Installing CryptoPro on RELS
Prerequisites: ROSA Enterprise Linux Server 6.7 is installed in the "Standard Rosa Server" configuration and has access to the repositories (this requires a support key obtained in advance from the support service; register it with administrator rights by running echo "<key>" > /etc/rosa-support-id-server).
Applicability
These instructions describe installing CryptoPro CSP 4.0 on ROSA Enterprise Linux Server 6.7 for use with a Rutoken. The example is given for the 64-bit AMD64 architecture; a 32-bit installation is the same apart from the names of the installation packages and directories.
Note
Where superuser rights are not explicitly mentioned, every step is performed as the user who will be working in the Firefox browser. This user must stay the same throughout the whole procedure.
Obtaining installation packages
To install CryptoPro CSP 4.0, first register on https://www.cryptopro.ru/ and, from the download page https://www.cryptopro.ru/products/csp/downloads, download version 4.0 R2 for Linux in RPM format.
Also download the CryptoPro EDS Browser Plug-in, version 2.0.
Close the browser afterwards.
Installation
To install, unpack the downloaded archives. Open the terminal (the terminal tab is in the middle of the left-hand side of the application launch panel)
and run the following commands:
cd ~/Downloads/
tar -xvf linux-amd64.tgz
tar -xvf cades_linux_amd64.tar.gz
A directory with the CryptoPro installation files appears; change into it in the console:
cd linux-amd64/
Installing the basic CryptoPro components
su
and enter the root password, then run the installation commands:
yum install redhat-lsb* ccid pangox-compat
./install.sh
Installing additional CryptoPro components
rpm -ivh cprocsp-rdr-pcsc-* lsb-cprocsp-pkcs11-* cprocsp-rdr-gui-gtk-*
Note also the device support packages (tokens, readers, extension cards). They are in the CryptoPro CSP archive and their names begin with cprocsp-rdr. If you need a specific device (for example, a Rutoken EDS), install the corresponding package (rpm -ivh cprocsp-rdr-rutoken*). The archive also contains driver packages (ifd-*); install the one matching your device (for a Rutoken S: rpm -ivh ifd-rutokens*).
Do not install the cprocsp-rdr-gui package: in combination with cprocsp-rdr-gui-gtk it breaks the graphical components.
Installing Browser Plug-in
cd ..
rpm -ivh lsb-cprocsp-devel*
yum install cprocsp-pki-2.0.0-amd64-cades.rpm
yum install cprocsp-pki-2.0.0-amd64-plugin.rpm
Connecting the token
Now plug the Rutoken into a USB port of the computer.
In a separate console window, run pcscd with administrator (root) rights. At this stage it is started with the debug options:
su
killall pcscd
pcscd -adffffff
Do not close this console after starting pcscd: it shows how the system communicates with the smart card.
For the following commands use the first console you opened. They do not need superuser rights (type exit in that terminal to leave root mode).
The pcscd output should now show the device.
Installing certificates
Editing the list of trusted sites
First add the CryptoPro site to the trusted list. Close the browser if it is open and run in the console (without administrator rights):
firefox /etc/opt/cprocsp/trusted_sites.html
Enter the site name in the "Add new" field, click "+" and then "Save".
Installing the Certification Authority certificates
To work with certificates you need to install the Certification Authority (CA) certificate (in this case the root certificate is installed directly) and the certificate from the Rutoken into the local stores. First download from the CA site a file containing the certificate chain (usually with the .cer or .p7b extension) and the certificate revocation list (CRL). They are available at https://www.cryptopro.ru/certsrv/certcarc.asp: click "Download CA certificate chain" and "Download latest base CRL". Then, as the regular user, run the following in the console:
/opt/cprocsp/bin/amd64/certmgr -inst -store uroot -file ~/Downloads/certnew.p7b
/opt/cprocsp/bin/amd64/certmgr -inst -crl -file ~/Downloads/certcrl.crl
More on certmgr is given in its documentation. You can now work with the containers on the token. If the device has no containers, you can create them; see the section "Creating a test certificate". After the packages from clauses 5.1 and 5.2 are installed, the containers on the device should be visible. To find out the container path and whether it is available, enumerate the containers with csptest (the command is listed under "Some useful commands" below).
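The following shell script is added here and is not part of the original instructions: it picks the token container's path out of the output of csptest -keyset -enum_cont -verifyc -fqcn and builds the certmgr -inst command for the personal store. The csptest output it parses is constructed to resemble the real format; the reader and container names in it are made up.

```bash
#!/bin/sh
# Added example, not from the original instructions: select the token container from
# "csptest -keyset -enum_cont -verifyc -fqcn" output and build the certmgr -inst command.
# SAMPLE_OUTPUT is constructed to resemble csptest output (reader and container names are made up).
SAMPLE_OUTPUT='CSP (Type:80) v4.0.9006 KC1 Release Ver:4.0.9842 OS:Linux CPU:AMD64 FastCode:READY:AVX.
AcquireContext: OK. HCRYPTPROV: 29094483
\\.\HDIMAGE\test-2001
\\.\Aktiv Rutoken ECP 00 00\work-cont
OK.
Total: SYS: 0,000 sec USR: 0,010 sec UTC: 0,230 sec
[ErrorCode: 0x00000000]'

# csptest reports success with a zero ErrorCode on its last line; anything else means
# the enumeration itself failed and the container list must not be trusted.
csptest_ok() {
    grep -q '^\[ErrorCode: 0x00000000\]$'
}

# Print every fully qualified container name from csptest output on stdin.
# Such names start with \\.\ followed by the reader name and the container name.
list_containers() {
    while IFS= read -r line; do
        case "$line" in
            '\\.\'*) printf '%s\n' "$line" ;;
        esac
    done
}

# Keep only containers that live on a token: HDIMAGE is the hard-disk "reader", and the
# instructions want the certificate bound to the device, not to a container on disk.
token_containers() {
    list_containers | while IFS= read -r name; do
        case "$name" in
            '\\.\HDIMAGE\'*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Build the command used when installing a certificate from a container on the token;
# the quotes are required because reader names contain spaces.
install_cmd() {
    printf '/opt/cprocsp/bin/amd64/certmgr -inst -cont "%s" -store uMy\n' "$1"
}

# Stand-alone run: print the install command for each token container found.
if printf '%s\n' "$SAMPLE_OUTPUT" | csptest_ok; then
    printf '%s\n' "$SAMPLE_OUTPUT" | token_containers | while IFS= read -r name; do
        install_cmd "$name"
    done
else
    echo 'csptest reported an error; no containers installed' >&2
fi
```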
Installing a certificate from a container on the token
Now install the certificate from the Rutoken into the personal store (uMy):
/opt/cprocsp/bin/amd64/certmgr -inst -cont "<path to the container, beginning with \\.\>" -store uMy
If everything completed without errors, you can proceed to the next step.
Note
Most often the .cer extension denotes a single certificate, whereas .p7b is a container that can hold one or more certificates (for example, a chain).
Creating a test certificate
Creating a container on the hard disk
If there are no containers on the device, you can create one. Go to the CryptoPro test Certification Authority (CA) at http://www.cryptopro.ru/certsrv/certrqma.asp and fill in the required fields (the "Name:" field is mandatory). The key must be marked as exportable. Note that the Browser Plug-in verification service requires the 2001 standard (GOST R 34.10-2001).
Press the "Submit >" button.
Now the container can be copied to the token, but first you need its name. Open the console and run:
/opt/cprocsp/bin/amd64/list_pcsc
You also need the full name of the container created when the certificate was generated:
/opt/cprocsp/bin/amd64/csptest -keyset -enum_cont -verifyc -fqcn
Copying the container to the token
Then use these names in the following command:
/opt/cprocsp/bin/amd64/csptest -keycopy -contsrc "<full container name>" -contdest "\\.\<token name>\<desired container name>"
The token now contains a container. Return to "Installing a certificate from a container on the token" (clause 7.3), first deleting the certificate installed from the hard-disk container (the one generated by the test CA).
Note
Installing the certificate from the container on the token is needed so that the system binds the certificate to the device.
You can delete this certificate with the following command:
/opt/cprocsp/bin/amd64/certmgr -del
and, if prompted, choose the number of the certificate to delete.
Verification of the electronic signature using Browser Plug-in
To check that the Browser Plug-in works, use https://www.cryptopro.ru/sites/default/files/products/cades/demopage/simple.html. Also make sure no unneeded certificates are installed: the page works correctly only when a single certificate is installed (remove extras with /opt/cprocsp/bin/amd64/certmgr -del). When everything works, the page looks approximately as follows.
Summary
In general, the installation procedure is as follows.
Recommendations for using Cryptopro command line utilities
Installation of environment variables
For convenience, first arrange that the programs can be run without typing their full path each time. There are many ways to do this; here it is done as follows.
In the console obtain superuser rights (type su and enter the password) and run the following command (this sets the path for all users except the superuser; the single quotes keep $PATH from being expanded at the moment the line is written):
echo 'export PATH=$PATH:/opt/cprocsp/bin/amd64:/opt/cprocsp/sbin/amd64' >> /etc/profile
If you need the same for the superuser, use
echo 'export PATH=$PATH:/opt/cprocsp/bin/amd64:/opt/cprocsp/sbin/amd64' >> /root/.bash_profile
Reboot.
To check, sign a file and verify the signature.
Using aliases
For frequently used commands (for example, the command listing containers) it is worth defining short, quickly typed aliases with the alias command. For example, to assign an alias to the command
/opt/cprocsp/bin/amd64/csptest -keyset -enum_cont -verifyc -fqcn
obtain superuser rights in the console (type su and enter the password) and run:
echo "alias conts='/opt/cprocsp/bin/amd64/csptest -keyset -enum_cont -verifyc -fqcn'" >> /etc/bashrc
Reboot. An example of the alias in use is shown below.
Literature on the use of command line utilities
For information on other programs, use the command with the "--help" flag (for example, csptest --help).
Some useful commands
Deleting a container:
csptest -keyset -deletekeyset -container "<full container name>"
Showing the trusted sites:
cpconfig -ini "\Local\Software\Crypto Pro\Cadesplugin\TrustedSites" -view
Copying a container:
csptest -keycopy -contsrc "<full name of the source container>" -contdest "<full name of the destination container>"
Changing the default crypto provider (the available types and names can be listed with cpconfig -defprov -view_type):
cpconfig -defprov -setdef -provtype <provider type> -provname <provider name>
Finding out the CryptoPro version:
csptest -keyset -verifycontext
Viewing the licence information:
cpconfig -license -view
Entering a licence (the key is written without quotes):
cpconfig -license -set <licence number>
Listing the available containers:
csptest -keyset -enum_cont -verifyc -fqcn

In this short post I decided to cover creating an electronic digital signature with the CryptoPro crypto provider. It is about a BAT file that can be used to automate signing electronic documents.
In order to automate the process of signing electronic documents, we will need:
1) CryptoPro CSP;
2) a USB key (for example, a Rutoken) inserted into a USB port;
3) Notepad (notepad.exe);
4) the certificates for your key installed.
The central piece of the whole story is the file csptest.exe in the CryptoPro directory (by default C:\Program Files\Crypto Pro\CSP\csptest.exe).
Open the command prompt and run:
cd C:\Program Files\Crypto Pro\CSP\
csptest
This lists all possible parameters of the executable:
Select from:
-help         Print this help
-noerrorwait  Do not wait for any key on error
-notime       Do not show time elapsed
-pause        Wait for keyboard input after completion so that you may check memory and other resources
[...]         Call DestroyCSProvider() of last used CSP at exit; services (cryptsrv*, HSM, etc) not affected
-randinit     [...]
To see the parameters of a particular global option, call the file with that option, for example:
csptest -sfsign
Thus, to sign a file with csptest.exe from cmd, run:
csptest -sfsign -sign -in Dogovor.doc -out Dogovor.doc.sig -my "Ltd. Ivanov Ivan Ivanovich"
where:
-my indicates the holder of the key (the certificate subject);
-in indicates which file to sign; if the file is not in the csptest folder, give the full path;
-out indicates the name of the signature file.
You can check the signature on the State Services website.
Most likely, uploading this file to the State Services site will produce an error, because the CA information has to be included in the signature. The date and time of signing will also be absent. To fix both, add two parameters to our command:
csptest -sfsign -sign -in Dogovor.doc -out Dogovor.doc.sig -my "Ltd. Ivanov Ivan Ivanovich" -addsigtime -add
If a detached signature is needed, add one more parameter:
csptest -sfsign -sign -in Dogovor.doc -out Dogovor.doc.sig -my "Ltd. Mine Programs Ivanov Ivan Ivanovich" -addsigtime -add -detached
Note:
If signing fails with the error
Unable to open file
An error occurred in running the program.
.\signtsf.c:321: Cannot open input file.
Error number 0x2 (2).
Could not find the specified file.
when called as in the last example, and you are sure the paths in the -in and -out parameters are correct, try creating the signature as in the first example, and then run the command with the full set of parameters.
We now have the main signing command. Let us simplify the procedure a little: we will make a BAT file which, when run, signs the file secret.txt located in the same folder as the BAT file. Open Notepad and write the following code (the paths are quoted so that folder names with spaces are passed to csptest as one argument):
chcp 1251
set CURPATH=%CD%
cd C:\Program Files\CRYPTO PRO\CSP
call csptest -sfsign -sign -in "%CURPATH%\secret.txt" -out "%CURPATH%\secret.txt.sig" -my "Mine Programs Ivanov Ivan Ivanovich" -addsigtime -add -detached
cd "%CURPATH%"
Click "File" -> "Save As" -> enter the name s.bat -> "Save".
That is all. For reference:
chcp 1251 - sets the encoding for cmd; it is needed for correct handling of Russian letters in the code;
set CURPATH=%CD% - saves the current cmd directory in the CURPATH variable;
cd - changes the current cmd directory;
call - launches the program.