Which gives enhanced control over the use of keys. Installation of the CryptoPro CSP distribution kit must be performed by a user with administrator rights.

Until 2018, budgetary organizations worked with electronic digital signatures issued in accordance with GOST R 34.10-2001. Starting from January 1, 2019, a transition to GOST R 34.10-2012 is planned - and CryptoPro CSP began to display a corresponding notification, which is sometimes completely impossible to disable using conventional methods.

We disable the notification about the transition to GOST R 34.10-2012

Recently, the crypto provider CryptoPro CSP began to carefully issue the following warning:

From January 1, 2019, the formation of an electronic signature using ES keys GOST R 34.10-2001 is prohibited. You need to switch to using EP GOST R 34.10-2012 keys. Continue using the EP GOST R 34.10-2001 key?

At the bottom of the window, you can check the box so that this reminder does not appear for a month. However, it also happens that CryptoPro ignores this checkbox and shows the same window every time it is used.

In order to PERMANENTLY disable these notifications, you must do the following:

Windows Vista, Windows Server 2008 and later:

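Create two parameters of type QWORD and set them to the value 1d4a164f03e4000 (hexadecimal). The parameters should be located at the following addresses (the last component is the name of the parameter):

For 64-bit systems:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_gen_2001

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_sign_2001

For 32-bit systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_gen_2001

HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_sign_2001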

Windows XP or Windows Server 2003:

Create two parameters of type DWORD and set them to ffffffffff (hexadecimal). The parameters should be located at the following addresses (the last component is the name of the parameter):

For 64-bit systems:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_gen_2001

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_sign_2001

For 32-bit systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_gen_2001

HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\warning_time_sign_2001

Linux:

On Linux operating systems, you need to add two keys to the configuration file, which is located at the following address:

For 64-bit systems:

/etc/opt/cprocsp/config64.ini

For 32-bit systems:

/etc/opt/cprocsp/config.ini

The keys must be located in the already existing Parameters section, and must have the following content:

warning_time_gen_2001=ll:131907744000000000

warning_time_sign_2001=ll:131907744000000000
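An added example (not from the original article or from CryptoPro): a small Python audit that finds these two keys in the Parameters section of a configuration file and decodes their value, so an administrator can see on which hosts the warning has been suppressed. It assumes `[Section]` headers, `#` comment lines and case-insensitive key names, and it assumes the value is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); under that reading the Linux value and the Windows QWORD 1d4a164f03e4000 are the same instant. The sample file content is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEYS = ("warning_time_gen_2001", "warning_time_sign_2001")

# Constructed sample content, not a dump of a real config64.ini.
SAMPLE_INI = """\
[Parameters]
# constructed comment line
warning_time_gen_2001=ll:131907744000000000
warning_time_sign_2001=ll:131907744000000000

[Other]
warning_time_gen_2001=ll:1
"""


def filetime_to_utc(ticks):
    """Read a 64-bit value as 100 ns ticks since 1601-01-01 UTC (assumption)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_parameters(ini_text):
    """Return {key: int} for the two keys inside the Parameters section only."""
    found, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "parameters" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Key names are compared case-insensitively (assumption).
        if key.lower() in KEYS and re.fullmatch(r"ll:\d+", value):
            found[key.lower()] = int(value[3:])
    return found


def audit(ini_text):
    """List (key, raw value, decoded UTC time) for each key that is present."""
    params = parse_parameters(ini_text)
    return [(k, params[k], filetime_to_utc(params[k]).isoformat())
            for k in KEYS if k in params]


def windows_qword(hex_text):
    """Convert the hexadecimal QWORD text used on Windows to an integer."""
    return int(hex_text, 16)


if __name__ == "__main__":
    for key, raw, when in audit(SAMPLE_INI):
        print(f"{key}: {raw} -> {when}")
    print(windows_qword("1d4a164f03e4000") == 131907744000000000)
```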


How to install CryptoPro on a computer, installing CryptoPro 4.0

CryptoPro CSP is a crypto provider that ensures the legal significance of electronic documents and protects connections. It is the key product among CryptoPro products. Most questions arise about how to install CryptoPro CSP. We suggest that you read the information below to install the program correctly. To install this software on a computer, the user must have administrator rights. Insert the disk with the software into the drive, or select the distribution folder on the computer. After launching the Installation Wizard, select the language to use. During installation, it is also possible to select the protection level (class).

Further installation is carried out in accordance with the choice of actions specified by the Installation Wizard. Thus, you may need to specify a serial key, configure additional sensors, and adjust CIPF to use the key storage service. Installation can be complete or selective, depending on the user’s tasks. Custom installation will help you install additional required components. After installation, it is advisable to restart the computer for the program to work correctly.

Installation of CIPF CryptoPro CSP


Installation of the CryptoPro CSP CIPF distribution must be carried out by a user with administrator rights.

To install, insert the CD into the drive.

Figure 1. Installation of CIPF CryptoPro CSP

Select the installation language that is convenient for you and the distribution that matches the operating system you are using.

Before starting the installation wizard, a dialog box appears in which you can select the security level (the Options button).


Figure 2. Starting installation

CIPF CryptoPro implements protection classes KS1, KS2, KS3 in accordance with the requirements of the FSB of Russia.

Figure 3. Selecting a security level

Specify the required security level if it is different from the default. After this, you can proceed to the installation wizard.


Figure 4. Welcome window of the installation wizard


If an earlier version of the CryptoPro CSP CIPF was installed on the machine, information about the updated version will appear in the window:

Figure 5. Installation with component replacement

To continue installing CryptoPro CSP, click Next.

Carefully read the license agreement that is displayed during the first installation.

Further installation is carried out in accordance with the messages issued by the wizard.

During the installation process you may be prompted to:

  • enter the serial number of the crypto provider's license;
  • register additional key information readers;
  • configure additional random number sensors (for levels KS2 and KS3);
  • configure the crypto provider to use the key storage service (for the KS1 level).

These parameters can be changed after installation is complete through the CryptoPro CSP properties panel.

For CryptoPro CSP to work correctly, after installation is complete, you must restart the computer if the user is prompted to reboot.

During the installation process, the wizard may suggest choosing the most suitable type of installation.


Figure 6. Selecting the installation type

By default (“Typical” installation type), only the main files for CIPF operation are installed (for Windows Server 2008, the “CSP Driver Library” is also installed by default). If necessary, you can change the set of components for installation:


Figure 7. Custom installation

Extended Product Compatibility – Provides compatibility with applications such as Microsoft Office, Outlook Express. Required to log in using smart cards.

Key Storage Service – Provides storage, use and caching of keys in a separate OS service. Enabled by default for security levels KS2 and KS3.


Revocation Provider - A mechanism for checking the current status of a certificate using OCSP. It is an addition to the standard Windows mechanism for checking certificate status based on a certificate revocation list (CRL). In addition, it provides the ability to use CRLs issued according to the rules described in RFC 3280.

OS kernel level crypto provider – Required for the crypto provider to work in Windows services and kernel (TLS server, EFS, IPsec).

Compatible with CryptoPro CSP 3.6 - Registers provider names compatible with CryptoPro CSP 3.6. Only necessary if there are certificates installed with CryptoPro CSP 3.6 in the “Personal” storage.

Compatible with CryptoPro CSP 3.0 - Registers provider names compatible with CryptoPro CSP 3.0. Only necessary if there are certificates installed with CryptoPro CSP 3.0 in the “Personal” storage.


After clicking Next, the installation wizard prompts you to schedule or cancel the installation of reader support libraries, as well as to decide whether to enable the functionality for accumulating information about used removable key media. You also need to enable the enhanced key control mode. This mode monitors the validity period of long-term electronic signature and key exchange keys, checks that electronic signature verification keys are trusted, and checks the correct use of the software random number sensor. The use of CIPF CryptoPro CSP 4.0 without enabling the enhanced key control mode is permitted for test purposes only.


Figure 8. Setting up enhanced key control

When CIPF is installed with the enhanced key usage control mode enabled, data from the random number sensor will be requested. If the data cannot be obtained, a window is displayed, an example of which is shown in Figure 9. In this case, when the user starts working in a system with CryptoPro CSP 4.0 CIPF installed, it is necessary to check that at least one physical random number sensor is registered (for example, a biological random number sensor, an external gamma or a hardware RNG), and run the command:

csptest.exe -keyset -verifycontext -hard_rng

After completing the installation of CIPF with the enhanced key usage control mode enabled, it is necessary to install trusted root certificates in the local computer certificate store CryptoProTrustedStore (“CryptoPro CSP Trusted Roots”) using the Certificates snap-in or the certmgr.exe utility:


certmgr.exe -inst -cert -silent -store mCryptoProTrustedStore -file ca.cer

After this, you should restart the computer.

Figure 9. Error window for receiving data from a random number sensor when installing CIPF.

The developer's website explains what CryptoPro is: it is the name of a cryptographic information protection tool (CIPF). This program protects information through encryption and the creation of electronic signatures (ES). These certificates confirm the importance and status of electronic documents when working:

  • with electronic platforms;
  • electronic reporting;
  • client-banks;
  • when exchanged between users on the network.

Cryptographic protection is based on the implementation of national standards in this area:

  1. GOST R 34.10-2012 (replaces 34.10-2001) on digital signature.
  2. GOST R 34.11-2012 (replaced 34.11-94) on hashing.
  3. GOST 28147-89 on the cryptographic transformation algorithm.

The company has introduced CryptoPro Cryptographic Service Provider (CSP) software modules that are compatible with the Microsoft interface. The developer forum states that you can install CryptoPro CSP for free if you do not perform operations with private keys, for example:

  • generation of private keys;
  • signing or decrypting data.

It turns out that installing CryptoPro CIPF for free means not entering the serial number.

Electronic signature certificate service

From the services available in electronic form, install the CryptoPro EDS certificate. Obtain a legally binding signature that will verify, encrypt and decrypt documents in electronic form using a certificate.

Through the “Services” tab, open the “Electronic Signature Service”.

If this service is activated, installation of the CryptoPro EDS key is not required. The system stores the key and the necessary set of cryptographic operations.

If you store the digital signature key at the user's workplace, contact the Certification Center for service.

To work with the electronic signature certificate in electronic download format, download the distribution kit.

Obtain manuals from the developer. The manufacturer asks you to register. If your email and password are already in the database, enter them to log in.

Before loading again, the site will make sure that it is ready to enter into a license agreement.

When you agree and start working with the electronic signature certificate (EPS) service, the function of working through the company’s Certification Center is enabled. A signature verification key certificate is created in it.

As part of this CryptoPro service, a certificate is not installed on your computer. The use of an electronic signature key certificate is confirmed by the owner when entering a one-time password with an individual PIN code for access to the key container.

The ES key certificate is created in a non-exportable format. It is not available for use on removable media (and the user's desktop).

When to reinstall

If you replace the demo program with the main one or upgrade to the next version of the distribution, reinstall CryptoPro. Make sure your computer has licenses or certificates. If not, save them.

By launching the menu of an existing program with system administrator functions, remove the previous program in the standard way. If you cannot remove the program correctly through the installation and removal panel, use the distribution kit. In an emergency, remove it using the CryptoPro utility.

The utility is suitable for all versions of CSP. To perform cleaning, run the cspclean.exe file, restart your computer, and run the utility again.

Now install the new product.

How to install CryptoPro

To download and verify an electronic signature on web pages using CryptoPro CSP, you will need a plugin. Here are instructions on how to install the CryptoPro EDS Browser plug-in to work on an electronic platform:

Step 1. Download the current version of the plugin.

Step 2. Run the executable file cadesplugin.exe.

Step 3. Confirm installation.

Step 4. If prompted, allow changes to be made by clicking Yes.

Step 5. Wait for the installation to complete.

Step 6. Once the installation is complete, click OK.

There are several versions of the program. The distribution package can be purchased:

  • from the manufacturer or from an official dealer on a tangible medium;
  • on the website of the manufacturer or official dealer.

From the description we can conclude which operating systems the program is compatible with. Let's make sure that the required functionality has a certificate.

In the “Products” tab, select the “Certificates” section. Let's take a look at the description.

Once you have a preference for a particular version, get an idea of the potential costs. A price list for services for obtaining licenses and company certificates has been published as of August 2020. For example, annual technical support at a workplace costs 850 rubles, and installation or updating at a workplace or server costs 5,500 rubles.

How to work with CryptoPro

Having the necessary information, we use the program in demo mode. Here are instructions on how to use CryptoPro for free:

Step 1. Upload files through the products and the CIPF tab of CryptoPro CSP.

Step 2. We see a message about restricted access. Let's pre-register and answer a few questions.

Step 3. Fill out the fields and send a registration request, take further actions on the next page. Please note the message about the period of use of the demo version: 90 days from the date of installation. The transfer of rights to use is acquired in the form of a license. The demo version is designed to work during the initial installation of the product. If you try again, the download will not happen.

Step 4. Select the distribution that matches the computer’s operating system and download it. Loads quickly. Launch the program file with the extension .exe. Security software will alert you when changes are made to your computer. If you agree, click “Install”. The module is loading.

After installing the latest version, work with the program immediately. If you downloaded previous versions, restart your computer immediately or delay this action.

In accordance with the procedure adopted in 2014 for the transition to GOST R 34.10-2012 until January 1, 2019, an attempt to use GOST R 34.10-2001 (except for signature verification) on all certified versions of CryptoPro CSP 3.9 and 4.0 released to date will, from January 1, 2019, cause an error or warning (depending on the product and operating mode).

But, due to the postponement of the transition to GOST R 34.10-2012 until January 1, 2020, to continue working in accordance with GOST R 34.10-2001, use the following recommendations:

To disable warnings about the need to switch to GOST R 34.10-2012 when generating keys and signatures in accordance with GOST R 34.10-2001 in CryptoPro CSP, open the Registry Editor.

To do this:

  • press the key combination Win+R on your keyboard. In the window that opens, enter regedit and press “OK”;

  • or, in the Start menu, enter regedit in the search bar and run the program that is found.

The “Registry Editor” window opens.

When working with:

  • a 64-bit Windows operating system later than XP\Windows Server 2003, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\

  • a 32-bit Windows operating system later than XP\Windows Server 2003, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\

Create the following parameters:

Warning_time_gen_2001

Warning_time_sign_2001

of type QWORD, and set them to ffffffffffffff (hexadecimal).

To create a parameter:

  • in the “Edit” menu, click “Create” and select “QWORD (64 bits) parameter”;

  • or right-click, click “Create” and select “QWORD (64 bits) parameter”.

Enter the required name.

Right-click the parameter and select “Change”. In the window that opens, enter the desired value and click “OK”.

When working with:

  • a 64-bit Windows XP\Windows Server 2003 operating system, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\

  • a 32-bit Windows XP\Windows Server 2003 operating system, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\

Create the following parameters:

Warning_time_gen_2001

Warning_time_sign_2001

of type DWORD, and set them to ffffffffff.

To create a parameter:

  • in the “Edit” menu, click “Create” and select “DWORD value (32 bits)”;

  • or right-click, click “Create” and select “DWORD (32 bits) parameter”.

Enter the required name.

Right-click the parameter and select “Change”. In the window that opens, enter the desired value and click “OK”.

To apply settings for these parameters in CryptoPro CSP 4.0 (KS1 in key storage service mode or KS2) before build 4.0.9959, you need to restart the CryptoPro CSP service (cpcsp).

Recommendations for postponing the date on which work under GOST R 34.10-2001 is blocked, for users of CryptoPro CSP 4.0 operating in enhanced key control mode

To postpone the date (January 1, 2019) from which work under GOST R 34.10-2001 is blocked in CryptoPro CSP 4.0 R3, open the Registry Editor.

To do this:

  • press the key combination Win+R on your keyboard. In the window that opens, enter regedit and press “OK”;

  • or, in the Start menu, enter regedit in the search bar and left-click the program that is found.

The “Registry Editor” window opens.

When working with:

  • a 64-bit Windows operating system later than XP\Windows Server 2003, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\

  • a 32-bit Windows operating system later than XP\Windows Server 2003, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\

Create the following parameter:

forbid_time_sign_2001

of type QWORD, and set it to ffffffffffffff (hexadecimal).

To create a parameter:

  • in the “Edit” menu, click “Create” and select “QWORD (64 bits) parameter”;

  • or right-click, click “Create” and select “QWORD (64 bits) parameter”.

Enter the required name.

Right-click the parameter and select “Change”. In the window that opens, enter the desired value and click “OK”.

When working with:

  • a 64-bit Windows XP\Windows Server 2003 operating system, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Crypto Pro\Cryptography\CurrentVersion\Parameters\

  • a 32-bit Windows XP\Windows Server 2003 operating system, go to the section:

    HKEY_LOCAL_MACHINE\SOFTWARE\Crypto Pro\Cryptography\CurrentVersion\Parameters\

Create the following parameter:

forbid_time_sign_2001

of type DWORD, and set it to ffffffff.

To create a parameter:

  • in the “Edit” menu, click “Create” and select “DWORD value (32 bits)”;

  • or right-click, click “Create” and select “DWORD (32 bits) parameter”.

Enter the required name.

Right-click the parameter and select “Change”. In the window that opens, enter the desired value and click “OK”.

To apply the settings for these parameters in CryptoPro CSP (KS1 in key storage service mode or KS2), you need to restart the CryptoPro CSP service (cpcsp).

Recommendations were presented by the developer of the CIPF “CryptoPro CSP” and published on the official website of this product.