How to install a personal certificate? The “Select Key Container” window is empty or the required container is not displayed in it Cryptopro does not create a container


1. Open the menu Start - Control Panel - CryptoPro CSP.

2. In the CryptoPro CSP window, go to the Service tab and click the View certificates in a container button:

3. Click the Browse button to select a container to view (in our example, the container is on the JaCarta smart card):

4. After selecting the container, click OK, then Next.

* If, after clicking Next, you see the message "There is no public encryption key in the private key container," install the certificate according to the recommendations described in section Option 2.

5. In the Certificate for viewing window, click the Install button:

6. If the message “This certificate is already present in the certificate store. Replace the existing certificate with a new one, with a link to the private key?” appears, click Yes:

7. Wait for the successful installation message:

8. The certificate is installed. You can close all open CryptoPro windows.

Option 2. Installation via the “Install personal certificate” menu.

To install a certificate using this method, you will need a certificate file (a file with the .cer extension). It can be located, for example, on removable media or on the computer’s hard drive (if you made a copy of the certificate or it was sent to you by email).

If the certificate file is missing, write a letter describing the problem to technical support at pu@skbkontur.ru.

1. Open the menu Start - Control Panel - CryptoPro CSP.

2. In the CryptoPro CSP window, go to the Service tab and click the Install a personal certificate button:

3. In the next window, click the Browse button to select the certificate file:

4. Specify the path to the certificate file and click Open (in our example, the certificate file is located on the Desktop):

6. Check the Find container automatically box (in our example, the container is on the JaCarta smart card) and click Next:

7. In the next window, check the box Install the certificate (certificate chain) into the container and press

Copying the private key container is a mandatory action when reinstalling the SBS on another computer. You can also copy the certificate if you want to create a spare digital signature key.

Copying a private key container to a flash drive, floppy disk or token is a rather complicated process; to avoid errors, it is important to follow our instructions strictly.

CryptoPro: certificate copying

Step 1. Opening the CryptoPro program

To open the program follow this path:

Click the Start menu, go to Programs - CryptoPro - CryptoPro CSP and open the Service tab.

On the Service tab, click the Copy container button.


Step 2: Copy the private key container

After you click the Copy container button, the system displays the Copying the private key container window.



In the window that opens, fill in the Key container name field.

Step 3. Entering the key container

There are 3 ways to fill in the Key container name field:

  • Manual input
  • Select from the list by clicking the Browse button
  • Search by digital signature certificate

In addition to filling in the Key container name field, you must set the remaining search options:

  • the switch is set to User or Computer, depending on which storage the container is located in;
  • Select CSP to search for key containers - the required crypto provider (CSP) is selected from the proposed list.


After all fields are filled in, click Next.

If a password is set for access to the private key, the system will ask you to enter it. Enter your password and click OK.

Step 4. Entering a new key container

The system will display the Copying a private key container window again. In it, enter the name of the new key container and set the switch The name entered specifies the key container to User or Computer, depending on which storage you want to place the copied container in.

After entering the name, click Finish.

Step 5: Select media for the copied container

A window will appear on your screen in which you need to select the media for the copied container.

Insert the media (token, flash drive, floppy disk) into the reader and press the button OK.

Step 6. Set a password

The system will display a window for setting a password to access the private key.

Enter your password, confirm it, and, if necessary, check the Remember your password box.

If this box is checked, the password will be saved in a special storage on the local computer, and when accessing the private key, the password will be automatically read from this storage rather than entered by the user.


After entering the required data, click OK. The CryptoPro CSP cryptographic information protection tool will copy the private key container.

If you have any questions, you can order a consultation with a specialist.

An electronic digital signature is a set of special characters intended for:

  • Ensuring control of the integrity of information and data transmitted in electronic documents
  • Ensuring the protection of information from interception and unauthorized use
  • Ability to identify the author and sender of a document

To start using the electronic signature key certificate for its intended purpose, as a legally significant attribute of an electronic document, you need to install the digital signature certificate on the computer or computers where you will work with electronic documents and with the electronic signature itself.

Public and private keys

It should be clarified that any digital signature consists of two types of keys: a private key, also called a key container, which is what signs and encrypts the document, and a public key, or, more simply, a personal certificate.

A personal certificate is presented in the form of files with the extension .cer. Here you can view all the data about the owner of the electronic signature. Such a public key is necessary in order to verify the authenticity of documents. You can and should install an electronic digital signature certificate for a public key on all computers that will receive electronic correspondence.

The private key is a folder containing six files, each with a .key extension. If this folder is lost or damaged, the private key will not work and you will have to contact the CA to reissue the electronic signature certificate.

Digital signature storage

EDS keys, as a rule, are stored on special key media; previously, ordinary magnetic floppy disks were used for this purpose, but time has shown their unreliability and fragility, so today certified media such as RuToken are increasingly used. The Rutoken is protected by a special password, so that access to the information on it is provided only directly to the owner of the certificate, who knows this code.

Installation of digital signature certificate

To install an EDS certificate on your computer, open CryptoPro from the Control Panel, select the Service tab, and then click View certificates in the container. In the window that appears, click the Browse button and select the certificate that needs to be added. Click Next; the Certificate tab appears in the Properties window, where you click Install Certificate.

The Certificate Import Wizard then opens. In it, select the Place option and choose the storage for the certificates; if everything was done correctly, a window appears informing you that the certificate was successfully installed.


Hi all! Since I work in a government institution, I could not avoid using the program for working with cryptokeys, “CryptoPro”. Now everything seems simple and quite logical to me, but at the beginning of my career I had many questions about using this program.

Read about how to copy the Crypto Pro key container and install the user’s personal certificate

I think many people know about the well-known sites zakupki.gov and bus.gov... the first is used for posting applications for electronic trading, and the second is for posting information about the organization, however, both require the user’s electronic signature, and it can only work if you have Crypto Pro.

When you generate an electronic signature, it MUST be saved to external media, but this may not always be convenient and is not always reliable. Unfortunately, many organizations refuse to keep up with the times and still use floppy disks as a digital signature carrier. I don’t think it’s worth explaining that a floppy disk is a very unreliable option for storing information. Therefore, it is better to have a copy of the key, so that if the media fails you can recover it rather than generate a new one, because if a new one is generated, you will have to wait for the certificate (at least one day).

When else might this be needed? For example, your chief accountant has a bunch of electronic signatures (ours has 4 of them), and constantly inserting them one by one is not always convenient, and the confusion is constant. So all these keys can be copied to the registry of your computer, and the real keys can be hidden away in a safe. Of course, you need to understand that with the keys in the registry, the key media itself is not needed to sign a document: access to the computer where they are installed is enough. So when copying, be sure to set a password for the key container!

Let's begin. Launch CryptoPro CSP (issued by your local treasury office), go to the “Service” tab and click the “Copy…” button.

In the next window we should click “Browse” and select the location of our key container, in my case it is a USB flash drive that has the letter F in the system (Drive F)

Now that the container has been selected, we proceed to copying it. Make sure that you have selected the correct key and click “Next”.

Enter its name.

And indicate where to copy it. In my case I copied it to the registry so as not to insert it every time...

If you copied the key to the registry like I did, be sure to create a password!

That’s all, a copy of the key container has been created on the media specified by you 😉 now let’s move on to the next step...

Unlike regular certificates, our certificate must be associated with a private key, so simply clicking the “Install Certificate” button will not work; installing a certificate in CryptoPro differs from the usual procedure.

Open the program, go to the “Service” tab and click “Install personal certificate...”

Click “Browse” and select the user certificate

...and indicate where our key is located (in my case I selected the key copied to the registry)

Checking that everything is selected correctly

Select the certificate storage “Personal”

We check whether we have done everything correctly and click “Finish”, this completes the installation of the cryptopro certificate.

Good afternoon! For the last two days I had an interesting task: finding a solution to the following situation. There is a physical or virtual server with CryptoPRO, probably well known to many people, installed on it. Connected to the server is a JaCarta key, which is used to sign documents for VTB24 DBO. Everything works locally on Windows 10, but on the server platforms Windows Server 2016 and 2012 R2, CryptoPRO does not see the JaCarta key. Let's figure out what the problem is and how to fix it.

Description of the environment

There is a virtual machine on VMware ESXi 6.5 with Windows Server 2012 R2 installed as the operating system. The server is running CryptoPRO 4.0.9944, the latest version at the moment. A JaCarta dongle is connected from a network USB hub using USB over IP technology. The key appears in the system, but not in CryptoPRO.

Algorithm for solving problems with JaCarta

CryptoPRO very often causes various errors in Windows, a simple example (Windows installer service could not be accessed). This is what the situation looks like when the CryptoPRO utility does not see the certificate in the container.

As you can see in the UTN Manager utility, the key is connected, it is seen in the system in smart cards as a Microsoft Usbccid (WUDF) device, but CryptoPRO does not detect this container and you do not have the opportunity to install the certificate. The token was connected locally, everything was the same. We began to think about what to do.

Possible causes of the container detection problem

  1. First, this may be a driver problem: for example, in Windows Server 2012 R2, JaCarta should ideally be identified in the list of smart cards as JaCarta Usbccid Smartcard, not Microsoft Usbccid (WUDF).
  2. Second, if the device is seen as Microsoft Usbccid (WUDF), the driver version may be outdated, which is why your utilities will not detect the protected USB media.
  3. An outdated version of CryptoPRO.

How to solve the problem that cryptopro does not see the USB key?

We created a new virtual machine and began installing the software sequentially.

Before installing any software that works with USB media containing certificates and private keys, you MUST disconnect the token: if it is inserted locally, unplug it; if it is connected over the network, terminate the session.

  • First of all, we update your operating system with all available updates, since Microsoft fixes many errors and bugs, including drivers.
  • The second point is, in the case of a physical server, to install all the latest drivers on the motherboard and all peripheral equipment.
  • Next, install the Unified JaCarta Client.
  • Install the latest version of CryptoPRO

Installing the JaCarta PKI Unified Client

The Unified JaCarta Client is a special utility from the Aladdin company for working properly with JaCarta tokens. You can download the latest version of this software product from the official website, or from my cloud, if suddenly you can’t get it from the manufacturer’s website.

Next, unpack the downloaded archive and run the installation file for your Windows architecture; mine is 64-bit. Let's start installing the JaCarta driver. The Unified JaCarta Client is very easy to install (I REMIND you that your token must be disconnected at the time of installation). In the first window of the installation wizard, simply click Next.

Accept the license agreement and click "Next"

In order for the JaCarta token drivers to work correctly for you, you just need to perform a standard installation.

If you choose "Custom installation", be sure to check the following boxes:

  • JaCarta Drivers
  • Support modules
  • Support module for CryptoPRO

After a couple of seconds, Jacarta Unified Client is successfully installed.

Be sure to restart the server or computer so that the system sees the latest drivers.

After installing JaCarta PKI, you need to install CryptoPRO, to do this, go to the official website.

https://www.cryptopro.ru/downloads

Currently, the latest version of CryptoPro CSP is 4.0.9944. Run the installer, leave the "Install root certificates" checkbox selected and click "Install (Recommended)".

The installation of CryptoPRO will be performed in the background, after which you will see a prompt to restart the browser, but I advise you to reboot completely.

After the reboot, connect your JaCarta USB token. My connection is via the network, from a DIGI device, via . In the Anywhere View client, my JaCarta USB media is successfully detected, but as Microsoft Usbccid (WUDF), whereas ideally it should be identified as JaCarta Usbccid Smartcard; you need to check it anyway, since everything may work even so.

Having opened the Jacarta PKI Unified Client utility, no connected token was found, which means there is something wrong with the drivers.

Microsoft Usbccid (WUDF) is a standard Microsoft driver that is installed by default for various tokens; sometimes it works, but not always. Windows installs it by default because of its architecture and settings; I personally don’t need it at the moment. What we need to do is remove the Microsoft Usbccid (WUDF) driver and install the drivers for the JaCarta media.

Open Windows Device Manager, find "Smart card readers", click Microsoft Usbccid (WUDF) and select "Properties". Go to the "Driver" tab and click Uninstall.

Agree to remove the Microsoft Usbccid (WUDF) driver.

You will be notified that a system reboot is required for the changes to take effect; we must agree.

After rebooting the system, you can see the installation of the ARDS Jacarta device and drivers.

Open Device Manager; you should see that your device is now identified as JaCarta Usbccid Smartcard, and if you go to its properties, you will see that the JaCarta smart card is now using driver version 6.1.7601 from ALADDIN R.D.ZAO. This is how it should be.

If you open the Jacarta unified client, you will see your electronic signature, which means that the smart card has been correctly identified.

We open CryptoPRO, and we see that CryptoPRO does not see the certificate in the container, although all the drivers have been identified as needed. There is one more trick.

  1. In the RDP session you will not see your token, only locally, that’s how the token works, or I haven’t found how to fix it. You can try following the recommendations to resolve the "Unable to connect to the smart card management service" error.
  2. You need to uncheck one box in CryptoPRO

BE SURE to uncheck the "Do not use outdated cipher suites" checkbox and reboot.

After these manipulations, CryptoPRO saw my certificate and the jacarta smart card became working, you can sign documents.

You can also see your JaCarta device in devices and printers,

If you, like me, have the jacarta token installed in a virtual machine, then you will have to install the certificate through the console of the virtual machine, and also give the rights to it to the responsible person. If this is a physical server, then you will have to give rights to the management port, which also has a virtual console.

When you have installed all the drivers for Jacarta tokens, you may see the following error message when connecting via RDP and opening the Jacarta PKI Unified Client utility:

  1. The smart card service is not running on the local machine. The architecture of the RDP session developed by Microsoft does not provide for the use of key media connected to the remote computer, so in the RDP session the remote computer uses the smart card service of the local computer. It follows from this that starting the smart card service inside an RDP session is not enough for normal operation.
  2. The smart card management service on the local computer is running, but is not available to the program within an RDP session due to Windows and/or RDP client settings.

How to fix the error "Unable to connect to the smart card management service."

  • Start the smart card service on the local machine from which you are initiating the remote access session. Configure it to start automatically when you start your computer.
  • Allow the use of local devices and resources during the remote session (particularly smart cards). To do this, in the "Remote Desktop Connection" dialog, select the "Local Resources" tab in the parameters, then in the "Local devices and resources" group, click the "More details..." button, and in the dialog that opens, select "Smart cards" and click "OK", then "Connect".

  • Make sure your RDP connection settings are saved. By default, they are saved in the Default.rdp file in the “My Documents” directory. Make sure that this file contains the line “redirectsmartcards:i:1”.
  • Make sure that the following Group Policy is not enabled on the remote computer to which you are making an RDP connection: [Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card reader redirection]. If it is Enabled, disable it and reboot the computer.
  • If you have Windows 7 SP1 or Windows 2008 R2 SP1 installed and you are using RDC 8.1 to connect to computers running Windows 8 or higher, then you need to install the operating system update https://support.microsoft.com/en-us/kb/2913751
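
The checks described in this article (which driver the reader is bound to, the local smart card service, the redirectsmartcards line in Default.rdp and the redirection policy) can be scripted. This is an added example, not code from the original article: the function names are hypothetical, and the SCardSvr service name and the fEnableSmartCard policy value are assumptions that do not appear on the page.

```powershell
# Added example (not from the original article).
# Server side:  Get-ReaderDriver, Get-SmartCardRedirectionPolicy
# Workstation that opens the RDP session:  Get-LocalSmartCardService, Get-RdpSmartCardSetting

function Get-ReaderDriver {
    # Smart card readers and the driver actually bound to each of them.
    Get-CimInstance -ClassName Win32_PnPSignedDriver -Filter "DeviceClass = 'SMARTCARDREADER'" |
        ForEach-Object {
            [pscustomobject]@{
                Device        = $_.DeviceName
                Provider      = $_.DriverProviderName
                Version       = $_.DriverVersion
                # Symptom from the article: the token sits on the generic Microsoft driver.
                GenericDriver = ($_.DeviceName -like 'Microsoft Usbccid*')
            }
        }
}

function Get-LocalSmartCardService {
    # Assumption: SCardSvr is the Windows "Smart Card" service the article refers to.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'SCardSvr'"
    [pscustomobject]@{
        State     = $svc.State
        StartMode = $svc.StartMode
        # The article asks for a running service that starts automatically.
        AsAdvised = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
}

function Get-RdpSmartCardSetting {
    param(
        [string]$Path = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp')
    )
    if (-not (Test-Path -LiteralPath $Path)) { return 'file not found' }
    # Keep the last occurrence if the setting is listed more than once.
    $hit = Select-String -LiteralPath $Path -Pattern '^\s*redirectsmartcards:i:(\d+)' |
        Select-Object -Last 1
    if (-not $hit) { return 'not set' }
    if ($hit.Matches[0].Groups[1].Value -eq '1') { 'enabled' } else { 'disabled' }
}

function Get-SmartCardRedirectionPolicy {
    # Assumption: the policy is stored as fEnableSmartCard under this key (0 = blocked).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $val = (Get-ItemProperty -Path $key -Name fEnableSmartCard -ErrorAction SilentlyContinue).fEnableSmartCard
    if ($null -eq $val) {
        'not configured'
    } elseif ($val -eq 0) {
        'redirection blocked by policy'
    } else {
        'redirection allowed'
    }
}

# Usage on the server:
#   Get-ReaderDriver | Format-Table -AutoSize
#   Get-SmartCardRedirectionPolicy
# Usage on the workstation:
#   Get-LocalSmartCardService
#   Get-RdpSmartCardSetting
```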

This was the troubleshooting for setting up the Jacarta token, CryptoPRO on the terminal server, for signing documents in VTB24 RBS. If you have any comments or corrections, write them in the comments.
