Rutoken documentation

Page tree

Versions Compared

Old Version 5

changes.mady.by.user Технический писатель

Saved on

compared with

New Version Current

changes.mady.by.user Чернуцкая Милена

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel2

General information

Signs of correct connection of Rutoken devices to the computer 

The main signs of Rutoken devices connection are indicated in Table 1.

Table 1

How to know if your Rutoken device is connected

Each Rutoken device has a specific sign of connetion, these signs are listed in the tabe down below.

Device type

Sign of connection

Rutoken with USB and NFC interfaces

an indicator lights up on its body

Rutoken Smart Cards

Device name

Property

Token, Bluetooth Token, Token with Type-C, Token with NFC

the indicator lights up on the device

Smart Card

an indicator lights up on

the

a smart card reader

Warning
During operations with the Rutoken device, do

Do not disconnect

it

your Rutoken from

the computer in any case. This may lead to

a computer while working with it, it may cause an error.

Rutoken Control Panel

The Rutoken Control Panel is a software tool designed to service maintaine Rutoken devices in Microsoft Windows operating systemsOS. The Rutoken Control Panel is installed in the system when installing along with the "Rutoken Drivers for Windows" kit.

Types of users in the Rutoken Control Panel:

...

The User's PIN code is a password that is used to access the main functions of the Rutoken device.

The default User's PIN code is 12345678.

Administrator's PIN code

...

The default Administrator PIN PIN  is 87654321.

Connecting Rutoken devices to a computer

Connecting

...

a token

To connect Insert the token , insert it into the a USB port of the computer to connect it. If the a token is connected correctly, then an its indicator will light lights up on it.

Connecting a smart card

A smart card reader is used to connect the a smart card to the a computer.

Both, an empty reader and a reader with an inserted smart card, can be connected to the a USB port of the your computer.

To connect a smart card to a computer:

  1. Insert the a smart card into the a reader.
  2. Connect the a reader to the a computer's USB port. If the a smart card is connected correctly, the an indicator on the a reader will light lights up. If the a smart card is inserted into the a reader incorrectly, the an indicator on the a reader may blink. 

...

  1. start flashing. 

Connecting a Bluetooth-token

A Bluetooth-token is connected to a computer via a microUSB cable. If a Bluetooth-token is connected correctly, its indicator lights up.

Connecting a Rutoken with a Type-C connector to a computer

A Rutoken with a Type-C connector connects to a computer that has a special specific USB Type-C port. On some computers , this port is designated indicated as a Thunderbolt 3 (USB-C).

If the token a Rutoken with Type-C is connected correctly, then an its indicator will light lights up on it.

Launching

...

Rutoken Control Panel

There are several ways to launch the Rutoken Control Panel:

Method 1.  Launching from

...

a desktop of

...

your computer (

...

use it if there is a Rutoken Control Panel icon on

...

a desktop)

Use Double-click with the left mouse button to double-click on thea Control panelPanel icon located on the desktop a dekstop of the a computer.

Method 2.  Launching from

...

a Start menu (

...

use it if there is no Rutoken Control Panel icon on

...

a desktop)

For Windows 10:

  1. Click Search in Windowson Start.
  2. Enter the line Type "Rutoken" in the search box. If the English version of the operating system is used, then enter the line "Rutoken".into a search box and press enter. 
  3. Left-click on the name icon of the found program.

For  Windows 7:

  1. Click on Start.
  2. Enter the line Type "Rutoken" in the search box. If the English version of the operating system is used, then enter the line "Rutoken".into a search box and press enter. 
  3. Left-click on the name icon of the found program.

For  Windows XP:

  1. Click on Start.
  2. Left-click on the Search menu item.
  3. On the left side of the window called Search results window left-click on the Files and Folders link.
  4. Type "Rutoken" In the a field for specifying the file name, enter the line "Rutoken". If the English version of the operating system is used, then enter the line "Rutoken".
  5. Click on Find
  6. In the right part of the window , double left-click twice on the name of the found program.

Method 3.  Launching from

...

a computer Control Panel (

...

use it if

...

a taskbar is hidden)

  1. Launch the a dialog box. To do this, press the Press Win+R key combination.
  2. In the a dialog box, enter the type "control panel" line and clickpress OK.  
  3. In Control Panel click on the link Equipment and sound.
  4. Click on the link Rutoken Control Panel.

Device selection in

...

Rutoken Control Panel

If several Rutoken devices are connected to the your computer at the same time, then before starting to work , you need to select the a device with which operations will be performed.

To select a device:

  1. Launch the Rutoken  Rutoken Control Panel.
  2. Select a needed device on the Administration tab in the Connected Rutoken drop-down list called Connected Rutoken.

Checking

...

if device selection is correct

To check the correctness of the device selectionif a device collection is correct:

  1. Launch the Rutoken  Rutoken Control Panel.
  2. Select the needed Rutoken device.
  3. Click on Information. The Information about Rutoken window will open.
  4. If a Bluetooth token is selected, then it is necessary to compare the value in the ID field (the last 5 digits) with the numbers indicated on the Bluetooth token case.If a token is selected, then it is necessary to compare the value in the ID field with the numbers indicated on the token body.
    's body.

Viewing information about the Viewing information about the Rutoken device

To view information about the Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the needed Rutoken device.
  3. Click on Information. The Information about Rutoken window will open.

The description of the information about the Rutoken device presented in the control panel Rutoken devices is given in Table 2.

Table 2

Field

Description

Name

Personalized device

label

name

Model

General device name

of the device

System name

The name

Name used to designate the device in other applications

ID

Unique digital device identifier

Version

Rutoken device

Device's firmware version and status flags

Shared

Total memory (bytes)

The total amount of memory of the selected device

Free memory (bytes)

The amount of device memory (available to

the user

use)

The

User's PIN code can be changed

The policy selected to change the User's PIN on the device

Using UTF-8 in PIN codes

The

ability

possibility to safely use сyrillic

characters

symbols when setting a PIN code

CryptoPro FKC Support

The device supports

working

the work with CryptoPro Rutoken CSP via a secure FKC channel

Microsoft Base Smart Card Crypto Provider

The device supports

working

the work with a standard cryptography provider for Microsoft's smart cards

from Microsoft

The device is connected via RDP

Is

If the device is connected via

the

a RDP protocol

Viewing the version of the installed kit "Rutoken Drivers for Windows"

...

  1. Launch the Rutoken Control Panel.
  2. Go to the tab About the program. The current version of the "Rutoken Drivers for Windows kit " installed on the computer is indicated in the field Version of the Rutoken drivers

Entering the User's PIN code to work with

...

a Rutoken device

Warning
After entering an incorrect User's PIN code several times in a row, the Rutoken device is with be blocked. Only the Administrator of the Rutoken device device's Administrator can unlock it.

To enter the User's PIN code:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Check that the switch is set to User.
  6. Enter the User's PIN.
  7. Click OK.
  8. If an incorrect PIN code is entered, a message about it will be displayed on the screen. The maximum number of of attempts to enter the PIN code is indicated in the attempts left field. 

...

  1. Launch the Rutoken Control Panel.
  2. Go to the Settings tab.
  3.  Click on Configuration Settings
  4. In the section Settings of the Aktive Co. Rutoken CSP v1.0 crypto provider  select a method for generating RSA 2048 bit key pairs for Rutoken EDS. To do this, set the switch to the desired position.
  5. To apply the changes and continue working with the settings, click on Apply
  6. To confirm the choice of a cryptographic provider, click OK.
  7. In the window requesting permission to make changes on the computer, click Yes.

...

You can set the settings for the PIN code in the Rutoken Control Panel. The list of settings is specified in Table 3.

Table 3

Setting

Result of setting selection

Remember the PIN code from the app...

The PIN code is entered once when using the Rutoken device for the first time in the application

Offer to change the PIN code every time...

Every time after entering the PIN code, a message is displayed on the screen with a suggestion to change the PIN code (if the user has not changed the default PIN code)

Encoding the PIN code in UTF-8...

The PIN code can consist of Cyrillic characters

The Remember PIN-code setting allows you to reduce the number of PIN-code entries in applications due to their short-term storage by the crypto provider in encrypted memory. Do not use this setting if you are not sure about the security of the computer.

...

  1. The minimum length of the PIN code.
  2. The policy of using the default PIN code.
  3. The policy of using a PIN code consisting of a single repeated character.
  4. The policy of using a PIN code consisting only of digits.
  5. The policy of using a PIN code consisting only of letters.
  6. The policy of using a PIN code that matches the previous PIN code.

When installing the "Rutoken Drivers for Windows" kit, the policy settings are set by default.

...

  1. Launch the Rutoken Control Panel.
  2. Go to the Settings tab.
  3. Click on Configuration Setting.
  4. In the drop-down list called Consider the PIN code as "weak" when the length is less than select the required number.
  5. In the section Policies check the boxes next to the policy names.
  6. In order to have a message warning that the PIN code does not comply with the selected policies displayed on the screen when entering an incorrect PIN code, select the value "Warn" in the drop-down list If a "weak" ("medium") PIN code is set.
  7. In order to prohibit the use of a "weak" password, select the value "Prohibit use" in the drop-down list If "weak" PIN code is set.
  8. To set the default policies and behavior when changing the PIN code, click Set Default.
  9. To confirm the changes, click OK.
  10. To apply the changes and continue working with the policies, click on Apply.
  11. In the window requesting permission to make changes on the computer, click Yes.

View key pairs and certificates stored on the Rutoken device

In the Rutoken Control Panel, a personal certificate is a container consisting of: a certificate, a public key and a private key.

To view certificates and key pairs stored on the Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.

The certificates, key pairs and personal certificates stored on the Rutoken device are displayed on the Certificates tab.

Icons are displayed to the left of the names of certificates, personal certificates and key pairs. They mean the following:

Image Added - personal certificate

Image Added - CryptoPro CSP certificate

Image Added - key pair

Image Added - CryptoPro CSP key pair

Bold indicates personal certificates installed by default. Each cryptographic provider has its own personal certificate installed by default. In the Rutoken Control Panel, you can set only a personal RSA certificate by default.

If, when clicking the left mouse button on the name of the personal certificate, there are notifications about the fact that the personal certificate is unreliable, displayed in the upper part of the panel window, then it is necessary to install a trusted root certificate of the certification center for it.

The wording of such notifications may be as follows:

  • "The certificate is unreliable";
  • "Review status could not be verified";
  • "The root certificate is not set."

To update the list of certificates, personal certificates and key pairs, click on the button Image Added next to the field Connected Rutoken.

Registration of the root certificate of the certification center as a trusted root certificate

Before registering the root certificate of the certification center as a trusted root certificate, check its presence inside the personal certificate recorded on the Rutoken device.

To check the presence of a root certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.
  5. Left-click on the name of the personal certificate for which you want to check the presence of the root certificate of the certification center.
  6. Click on Features
  7. Go to the tab Certification path in the window with the certificate name.
  8. If in the section Certification path only one certificate is displayed or several certificates with an error message are displayed, then you need to contact the certification center that issued this certificate to obtain a root certificate.
  9. If in the section Certification path two certificates are displayed and one of them with an error message, then you need to register the root certificate of the certification center as a trusted one by yourself.

For self-registration of the root certificate of the certifying center as a trusted one:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Left-click on the name of the personal certificate for which you want to register the root certificate of the certification center as a trusted one.
  6. Click on the "Install" link.
  7. In the window warning that, after registering the root certificate of the certification center, Windows will trust any certificate issued by this certification center, click Yes.  
  8. Right-click on the name of the personal certificate for which the root certificate of the certification center was registered as a trusted certificate. The message "The certificate is valid" will be displayed at the top of the panel. 

Viewing information about the certificate (key pair, personal certificate) stored on the Rutoken device

To view information about the certificate (key pair, personal certificate) stored on the Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the name of the required certificate (key pair, personal certificate).
  6. Select the Features menu item.

The following points are specified on the General tab: 

  • supported certificate usage methods;
  • name of the certificate recipient;
  • name of the certification center that issued the certificate;
  • certificate validity period;
  • additional information about the certificate (Vendor Statement button).

Full description of the certificate is indicated on the tab Composition:

  • unique serial number assigned to the certificate by the certification center;
  • the hashing algorithm used by the certification center to digitally sign the certificate;
  • type and length of the public key;
  • summary of the data (thumbprint) of the certificate.

The path from the selected certificate to the certification authorities that issued the certificate is specified on the Certification path tab. By clicking on View the certificate, you can get additional information about the certificates of each certification center in the path.

Exporting a certificate to a file

Sometimes there is a need to transfer the certificate stored on the Rutoken device to another user. To do this, the certificate must be exported to a file.

The Rutoken Control Panel supports the following certificate file formats:

  • CER;
  • P7B.

There are two ways to export a certificate to a file in the Rutoken Control Panel:

Method 1

To export a certificate from a Rutoken device to a file:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Left-click on the certificate name.
  6. Click Export.
  7. If you need to export only the certificate, then select the switch next to the name of the file format to export.
  8. If you need to export the certificate together with the key pair, then set the switch to Personal Information Exchange File PKCS #12 (.PFX), enter the password twice or check the box Without a password (if you don't want to set a password).
  9. Click on Review next to the field Path and select a file on your computer.
  10.  Click on Export. As a result, the certificate will be exported to the specified file.

Method 2

To export a certificate from a Rutoken device to a file:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the certificate name.
  6. Select the Export menu item.
  7. If you need to export only the certificate, then select the switch next to the name of the file format to export.
  8. If you need to export the certificate together with the key pair, then set the switch to Personal Information Exchange File PKCS #12 (.PFX), enter the password twice or check the box Without a password (if you don't want to set a password).
  9. Click on Review next to the field Path and select a file on your computer.
  10.  Click Export. As a result, the certificate will be exported to the specified file.

To export a root trusted certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.
  5. Left-click on the name of the personal certificate.
  6. Click on Features.
  7. Go to the tab Composition.
  8. Click on Copy to file.
  9. Click on Next.
  10. Select the switch next to the name of the required format and click on Next.
  11. Click on Review.
  12.  Select the file on your computer or external carrier and click Next.
  13. Click Done. As a result, the certificate will be exported to the specified file.

Importing an RSA certificate and an RSA key pair to a Rutoken device

This operation allows you to import a key pair to the Rutoken device along with a certificate from the following file formats:

  • PFX;
  • P12;

If a file in PFX or P12 format is selected for import, the private key and the corresponding RSA certificate will be copied to the Rutoken device.

If the PFX file is protected with a password, a password entry window will appear on the screen.

If a file in CER format is selected for import, the Rutoken Control Panel will check whether the device has a private key corresponding to this RSA certificate. If there really is a private key, then the imported RSA certificate will be binded with this key.

To import an RSA certificate and an RSA key pair from a file to a Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Click on Import.
  6. Specify the path to the file for import and click on Open. As a result, the RSA certificate and the RSA key pair will be imported to the Rutoken device.

Assigning a certificate for a key pair

If the user has a certificate corresponding to a key pair, then after creating a key pair on the Rutoken device, it is necessary to assign a certificate for it.

This operation allows you to assign a certificate in CER format to a key pair located on the Rutoken device.

To assign a certificate to a key pair:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the name of the key pair and select Assign a certificate to a key pair...
  6. Select the certificate file on your computer and click Open. As a result, the certificate will be assigned to the key pair.

Assigning a new RSA certificate for the RSA key pair

This operation allows you to assign a new RSA certificate for the RSA key pair located on the Rutoken device.

To assign a new RSA certificate for the RSA key pair:

  1. Launch the Rutoken Control Panel.
  2. Select a device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Right-click on the name of the RSA personal certificate and select Assign a certificate to a key pair.
  6. Select the file with the RSA certificate on the computer and click Open. As a result, a new certificate will be assigned to the key pair.

Setting the "default" attribute for a personal RSA certificate

If the "default" attribute is not set for any of the personal certificates, then when working with the Rutoken device, the certificate recorded in the device memory before all others will be used.

If there is a personal certificate on the Rutoken device, for which the "default" attribute was previously set and another RSA personal certificate must be used instead, then it is enough to set the "default" attribute for another certificate.

For each cryptographic provider, the "default" attribute can be set for only one personal certificate.  

To set the "default" attribute for a personal RSA certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Left-click on the name of the personal RSA certificate.
  6. Click By default. 
  7.  Enter the User's PIN and click OK. As a result, the personal RSA certificate will be used by default.

Removing the "default" attribute for a personal RSA certificate

To remove the "default" attribute for a personal RSA certificate:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the Certificates tab.
  5. Left-click on the name of the personal RSA certificate.
  6. Click By default.
  7. Enter the User's PIN and click OK. As a result, the RSA personal certificate will not be used by default. 

Registration of a personal certificate in the local storage

In order for various applications of the Windows operating system to access the personal certificate stored in the memory of the Rutoken device, it is necessary to register it in the local storage of the workstation. In some cases, a personal certificate is registered automatically.

This procedure allows you to register a personal certificate in the local storage.

To register a personal certificate in the local storage:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Select the checkbox in the line with the certificate name in the Registered column. 

Deleting a personal certificate from the local storage

To delete a personal certificate from the local storage:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. Uncheck the box in the line with the name of the personal certificate in the Registered column.

Deleting the RSA certificate (RSA key pair, RSA personal certificate) from the memory of the Rutoken device

Warning
After deleting the RSA certificate (the RSA key pair, the RSA personal certificate), it will be impossible to restore.

To delete the RSA certificate (RSA key pair, RSA personal certificate):

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Go to the tab Certificates.
  5. In the line with the name of the RSA certificate (RSA key pair, RSA personal certificate) click on the left mouse button.
  6. Click on Delete.
  7. Click Yes in the window with the request to confirm the operation. 
  8.  Enter the User's PIN and click OK. As a result, the selected RSA certificate (RSA key pair, RSA personal certificate) will be permanently deleted from the Rutoken device's memory.

Connecting a Rutoken to an Android device

Rutokens that can be connected to an Android device

You can connect to an Android device:

  • Rutoken with Type-C connector;
  • dual smart card with NFC support;
  • token with NFC.

Installing the Rutoken Control Panel app on Android

The Rutoken Control Panel application allows you to:

  • view information about connected Rutoken devices;
  • change PIN codes and device labels;
  • track the battery charge of the Bluetooth token.

To install the Rutoken Control Panel application:

  1. Launch Google Play Store on your device.
  2. Find the Rutoken Control Panel application. To do this, enter the name of the application in the Google Play Store search bar and press ENTER.
  3. Select the Rutoken Control Panel in the list of search results. A page with detailed information about the application will open.
  4. Click Install.
  5. Read the list of rights that the application needs.
  6. If you agree to grant the application the required rights, click Accept. The download and installation of the application will begin.
  7. If you do not agree to grant the required rights to the application, click Back. In this case, the installation of the application will be canceled.

Connecting a Rutoken with a Type-C connector to an Android device

A Rutoken with a Type-C connector connects to an Android device with a special USB Type-C port. If the token is connected correctly, an indicator will start to light on it and its name will be displayed in the Rutoken Control Panel application.

To check whether the name of the Rutoken is displayed correctly in the Rutoken Control Panel application:

  1. Connect the Rutoken with the Type-C connector to the device.
  2. Launch the Rutoken Control Panel app.
  3. Click on the device name in the application window. A window with basic information about the token will open.

Connecting a dual smart card with NFC support (NFC token) to an Android device

Info
To connect a dual smart card with NFC support (a token with NFC), you need a mobile device with an NFC module.

To connect a dual smart card with NFC support (NFC token), put the Rutoken to the NFC module of the mobile device. If the mobile device has made a sound, then Rutoken has connected to it.  Also, in case of correct connection, the name of the Rutoken will be displayed in the Rutoken Control Panel application.

Info
To work with a dual smart card (NFC token) on a mobile device, put it to the NFC module of the mobile device for the entire period of working with it.

To check the display of the name of a dual smart card with NFC support (a token with NFC) in the Rutoken Control Panel application:

  1. Connect a smart card with NFC support (NFC token) to the device.
  2. Launch the Rutoken Control Panel app.
  3. Click on the device name in the application window. A window with basic information about the Rutoken will open.

Working with the Rutoken Control Panel application

Changing the PIN code

  1. Connect the Rutoken to your Android device.
  2. Launch the Rutoken Control Panel application.
  3. To open the menu, click on the icon in the upper right corner of the Rutoken card Image Added.
  4. Select the menu item called Change the PIN code. The application will display a window for entering a new PIN code.
  5. Go to the tab User (to enter a new User PIN) or Administrator (to enter a new Administrator PIN).
  6. Enter the current PIN.
  7. Enter the new PIN code twice.
  8. Click OK.

Changing the Rutoken device label

To change the device label:

  1. Connect the Rutoken to your Android device.
  2. Launch the Rutoken Control Panel application.
  3. To open the menu, click on the icon in the upper right corner of the Rutoken card Image Added.
  4. Select the menu item called Change the token label. The application will display a window for entering the User's PIN code and a new label.
  5. Enter the User's PIN.
  6. Enter a new label.
  7. Click OK.

Unlocking the PIN code

To unlock the User's PIN code:

  1. Connect the Rutoken to your Android device.
  2. Launch the Rutoken Control Panel application.
  3. To open the menu, click on the icon in the upper right corner of the Rutoken card Image Added.
  4. Select the Unlock menu item. The application will display a window for entering the Administrator's PIN code and a button for unlocking the User's PIN code.
  5. Enter the Administrator's PIN.
  6. Click OK.

Specific features related to working with the Rutoken EDS Flash device

An important feature of the Rutoken EDS Flash device is the presence of managed Flash memory. It can be divided into sections, access to which is delimited using PIN codes. Such memory is called protected and its state remains unchanged during the formatting of the device.