If none of the solutions suggested below fix the problem, the key media may have been damaged and requires recovery (see). It is impossible to recover data from a damaged smart card or registry.
If there is a copy of the key container on another medium, then you must use it for work, having first installed the certificate.
Diskette
If you are using a floppy disk as the key container, you must complete the following steps:
1. Make sure that in the root of the floppy disk there is a folder containing the files: header, masks, masks2, name, primary, primary2. Files must have a .key extension and the folder name format must be xxxxxx.000.
the private key container has been corrupted or deleted
2. Make sure that in CryptoPro CSP the "Disk Drive X" reader is configured (for CryptoPro CSP 3.6 - "All removable drives"), where X is the drive letter. To do this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
?).
3. In the CryptoPro CSP window “Selecting a key container”, select the “Unique names” radio button.
4.
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
- Go to the “Service” tab and click on the “Remove remembered passwords” button;
5. How to copy a container with a certificate to another medium?).
Flash drive
If a flash drive is used as the key media, you must perform the following steps:
1. Make sure that in the root of the media there is a folder containing the files: header, masks, masks2, name, primary, primary2 . Files must have a .key extension and the folder name format must be as follows: xxxxxx.000 .
If any files are missing or their format is incorrect, then the private key container may have been damaged or deleted. You also need to check whether this folder contains six files on other media.
2. Make sure that the “Disk drive X” reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - “All removable drives”), where X is the drive letter. To do this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
- Go to the “Equipment” tab and click on the “Configure readers” button.
If the reader is missing, you need to add it (see How to configure readers in CryptoPro CSP?).
3.
4. Remove remembered passwords. For this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
- Select the “User” item and click the “OK” button.
5. Make a copy of the key container and use it for work (see How to copy a container with a certificate to another medium?).
6. If CryptoPro CSP version 2.0 or 3.0 is installed at the workplace, and in the list key media Drive A (B) is present, then it must be removed. For this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
- Go to the “Equipment” tab and click on the “Configure readers;” button
- Select the reader “Disk Drive A” or “Disk Drive B” and click on the “Delete” button.
After removing this reader, working with the floppy disk will be impossible.
Rutoken
If a Rutoken smart card is used as a key carrier, you must complete the following steps:
1. Make sure that the light on the rutoken is on. If the light does not light, then you should use the following recommendations.
2. Make sure that the “Rutoken” reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - “All smart card readers”). To do this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
- Go to the “Equipment” tab and click on the “Configure readers” button.
If the reader is missing, you need to add it (see How to configure readers in CryptoPro CSP?).
3. In the “Select a key container” window, select the “Unique names” radio button.
4. Remove remembered passwords. For this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP” ;
- Go to the “Service” tab and click on the “Remove remembered passwords” button;
- Select the “User” item and click the “OK” button.
5. Update the support modules required for Rutoken to work. For this:
- Disconnect the smart card from the computer;
- Select the “Start” menu > “Control Panel” > “Add or Remove Programs” (for Windows Vista\Seven “Start” > “Control Panel” > “Programs and Features”);
- Select “Rutoken Support Modules” from the list that opens and click on the “Delete” button.
After removing modules you need to restart your computer .
- Download and install the latest version of support modules. The distribution is available for download on the Aktiv website.
After installing the modules, you must restart your computer.
6. The number displayed in CryptoPro should be increased CSP containers on Rutoken using the following instructions .
7. Update the Rutoken driver (see How to update the Rutoken driver?).
8. You should make sure that Rutoken contains key containers. To do this, you need to check the amount of free memory on the media by following these steps:
- Open “Start” (“Settings”) > “Control Panel” > “Rutoken Control Panel” (if this item is missing, you should update the Rutoken driver).
- In the “Rutoken Control Panel” window that opens, in the “Readers” item, select “Activ Co. ruToken 0 (1,2)" and click on the "Information" button.
If the rutoken is not visible in the “Readers” item or when you click on the “Information” button, the message “ruToken memory status has not changed” appears, then the media has been damaged, you need to contact the service center for an unscheduled key replacement.
- Check what value is indicated in the line “Free memory (bytes)”.
As a key carrier in service centers root tokens with a memory capacity of about 30,000 bytes are issued. One container takes up about 4 KB. The amount of free memory of a rootken containing one container is about 26,000 bytes, two containers - 22,000 bytes, etc.
If the free memory of a root token is more than 29-30,000 bytes, then there are no key containers on it. Therefore, the certificate is contained on a different medium.
Registry
If the Registry reader is used as a key medium, you must perform the following steps:
1. Make sure that the “Register” reader is configured in CryptoPro CSP. For this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
- Go to the “Equipment” tab and click on the “Configure readers” button.
If the reader is missing, you need to add it (see How to configure readers in CryptoPro CSP?).
2. In the “Select a key container” window, select the “Unique names” radio button.
3. Remove remembered passwords. For this:
- Select the “Start” menu > “Control Panel” > “CryptoPro CSP”;
- Go to tab « Service" and click on the "Delete remembered passwords" button;
- Select the “User” item and click the “OK” button.
Good afternoon!. For the last two days I have had an interesting task of finding a solution to this situation, whether there is a physical or virtual server, it probably has the well-known CryptoPRO installed on it. Connected to the server , which is used to sign documents for VTB24 DBO. Everything works locally on Windows 10, but on the server platform Windows Server 2016 and 2012 R2, Cryptopro does not see the JaCarta key. Let's figure out what the problem is and how to fix it.
Description of the environment
There is a virtual machine on Vmware ESXi 6.5, Windows Server 2012 R2 is installed as the operating system. The server is running CryptoPRO 4.0.9944, the latest version at the moment. WITH network USB hub, using USB over ip technology, a JaCarta dongle is connected. Key in the system it seems, but not in CryptoPRO.
Algorithm for solving problems with JaCarta
CryptoPRO very often causes various errors in Windows, a simple example (Windows installer service could not be accessed). This is what the situation looks like when the CryptoPRO utility does not see the certificate in the container.
As you can see in the UTN Manager utility, the key is connected, it is seen in the system in smart cards as a Microsoft Usbccid (WUDF) device, but CryptoPRO does not detect this container and you do not have the opportunity to install the certificate. The token was connected locally, everything was the same. We began to think about what to do.
Possible reasons with container definition
- Firstly, this is a problem with the drivers, for example, in Windows Server 2012 R2, JaCarta should ideally be defined in the list of smart cards as JaCarta Usbccid Smartcard, and not Microsoft Usbccid (WUDF)
- Secondly, if the device is seen as Microsoft Usbccid (WUDF), then the driver version may be outdated, which is why your utilities will not detect a protected USB drive.
- Outdated version of CryptoPRO
How to solve the problem that cryptopro does not see the USB key?
We created a new virtual machine and began installing the software sequentially.
Before installing any software working with USB drives containing certificates and private keys. Need to NECESSARILY disable the token, if inserted locally, then disable it, if over the network, terminate the session
- First of all, we update your operating system, everyone available updates, since Microsoft fixes many errors and bugs, including drivers.
- The second point is, in the case of a physical server, to install all the latest drivers on the motherboard and all peripheral equipment.
- Next, install the Unified JaCarta Client.
- Install the latest version of CryptoPRO
Installing a single JaCarta PKI client
Single JaCarta Client- This special utility from the Aladdin company, for proper work with JaCarta tokens. You can download the latest version of this software product from the official website, or from my cloud, if suddenly you can’t get it from the manufacturer’s website.
Next, you unpack the resulting archive and run it installation file, for my Windows architecture, mine is 64-bit. Let's start installing the Jacarta driver. Single client Jacarta, installation is very simple (I REMIND you that your token must be disabled at the time of installation). On the first window of the installation wizard, simply click next.
We accept license agreement and click "Next"
For JaCarta token drivers to work correctly for you, just run standard installation.
If you choose "Custom installation", be sure to check the following boxes:
- JaCarta Drivers
- Support modules
- Support module for CryptoPRO
After a couple of seconds, Jacarta Unified Client is successfully installed.
Be sure to restart the server or computer so that the system sees the latest drivers.
After JaCarta installations PKI, you need to install CryptoPRO, for this go to the official website.
https://www.cryptopro.ru/downloads
Currently the most latest version CryptoPro CSP 4.0.9944. Run the installer, leave the "Install root certificates" checkbox and click "Install (Recommended)"
Installation of CryptoPRO will be performed in background, after which you will see a proposal to restart the browser, but I advise you to reboot completely.
After reboot, connect your JaCarta USB token. My connection is via the network, from a DIGI device, via . In the Anywhere View client, my Jacarta USB drive is successfully detected, but as Microsoft Usbccid (WUDF), and ideally it should be defined as JaCarta Usbccid Smartcard, but you need to check it anyway, since everything can work like that.
Having opened the Jacarta PKI Unified Client utility, no connected token was found, which means there is something wrong with the drivers.
Microsoft Usbccid (WUDF) is a standard Microsoft driver that is installed by default on various tokens, and sometimes it works, but not always. operating room Windows system by default, sets them in view of its architecture and settings, I personally like this moment this is not necessary. What are we doing, we need to delete Microsoft drivers Usbccid (WUDF) and install drivers for Jacarta media.
Open the manager Windows devices, find the item "Smart card readers" click on Microsoft Usbccid (WUDF) and select "Properties". Go to the "Drivers" tab and click Uninstall
Agree to remove the Microsoft Usbccid (WUDF) driver.
You will be notified that a system reboot is required for the changes to take effect; we must agree.
After rebooting the system, you can see the installation of the ARDS Jacarta device and drivers.
Open the device manager, you should see that your device is now identified as JaCarta Usbccid Smartcar and if you go to its properties, you will see that the jacarta smart card is now using driver version 6.1.7601 from ALADDIN R.D.ZAO, this is how it should be .
If you open the Jacarta unified client, you will see your electronic signature, which means that the smart card has been correctly identified.
We open CryptoPRO, and we see that CryptoPRO does not see the certificate in the container, although all the drivers have been identified as needed. There is one more trick.
- In the RDP session you will not see your token, only locally, that’s how the token works, or I haven’t found how to fix it. You can try following the recommendations to resolve the "Unable to connect to the smart card management service" error.
- You need to uncheck one box in CryptoPRO
BE SURE to uncheck the "Do not use outdated cipher suites" checkbox and reboot.
After these manipulations, CryptoPRO saw my certificate and the jacarta smart card became working, you can sign documents.
You can also see your JaCarta device in devices and printers,
If you, like me, have the jacarta token installed in the virtual machine, then you will have to install the certificate via console virtual machine, and also give the rights to it to the responsible person. If this is a physical server, then you will have to give rights to the management port, which also has a virtual console.
When you have installed all the drivers for Jacarta tokens, you may see the following error message when connecting via RDP and opening the Jacarta PKI Unified Client utility:
- The smart card service is not running on the local machine. The architecture of the RDP session developed by Microsoft does not provide for the use of key media connected to the remote computer, so in the RDP session the remote computer uses the smart card service of the local computer. It follows from this that starting the smart card service inside an RDP session is not enough for normal operation.
- The smart card management service on the local computer is running, but is not available to the program within the RDP session due to Windows settings and/or RDP client.\
How to fix the error "Unable to connect to the smart card management service."
- Start the smart card service on the local machine from which you are initiating the remote access session. Configure it to start automatically when your computer starts.
- Allow the use of local devices and resources during the remote session (particularly smart cards). To do this, in the "Remote Desktop Connection" dialog, in the parameters, select the "Local Resources" tab, then in the " Local devices and resources" click the "More details..." button, and in the dialog that opens, select "Smart cards" and click "OK", then "Connect".
- Make sure your RDP connection settings are safe. By default, they are saved in the file Default.rdp in the "My Documents" directory. Make sure that in this file there was a line "redirectsmartcards:i:1".
- Make sure that the remote computer, to which you are making an RDP connection, is not activated group policy
-[Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card reader redirection]. If it is Enabled, then disable it and reboot the computer. - If you have Windows 7 SP1 or Windows 2008 R2 SP1 installed and you are using RDC 8.1 to connect to computers running Windows control 8 and higher, then you need to install an update for the operating system https://support.microsoft.com/en-us/kb/2913751
This was the troubleshooting for setting up the Jacarta token, CryptoPRO on the terminal server, for signing documents in VTB24 RBS. If you have any comments or corrections, please write them in the comments.
- built-in (valid for 1 year, produced and valid with a signature, does not require entering a license number)
- annual (valid for 1 year, requires entering a license number)
- permanent (perpetual – unlimited in terms of use, requiring entering a license number).
CryptoPro CSP does not see the signature?
Make sure the signature is installed on your computer.
Launch CryptoPro CSP => Service tab => View certificates in container button => Browse button. If the list is empty, try another USB port on your computer. If this does not help, then you need to install the driver in accordance with the media type and the bit depth of the Windows system. The media type is written on the media body: eToken or ruToken, and the system bitness can be viewed by right-clicking on the computer icon and selecting Properties: 32 or 64 bit system Windows.
You can download drivers here.
Does the site/portal not see the signature?
Launch CryptoPro CSP => Service tab => "View certificates in container" button => "Browse" button.
If the signature is undecided, then see the answer to question No. 2 above.
If the signature is determined, then click the “Next” button, then the “Properties” button, open the “Certification Path” tab. The chain of certificates must consist of the Certification Authority and the full name of the owner of the digital signature (certificates should not have crosses or exclamation marks).
If the CA certificate has a red cross, you need to select it, click on it, click View certificate, then click “Install” (in the import wizard you must specify the Trusted Root Certification Authorities store).
If the certificate says Exclamation point The certificate of the certification authority must be downloaded //here and also installed in trusted certification authorities.
If the cross does not disappear, you need to update the version of CryptoPro CSP (for Windows 10 there is //a special version of CryptoPro CSP 4.0)
If the certificate chain is displayed correctly in CryptoPro CSP, it means there is a problem with the InternetExplorer settings (see the answer to question No. 4 below).
Settings Internet Explorer(IE)?
For correct operation InternetExplorer must have a plugin installed to work with electronic signatures (you can download it //here)
InternetExplorer automatic updating must be turned off, otherwise the settings will be lost. You can turn it off in the Help menu => About the program => uncheck Install new versions automatically.
ActiveX settings must be enabled on your computer, this can be done from the Start menu => type in the search bar Internet Options and select this item => in the window that opens, select the Security tab => click on the Trusted sites (nodes) zone so that it is highlighted => then click the Other button (find a list ActiveX controls and connection modules and set the parameter for each to Enable).
We go to a site where an electronic signature is required for work, and add this page in Trusted sites/sites through Internet Options, Security tab, highlighting the Trusted sites/sites zone and clicking the Sites/sites button. The Add button must be active, you need to click on it, on the checkbox: For all sites in this zone, server verification is required (https:), you must uncheck the box. If the Add button is gray (inactive), then the page has already been added to the list of websites and does not need to be added again. Close properties. Refresh the page in the browser with the F5 key. If messages about add-ons appear at the bottom or top of the browser, you need to allow them to run.
I can’t log into the site (the certificate is not matched/authorized)?
Review question No. 3, if the problems are not related to the settings, then when you enter the site you will see a message: The client certificate is not associated with the system user (or the selected electronic signature is not authorized).
It is possible that you have not been accredited on the site; if this is the case, then see //instructions for accreditation on the electronic site. If accreditation is nevertheless passed, but you receive a new signature, for example, due to the fact that the old signature has expired, then it must be linked to your personal account; for this you must fill out an application to add a new user on the site and attach it to the application the following documents:
For a legal entity: either a decision to appoint a manager, if the signature is for the head of the organization, or a power of attorney for an employee of the organization, if the signature is for an employee (in this case, an archive with the decision to appoint a manager and a power of attorney from the manager for the employee is attached to the site). For commercial sites, you may additionally need a copy of the organization’s TIN.
For individual entrepreneurs/individuals: passport, TIN.
Examples of the page for adding participants on popular sites:
Sberbank-AST (in the Members section => Registration => Adding a new user) http://www.sberbank-ast.ru/freeregister.aspx
Order of the Russian Federation (in the Registration section => Registration of a new user of the organization) http://web.zakazrf.ru/Participant/RegistrationUser
MICEX (in the Participants section => Registration of power of attorney) https://app.rts-tender.ru/supplier/lk/Accreditation/EmployeeRequest.aspx
RTS-Tender (button Login => Accreditation => Submit a request to add a new user) https://app.rts-tender.ru/supplier/lk/Accreditation/EmployeeRequest.aspx
Roseltorg – on this site you must first log in using your login and password or using your old, still valid electronic signature; information with the name of the organization and username with icons will appear at the top right. You need to click on the pencil next to the user name, a menu with buttons will appear, among which you need to find the button: Link a new digital signature.
B2b-center - you need to log into your personal account (using your login and password or your old valid signature). Select in personal account Information about the organization => My electronic signatures => Upload a certificate through the tab => Registration of certificates. You must check the checkbox: The certificate is already installed on the computer.
Fabrikant - you need to log into your personal account (using your login and password or your old valid signature). Select the Certificates line in your personal account. Upload the certificate through the Upload a new electronic signature tab.
What is the container password for my signature?
When you use an electronic signature for the first time, a window pops up: Enter the password for the container
The default password is 12345678.
The container password can be changed. If you have a ruToken carrier, then you need to install //the Rutoken control panel. After launching the program, enter the administrator's PIN code in the Administration tab (by default, the administrator's PIN code is 87654321). Next, click the Unblock => Change button, select a user and set a password.
If you have an eToken carrier, then you need to install // the eToken driver in accordance with the bitness of the Windows system (the bitness of the system can be viewed by right-clicking on the computer icon and selecting Properties: 32 or 64 bit Windows). Launch eTokenProperties, click on Detail View (gear icon at the top right). Select the eToken name from the list on the left (the name will be displayed before the eTokenPKIClient Settings line). In the window that appears on the right, you need to click on the icon: Change password (in the form of a pencil and keyboard).
How to register for GIS-Housing and Communal Services?
The GIS Housing and Communal Services service authorizes organizations through the government services portal. Therefore, all accounts must be created on the gosuslugi.ru website. First, you must register the manager as an individual. The created account is activated using an electronic signature issued to the organization. After activation of an individual, you can add an organization. Confirmation is carried out using the same digital signature. If necessary, you can add employees of the organization (they must also have an individual account on the gosuslugi.ru website, confirmed by the same electronic signature). After this, the head of the organization needs to log into his personal account using an electronic digital signature and, having selected the role of the organization, add an employee from the legal entity’s account. In the organization's personal account, the manager can assign administrator rights.
How to understand what type of signature is needed to work on a particular site?
Tell the consultant the exact name of the site ( email address platform) for which you need an electronic signature.
How long does it take to produce an EDS?
An electronic signature is produced within 1 business day after receipt of payment and provision of a minimum package of documents (copies of passport and SNILS).
Is it possible to update an electronic signature remotely without visiting an electronic signature issuing center?
Issuing and re-issuing an electronic signature remotely is impossible. This contradicts the safety requirements established by the current legislation of the Russian Federation. To obtain an electronic signature, it is necessary to verify the identity of the recipient at // any electronic signature issuing center.
How to sign a document using an electronic signature?
Word Documents You can sign with an electronic signature in the following cases:
1. If the document was created in Microsoft Office 2003/2007, then no additional software is required.
2. If the document was created in Microsoft Office 2010/2013, then you will need to install the additional program CryptoARM - this is a program that meets the requirements of Russian legislation in terms of ensuring legal significant status. After signing the document, a file with the .sig extension is created, which clearly confirms the fact that the document was signed.
What is a certificate chain?
The certificate chain is used to confirm the authenticity of the electronic signature certificate. The chain includes certificates of the main certification authority, intermediate certification authorities (including the CA that issued the user's ES certificate) and the user's certificate. If the chain of certificates is not built correctly (in the certificate properties window on the “Certification Path” tab, the certificates of the head and intermediate certification authorities are missing or marked with a cross), then the end-user certificate is considered unreliable and cannot be used.
What is Capicom/Cadescom?
Capicom and Cadescom are extension programs for InternetExplorer. They are necessary to work with electronic signatures in the browser. CryptoPro EDS BrowserPlug-in includes both of these extensions.
How to add a site to trusted nodes (sites)?
In order to add the site of an electronic platform to trusted nodes in the browser, go to the site site through the Internet Explorer browser and open “Browser Options”. On the “Security” tab, click on the “Trusted Sites” zone and click the “Sites” button. Uncheck “All sites in this zone require server verification (https:).” Click the "Add" button, then close the "Trusted Sites" and "Internet Options" windows and refresh the browser page by pressing Ctrl + F5.
How do I enable ActiveX options?
Go to the site's website using the InternetExplorer browser and open the browser properties. On the Security tab, click on the Trusted Sites zone (Trusted Sites in InternetExplorer 8) and click the Other button. In the list of options, find the section “ActiveX controls and plug-ins.” For all options in this section, select Enable. Click “Ok” and confirm the request to save the settings. Close the Internet Options window and refresh the page by pressing Ctrl + F5.
CryptoPro CSP free program?
CryptoProCSP is a paid product. The free trial period for the product is three months from the date of first installation. After this period, you must purchase a license to continue working with the program.
What to do if the license for CryptoPro CSP has expired?
After the CryptoPro CSP license expires, you must purchase a new license. As a rule, the validity period of the license expires along with the validity period of the electronic signature, so you may encounter such a situation extremely rarely. However, if you encounter a problem, then you have a choice of three types of licenses for CryptoProCSP:
- Annual, license validity period is 1 year.
- Indefinite, valid continuously.
- Built into the electronic signature, it is valid for the entire validity period of the electronic signature and cannot be used separately from it.
How to enter the serial number of the CryptoPro CSP license?
To enter the serial number of the CryptoProCSP license, run the program. On the General tab, click the Enter License button. Enter the license number in the Serial Number field.
What should I do if I can’t enter the serial number of my CryptoPro CSP license?
If you are unable to enter the serial number of your CryptoProCSP license, then your serial number does not match the version installed program. The CryptoProCSP license serial number must match the product version. For version 3.9, the serial number must begin with the numbers 3939, for version 4.0 - with the numbers 4040. You must install the version of CryptoProCSP for which your license number is suitable.
How to remove CryptoPro CSP?
Removing CryptoProCSP occurs in two stages. Uninstall the program first standard means, through the “Control Panel”, then run the cspclean.exe utility. After completing the utility, you must restart your computer.
How to update CryptoPro CSP?
To install a newer version of CryptoProCSP, run the installer and confirm the update request. Delete current installed version no product required.
How to copy an electronic signature?
To copy the electronic signature, launch CryptoProCSP, go to the “Service” tab and click the “Copy” button. By clicking Browse, select the signature you want to copy. Click "Ok" then "Next". Enter the name of the container to create. It must differ from the name of the original container by at least one character. Click "Done." In the list of media, select “Registry” and click “OK”. You can set a password for the new container or leave the password fields blank.
In what cases is it necessary to reissue an electronic signature?
Unscheduled reissue is carried out in cases where the data contained in the signature changes. For legal entities such data are: abbreviated name of the legal entity, legal address, INN/KPP/OGRN, user’s full name, position, SNILS and email. For individual entrepreneurs: full name, INN/OGRNIP, registration address, SNILS, email. For Individuals: Full name, INN, registration address, SNILS, email. If the data has changed, you can still use the signature, but it loses legal force, so you may be rejected at electronic auctions with such a signature.
How to reissue a signature?
The procedure for re-issuing (renewing) an electronic signature is the same as for the initial production of an electronic signature. You need to re-submit copies of documents and, upon receipt of a signature, verify your identity in our office.
My CryptoPro CSP license has expired/I can’t enter the license?
CryptoPro CSP is a paid product and requires the purchase of a license. After receiving electronic signature You are given a set of documents with a SKPEP revocation card, which indicates the type of license and serial number, if it was purchased.
The license is:
The built-in license is recognized by versions of CryptoPro CSP 3.9 R4 and all versions 4.0.
The serial number of the annual or permanent license must be entered if this has not been done previously.
The serial number must match the product version. The product version can be viewed in the CryptoPro CSP program on the “General” tab at the top right (4040Х- ХХХХХ- ХХХХХ- ХХХХХ- ХХХХХ for the CryptoPro CSP 4.0 version and 3939Х- ХХХХХ- ХХХХХ- ХХХХХ- ХХХХХ for CryptoPro CSP 3.9).
List of documents for a legal entity:
1. Extract from the Unified State Register of Legal Entities (USRLE) no older than 30 days.
2. Passport
3. Company details
4. SNILS (Insurance certificate of state pension insurance)
5. TIN certificate
List of documents for an Individual Entrepreneur (IP):
1. Extract from the Unified State Register of Individual Entrepreneurs (USRIP)
2. Passport
3. SNILS (Insurance Certificate of State Pension Insurance)
4. TIN certificate
List of documents for an individual:
1. Passport
2. TIN certificate
2. SNILS (Insurance certificate of state pension insurance)
2. A window pops up: "Error! The CAPICOM library cannot be loaded, possibly due to low access rights on this local machine."
If, when working on the website roseltorg.ru, a window pops up: “Error! The CAPICOM library cannot be loaded, possibly due to low access rights on this local machine” You need:
1. Click on the yellow bar under the site address with the text “This website is trying to install the following add-on: “CAPICOM User Download v2.1.0.2” from “Microsoft Corporation”. If you trust this website and add-on and want to install it , click here...";
2. Select "Install ActiveX control";
3. Click on the "Install" button; This procedure must be performed until the window with this message stops popping up (this is individual for each computer). This is a one-time setup.
3. How to install a personal certificate?
Installing a personal certificate (your organization's certificate) can be done in the following way:
Via the "View certificates in container" menu
1. Select Start / Control Panel / CryptoPro CSP, go to the Service tab and click on the button View certificates in a container(see Fig. 1).
Rice. 1. “CryptoPro CSP Properties” window
2. In the window that opens, click the Browse button to select a container to view. After selecting the container, click on the OK button (see Fig. 2).
Rice. 2. Window for selecting a container to view
3. In the next window, click on the Next button.
Rice. 3. “Selected container” window private key»
4. If the version of CryptoPro CSP 3.6 R2 (product version 3.6.6497) or higher is installed, then in the window that opens, click on the Install button, and then respond affirmatively to the notification about replacing the certificate (if it appears).
Rice. 4. Certificate viewing window
5. In the window that appears about the successful installation of the certificate, click OK
Rice. 5. Window “Message about successful certificate installation”
6. then press the ready button
Rice. 6. Window for viewing the selected certificate
5. Close the CryptoPro CSP window by clicking OK
Detailed information on installing the certificate is available at the following link.
4. How to set up email.
Configuring security settings for Outlook Express is carried out according to the following scheme:
1. Select the menu item Tools -> Accounts/ Accounts and open the Mail tab.
2. In the displayed list of accounts, select the one you want to configure and click the Properties button.
3. In the displayed dialog, select the Security tab, which allows the user to specify his personal certificates, which will be used when selecting the user’s personal keys for generating an electronic digital signature and decrypting incoming messages. The certificate selection dialog displays only certificates that have a matching address Email and allowed for email protection
5. In the displayed dialog, select the Security tab:
6. In the displayed dialog, set the following modes:
a. Always encrypt messages when sending encrypted mail . Setting the enable mode allows the sender to decrypt the messages he has sent.
b. Include my digital ID when sending singed messages. Setting this mode to automatically add the sender's certificate to all messages. This mode allows you to exchange certificates using a signed message, and then use the resulting certificates to subsequently encrypt messages between recipients.
c. Send messages with an opaque signature / Encode message before signing. When Message Mode is enabled, all attachments will be combined into a single attachment with a digital signature included. If the mode is disabled, the signature is generated as one separate attachment for all attachments.
d. Automatically add sender certificate to address book/ Add senders certificates to my address book. When enabled, certificates sent as part of a signed message will be automatically added to the address book.
e. Check for revoked Digital Ds:
i. only when online. Installing a verification token means that each operation of generating or verifying an electronic digital signature will be accompanied by a certificate revocation check. To check for revocation, a Certificate Revocation List (CRL) is used, information about the location of which is recorded as an addendum in each user’s certificate. By default, this option is not enabled, and Outlook Express does not track whether user keys have been compromised.
ii. Never/Never.
No revocation check is performed.
5. How to sign a document.
There are 2 types of sending a signed document.
The first way is to sign the document itself and the second is to sign the entire letter.
To create and send a signed message:
1. Click the Create Mail button or select the menu item File -> New -> Mail message.
3. To send a signed message, check the status of the Sign button. It should be pressed and the signed message sign should be visible on the right side of the screen.
4. Once the message is ready to be sent, click on the Send button:
The second method is when the file itself is signed. Plastic bag Microsoft Office allows you to attach digital signatures to a specific document. To do this you need:
1. From the Tools menu, select Options, and then open the Security tab.
2. Click the Digital Signatures button.
3. Click the Add button.
4. Select the certificate you want, and then click OK.
For other data formats, you must use the CryptoArm program.
6. CryptoPro expires.
During installation, the product serial number was not entered according to the license you purchased.
7. Mail does not see the certificate.
When setting up email, at the stage of signing the document, the email does not find the required certificate. This happens when the email address that is specified when producing the digital signature does not match the current email address.
8. When installing CryptoPro at the last step, the system displays a message about the incorrect installation of the program and rolls back. What should I do?
The problem occurs due to incomplete (or incorrect) removal previous version Crypto Pro from a computer. To remove files remaining from the previous version, you must use the CryptoPro clear.bat trace cleaning program. You can download the program from here: ftp://ftp.cryptopro.ru/pub/CSP_3_6/clearing.zip
9. Where can I find the public digital signature signature key?
In all signatures issued by our company, the public key is located inside a container on a secure medium. In order to remove it from the container you need to:
When turned on system unit media Through the CryptoPro program Start à Control Panel à CryptoPro àService à View the certificates in the container. In the dialog box that appears, select the required container through the overview à Next. In the window for viewing digital signature public key data, select properties à “Composition” tab à Copy to file and specify the path to save the certificate.
10. CryptoPro does not see the container on the flash drive. Prompts you to select another media.
Depending on what type of media you use, the solutions are different. If you use smart cards such as Rutoken, MSKey, Etoken, then most likely you do not have the drivers installed to work correctly with the key.
If your key is on a USB 2.0 flash drive, then you need to look at the version of the CryptoPro kernel. If you are using CryptoPro 3.0, then you have lost your way. In order to configure it you need to:
When the media is included in the system unit Through the CryptoPro program Start à Control Panel à CryptoPro à Equipment Configure readers Add. In the Reader Installation Wizard window that appears, select Disk Drive on the right side of the screen (since in CryptoPro everything USB media defined as floppy disks). In the next window, select the correct name of the flash drive, that is, the name under which the flash drive is identified in “My Computer”.
If you are using CryptoPro 3.6 and the container is not visible, then the media is damaged. It should be provided to the office to determine the status of the key.
11. We have received an electronic signature, what to do next? How to register on the trading platform?
The entire procedure for accreditation, filing an application for participation in the auction and conducting the auction itself is described in the operating regulations of a specific electronic trading platform, which can be found on the website of this platform. There are also various supporting video materials and instructions for working in the system. Or you can contact us to purchase our accreditation assistance service on any electronic platform.
12. To check what operating system is installed on your computer
- Go to My Computer in Explorer.
— Right-click on the display and select “Properties” from the menu that appears.
— The window that appears contains information about your system.
13. To find out which version of Internet Explorer is installed on your computer
— Launch Internet Explorer.
— Select Help from the horizontal menu at the top of the browser.
— The window that appears contains information about current version browser.
— Possible option
14. To install a newer version of Internet Explorer 8
— Please indicate in command line the following address:
— In the window presented, click “Download for free.”
— Click “Run” in the window that appears.
- Then click “Run” again.
— When installation is complete, you must restart your computer.
What to do when an error occurs when sending reports in the SBIS++ Electronic Reporting program "A valid client certificate is missing" or "Access denied"? In this case, the report cannot be sent. The first thing that comes to mind is something with a certificate! However, there is no need to panic: you can fix this error yourself by checking the certificate and configuring the readers correctly. To do this, follow our instructions!
Error in SbiS++: The taxpayer "Name" LLC does not have a valid EDS (electronic digital signature) certificate.
Causes:
- Incorrect update systems "SBiS++ Electronic reporting";
- The carrier of the secret key is missing;
- One of the certificates in the certification chain is not dated;
- There is no valid EDS (electronic signature) certificate;
- The media is missing from the added CryptoPro readers.
Solution:
Checking the presence of digital signature on the media, reloading the certificate in SBS++, performing a system check.
Step 1: Checking the availability of digital signature media
First you need to check the presence of a certificate on the media. If the certificate is installed on removable media, then check the presence of media on the computer.
When you are convinced that the media is present on the computer or the certificate is installed in the computer's Registry, you can begin checking CryptoPro.
Step 2: Launch CryptoPro for verification
To check, you need to launch the CryptoPro program from the Control Panel.
If you have Windows XP, then there are two ways:
- Start\Settings\Control Panel\CryptoPro CSP.
If you have Windows Vista or Windows 7, then you need to look for the program here:
- Start\Control Panel\CryptoPro CSP;
- Start\Control Panel\System and Security\CryptoPro CSP.
The CryptoPro program shortcut is shown in Figure 2. Launch the verification program by double-clicking the left mouse button.
Step 3: Launch Administrator Rights
After the CryptoPro program window appears, you need to run it with administrator rights (this does not always happen automatically). To do this, click on the highlighted link in the lower half of the program window “Run with administrator rights.”
After launch, this inscription will disappear - this means that you launched the program with administrator rights. Now you can start checking the digital signature on the media.
Step 4: View the certificate in the container
To view the certificate, go to the service tab.
A window will open asking you to enter a name for the container. To select a certificate, click the Browse button.
A window will appear on your screen asking you to select a container. Select the container and click OK and Next.
Certificate information will appear in the “Certificates in the private key container” window.
If the viewport displays data necessary certificate, you can continue correcting the error. If not, you see the certificate data of another organization on the screen - browse the certificate, selecting other containers until you find necessary certificate. When the certificate is found, click “Finish” and close the CryptoPro window.
Step 5: Configuring Readers
If the required certificate was still not found in the container selection list, you can view the presence of your media in the added CryptoPro readers. To do this, you need to go to the “Equipment” tab in CryptoPro, click on the “Configure readers” button in the “Private key readers” section.
The “Manage Readers” window will open, click the “Add” button to check the media in the added readers.
The “Reader Installation Wizard” will start, in the first window click “Next”, a window will appear asking you to select a reader.
In the right half of the window, in the “Available Readers” section, see if your media is present in this list. If present, select it and click Next and then Finish. If the required reader is not in the list, it means that the media is already in the list of added ones. You can continue checking.
To reload the certificate, open the “SbiS++ Electronic Reporting” program in the main window, where the “Taxpayer Calendar” is located. Select the desired taxpayer in the “Taxpayer” section and click on the “Edit” panel (for an example, see Fig. 12).
Double-click on an employee and delete his valid certificate using the “Delete” key on the keyboard (for an example, see Fig. 14).
After deleting, double-click on the white field in the “Issued to” column. The “Certificate Creation Wizard” will appear, select “Install from media” and click “Next” (see Figure 15 for an example).
In the next window, select “Upload certificate”, a window will appear with the choice of container (for example, see Fig. 16).
If you click on a certificate with one click, all information about the certificate owner will appear. After selecting the certificate, click “Select” and “Finish”.
After completing the previously performed actions, it is advisable to conduct a full system check by clicking on top panel button “Service” and selecting “System check protocol”. During a communication session with an operator, windows may appear asking you to install a certificate; respond to all such offers. "Yes". If the system check protocol ends positively, then the system is ready for reporting. In this case, re-sign the report that you tried to send before the error occurred and send it again.
