...

  1. Launch the Rutoken Control Panel.
  2. Go to the Settings tab.
  3. Click on Configuration.
  4. In the drop-down list Consider the PIN code as "weak" when the length is less than, select the required number.
  5. In the section Policies check the boxes next to the policy names.
  6. To display a warning that the PIN code does not comply with the selected policies when an incorrect PIN code is entered, select the value "Warn" in the drop-down list If a "weak" ("medium") PIN code is set.
  7. To prohibit the use of a "weak" password, select the value "Prohibit use" in the drop-down list If "weak" PIN code is set.
  8. To set the default policies and behavior when changing the PIN code, click Set Default.
  9. To confirm the changes, click OK.
  10. To apply the changes and continue working with the policies, click on Apply.
  11. In the window requesting permission to make changes on the computer, click Yes.

View key pairs and certificates stored on the Rutoken device

In the Rutoken Control Panel, a personal certificate is a container consisting of a certificate, a public key and a private key.

To view certificates and key pairs stored on the Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.

The certificates, key pairs and personal certificates stored on the Rutoken device are displayed on the Certificates tab.

Icons are displayed to the left of the names of certificates, personal certificates and key pairs. They mean the following:

  • [icon] - personal certificate
  • [icon] - CryptoPro CSP certificate
  • [icon] - key pair
  • [icon] - CryptoPro CSP key pair

Bold indicates personal certificates installed by default. Each cryptographic provider has its own personal certificate installed by default. In the Rutoken Control Panel, only a personal RSA certificate can be set as the default.

If left-clicking the name of a personal certificate displays a notification in the upper part of the panel window that the personal certificate is unreliable, a trusted root certificate of the certification center must be installed for it.

The wording of such notifications may be as follows:

  • "The certificate is unreliable";
  • "Review status could not be verified";
  • "The root certificate is not set."

To update the list of certificates, personal certificates and key pairs, click the button [icon] next to the Connected Rutoken field.

Registration of the root certificate of the certification center as a trusted root certificate

Before registering the root certificate of the certification center as a trusted root certificate, check whether it is present in the personal certificate stored on the Rutoken device.

To check the presence of a root certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.
  5. Left-click on the name of the personal certificate for which you want to check the presence of the root certificate of the certification center.
  6. Click on Features.
  7. Go to the tab Certification path in the window with the certificate name.
  8. If the section Certification path displays only one certificate, or several certificates with an error message, contact the certification center that issued this certificate to obtain a root certificate.
  9. If the section Certification path displays two certificates and one of them has an error message, register the root certificate of the certification center as a trusted one yourself.

To register the root certificate of the certification center as a trusted one yourself:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Left-click on the name of the personal certificate for which you want to register the root certificate of the certification center as a trusted one.
  6. Click on the "Install" link.
  7. In the window warning that, after registering the root certificate of the certification center, Windows will trust any certificate issued by this certification center, click Yes.  
  8. Right-click on the name of the personal certificate for which the root certificate of the certification center was registered as a trusted certificate. The message "The certificate is valid" will be displayed at the top of the panel. 
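
The certification path check above can also be run from PowerShell on an exported CER file, together with a comparison of the top certificate's thumbprint against the value obtained from the certification center. This is an added example, not part of the Rutoken documentation; Get-CertificationPath, its parameters and the file name are hypothetical, the sample certificate is constructed by the script, and PowerShell 5.1 with .NET Framework 4.7.2 or later (or PowerShell 7 on Windows) is assumed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: builds the certification path for an exported .cer file
# and reports each element's thumbprint and Windows trust status.
function Get-CertificationPath {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedRootThumbprint   # obtained from the certification center
    )
    $cert  = [X509Certificate2]::new((Resolve-Path $Path).Path)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $valid = $chain.Build($cert)

    $roots = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root
    $elements = foreach ($e in $chain.ChainElements) {
        [pscustomobject]@{
            Subject     = $e.Certificate.Subject
            Thumbprint  = $e.Certificate.Thumbprint
            InRootStore = $roots.Thumbprint -contains $e.Certificate.Thumbprint
            Status      = $e.ChainElementStatus.Status -join ', '
        }
    }
    # Element 0 is the end certificate; the last element is the top of the path.
    $top      = @($elements)[-1]
    # Strip spaces and invisible characters that come with copied thumbprints.
    $expected = ($ExpectedRootThumbprint -replace '[^0-9A-Fa-f]').ToUpper()
    [pscustomobject]@{
        ChainValid    = $valid
        ChainStatus   = $chain.ChainStatus.Status -join ', '
        RootMatchesCA = [bool]$expected -and ($top.Thumbprint -eq $expected)
        Elements      = $elements
    }
}

# Constructed sample: a throwaway self-signed certificate saved as a .cer file.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed Test CA', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
$file = Join-Path $env:TEMP 'constructed-demo.cer'
[IO.File]::WriteAllBytes($file, $demo.Export([X509ContentType]::Cert))
Get-CertificationPath -Path $file -ExpectedRootThumbprint $demo.Thumbprint
```

For the constructed self-signed sample the path has a single element that is not in a root store, so ChainValid is False while RootMatchesCA is True.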

Viewing information about the certificate (key pair, personal certificate) stored on the Rutoken device

To view information about the certificate (key pair, personal certificate) stored on the Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the name of the required certificate (key pair, personal certificate).
  6. Select the Features menu item.

The General tab specifies the following:

  • supported certificate usage methods;
  • name of the certificate recipient;
  • name of the certification center that issued the certificate;
  • certificate validity period;
  • additional information about the certificate (Vendor Statement button).

A full description of the certificate is given on the Composition tab:

  • unique serial number assigned to the certificate by the certification center;
  • the hashing algorithm used by the certification center to digitally sign the certificate;
  • type and length of the public key;
  • summary of the data (thumbprint) of the certificate.

The path from the selected certificate to the certification authorities that issued the certificate is specified on the Certification path tab. By clicking on View the certificate, you can get additional information about the certificates of each certification center in the path.

Exporting a certificate to a file

Sometimes there is a need to transfer the certificate stored on the Rutoken device to another user. To do this, the certificate must be exported to a file.

The Rutoken Control Panel supports the following certificate file formats:

  • CER;
  • P7B.

There are two ways to export a certificate to a file in the Rutoken Control Panel:

Method 1

To export a certificate from a Rutoken device to a file:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Left-click on the certificate name.
  6. Click Export.
  7. If you need to export only the certificate, then select the switch next to the name of the file format to export.
  8. If you need to export the certificate together with the key pair, then set the switch to Personal Information Exchange File PKCS #12 (.PFX), enter the password twice or check the box Without a password (if you don't want to set a password).
  9. Click on Review next to the field Path and select a file on your computer.
  10. Click on Export. As a result, the certificate will be exported to the specified file.

Method 2

To export a certificate from a Rutoken device to a file:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the certificate name.
  6. Select the Export menu item.
  7. If you need to export only the certificate, then select the switch next to the name of the file format to export.
  8. If you need to export the certificate together with the key pair, then set the switch to Personal Information Exchange File PKCS #12 (.PFX), enter the password twice or check the box Without a password (if you don't want to set a password).
  9. Click on Review next to the field Path and select a file on your computer.
  10. Click Export. As a result, the certificate will be exported to the specified file.

To export a root trusted certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.
  5. Left-click on the name of the personal certificate.
  6. Click on Features.
  7. Go to the tab Composition.
  8. Click on Copy to file.
  9. Click on Next.
  10. Select the switch next to the name of the required format and click on Next.
  11. Click on Review.
  12. Select the file on your computer or external carrier and click Next.
  13. Click Done. As a result, the certificate will be exported to the specified file.
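
Because a PFX export carries the private key while CER and P7B carry certificates only, it is useful to check what an exported file actually contains before passing it on. The following PowerShell is an added example, not part of the Rutoken documentation; Get-ExportedFileInfo and the file names are hypothetical, the sample files are constructed by the script, and PowerShell 5.1 with .NET Framework 4.7.2 or later (or PowerShell 7 on Windows) is assumed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: reports what an exported file carries and whether a
# PKCS #12 file opens with an empty password.
function Get-ExportedFileInfo {
    param([Parameter(Mandatory)] [string] $Path)
    $bytes = [IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    $type  = [X509Certificate2]::GetCertContentType($bytes)
    $col   = [X509Certificate2Collection]::new()
    $emptyPassword = $null            # stays $null for formats without a password
    try {
        if ($type -eq [X509ContentType]::Pfx) {
            # EphemeralKeySet keeps the private key out of the Windows key store.
            $col.Import($bytes, '', [X509KeyStorageFlags]::EphemeralKeySet)
            $emptyPassword = $true
        } else {
            $col.Import($bytes)
        }
    } catch {
        if ($type -eq [X509ContentType]::Pfx) { $emptyPassword = $false }
    }
    # Counts are 0 when the file could not be opened (password-protected PFX).
    [pscustomobject]@{
        File                = Split-Path $Path -Leaf
        ContentType         = $type
        Certificates        = $col.Count
        PrivateKeys         = @($col | Where-Object HasPrivateKey).Count
        OpensWithNoPassword = $emptyPassword
    }
}

# Constructed sample files: one throwaway self-signed certificate exported three ways.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed Export Demo', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$demo = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
$dir  = Join-Path $env:TEMP 'constructed-export-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
[IO.File]::WriteAllBytes("$dir\only-cert.cer",   $demo.Export([X509ContentType]::Cert))
[IO.File]::WriteAllBytes("$dir\no-password.pfx", $demo.Export([X509ContentType]::Pfx, ''))
[IO.File]::WriteAllBytes("$dir\protected.pfx",   $demo.Export([X509ContentType]::Pfx, 'constructed-password'))
Get-ChildItem $dir | ForEach-Object { Get-ExportedFileInfo $_.FullName } | Format-Table
```

A PFX file reported with OpensWithNoPassword set to True exposes its private key to anyone who obtains the file.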

Importing an RSA certificate and an RSA key pair to a Rutoken device

This operation allows you to import a key pair to the Rutoken device along with a certificate from the following file formats:

  • PFX;
  • P12.

If a file in PFX or P12 format is selected for import, the private key and the corresponding RSA certificate will be copied to the Rutoken device.

If the PFX file is protected with a password, a password entry window will appear on the screen.

If a file in CER format is selected for import, the Rutoken Control Panel will check whether the device has a private key corresponding to this RSA certificate. If such a private key exists, the imported RSA certificate will be bound to this key.

To import an RSA certificate and an RSA key pair from a file to a Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Click on Import.
  6. Specify the path to the file for import and click on Open. As a result, the RSA certificate and the RSA key pair will be imported to the Rutoken device.

Assigning a certificate for a key pair

If the user has a certificate corresponding to a key pair, then after creating a key pair on the Rutoken device, it is necessary to assign a certificate for it.

This operation allows you to assign a certificate in CER format to a key pair located on the Rutoken device.

To assign a certificate to a key pair:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the name of the key pair and select Assign a certificate to a key pair...
  6. Select the certificate file on your computer and click Open. As a result, the certificate will be assigned to the key pair.

Assigning a new RSA certificate for the RSA key pair

This operation allows you to assign a new RSA certificate for the RSA key pair located on the Rutoken device.

To assign a new RSA certificate for the RSA key pair:

  1. Launch the Rutoken Control Panel.
  2. Select a device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the name of the RSA personal certificate and select Assign a certificate to a key pair.
  6. Select the file with the RSA certificate on the computer and click Open. As a result, a new certificate will be assigned to the key pair.

Setting the "default" attribute for a personal RSA certificate

If the "default" attribute is not set for any of the personal certificates, then when working with the Rutoken device, the certificate recorded in the device memory before all others will be used.

If there is a personal certificate on the Rutoken device, for which the "default" attribute was previously set and another RSA personal certificate must be used instead, then it is enough to set the "default" attribute for another certificate.

For each cryptographic provider, the "default" attribute can be set for only one personal certificate.  

To set the "default" attribute for a personal RSA certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Left-click on the name of the personal RSA certificate.
  6. Click By default. 
  7. Enter the User's PIN and click OK. As a result, the personal RSA certificate will be used by default.

Removing the "default" attribute for a personal RSA certificate

To remove the "default" attribute for a personal RSA certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.
  5. Left-click on the name of the personal RSA certificate.
  6. Click By default.
  7. Enter the User's PIN and click OK. As a result, the RSA personal certificate will not be used by default. 

Registration of a personal certificate in the local storage

In order for various applications of the Windows operating system to access the personal certificate stored in the memory of the Rutoken device, it is necessary to register it in the local storage of the workstation. In some cases, a personal certificate is registered automatically.

This procedure allows you to register a personal certificate in the local storage.

To register a personal certificate in the local storage:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Select the checkbox in the line with the certificate name in the Registered column.