Copying with CryptoPro CSP. How to install a personal certificate in CryptoPro. How to copy a private key to the registry

People often ask us how to install a certificate through CryptoPro CSP. The situations vary: a director or chief accountant has changed, a new certificate has been received from a certification center, and so on. It used to work, but now it doesn't. Here is what you need to do to install a personal digital certificate on your computer.

You can install a personal certificate in two ways:

1. Through the CryptoPro CSP menu "View certificates in the container"

2. Through the CryptoPro CSP menu "Install personal certificate"

If the workstation runs Windows 7 without SP1, install the certificate as described in option 2.

Option 1. Install through the menu "View certificates in the container"

To install a certificate:

1. Select Start -> Control Panel -> CryptoPro CSP -> Service tab and click the "View certificates in container" button.

2. In the window that opens, click the "Browse" button. Select a container and confirm your choice with the OK button.


If the message “There is no public encryption key in the private key container” appears, install the digital certificate using option 2.

4. If “CryptoPro CSP” version 3.6 R2 (product version 3.6.6497) or higher is installed on your computer, then in the window that opens, click on the “Install” button. Then agree to the proposal to replace the certificate.

If the “Install” button is not present, in the “Certificate for viewing” window, click the “Properties” button.


5. In the “Certificate” window -> “General” tab, click on the “Install certificate” button.


6. In the Certificate Import Wizard window, select Next.

7. If you have installed “CryptoPro CSP” version 3.6, then in the next window it is enough to leave the switch on the item “Automatically select storage based on the type of certificate” and click “Next”. The certificate will be automatically installed in the Personal store.



Option 2. Install through the "Install personal certificate" menu

To install, you will need, in fact, the certificate file itself (with the .cer extension). It can be located, for example, on a floppy disk, on a token, or on a computer's hard drive.

To install a certificate:

1. Select Start -> Control Panel -> CryptoPro CSP -> Service tab and click the “Install Personal Certificate” button.


2. In the “Personal Certificate Installation Wizard” window, click the “Next” button. In the next window, to select the certificate file, click “Browse”.


3. Specify the path to the certificate and click on the "Open" button, then "Next".


4. In the next window, you can view information about the certificate. Click Next.


5. In the next step, enter or specify the private key container that corresponds to the selected certificate. To do this, use the “Browse” button.



If you have installed CryptoPro CSP version 3.6 R2 (product version 3.6.6497) or higher, check the “Install certificate to container” checkbox.


8. Select the "Personal" store and click OK.


9. The store is now selected. Click Next, then Finish. After that, a message may appear:


In this case, click “Yes”.

10. Wait for the message that the personal certificate was successfully installed on the computer.

That's it, you can sign documents using the new certificate.

If none of the solutions suggested below fixes the problem, the key medium may have been damaged and needs to be repaired. There is no way to recover data from a damaged smart card or registry.

If there is a copy of the key container on another medium, then you must use it for work, having previously installed the certificate.

Diskette

If a floppy disk is used as a key container, you must perform the following steps:

1. Make sure that at the root of the floppy there is a folder containing the files: header, masks, masks2, name, primary, primary2. The files must have a .key extension and the folder name must have the following format: xxxxxx.000.

the private key container has been damaged or deleted

2. Make sure that the "Drive X" reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - "All removable drives"), where X is the drive letter.

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";

?).

3. In the CryptoPro CSP window "Select a key container" set the radio button "Unique names".

4.

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Go to the "Service" tab and click on the "Delete remembered passwords" button;

5. How can I copy a container with a certificate to another medium?).

Flash drive

If a flash drive is used as a key carrier, you must perform the following steps:

1. Make sure that in the root of the media there is a folder containing the files: header, masks, masks2, name, primary, primary2. The files must have a .key extension and the folder name format must be: xxxxxx.000.

If any files are missing or are not in the correct format, then the private key container may have been damaged or deleted. You also need to check if this folder with six files is contained in other media.

2. Make sure that the "Drive X" reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - "All removable drives"), where X is the drive letter.

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Go to the "Equipment" tab and click on the "Configure readers" button.

If there is no reader, it must be added (see How to configure readers in CryptoPro CSP?).

3.

4. Delete memorized passwords. For this:

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Mark the item "User" and click on the "OK" button.

5. Make a copy of the key container and use it for work (see How to copy a container with a certificate to another medium?).

6. If CryptoPro CSP version 2.0 or 3.0 is installed at the workplace, and Drive A (B) is present in the list of key media, then it must be removed. For this:

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Go to the "Equipment" tab and click on the "Configure readers" button;
  • Select the reader "Drive A" or "Drive B" and click on the "Delete" button.

After deleting this reader, it will be impossible to work with the floppy disk.

Rutoken

If a Rutoken smart card is used as a key carrier, the following steps must be followed:

1. Make sure the light on the Rutoken is on. If the light is off, then you should use the following recommendations.

2. Make sure that the "Rutoken" reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - "All smart card readers").

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Go to the "Equipment" tab and click on the "Configure readers" button.

If there is no reader, it must be added (see How to configure readers in CryptoPro CSP?).

3. In the window "Select a key container" set the radio button "Unique names".

4. Delete memorized passwords. For this:

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Go to the "Service" tab and click on the "Delete remembered passwords" button;
  • Mark the item "User" and click on the "OK" button.

5. Update support modules required for Rutoken to work. For this:

  • Disconnect the smart card from the computer;
  • Select "Start" > "Control Panel" > "Add or Remove Programs" (for Windows Vista / 7: "Start" > "Control Panel" > "Programs and Features");
  • Select "Rutoken Support Modules" from the list that opens and click on the "Remove" button.

After removing the modules, you need to restart the computer.

  • Download and install the latest support modules. The distribution kit is available for download on the site of the Aktiv company.

After installing the modules, you need to restart your computer.

6. You should increase the number of containers displayed in CryptoPro CSP on Rutoken using the following instruction.

7. Update the Rutoken driver (see How do I update the Rutoken driver?).

8. Make sure Rutoken contains key containers. To do this, you need to check the amount of free memory on the media by following these steps:

  • Open "Start" ("Settings") > "Control Panel" > "Rutoken Control Panel" (if this item is missing, then you should update the Rutoken driver).
  • In the "Rutoken Control Panel" window that opens, in the "Readers" item, select "Activ Co. ruToken 0 (1,2)" and click on the "Information" button.

If the Rutoken is not visible in the "Readers" item, or the message "The ruToken memory state has not changed" appears when you press the "Information" button, then the medium has been damaged and you need to contact the service center for an unplanned replacement of the key.

  • Check what value is indicated in the "Free memory (byte)" line.

Service centers issue Rutokens with a memory capacity of about 30,000 bytes as key media. One container takes up about 4 Kb. The free memory of a Rutoken containing one container is about 26,000 bytes, with two containers about 22,000 bytes, and so on.

If the free memory of a Rutoken is more than 29-30,000 bytes, then there are no key containers on it. Therefore, the certificate is on a different medium.

Registry

If the Registry reader is used as a key carrier, you must perform the following steps:

1. Make sure that the "Registry" reader is configured in CryptoPro CSP. For this:

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Go to the "Equipment" tab and click on the "Configure readers" button.

If there is no reader, it must be added (see How to configure readers in CryptoPro CSP?).

2. In the window "Select a key container" set the radio button "Unique names".

3. Delete memorized passwords. For this:

  • Select "Start" menu > "Control Panel" > "CryptoPro CSP";
  • Go to the "Service" tab and click on the "Delete remembered passwords" button;
  • Mark the item "User" and click on the "OK" button.

Copy using Windows

If a floppy disk or flash drive is used for work, you can copy the container with the certificate using Windows tools (this method is suitable for CryptoPro CSP versions of at least 3.0). Place the folder with the private key (and, if any, the certificate file - the public key) into the root of the floppy / flash drive (if placed outside the root, then work with the certificate will be impossible). It is recommended not to change the folder name when copying.

The folder with the private key should contain 6 files with the extension .key. As a rule, the private key contains the public key (in this case the header.key file will be larger than 1 KB), and copying the public key is then optional. An example of a private key is a folder with six files; an example of a public key is a file with the extension .cer.
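The layout rules above (six .key files, an xxxxxx.000 folder directly under the media root, header.key above 1 KB when the public key is inside the container) can be checked before CryptoPro CSP is opened. The script below is an added example, not part of the original instructions or of CryptoPro; the function names, the reading of "xxxxxx.000" as a stem plus three digits, and the sample tree built in demo() are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# The six files the page lists for a key container folder.
REQUIRED = {"header.key", "masks.key", "masks2.key",
            "name.key", "primary.key", "primary2.key"}
# Assumption: "xxxxxx.000" is read as <stem>.<three digits>.
NAME_RE = re.compile(r"^[^.]+\.\d{3}$")


def check_container(folder: Path, media_root: Path) -> dict:
    """Report layout problems for one candidate container folder."""
    files = {p.name.lower(): p for p in folder.iterdir() if p.is_file()}
    problems = []
    missing = sorted(REQUIRED - set(files))
    if missing:
        problems.append("missing files: " + ", ".join(missing))
    if not NAME_RE.match(folder.name):
        problems.append("folder name is not in the xxxxxx.000 format")
    if folder.parent != media_root:
        problems.append("folder is not directly under the media root")
    header = files.get("header.key")
    return {
        "folder": folder.relative_to(media_root).as_posix(),
        "problems": problems,
        # Page heuristic: header.key over 1 KB usually means the
        # public key (certificate) is stored inside the container.
        "header_over_1kb": header is not None
                           and header.stat().st_size > 1024,
    }


def scan_media(media_root) -> list:
    """Check every folder under media_root that holds a container file."""
    root = Path(media_root).resolve()
    candidates = sorted({p.parent for p in root.rglob("*")
                         if p.is_file() and p.name.lower() in REQUIRED})
    return [check_container(c, root) for c in candidates]


def demo() -> list:
    """Scan a constructed media tree made of zero-filled placeholder files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            "abcdef.000": REQUIRED,             # complete, at the root
            "backup/ghijkl.000": REQUIRED,      # complete, but nested
            "mnopqr.000": REQUIRED - {"masks2.key", "primary2.key"},
        }
        for rel, names in layout.items():
            folder = root / rel
            folder.mkdir(parents=True)
            for name in names:
                big = (rel, name) == ("abcdef.000", "header.key")
                (folder / name).write_bytes(b"\0" * (1500 if big else 64))
        return scan_media(root)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

To check real media, call scan_media with the drive root (for example the letter assigned to the flash drive) instead of running demo().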


Copy to Diagnostics Profile

1. Go to the "Copy" Diagnostics profile using the link.

2. Insert the media to which you want to copy the certificate.

3. Press the "Copy" button on the required certificate.

If a password has been set for the container, the message “Enter the password for the device from which the certificate will be copied” will appear.

4. Select the medium where you want to copy the certificate and click "Next".

5. Give a name to the new container and click the Next button.

6. A message should appear stating that the certificate was copied successfully.

Bulk copy

1. Download and run the utility. Wait until the entire list of containers / certificates is loaded and tick the necessary boxes.

2. Select the "Bulk Actions" menu and click on the "Copy Containers" button.

3. Select the storage medium for the container copy and click OK. When copying to the registry, you can tick the box "Copy to the key container of the computer", then after copying the container will be available to all users of this computer.

4. After copying, click the "Update" button at the bottom left.
If you want to work with copied containers, you must.

Copying with CryptoPro CSP

Select Start > Control Panel > CryptoPro CSP. Go to the "Service" tab and click on the "Copy" button.

In the window "Copy the private key container" click on the "Browse" button.

Select the container you want to copy and click on the "OK" button, then "Next". If you copy from a Rutoken, an input window will appear in which you should enter the PIN code. If you have not changed the PIN code on the medium, the standard PIN code is 12345678.

Create and manually specify a name for the new container. Russian layout and spaces are allowed in the container name. Then click "Finish".

In the "Insert blank key media" window, select the medium on which the new container will be placed.


You will be prompted to set a password for the new container. We recommend choosing a password that is easy for you to remember but that outsiders cannot guess or work out. If you do not want to set a password, you can leave the field blank and click "OK".

Do not store your password / pin code in places where unauthorized persons have access. If you lose your password / pin-code, you will not be able to use the container.


If you copy the container to a Rutoken, the prompt is worded differently. Enter the PIN code in the input window. If you have not changed the PIN code on the medium, the standard PIN code is 12345678.

After copying, the system will return to the "Service" tab of CryptoPro CSP. Copying completed. If you plan to use a new key container for work in the Extern,.

Installing the certificate and private key

We will describe the installation of an electronic signature certificate and a private key for Windows operating systems. During the configuration process, we need Administrator rights (so we may need a sysadmin, if you have one).

If you have not yet figured out what an electronic signature is, then please read Or if you have not received an electronic signature yet, contact the Certifying Center, we recommend SKB-Kontur.

Suppose you already have an electronic signature (on a token or flash drive), but OpenSRO reports that your certificate is not installed. This can happen if you decide to set up a second or third computer (of course, the signature is not tied to a single computer and can be used on several). Usually the initial setup is carried out with the help of the Certification Center's technical support, but let's say that is not our case, so let's go.

1. Make sure CryptoPro CSP 4 is installed on your computer

To do this, go to Start > CRYPTO-PRO > CryptoPro CSP, run it and make sure that the program version is not lower than 4.

If it is not there, then download, install and restart your browser.

2. If you have a token (Rutoken for example)

Before the system can work with it, you need to install the correct driver.

  • Drivers Rutoken: https://www.rutoken.ru/support/download/drivers-for-windows/
  • Drivers eToken: https://www.aladdin-rd.ru/support/downloads/etoken
  • Drivers JaCarta: https://www.aladdin-rd.ru/support/downloads/jacarta

The algorithm is as follows: (1) Download; (2) Install.

3. If the private key is in the form of files

The private key can be in the form of 6 files: header.key, masks.key, masks2.key, name.key, primary.key, primary2.key

There is a subtlety here: if these files are written to your computer's hard disk, CryptoPro CSP will not be able to read them. All actions must therefore be performed after first writing them to a USB flash drive (removable media), and they must be placed in a first-level folder, for example E:\Andrey\(files); if they are located in E:\Andrey\keys\(files), it will not work.

(If you are not afraid of the command line, removable media can be emulated like this: subst x: C:\tmp. A new drive (X:) will appear containing the contents of the C:\tmp folder; it will disappear after a reboot. This method can be used if you plan to install keys to the registry.)

We found the files, wrote them down to a USB flash drive, and proceed to the next step.

4. Installing a certificate from a private key

Now we need to get the certificate. You can do it as follows:

  1. Open CryptoPro CSP
  2. Go to the Service tab
  3. Click the View certificates in container button, click Browse, and (if we did everything right in the previous steps) our container will be there. Click Next; information about the certificate will appear. Then click Install (the program may ask whether to add a link to the private key; answer "Yes")
  4. After that, the certificate will be installed in the store and you will be able to sign documents (the flash drive or token must be inserted into the computer at the moment of signing)

5. Using an electronic signature without a token or flash drive (installation in the registry)

If speed and convenience of work matter a little more to you than security, you can install your private key in the Windows registry. To do this, follow a few simple steps:

  1. Prepare the private key as described in points (2) or (3)
  2. Open CryptoPro CSP
  3. Go to the Service tab
  4. Click the Copy button
  5. Use the Browse button to choose our key
  6. Click Next, then come up with a name, for example "Pupkin, Romashka LLC", and click Finish
  7. A window will appear asking you to select a medium; select Registry and click OK
  8. The system will ask you to set a password for the container; create a password and click OK

Important note: The OpenSRO portal will not "see" the certificate if it has expired.

Electronic document management is becoming an ever larger part of our lives.
Today it concerns not only office employees of enterprises and individual entrepreneurs; working with electronic documents increasingly helps ordinary citizens solve everyday problems as well. As the use of electronic documents expands, so does the use of the electronic digital signature, EDS for short.
Below we discuss how to make working with an EDS more convenient, namely how to add an EDS key to the CryptoPro registry on a computer.

What is EDS and private key certificate

Electronic digital signatures are used in many software products: 1C:Enterprise (and other business or accounting programs), SBIS++, Kontur.Extern (and other solutions for accounting and tax reporting), and others. EDS is also used in services for individuals when dealing with government agencies.

An EDS is, in a way, a guarantor in the world of electronic document management, similar to conventional signatures and seals on paper.

As with the signing of paper documents, signing an electronic document involves "editing" the original.

An electronic document is digitally signed by transforming it with the owner's private key; this process is called signing the document.

Today private key certificates are most often distributed either on ordinary USB sticks or on special protected media with the same USB interface (Rutoken, eToken, etc.).
Every time we need to sign documents (or identify a user), we have to insert the medium with the key into the computer and then work with the certificate. When the work is done, it is enough to remove the medium from the computer so that no one else can use our signature. This method is quite safe, but not always convenient.

If you use an EDS at home, connecting and disconnecting the token every time quickly becomes tedious. In addition, the medium occupies a USB port, and there are not always enough ports for all the necessary peripherals.
If you use an EDS at work, it may happen that the key is issued by the certification center, but different people must sign documents. Carrying the container back and forth is inconvenient, and sometimes several specialists work with the certificate at the same time.
In addition, at home, and especially at work, it may be necessary to use several digital signature keys on one computer.

In the cases where using the physical medium of the certificate is inconvenient, you can register the EDS key in the CryptoPro registry (you can read more about the Windows registry in general in the corresponding article, Changing Windows Registry Settings) and use the certificate without connecting the medium to a USB port on your computer.

Adding Registry reader to CryptoPro CSP

First of all, for CryptoPro to be able to work with locally registered keys, we need to add a reader of that type.

To install a new media type in the CSP utility, run the program as administrator, either from the right-click menu or from the General tab of the utility.

Now go to the Hardware tab and click the Configure Readers... button.
If there is no Registry option in the window that opens, click the Add... button to add it.

  1. Click the Next button in the first window.
  2. From the list of readers from all manufacturers, select the option Registry and click Next again.
  3. Enter an arbitrary name for the reader, you can leave the default name. Click Next.
  4. In the last window, we see a notification that after completing the configuration of the reader, it is recommended to restart the computer. Click the Finish button and reboot the machine yourself.

The first stage is complete. The Registry reader has been added, as shown by the corresponding item in the Reader management window (as a reminder, this window is opened via CryptoPro - Equipment - Configure readers...).

Copying the key to the CryptoPro CSP Registry

To register the key container in local storage, connect the physical medium with the key to the computer.

Now launch the CryptoPro utility again, open the Service tab and click the Copy... button.
Next, in the Copy Private Key Container Wizard window, click the Browse button (or By certificate...) and select our key medium, confirming the selection with the OK button, and then proceed to the next window with the Next button.

In the new window, set an arbitrary friendly name for the key container being created and click the Finish button. Then, to write the key, select the reader type we created earlier, Registry, confirming the selection with the OK button.
After confirmation, we need to set a password for the created key container. Most often the password 12345678 is used by default, but for more secure operation a more complex password can be set. After entering the password, click the OK button.

That's it: the key container has been added to the CryptoPro Registry.

Installing the CryptoPro CSP private key certificate

To finish setting up document signing without connecting the key medium to the computer, we only have to install the private key certificate from the container on the medium we created.

To install a certificate in CryptoPro, you need to do the following:

  1. In the CSP utility on the Service tab, click on the button View certificates in container ...
  2. In the window that opens, click on the Browse button, where, according to the name we specified, select the desired medium, confirming the selection with the OK button. Click Next.
  3. In the final window, we check the correctness of the certificate selection and confirm the decision with the Install button.

Now the private key certificate is installed from the local Registry medium.

CryptoPro configuration is complete, but remember that many software products will also require you to re-register the new key in their system settings.
After these steps, we can sign documents without connecting a key medium, be it Rutoken, eToken or some other physical medium.