Where to get the password for the key container. PIN-code for tokens: a password with special rules. Where to get an EDS for free

Option 1:

The default settings are used and the system remembers the token's PIN code. This is the least secure option. To enable it, check the "Remember pin-code" checkbox the first time the PIN code is requested.

In this case, the PIN code will no longer be requested on this computer; to sign, you only need to select the signing certificate once. The PIN code stays remembered for all actions with the electronic signature until the memorized passwords are deleted in the Crypto Pro settings: Service - Passwords of private keys - Delete memorized passwords...

Option 2:

Using the cached private key containers mode.

In the Crypto Pro settings, you must enable the use of the key storage service and caching. Changes to Crypto Pro parameters are made by a user with Administrator rights.

When enabled, the PIN code must be entered when entering the site, then the PIN code will not be requested until the browser is restarted. If you click the "Exit" button on the site, and then go to it again under the same user without closing the browser, the PIN code will not be requested. If you close the browser and open it again, or go to the site in another browser, the PIN code is requested (checked in Google Chrome, Internet Explorer).
According to "ЖТЯИ.00087-01 92 01. Instructions for use. Windows.pdf" - Setting security parameters - page 43: "When storing keys in the key storage service, it is possible to use caching of containers of private keys. Caching means that the keys read from the media remain in the service's memory. The key from the cache is available both after removing the key application key. Each key from the cache is available to any application that runs under the same account as the application that placed this key in the cache. All keys from the cache are available until the key storage service is shut down. When the cache overflows, the next key is written in place of an earlier cached key.
Container caching allows you to increase application performance due to faster access to the private key: the key is read only once.
The cache size specifies the number of keys that can be simultaneously stored in memory.
In order to enable caching, set the flag in the Enable caching field. You must also specify the size of the cache in the appropriate input field."

For these modes to be available, the "Key storage service" component must be selected when installing Crypto Pro on the computer; by default this service is not installed.
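The caching rules in the quoted manual text can be modelled to see what Option 2 trades away compared with Option 3. This is an added illustration, not CryptoPro code or API: the class, method, account, application and container names are hypothetical, and strict first-in-first-out replacement on overflow is an assumption of the model.

```python
"""Toy model of the key-cache rules in the manual text quoted above.
Added illustration: names are hypothetical, this is not CryptoPro code or API."""
from collections import OrderedDict


class KeyCacheModel:
    def __init__(self, cache_size, caching_enabled=True):
        self.cache_size = cache_size
        self.caching_enabled = caching_enabled
        self._cache = OrderedDict()  # (account, container) -> app that entered the PIN
        self.pin_prompts = 0
        self.log = []  # (account, app, container, source, cached_by)

    def use_key(self, account, app, container):
        """Return 'cache' when the key is served without a PIN prompt, else 'media'."""
        slot = (account, container)  # the cache is shared per account, not per app
        if self.caching_enabled and slot in self._cache:
            source, cached_by = "cache", self._cache[slot]
        else:
            source, cached_by = "media", app
            self.pin_prompts += 1  # reading from the token needs the PIN
            if self.caching_enabled and self.cache_size > 0:
                if len(self._cache) >= self.cache_size:
                    # Overflow: the new key takes the place of the earliest one
                    # (strict first-in-first-out is an assumption of this model).
                    self._cache.popitem(last=False)
                self._cache[slot] = app
        self.log.append((account, app, container, source, cached_by))
        return source

    def stop_service(self):
        """Keys stay cached until the key storage service shuts down."""
        self._cache.clear()

    def silent_uses(self):
        """Key uses by an application other than the one that entered the PIN."""
        return [e for e in self.log if e[3] == "cache" and e[1] != e[4]]


def run_scenario():
    """Constructed scenario: account, application and container names are made up."""
    svc = KeyCacheModel(cache_size=2)
    for _ in range(100):  # Option 2: a 100-file contract signed in one session
        svc.use_key("alice", "browser.exe", "contract-key")
    result = {"option2_prompts": svc.pin_prompts}
    result["other_app"] = svc.use_key("alice", "other.exe", "contract-key")
    result["other_account"] = svc.use_key("bob", "browser.exe", "contract-key")
    svc.use_key("alice", "browser.exe", "second-key")  # third entry: cache overflows
    result["after_overflow"] = svc.use_key("alice", "browser.exe", "contract-key")
    svc.stop_service()
    result["after_stop"] = svc.use_key("alice", "browser.exe", "contract-key")
    result["silent_uses"] = svc.silent_uses()

    strict = KeyCacheModel(cache_size=0, caching_enabled=False)  # Option 3
    for _ in range(100):
        strict.use_key("alice", "browser.exe", "contract-key")
    result["option3_prompts"] = strict.pin_prompts
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The `silent_uses` list is the part worth reviewing on a shared workstation: it shows a second process under the same account obtaining the key without any PIN prompt.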

Option 3: (Using this option is not recommended when working on the ETP, since when signing an electronic contract, more than 100 files can be signed)

The default settings are used; this gives the highest security. In this case, when signing contractual documents, a PIN entry window will appear for each document being signed (contract, applications, specifications, etc.).

This page contains answers to frequently asked questions that arise when working with digital signatures. Select the question you are interested in, open it and clearly follow the instructions.


1. Obtaining an EDS

To obtain an EDS, you can fill out a registration card on our website (in the section "Receiving EDS"), or on the website where you learned about us, or contact the nearest CA.

When contacting the CA, you must have the following documents with you:

    identity documents (standard - a copy of the passport);

    documents confirming the existence of the legal entity (TIN certificate, USRLE, etc.);

    a power of attorney for the FL on vesting him with the authority to perform certain actions from the organization;

    upon receipt of an EDS for the head, an order for appointment to a position (decision on election).

Additional information required by the CA in accordance with its regulations is not regulated by law. In practice, each CA has its own list of documents for obtaining an EDS.

2. EDS does not work

1. The private key on the specified container does not match the public key in the certificate. We check all closed containers, perhaps you have chosen the wrong one. If we do not find the required container, you need to contact the CA to reissue the EDS.

2. The certificate is not valid. Install the EDS according to the instructions of the CA.

3. There is no trust in this certificate. You need to install the root certificates of your CA according to the instructions. To do this, you can download them on the AETP website or find them on digital media supplied with the EDS.

4. The validity period of CryptoPro has expired. You must enter the license key of the CryptoPro program from the documents supplied with the digital signature of your CA.

5. Capicom is not installed. Download Capicom, install it with the browser closed, and configure the browser according to the instructions of the TP on which you plan to work.

6. No valid certificates were found (or the certificate selection is not displayed)

    Install the EDS according to the instructions of the CA

    Check the expiration date of the certificate (it may have expired)

    Install the root certificate of your CA

    Install CAPICOM with the browser closed

3. Is there a possibility of hacking or counterfeiting the EDS?

According to most experts, it is impossible to forge (hack) an EDS - this requires a huge amount of calculations that cannot be implemented with the modern level of computing technology and mathematics in an acceptable time, that is, as long as the information contained in the signed document remains relevant.

Additional protection against counterfeiting is provided by certification by a certification authority of the public key of the signature.

4. An EDS user with administrator rights has quit. How to be?

5. Forgot your EDS password. How to recover a key?

Standard passwords: Rutoken 12345678, eToken 1234567890

If you have forgotten the password on the Rutoken, you need to use the Rutoken console, which is installed along with the driver and is accessible from the Control Panel (Windows). This applies when the user knows the Administrator password (PIN code) and needs to unblock the token (reset the counter of incorrectly entered passwords to 0).

If the carrier is eToken, you need to contact the CA.

6. How to digitally sign a word file

A document created in Microsoft Office Word is signed with an EDS whose private key was generated by an EDS tool no older than Crypto-Pro version 3.0. Before signing, you need to check the Crypto-Pro core: go to Start / Control Panel / Crypto-Pro / General. The tab will indicate the version of Crypto-Pro and then the "build", which is the core. It is advisable to install the latest build of the product.

Now we sign the document itself

The document must first be saved. In the menu, select Tools / Options / Security / Digital Signatures / Certificate, click "OK" and sign the document. If the certificate is not registered in Personal, the document cannot be signed. Save your document. Select Office button / Prepare / Add digital signature / Specify the purpose of signing the document (for example, accreditation) / Select signature / sign. The message "This document contains a digital signature" appears. A red emblem will appear on the panel.

7. Where can I get an EDS for free?

A free EDS is issued only to state organizations, in the divisions of the Federal Treasury.

8. Can an individual get an electronic signature?

An individual can also receive an EDS. Currently, this service is most in demand for individuals to participate in trading on electronic trading platforms for bankruptcy (sale of bankruptcy property). To obtain an EDS, individuals need to contact the CA, having with them:

    Passport of a citizen of the Russian Federation;

    TIN assignment certificate.

9. Is there a universal EDS for general use?

There is currently no universal EDS that would work in electronic auctions (both state and commercial) and with which it would be possible to submit reports.

10. Where to get training on working with EDS?

You can take training at the training center of the Association of Electronic Trading Platforms. Seminars are held regularly on the territory of most of the constituent entities of the Russian Federation.

11. How many days does an EDS take?

12. Can I give my EDS to a colleague during my vacation?

No. Responsibility, according to the Federal Law on EDS, is borne personally by its owner.

13. Help! I deleted the signature from the flash drive, what should I do?

Contact the CA for EDS restoration and reissue.

14. Will the contract be valid if I sign it today (my EDS expires tomorrow), and my partner in a week (at the time of signing by the partner, my signature will no longer be valid, but when I signed it, it was still working)?

If the document is signed in accordance with all the rules and the EDS validity period at the time of signing has not expired, the agreement will be valid, but it will be impossible to make changes to it after signing.

15. Can a digital signature issued for tax reporting be used on marketplaces?

No. EDS for tax reporting is not suitable for electronic trading.

16. How do you get an EDS?

An EDS is received only in person by the owner of the certificate.

17. How to rewrite a signature from a disk to a USB flash drive?

Copying the private key container:

To copy the private key container, go to Start - Programs - CryptoPro - CryptoProCSP and go to the Service tab. Click the Copy button.

The system will display the Copy Private Key Container window

In this window, fill in the following input field: Key container name - entered manually or selected from the list by clicking the Browse button

Search options:

The "Entered name sets the key container" switch is set to User or Computer, depending on which storage the container is located in;

Select CSP to search for key containers - the required Crypto Service Provider (CSP) is selected from the list provided.

You can also select the container corresponding to the certificate installed in the system. To do this, instead of the Browse button, click By certificate and select from the list of certificates installed in the user's personal stores, or, if you have administrator rights for the local computer, the certificate whose container you want to copy;

If a password is set for access to the private key, the system will ask you to enter it. Enter your password and click OK.

The system will display the "Copy private key container" window, in which you must enter the name of the new key container and set the "Entered name sets the key container" switch to User or Computer, depending on which storage you want to place the copied container in.

After entering, click the Finish button. The system will display a window in which you need to select the media for the copied container.

Insert the media into the reader and click the OK button. The system will display a window for setting a password to access the private key. Enter the password, confirm it, if necessary, set the Remember password flag (if this flag is set, the password will be saved in a special storage on the local computer and when accessing the private key, the password will be automatically read from this storage, and not entered by the user).


Tokens, electronic keys for accessing important information, are becoming increasingly popular in Russia. A token is now not only a means for authentication in the operating system of a computer, but also a convenient device for storing and presenting personal information: encryption keys, certificates, licenses, and certificates. Tokens are more reliable than the standard “login / password” pair due to the two-factor identification mechanism: that is, the user must not only have a storage medium (the token itself), but also know the PIN code.

There are three main form factors in which tokens are issued: USB token, smart card and key fob. PIN protection is most commonly found in USB tokens, although recent USB tokens are available with RFID tag capability and LCD display to generate one-time passwords.

Let's dwell on the principles of functioning of tokens with a PIN code. A PIN is a specially assigned password that breaks down the authentication procedure into two stages: attaching a token to a computer and entering the actual PIN.

The most popular token models on the modern electronic market of Russia are Rutoken, eToken from Aladdin, and an electronic key from Aktiv. Let's consider the most frequently asked questions regarding PIN codes for a token using the example of tokens from these manufacturers.

1. What is the default PIN?

The table below provides information on the default PIN codes for Rutoken and eToken tokens. The default password is different for different owner levels.

| Owner | User | Administrator |
|---|---|---|
| Rutoken | 12345678 | 87654321 |
| eToken | 1234567890 | By default, no administrator password is set. Can be set via the control panel only for eToken PRO, eToken NG-FLASH, eToken NG-OTP models. |
| JaCarta PKI | 11111111 | 00000000 |
| JaCarta GOST | Not set | 1234567890 |
| JaCarta PKI / GOST | For PKI functionality: 11111111; when using JaCarta PKI with the Backward Compatible option: PIN 1234567890; for GOST functionality: PIN not set | For PKI functionality: 00000000; when using JaCarta PKI with the Backward Compatible option: PIN not set; for GOST functionality: 1234567890 |
| JaCarta PKI / GOST / SE | For PKI functionality: 11111111; for GOST functionality: 0987654321 | For PKI functionality: 00000000; for GOST functionality: 1234567890 |
| JaCarta PKI / BIO | 11111111 | 00000000 |
| JaCarta PKI / Flash | 11111111 | 00000000 |
| ESMART Token | 12345678 | 12345678 |
| IDPrime card | 0000 | 48 zeros |
| JaCarta PRO / JaCarta LT | 1234567890 | 1234567890 |

2. Do I need to change the default PIN? If so, at what point in the work with the token?

3. What to do if the PIN-codes on the token are unknown, but the default PIN-code has already been reset?

The only way out is to completely clear (format) the token.

4. What if the user's PIN is blocked?

You can unblock the user's PIN through the token control panel. To perform this operation, you need to know the Administrator PIN.

5. What if the Admin PIN is blocked?

You cannot unlock the Admin PIN. The only way out is to completely clear (format) the token.

6. What security measures have been taken by manufacturers to reduce the risk of brute-forcing a password?

The main points of the security policy for PIN-codes of USB-tokens of the Aladdin and Aktiv companies are presented in the table below. After analyzing the data in the table, we can conclude that the eToken will presumably have a more secure PIN code. Rutoken, although it allows you to set a password of just one character, which is unsafe, in other parameters is not inferior to the product of the Aladdin company.

| Parameter | eToken | Rutoken |
|---|---|---|
| Minimum PIN length | 4 | 1 |
| PIN-code composition | Letters, numbers, special characters | Numbers, letters of the Latin alphabet |
| | Greater than or equal to 7 | Up to 16 |
| Administering PIN Security | | |
| | Yes | Yes |
| | Yes | Yes |

The importance of keeping the PIN code secret is known to everyone who uses tokens for personal purposes, stores an electronic signature on one, or trusts the electronic key not only with personal information but also with the details of business projects. Tokens from Aladdin and Aktiv have predefined protective properties which, together with a certain degree of care on the user's part, reduce the risk of a password being guessed to a minimum.
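The two tables above can be turned into a check that is run before a new PIN is written to a token, so that factory defaults and PINs the device would accept but that are trivially guessable are rejected. This is an added example, not vendor code: the function names, the finding codes, the 8-character policy floor and the ASCII approximation of the character sets are assumptions, and the sample PINs in the demo are constructed.

```python
"""PIN policy check built from the two tables above (added example).
Function names and the 8-character floor are assumptions, not vendor rules."""
import string

# Factory PINs listed in the default-PIN table (user and administrator values).
DEFAULT_PINS = {
    "12345678", "87654321", "1234567890", "11111111", "00000000",
    "0987654321", "0000", "0" * 48,
}

# From the policy table: shortest PIN the device accepts and the allowed
# characters (approximated here with ASCII sets, which is an assumption).
TOKEN_RULES = {
    "eToken": (4, set(string.ascii_letters + string.digits + string.punctuation)),
    "Rutoken": (1, set(string.ascii_letters + string.digits)),
}


def is_digit_run(pin):
    """True for counting sequences such as 123456 or 0987654321 (wraps at 0)."""
    if len(pin) < 3 or any(c not in string.digits for c in pin):
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def check_pin(token, pin, policy_min=8):
    """Return a list of finding codes; an empty list means the PIN passes."""
    device_min, alphabet = TOKEN_RULES[token]
    findings = []
    if any(c not in alphabet for c in pin):
        findings.append("BAD_CHARSET")       # the token would refuse these characters
    if len(pin) < device_min:
        findings.append("BELOW_DEVICE_MIN")  # the token would refuse this length
    elif len(pin) < policy_min:
        findings.append("BELOW_POLICY_MIN")  # accepted by the device, too short for us
    if pin in DEFAULT_PINS:
        findings.append("FACTORY_DEFAULT")
    if len(pin) > 1 and len(set(pin)) == 1:
        findings.append("REPEATED_CHAR")
    if is_digit_run(pin):
        findings.append("DIGIT_RUN")
    return findings


if __name__ == "__main__":
    # Constructed sample PINs, one per failure mode plus one that passes.
    samples = [("Rutoken", "12345678"), ("Rutoken", "7"), ("eToken", "abc"),
               ("Rutoken", "pa$$w0rd-Kx"), ("eToken", "pa$$w0rd-Kx")]
    for token, pin in samples:
        print(token, repr(pin), check_pin(token, pin) or "OK")
```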

Rutoken and eToken software products are presented in various configurations and form factors. The offered assortment will allow you to choose exactly the token model that best suits your requirements, be it

1. What is an electronic signature?

An electronic signature (electronic digital signature) is a requisite of an electronic document that allows you to establish the absence of distortion of information in an electronic document from the moment of its signing and to check whether the signature belongs to the owner of the electronic signature key certificate. The value of the attribute is obtained as a result of cryptographic transformation of information using the private key of the signature. An electronic signature is analogous to a handwritten signature. The use of electronic signatures in Russia is regulated by Federal Law No. 63-FZ of April 6, 2011.

2. How to create an electronic signature?

You can create your own electronic signature using the "Key Management" section of the main menu of the system if you have a code word, which you must indicate in the Client Questionnaire when visiting our office personally or in the process of opening an account online.

To create and use an EDS in the system, you must also sign an Agreement on the use of documents in electronic form at the company's office or in any other possible way.

3. How to change the electronic signature?

The electronic signature cannot be changed. However, you can create a new electronic signature key using the "Key Management" section of the main menu of the system. To do this, you need to enter your code word. After creating a new electronic signature key, your old key is canceled.

4. How secure is it to use an electronic signature?

An electronic signature is almost impossible to forge. However, you must take some precautions. Keep the electronic signature key in places inaccessible to unauthorized persons! Do not give anyone the key file and password to access it! If you have any suspicions that your electronic signature key may be used by other persons, immediately inform the Company about it by phone: +7 812 635 68 65. The client is fully responsible for the safety of the electronic signature key and passwords.

5. I have forgotten my e-signature key password, what should I do?

The electronic signature key password cannot be recovered. If you have forgotten it, create a new electronic signature using the "Key Management" section of the main menu of the system. To do this, you need to enter your code word. After creating a new electronic signature key, your old key is canceled.

If you suspect that your electronic signature keys could have been changed by third parties, immediately inform the customer service department by phone at +7 812 635-68-65 to block access to your account and revoke the electronic signature key.

6. I forgot the code word, what should I do?

The code word cannot be recovered. We cannot send it to your e-mail address or speak by phone. To change the code word, you must personally come to one of our offices. Check again how you enter your code word. It must be entered exactly as you wrote it in the Client Questionnaire. Check the case of letters (small or large) and the keyboard layout (input language, etc.).

7. Requirements for a computer for signing documents with an electronic signature

The component Java Virtual Machine (JVM, Java virtual machine) must be installed on your computer and enabled in the browser settings, which is needed to launch and operate the applets (loadable program modules) for generating keys and electronic signatures for documents.

Microsoft Internet Explorer usually comes with Microsoft's Java machine, the Microsoft VM. You can also install a similar component from SUN (SUN Java Virtual Machine browser plug-in), which can be downloaded from the SUN website.

After downloading the file, double-click the mouse to start the installation of the component. After the component is installed, you need to restart your computer.

The service works correctly with the Microsoft VM component version 5.0 and higher, as well as the Sun Java browser plug-in version 1.4.2_03 and higher, 1.5.0 and higher, 1.6.0 and higher.

You can view information about the installed Java VM component (as well as enable / disable it) in the browser menu "Tools" -> "Internet Options" on the "Advanced" tab, in the window that opens, look for the section about VM (Microsoft VM or Java (Sun)).

The version of the Microsoft VM component can be viewed in the View -> Java console menu if the Java console enabled option is enabled in the Advanced tab.

If you have both components installed and enabled in the browser: both the Microsoft VM and the Sun Java plug-in, then one of them must be disabled.

If you are using a browser other than Microsoft Internet Explorer, we recommend choosing the browser installation package with Java or additionally installing a Java machine from Sun.

For Linux users, we recommend that you install a Java machine from Sun version 1.5.0 or higher, which can be downloaded from

When generating requests for a certificate and keys in the "AWS for generating keys" program, a window appears where this program (or rather Crypto Pro) prompts you to enter a password (Fig. 8). It offers a password but does not require one: if the fields are left blank, no password will be set. But users probably think differently and, of course, fill in these fields. Everything would be fine, but then they happily forget what password they entered during generation, and the first time they have to sign something, they are stuck. Then, of course, there is a call to the Treasury with a request for help.

Today, in this article, I will show you how you can remove or change this password. There are two options for removing a password. The first is when the user remembers the old password, the second is when he does not remember. Let's start with the first one. As I mentioned at the beginning of the article, the Crypto Pro program is responsible for the password for the key container. Let's run it by going to the computer control panel (Fig. 1):



To open the same window as mine, in the upper right corner of the window select the "Small icons" view mode. Launch Crypto Pro, a window opens (Fig. 2):



Click on the "Service" tab to get into the following window (Fig. 3):



At the bottom of the window there is a button labeled "Change Password". Click on it and get into the next window (Fig. 4):



Here we are offered to select a key container using the "Browse" button. Beforehand, do not forget to insert a USB flash drive or other media into your computer with your keys. When you click on the button, the following window will open (Fig. 5):



Select the key carrier we need and click "OK". The following window will open (fig. 6):



Make sure that we have indeed selected the container of the private key we need, and click the "Finish" button, after which the password entry window will open (Fig. 7):



Here you need to enter the password that you entered when generating keys and requesting a certificate in the "AWS for generating keys" program. It is assumed that you remember it :). Enter, click "OK", you do not need to check the "Remember password" checkbox, and we get to the window for entering a new password (Fig. 8):



Here you can not only change the password, but also delete it if you leave the fields blank. If you want to change the password, then come up with and enter it twice.


We have covered the case where the user remembers the old password for the container. Now let's try to remove the password from the container when it has been safely forgotten. Here we will be helped by the csptest.exe utility, which is included in the installation kit of the Crypto Pro program starting from version 3.6. If you have this program installed, then you have this utility, and it is located in the program installation path, i.e. C:\Program Files (x86)\Crypto Pro\CSP (I have a 64-bit OS; on a 32-bit OS, (x86) will be absent from the path). We need to run it from the command line.

To open the command line in Windows 7, you need to get to the desired folder through the explorer, press the "Shift" key on the keyboard, and while holding it, right-click on the desired folder. Everything is illustrated in the picture below (Fig. 9):



In the context menu that appears, select "Open command window" with the left mouse button. In the command window, you must first enter the following command: without square brackets, of course. This command will show us all the available private key containers in the form [\\.\media name\container name]. When we know the name of our private key container, we need to enter one more command: ... Again, no square brackets. In quotes, you must enter the name of your private key container, which you learned in the previous step. The quotation marks are REQUIRED. This command will show us the saved password; knowing it, we can use the first method to remove or change the password.

All of the above actions were done by me, as evidenced by Figure 10:



I would like to note right away that I was not able to "find out" the password using this method (red line in Fig. 10). But I think this is due to the fact that the container that I indicated in the second command was obtained by copying from media to media using the "Copy" menu item of the Crypto Pro program (Fig. 3). The private keys were generated on a different medium that was no longer available to me. But the method is working.

If you also fail to remove the password in this way, then the only remaining way is to revoke the current certificate and generate new keys and a new certificate request. And if you are more serious about password protection, then passwords will not be "forgotten". That's all. Good luck!
