How to copy an electronic signature from the registry to a medium? Copying using CryptoPro CSP. How to open an electronic signature on a flash drive
The article answers the questions “What does an electronic signature look like?” and “How does a digital signature work?”, reviews its capabilities and main components, and gives visual step-by-step instructions for signing a file with an electronic signature.
What is an electronic signature?
An electronic signature is not an object that can be picked up, but a requisite (attribute) of a document that confirms that the digital signature belongs to its owner and records the state of the information/data (presence or absence of changes) in the electronic document from the moment of its signing.
For reference:
The abbreviated name (according to Federal Law No. 63) is EP, but the outdated abbreviation EDS (electronic digital signature) is used more often. This, for example, makes Internet searches easier, since EP can also mean an electric stove, a passenger electric locomotive, etc.
According to the legislation of the Russian Federation, a qualified electronic signature is the equivalent of a signature affixed “by hand”, which has full legal force. In addition to qualified digital signatures, there are two more types of digital signatures available in Russia:
- unqualified - ensures the legal significance of the document, but only after the conclusion of additional agreements between the signatories on the rules for the use and recognition of digital signatures, allows you to confirm the authorship of the document and control its immutability after signing,
- simple - does not give the signed document legal significance until additional agreements are concluded between the signatories on the rules for the use and recognition of digital signatures and without complying with the legally established conditions for its use (a simple electronic signature must be contained in the document itself, its key must be used in accordance with the requirements of the information system where it is used, etc., in accordance with Federal Law No. 63, Article 9); it does not guarantee the immutability of the document from the moment of signing, but allows you to confirm authorship. Its use is not permitted in cases related to state secrets.
Electronic signature capabilities
For individuals, digital signature provides remote interaction with government, educational, medical and other information systems via the Internet.
An electronic signature gives legal entities permission to participate in electronic trading, allows you to organize legally significant electronic document management (EDF) and submit electronic reporting to regulatory authorities.
The opportunities that a digital signature provides to users have made it an important part of everyday life for both ordinary citizens and company representatives.
What does the phrase “an electronic signature has been issued to the client” mean? What does the digital signature look like?
The signature itself is not an object, but the result of cryptographic transformations of the document being signed, and it cannot be “physically” issued on any medium (token, smart card, etc.). It also cannot be seen in the literal sense of the word; it does not look like a pen stroke or a figurative imprint. We will explain what an electronic signature “looks like” a little below.
For reference:
A cryptographic transformation is an encryption that is built on an algorithm that uses a secret key. The process of restoring the original data after cryptographic transformation without this key, according to experts, should take longer than the validity period of the extracted information.
Flash media is a compact storage medium that includes flash memory and an adapter (USB flash drive).
A token is a device whose body is similar to that of a USB flash drive, but whose memory is password protected. The token contains the information needed to create a digital signature. To work with it, you need to connect it to a USB port of your computer and enter a password.
A smart card is a plastic card that allows you to carry out cryptographic operations using a microcircuit built into it.
A SIM card with a chip is a mobile operator's card equipped with a special chip on which a Java application that expands its functionality is securely installed at the production stage.
How should we understand the phrase “an electronic signature has been issued,” which is firmly entrenched in the colloquial speech of market participants? What does an electronic signature consist of?
The issued electronic signature consists of 3 elements:
1 - an electronic signature tool, that is, the technical means needed to implement a set of cryptographic algorithms and functions. This can be a crypto provider installed on the computer (CryptoPro CSP, ViPNet CSP), an independent token with a built-in crypto provider (EDS Rutoken, JaCarta GOST), or an “electronic cloud”. You can read more about digital signature technologies related to the use of the “electronic cloud” in the next article of the Unified Electronic Signature Portal.
For reference:
A cryptographic provider is an independent module that acts as an “intermediary” between the operating system, which manages it using a certain set of functions, and the program or hardware system that performs cryptographic transformations.
Important: the token and the qualified digital signature on it must be certified by the FSB of the Russian Federation in accordance with the requirements of Federal Law No. 63.
2 - a key pair, which consists of two impersonal sets of bytes generated by the electronic signature tool. The first of them is the electronic signature key, which is called “private”. It is used to form the signature itself and must be kept secret. Placing a “private” key on a computer or flash media is extremely unsafe, placing it on a token is somewhat unsafe, and keeping it on a token/smart card/SIM card in non-extractable form is the most secure. The second is the electronic signature verification key, which is called “public”. It is not kept secret, is uniquely tied to the “private” key and is needed so that anyone can verify the correctness of the electronic signature.
3 - an EDS verification key certificate issued by a certification center (CA). Its purpose is to associate the anonymized set of bytes of a “public” key with the identity of the owner of the electronic signature (a person or an organization). In practice, it looks like this: for example, Ivan Ivanovich Ivanov (an individual) comes to the certification center, presents his passport, and the CA issues him a certificate confirming that the declared “public” key belongs to Ivan Ivanovich Ivanov. This is necessary to prevent a fraudulent scheme in which an attacker intercepts the “public” key while it is being transmitted and replaces it with his own. This would give the criminal the opportunity to impersonate the signer: by intercepting messages and making changes, he would be able to confirm them with his own digital signature. That is why the role of the electronic signature verification key certificate is extremely important, and the certification center bears financial and administrative responsibility for its correctness.
In accordance with the legislation of the Russian Federation, there are:
- an “electronic signature verification key certificate”, which is generated for an unqualified digital signature and can be issued by a certification center;
- a “qualified electronic signature verification key certificate”, which is generated for a qualified digital signature and can only be issued by a CA accredited by the Ministry of Telecom and Mass Communications.
Broadly speaking, electronic signature verification keys (sets of bytes) are technical concepts, while a “public” key certificate and a certification authority are organizational concepts. After all, the CA is a structural unit that is responsible for matching “public” keys to their owners as part of its financial and economic activities.
To summarize the above, the phrase “an electronic signature has been issued to the client” consists of three components:
- The client purchased an electronic signature tool.
- He received a “public” and “private” key, with the help of which the digital signature is generated and verified.
- The CA issued the client a certificate confirming that the “public” key from the key pair belongs to this particular person.
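The three components above, modelled as an added example (not code from the portal or from any crypto provider): a key pair signs a document, and a CA-signed certificate ties the “public” key to its owner, so a substituted key is rejected. It uses toy textbook RSA over SHA-256 so that it runs on the Python standard library alone, not the algorithms of a real signature tool; all function names, seeds and documents are constructed for illustration.

```python
import hashlib
import random

E = 65537  # public exponent

def _is_prime(n, rng, rounds=24):
    """Miller-Rabin primality test, sufficient for a demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base proves n composite
    return True

def make_key_pair(seed):
    """Toy RSA pair ((n, e), (n, d)); seeded only so the demo is repeatable."""
    rng = random.Random(seed)
    primes = []
    while len(primes) < 2:
        p = rng.getrandbits(256) | (1 << 255) | 1
        if p % E != 1 and p not in primes and _is_prime(p, rng):
            primes.append(p)
    p, q = primes
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(_digest(data), d, n)  # only the private key holder can compute this

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data)

def _binding(owner, public):
    return f"{owner}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, owner, public):
    """The CA signs the statement 'this public key belongs to this owner'."""
    return {"owner": owner, "public": public,
            "ca_signature": sign(ca_private, _binding(owner, public))}

def check_document(ca_public, cert, expected_owner, data, signature):
    """Check the certificate first, then the document signature."""
    if not verify(ca_public, _binding(cert["owner"], cert["public"]), cert["ca_signature"]):
        return "certificate not issued by the trusted CA"
    if cert["owner"] != expected_owner:
        return "certificate belongs to someone else"
    if not verify(cert["public"], data, signature):
        return "document altered or signed with another key"
    return "valid"

def demo():
    owner = "Ivan Ivanovich Ivanov"
    ca_pub, ca_priv = make_key_pair(1)
    user_pub, user_priv = make_key_pair(2)
    other_pub, other_priv = make_key_pair(3)  # a third party's own key pair
    doc, changed = b"Pay 100 rubles", b"Pay 900 rubles"  # constructed documents
    cert = issue_certificate(ca_priv, owner, user_pub)
    sig, other_sig = sign(user_priv, doc), sign(other_priv, changed)
    swapped = dict(cert, public=other_pub)  # "public" key replaced in transit
    return {
        "genuine": check_document(ca_pub, cert, owner, doc, sig),
        "edited": check_document(ca_pub, cert, owner, changed, sig),
        "bare_key_swap": verify(other_pub, changed, other_sig),  # a bare key names no owner
        "cert_key_swap": check_document(ca_pub, swapped, owner, changed, other_sig),
    }
```

A bare “public” key verifies whatever was signed with its matching “private” key, which is why the last check relies on the CA's signature over the owner name and key together.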
Security issue
Required properties of signed documents:
- integrity;
- reliability;
- authenticity (“non-repudiation” of the authorship of information).
They are provided by cryptographic algorithms and protocols, as well as software and hardware-software solutions based on them for generating an electronic signature.
With a certain degree of simplification, we can say that the security of an electronic signature and the services provided on its basis is based on the fact that the “private” keys of the electronic signature are kept secret, in a protected form, and that each user responsibly stores them and does not allow incidents.
Note: when purchasing a token, it is important to change the factory password, so that no one except its owner will be able to access the digital signature mechanism.
How to sign a file with an electronic signature?
To sign a file with a digital signature, there are several steps to follow. As an example, let's look at how to put a qualified electronic signature on a trademark certificate of the Unified Electronic Signature Portal in .pdf format. You need to:
1. Right-click the document, then select the crypto provider (in this case CryptoARM) and the “Sign” item.
2. Go through the crypto provider's dialog boxes:
At this step, if necessary, you can select a different file to sign, or skip this step and go directly to the next dialog box.
The Encoding and Extension fields do not require editing. Below you can choose where the signed file will be saved. In the example, a document with digital signature will be placed on the desktop.
In the “Signature Properties” block, select “Signed”; if necessary, you can add a comment. The remaining fields can be excluded/selected as desired.
Select the certificate you need from the certificate store.
After checking that the “Certificate Owner” field is correct, click the “Next” button.
In this dialog box, the final check of the data required to create an electronic signature is carried out, and then after clicking on the “Finish” button, the following message should pop up:
Successful completion of the operation means that the file has been cryptographically converted and contains requisites that record the immutability of the document after it is signed and ensure its legal significance.
So, what does an electronic signature on a document look like?
For example, we take a file signed with an electronic signature (saved in .sig format) and open it through a crypto provider.
Desktop fragment. Left: file signed with digital signature, right: crypto provider (for example, CryptoARM).
The electronic signature is not visualized in the document itself when it is opened, because it is a requisite. But there are exceptions: for example, the electronic signature of the Federal Tax Service on an extract from the Unified State Register of Legal Entities/Unified State Register of Individual Entrepreneurs received via the online service is conditionally displayed on the document itself. The screenshot can be found at
But what does an EDS “look like” in the end, or rather, how is the fact of signing indicated in the document?
By opening the “Manage signed data” window through the crypto provider, you can see information about the file and signature.
When you click on the “View” button, a window appears containing information about the signature and certificate.
The last screenshot clearly shows what a digital signature on a document looks like “from within”.
The article was prepared by the editors of the Unified Electronic Signature Portal website using materials from SafeTech.
If the electronic signature was issued to the PC registry, then you can copy it to a medium using the following instructions.
Step 1. Open CryptoPro and go to the “Service” tab, then click on the “Copy” button as shown in the instructions.
Step 2. In the window that appears, click the “Browse” button to select the electronic signature container you need to copy.
Step 3. In the list of existing containers that appears, select the container you want to copy to the media and click the “OK” button.
Step 4. Confirm the action by clicking the “Next” button in the window that appears.
Step 5. In the window that appears, specify the name of the new container that will be created on the media. The name in the field is entered automatically, so you can simply leave it unchanged. Click the "Done" button.
Step 6. A media selection window will appear. Select the desired medium from the list to which you want to copy the electronic signature. In order to understand which media to select from the list, look at the “Inserted media” field: it will either say “Media is missing,” which means you have selected a non-existent media, or the media name will appear similar to the name in the screenshot. Select and click OK.
Step 7. Once you select the media, a window will appear to enter the PIN code for the new electronic signature container. We recommend entering the standard PIN code “12345678”, because clients often forget or lose their PIN codes, after which the electronic signature has to be reissued. You can set your own (different) PIN if you are sure that you will not lose it. After entering the PIN code, click the "OK" button.
Done. The electronic signature container has now been copied to the selected medium and you can use it.
Often people who use electronic digital signatures for their needs need to copy the CryptoPro certificate to a flash drive. In this lesson we will look at various options for performing this procedure.
By and large, the ways of copying a certificate to a USB drive fall into two groups: using the internal tools of the operating system and using the functions of the CryptoPro CSP program. Next we will look at both options in detail.
Method 1: CryptoPro CSP
First of all, let's look at the copying method using the CryptoPro CSP application itself. All actions will be described using the Windows 7 operating system as an example, but in general the presented algorithm can be used for other operating systems of the Windows family.
The main condition for copying a container with a key is that it was marked as exportable when it was created on the CryptoPro website. Otherwise, the transfer will not be possible.
- Before you begin, connect the USB flash drive to your computer and open the system "Control Panel".
- Open section "System and Security".
- In this section, find the item "CryptoPro CSP" and click on it.
- A small window will open where you need to go to the "Service" tab.
- Next, click the button "Copy...".
- A window for copying the container will appear, where you need to click on the button "Browse…".
- A container selection window will open. Select from the list the name of the one from which you want to copy the certificate to a USB drive, and click "OK".
- The authentication window will then be displayed, where in the field "Enter password" you need to enter the passphrase that protects the selected container. After filling out the specified field, click "OK".
- After this, you return to the main window for copying the private key container. Please note that in the key container name field the expression "-Copy" will be automatically added to the original name. If you wish, you can change the name to any other, although this is not necessary. Then click the button "Done".
- Next, a window for selecting a new key media will open. In the list presented, select the drive with the letter that corresponds to the desired flash drive. After that press "OK".
- In the authentication window that appears, you will need to enter an arbitrary password for the container twice. It can either match the passphrase of the source container or be completely new. There are no restrictions on this. After entering, click "OK".
- After this, an information window will be displayed with a message that the container with the key was successfully copied to the selected media, that is, in this case, to a flash drive.
Method 2: Windows Tools
You can also transfer the CryptoPro certificate to a flash drive using only the tools of the Windows operating system, by simply copying it via "Explorer". This method is only suitable when the header.key file contains a public certificate. As a rule, its size is then at least 1 KB.
As in the previous method, the description uses the Windows 7 operating system as an example, but in general the steps are also suitable for other OSes in this line.
At first glance, transferring a CryptoPro certificate to a flash drive using operating system tools is much simpler and more intuitive than working through CryptoPro CSP. But it should be noted that this method is only suitable when copying a public certificate. Otherwise, you will have to use the program for this purpose.
An electronic signature is usually issued either on a flash drive, or on a token, or on a floppy disk. Working with it is easy, regardless of the selected media type: the software interface is clear, and problems in use rarely arise. Convenience and ease of use make the electronic signature accessible even to people who do not have technical skills or experience working with complex programs.
Before starting to use the digital signature, the user must make sure that he has all the necessary tools on his PC. These include:
- crypto provider;
- private key and digital signature certificate;
- configured workplace.
A crypto provider is special software responsible for cryptographic algorithms. It is necessary to create, verify, encrypt and decrypt digital signatures. The data is stored on an encrypted flash drive, which the crypto provider accesses when performing operations.
Setting up a workplace is one of the most important processes in the preparatory work for using an electronic digital signature. This includes installing a certification authority certificate, as well as setting up and installing a key certificate and a cross-certificate of the Ministry of Telecom and Mass Communications. You also need to configure the browser so that it allows you to carry out all the required operations. This involves installing the necessary plugins and add-ons.
How to use digital signature from a flash drive
Learning to work with a digital signature is not difficult: the process takes only a few minutes and consists of performing simple steps in sequence.
Digital signature setup
Using an electronic signature from a flash drive is not difficult: first, the media must be connected to the computer. When the flash drive is displayed in the system, you need to select “CryptoPro” - “Equipment” - “Configure readers”:
The new window should have menu items such as “All smart card readers” and “All removable drives”:
If for some reason they are missing, then you must:
- in the “Configure readers” tab, click “Add” and “Next”;
- in the new window select “All manufacturers”;
- then select “All smart card readers” and click “Finish”.
The signature is ready to use, and the signing process depends on the type of document.
Signing MS Word documents
In the required file, the user opens:
- “Information” - “Add digital signature”;
- selects the generated signature, adds a comment if necessary, and clicks “Sign”;
- if there are no errors, the system displays the message:
Signing a document via the CryptoPro plugin using a digital signature from a flash drive is similar to the previous method:
- the user opens the desired document, selects the menu item “File” - “Add digital signature”;
- then selects the desired signature and adds it to the document, completing the action by clicking “Sign”.
If there are no errors, the plugin will display a message indicating that the document was successfully signed.
Generating a signature for PDF documents also takes place in several stages. In the first, the user opens the required file and goes to the “Certificates” section through the “Tools” panel:
Then click on “Sign” and select the area where it will be located:
After this, in the window with a set of digital details, the user selects the one he needs and clicks “Continue”:
A new window will open with a preview of the electronic signature:
If everything is correct, then the user completes the action through the “Sign” button. After signing the document, if there are no errors, a message indicating the successful completion of the process is displayed.
Using a flash drive as an electronic key
A flash drive can be used as an analogue of an electronic digital signature with the help of a PAM module. Its task is to check each inserted medium against the stored data. Depending on the result of the check, data or access to the system is blocked.
A flash drive used as an electronic key works like this: every successful login to the system starts the process of overwriting the data stored in the backup part. During the next login, the system compares the brand, serial number, backup storage and manufacturer data.
To configure the PAM module you need to:
- install the libpam_usb.so library and utilities needed to manage the module;
- insert a flash drive into the USB port, collect and record all information about the media for subsequent user identification;
- enter a command assigning the name of the flash drive to the user account;
- run a data validation check;
- give the pam_usb module the right to control the system. If no suitable media is found, the system must prompt you to enter a password and login, or block the login.
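A simplified model of the check described above, added here as an illustration and not pam_usb's own code: the drive's fixed attributes are compared together with data that is rewritten after every successful login, so an earlier copy of the drive stops matching. The class names, device values and result strings are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass
class FlashDrive:
    vendor: str
    model: str
    serial: str
    pad: bytes = b""  # rewritable data kept on the drive (pam_usb calls it a one-time pad)


class UsbLogin:
    """Model of the check: fixed attributes plus data rewritten at each login."""

    def __init__(self, fallback_to_password=True):
        # True models "prompt for login and password", False models "block the login".
        self.fallback_to_password = fallback_to_password
        self.enrolled = {}  # user -> (vendor, model, serial, expected pad)

    def _rotate(self, user, drive):
        # Write fresh random data to the drive and remember it on the system side.
        drive.pad = secrets.token_bytes(32)
        self.enrolled[user] = (drive.vendor, drive.model, drive.serial, drive.pad)

    def enroll(self, user, drive):
        self._rotate(user, drive)

    def login(self, user, drive=None):
        record = self.enrolled.get(user)
        if record and drive is not None:
            same_hw = (drive.vendor, drive.model, drive.serial) == record[:3]
            same_pad = hmac.compare_digest(drive.pad, record[3])
            if same_hw and same_pad:
                self._rotate(user, drive)  # overwrite the stored data after success
                return "logged in by flash drive"
        return "ask for password" if self.fallback_to_password else "login blocked"


def demo():
    drive = FlashDrive("ExampleVendor", "ExampleModel", "SN-0001")  # constructed values
    lenient = UsbLogin(fallback_to_password=True)
    lenient.enroll("ivanov", drive)
    earlier_copy = replace(drive)  # same attributes and data as at enrolment time
    results = {"first login": lenient.login("ivanov", drive)}
    results["earlier copy of the drive"] = lenient.login("ivanov", earlier_copy)
    results["original again"] = lenient.login("ivanov", drive)
    other = FlashDrive("OtherVendor", "OtherModel", "SN-9999", drive.pad)
    results["different hardware"] = lenient.login("ivanov", other)
    strict = UsbLogin(fallback_to_password=False)
    strict.enroll("ivanov", FlashDrive("ExampleVendor", "ExampleModel", "SN-0002"))
    results["no drive, strict policy"] = strict.login("ivanov")
    return results
```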
The advantages of using this type of media include the ability to store information on a flash drive and quickly log into the system, auto-protection, and the absence of the need to remember a large amount of information.
How to copy digital signature from a flash drive
Although the flash drive is reliable, it is recommended to copy the electronic signature from it to the PC registry. This gives you a backup copy in case of media failure. It will also save the user from having to carry a flash drive with him everywhere, which will reduce the risk of theft or loss.
How to copy digital signature:
- via Start/Control Panel/CryptoPro select “Service” and “Copy”;
- in the window that opens, click “Browse”, select the key container and confirm “OK”;
- click “Next” and proceed to copying the private key container. In the “Key container name” window, enter the name of the electronic signature. Click “Finish”;
- in the new window, click “Registry” and “OK”.
Install the copied certificate. To do this:
- in the “Service” tab, select “View certificates”;
- go through “Browse” to select a certificate;
- select the required certificate and confirm the action using “OK” and “Next”;
- complete the process by successively clicking “Install”, “Yes”, “OK”.
EDS installation is complete. Now you can use the signature both from a flash drive and from a PC.
Why might the EP not work?
Typically, working with an electronic signature does not cause problems, however, there are a number of cases when the key certificate stops responding to user actions.
If the private key does not match the public key, then you need to check all private key containers on the PC you are using. The problem may be that the wrong port is selected. If the private key container is selected correctly and the error repeats, you need to contact the CA to re-issue the electronic signature.
Sometimes, when starting, the system displays an error: certificate isn’t valid. To eliminate it, the digital signature is reinstalled according to the instructions of the CA. Also, sometimes a message appears stating that the electronic signature certificate is not trusted. In this case, the root certificate is reinstalled.
Often a problem with the electronic signature is caused by an expired CryptoPro license. To renew your license, you need to contact CA representatives and get a new key.
If no valid certificate is found on the PC, then you need to reinstall the digital signature and check the validity periods of the keys.
CryptoPro may not see the electronic signature due to the lack of a stable Internet connection, as well as due to an incorrectly installed program.
Less often, the plugin does not see the installed and added certificate even after reinstallation. The problem may lie in the CA's certificate revocation list. If a user accesses the Internet through a proxy server, the software cannot see the revocations of the installed certificate in the online directory. To fix the problem, you just need to install this list on the PC.
To work with an electronic signature from a flash drive, special tools must be installed on your PC. These include a crypto provider and a configured browser. Documents are signed using CryptoPro plugins, which are released for both MS Office and PDF files. Flash media can also be used to store the electronic signature key. This is convenient because the user does not need to remember all the data, and login occurs automatically when the flash drive is connected and checked. If there is a need to travel frequently and work with digital signature certificates outside the office or at home, then it is advisable to copy the digital signature certificate from a flash drive to a PC. This will protect against damage, loss or theft of the media, and subsequent restoration of the digital signature.