the registry.)

We found the files, recorded them on a flash drive, and move on to the next step.

4. Installing a certificate from a private key

Now we need to get the certificate. We can do this as follows:

  1. Open CryptoPro CSP
  2. Go to the "Service" tab
  3. Press the "View certificates in a container" button, press "Browse", and here (if we did everything correctly in the previous steps) we will see our container. Press "Next"; information about the certificate will appear. Then click "Install" (the program may ask whether to provide a link to the private key; answer "Yes")
  4. After this, the certificate will be installed in the store and signing documents will become possible (when signing a document, the flash drive or token must be inserted into the computer)

5. Using an electronic signature without a token or flash drive (installation in the registry)

If speed and ease of use matter a little more to you than security, you can install your private key in the Windows registry. To do this, follow a few simple steps:

  1. Prepare the private key as described in steps (2) or (3)
  2. Open CryptoPro CSP
  3. Go to the "Service" tab
  4. Press the "Copy" button
  5. Use the "Browse" button to choose our key
  6. Press "Next", then come up with a name, for example “Pupkin, LLC Romashka”, and press "Finish"
  7. A window will appear asking you to select the media; select "Registry" and click OK
  8. The system will ask you to set a password for the container; come up with a password and click OK

Important Note: the OpenSRO portal will not “see” the certificate if its validity period has expired.

We are often asked how to install a certificate via CryptoPro CSP. Situations can be different: the director or chief accountant has changed, a new certificate was received at a certification center, etc. Everything worked before, but now it doesn't. We tell you what you need to do to install a personal digital certificate on your computer.

You can install a personal certificate in two ways:

1. Through the CryptoPro CSP menu “View certificates in container”

2. Through the CryptoPro CSP menu “Install personal certificate”

If your workplace uses the Windows 7 operating system without SP1, then install the certificate according to the recommendations of option No. 2.

Option No. 1. Install through the “View certificates in container” menu

To install a certificate:

1. Select Start -> Control Panel -> CryptoPro CSP -> Tools tab and click the “View certificates in the container” button.

2. In the window that opens, click on the “Browse” button. Select a container and confirm your choice with the OK button.

If the message “There is no public encryption key in the private key container” appears, proceed to install the digital certificate according to option No. 2.

4. If “CryptoPro CSP” version 3.6 R2 (product version 3.6.6497) or higher is installed on your computer, then in the window that opens, click on the “Install” button. After this, agree to the proposal to replace the certificate.

If the “Install” button is missing, in the “Certificate for viewing” window, click the “Properties” button.

5. In the “Certificate” window -> “General” tab, click on the “Install certificate” button.

6. In the “Certificate Import Wizard” window, select “Next”.

7. If you have “CryptoPro CSP” version 3.6 installed, then in the next window just leave the switch on the “Automatically select storage based on certificate type” item and click “Next”. The certificate will be automatically installed in the “Personal” storage.

Option 2. Install through the “Install personal certificate” menu

To install, you will need, in fact, the certificate file itself (with the .cer extension). It can be located, for example, on a floppy disk, on a token, or on the computer's hard drive.

To install a certificate:

1. Select Start -> Control Panel -> CryptoPro CSP -> Tools tab and click the “Install personal certificate” button.

2. In the “Personal Certificate Installation Wizard” window, click the “Next” button. In the next window, to select the certificate file, click “Browse”.

3. Specify the path to the certificate and click on the “Open” button, then “Next”.

4. In the next window, you can view the certificate information. Click “Next”.

5. In the next step, enter or specify the private key container that corresponds to the selected certificate. To do this, use the “Browse” button.

If you have installed CryptoPro CSP 3.6 R2 (product version 3.6.6497) or higher, check the “Install certificate into container” checkbox.

8. Select the “Personal” storage and click OK.

9. The storage you have chosen. Now click “Next”, then “Finish”. After this, a message may appear:

In this case, click “Yes”.

10. Wait for a message that the personal certificate has been successfully installed on your computer.

That's it, you can sign documents using the new certificate.

Many components of modern IT infrastructure are quite closely tied to the use of certificates. What should you do if the certificate is damaged or created without a correctly generated private key? Network services such as Exchange, IIS, etc. will not work correctly with such a “naked” certificate file.
Therefore, I decided to compile instructions for re-creating the private key for the installed certificate:

  • Open the Certificates management console ( Start > Run > MMC > Add/Remove Snap-in > Certificates > Computer Account > Local Computer)
  • Expand Certificates (Local Computer) > Personal > Certificates
  • Open the properties of the certificate for which you want to regenerate the private key. On the Details tab, select the Serial number field.
  • Copy the serial number to the clipboard:
  • From a command prompt with administrator rights, type the following command:
certutil -repairstore my "<Serial number>"

The main thing is that the output of the command contains the line “repairstore command completed successfully”.

After that, a small golden key will appear in the certificate window, indicating that you have a private key, along with the inscription “You have a private key that corresponds to this certificate”.
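
A read-only check that fits the repair step above and the earlier note that an expired certificate is not “seen”, as an added example that is not part of the original instructions: it lists the Personal store, flags certificates with no private key link or outside their validity period, and prints the matching certutil command. The function name Get-PersonalCertStatus is hypothetical; HasPrivateKey only reports that a key link is recorded, not that the container is currently readable.

```powershell
# Added example: audit the Personal ("My") store before signing or repairing.
# Nothing is modified; the repair command is only printed for the operator to review.
function Get-PersonalCertStatus {
    param(
        # LocalMachine matches the "Computer Account" console used above;
        # CurrentUser is where a personal signing certificate normally lands.
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location = 'CurrentUser'
    )

    $now = Get-Date
    # certutil needs -user to address the current user's store instead of the machine's.
    $userSwitch = if ($Location -eq 'CurrentUser') { '-user ' } else { '' }

    Get-ChildItem -Path "Cert:\$Location\My" | ForEach-Object {
        $issues = @()
        if (-not $_.HasPrivateKey) { $issues += 'no private key link' }
        if ($_.NotAfter  -lt $now) { $issues += 'expired' }
        if ($_.NotBefore -gt $now) { $issues += 'not yet valid' }

        [pscustomobject]@{
            Subject       = $_.Subject
            SerialNumber  = $_.SerialNumber
            NotAfter      = $_.NotAfter
            Issues        = if ($issues) { $issues -join '; ' } else { 'none' }
            RepairCommand = if (-not $_.HasPrivateKey) {
                "certutil ${userSwitch}-repairstore my `"$($_.SerialNumber)`""
            } else { $null }
        }
    }
}

Get-PersonalCertStatus -Location CurrentUser | Format-List
```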

If none of the solutions suggested below fixes the problem, the key media may have been damaged and require recovery. It is impossible to recover data from a damaged smart card or registry.

If there is a copy of the key container on another medium, then you must use it for work, having first installed the certificate.


If you are using a floppy disk as the key container, you must complete the following steps:

1. Make sure that in the root of the floppy disk there is a folder containing the files: header, masks, masks2, name, primary, primary2. Files must have a .key extension and the folder name format must be xxxxxx.000.

If any files are missing or their format is incorrect, then the private key container may have been corrupted or deleted.

2. Make sure that the “Disk drive X” reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - “All removable drives”), where X is the drive letter. To do this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;


3. In the CryptoPro CSP window “Selecting a key container”, select the “Unique names” radio button.


  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Go to the “Service” tab and click on the “Remove remembered passwords” button;

5. Make a copy of the key container and use it for work (see How to copy a container with a certificate to another medium?).

Flash drive

If a flash drive is used as the key media, you must perform the following steps:

1. Make sure that in the root of the media there is a folder containing the files: header, masks, masks2, name, primary, primary2. Files must have a .key extension and the folder name format must be as follows: xxxxxx.000.

If any files are missing or their format is incorrect, then the private key container may have been damaged or deleted. You also need to check whether this folder contains six files on other media.

2. Make sure that the “Disk drive X” reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - “All removable drives”), where X is the drive letter. To do this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Go to the “Equipment” tab and click on the “Configure readers” button.

If the reader is missing, you need to add it (see How to configure readers in CryptoPro CSP?).


4. Remove remembered passwords. For this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Select the “User” item and click the “OK” button.

5. Make a copy of the key container and use it for work (see How to copy a container with a certificate to another medium?).

6. If CryptoPro CSP version 2.0 or 3.0 is installed at your workplace, and Drive A (B) is present in the list of key media, then it must be removed. For this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Go to the “Equipment” tab and click on the “Configure readers” button;
  • Select the reader “Disk Drive A” or “Disk Drive B” and click on the “Delete” button.

After removing this reader, working with the floppy disk will be impossible.
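
The layout rules above (six .key files in a first-level folder named like xxxxxx.000), as an added PowerShell check that is not CryptoPro tooling. Find-KeyContainer is a hypothetical name, the `.000` test assumes "xxxxxx" stands for any characters, and the sample tree is constructed in a temp folder that stands in for the drive root.

```powershell
# Added example. Inspects folder and file names only; key files are never opened.
$RequiredKeyFiles = 'header.key', 'masks.key', 'masks2.key',
                    'name.key', 'primary.key', 'primary2.key'

function Find-KeyContainer {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\' for a flash drive

    $rootFull = (Resolve-Path -LiteralPath $Root).Path
    Get-ChildItem -LiteralPath $rootFull -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir   = $_
            $names = @(Get-ChildItem -LiteralPath $dir.FullName -File |
                       ForEach-Object { $_.Name.ToLowerInvariant() })
            $found = @($RequiredKeyFiles | Where-Object { $names -contains $_ })
            if ($found.Count -eq 0) { return }   # no container files here, skip folder

            $missing  = @($RequiredKeyFiles | Where-Object { $names -notcontains $_ })
            $relative = $dir.FullName.Substring($rootFull.Length).Trim('\')
            $depth    = ($relative -split '\\').Count
            [pscustomobject]@{
                Folder     = $relative
                FirstLevel = ($depth -eq 1)                   # deeper folders are not read
                NameOk     = ($dir.Name -match '^.+\.000$')   # assumption: x = any character
                Missing    = ($missing -join ', ')
                Usable     = ($depth -eq 1 -and $missing.Count -eq 0)
            }
        }
}

# Constructed sample: one complete first-level container, one incomplete nested copy.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('keydemo_' + [guid]::NewGuid().ToString('N'))
$good = (New-Item -ItemType Directory -Path (Join-Path $demo 'abcdef.000')).FullName
$deep = (New-Item -ItemType Directory -Path (Join-Path $demo 'Andrey\keys')).FullName
$RequiredKeyFiles |
    ForEach-Object { New-Item -ItemType File -Path (Join-Path $good $_) | Out-Null }
$RequiredKeyFiles | Select-Object -First 5 |
    ForEach-Object { New-Item -ItemType File -Path (Join-Path $deep $_) | Out-Null }

Find-KeyContainer -Root $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On the sample tree the first folder is reported as usable, while the copy under Andrey\keys is flagged as both too deep and missing primary2.key.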


If a Rutoken smart card is used as a key carrier, you must complete the following steps:

1. Make sure that the light on the Rutoken is on. If the light does not light, then you should use the following recommendations.

2. Make sure that the “Rutoken” reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - “All smart card readers”). To do this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Go to the “Equipment” tab and click on the “Configure readers” button.

If the reader is missing, you need to add it (see How to configure readers in CryptoPro CSP?).

3. In the “Select a key container” window, select the “Unique names” radio button.

4. Remove remembered passwords. For this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Go to the “Service” tab and click on the “Remove remembered passwords” button;
  • Select the “User” item and click the “OK” button.

5. Update the support modules required for Rutoken to work. For this:

  • Disconnect the smart card from the computer;
  • Select the “Start” menu > “Control Panel” > “Add or Remove Programs” (for Windows Vista\Seven “Start” > “Control Panel” > “Programs and Features”);
  • Select “Rutoken Support Modules” from the list that opens and click on the “Delete” button.

After removing the modules, you need to restart your computer.

  • Download and install the latest version of support modules. The distribution is available for download on the Aktiv website.

After installing the modules, you must restart your computer.

6. You should increase the number of Rutoken containers displayed in CryptoPro CSP using the following instructions.

7. Update the Rutoken driver (see How to update the Rutoken driver?).

8. You should make sure that Rutoken contains key containers. To do this, you need to check the amount of free memory on the media by following these steps:

  • Open “Start” (“Settings”) > “Control Panel” > “Rutoken Control Panel” (if this item is missing, you should update the Rutoken driver).
  • In the “Rutoken Control Panel” window that opens, in the “Readers” item, select “Activ Co. ruToken 0 (1,2)” and click on the “Information” button.

If the Rutoken is not visible in the “Readers” item, or if the message “ruToken memory status has not changed” appears when you click on the “Information” button, then the media has been damaged and you need to contact the service center for an unscheduled key replacement.

  • Check what value is indicated in the line “Free memory (bytes)”.

Service centers issue Rutokens with a memory capacity of about 30,000 bytes as key media. One container takes up about 4 KB. The amount of free memory of a Rutoken containing one container is about 26,000 bytes, two containers - 22,000 bytes, etc.

If the free memory of a Rutoken is more than 29,000-30,000 bytes, then there are no key containers on it. Therefore, the certificate is contained on a different medium.


If the Registry reader is used as a key medium, you must perform the following steps:

1. Make sure that the “Registry” reader is configured in CryptoPro CSP. For this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Go to the “Equipment” tab and click on the “Configure readers” button.

If the reader is missing, you need to add it (see How to configure readers in CryptoPro CSP?).

2. In the “Select a key container” window, select the “Unique names” radio button.

3. Remove remembered passwords. For this:

  • Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
  • Go to the “Service” tab and click on the “Remove remembered passwords” button;
  • Select the “User” item and click the “OK” button.