Hardware and software setup

CryptoPro 4 does not see the flash drive media. What to do if the computer does not see the digital signature

Install Rutoken in CryptoPro

Rutoken lets you reliably protect information from unauthorized access. Its protected file system keeps your data safe with cryptographic encryption. CryptoPro Rutoken CSP is specially created software that combines the capabilities of the two products. By combining the identifier and the CIPF, we get a reliable module on which you can safely store data.

Since all operations are performed inside the key identifier and the data exchange protocol is protected by a unique technology, it makes sense to use this distribution kit when working with electronic documents of high importance. If you use Rutoken separately, you must first install the drivers. Do not connect the identifier before installing the drivers. After the drivers are installed, install the support modules for CryptoPro. Once these preparation steps are complete, you can connect the Rutoken key. Then run CryptoPro and configure the readers on the Hardware tab. For the identifier to work, select the item "All smart card readers" and click "Next".

For installation, you will need a certificate file (a file with the .cer extension). To install a certificate, follow these steps:

  1. Select "Start" / "Control Panel" / "CryptoPro CSP". In the "CryptoPro CSP Properties" window, go to the "Service" tab and click the "Install personal certificate" button (see Fig. 1).

     Fig. 1. "CryptoPro CSP Properties" window

  2. In the "Certificate Import Wizard" window, click "Next". In the next window, click "Browse" to select a certificate file (see Fig. 2).

     Fig. 2. Certificate file selection window

  3. Specify the path to the certificate and click "Open" (see Fig. 3).

     Fig. 3. Selecting a certificate file

  4. In the next window, click "Next"; in the "View Certificate" window, click "Next" again. Click "Browse" to specify the corresponding private key container (see Fig. 4).

     Fig. 4. Private key container selection window

  5. Specify the container corresponding to the certificate and confirm the selection with "OK" (see Fig. 5).

     Fig. 5. Key container selection window

  6. After selecting the container, click "Next" and check the box next to "Install certificate in container" (see Fig. 6). In the "Certificate Store Selection" window, click "Browse" (see Fig. 6).

     Fig. 6. Selecting a certificate store

  7. You must select the "Personal" store and

Good afternoon! For the last two days I had an interesting task: finding a solution to the following situation. There is a physical or virtual server with the well-known CryptoPRO installed on it. A JaCarta key is connected to the server and is used to sign documents for VTB24 DBO. Locally on Windows 10 everything works, but on the server platforms Windows Server 2016 and 2012 R2, CryptoPRO does not see the JaCarta key. Let's figure out what the problem is and how to fix it.

Description of the environment

There is a virtual machine on VMware ESXi 6.5 with Windows Server 2012 R2 installed as the operating system. The server is running CryptoPRO 4.0.9944, the latest version at the moment. A JaCarta dongle is connected from a network USB hub using USB over IP technology. The system sees the key, but CryptoPRO does not.

Algorithm for solving problems with JaCarta

CryptoPRO very often causes various errors in Windows; a simple example is "Windows installer service could not be accessed". This is how the situation looks when the CryptoPRO utility does not see the certificate in the container.

As you can see in the UTN Manager utility, the key is connected, and the system lists it under smart cards as a Microsoft Usbccid (WUDF) device, but CryptoPRO does not detect this container and you have no way to install a certificate. When the token was connected locally, everything was the same. I began to think about what to do.

Possible causes of container detection problems

  1. First, it may be a driver issue: for example, in Windows Server 2012 R2, JaCarta should ideally be listed as JaCarta Usbccid Smartcard in the smart card list, not as Microsoft Usbccid (WUDF).
  2. Second, if the device is seen as Microsoft Usbccid (WUDF), the driver version may be outdated, because of which your utilities will not detect the protected USB drive.
  3. An outdated version of CryptoPRO.

How to solve the problem when CryptoPRO does not see the USB key

We created a new virtual machine and began installing all the software in sequence.

Before installing any software that works with USB media containing certificates and private keys, you MUST disconnect the token: if it is plugged in locally, unplug it; if it is connected over the network, end the session.

  • First of all, update the operating system with all available updates, since Microsoft fixes many errors and bugs, including in drivers.
  • Second, in the case of a physical server, install the latest drivers for the motherboard and all peripheral equipment.
  • Next, install the JaCarta Unified Client.
  • Install the latest version of CryptoPRO.

Installing the JaCarta PKI Unified Client

The JaCarta Unified Client is a special utility from the Aladdin company for working correctly with JaCarta tokens. You can download the latest version of this software product from the official site, or from my cloud if for some reason the download from the manufacturer's website does not work.

Next, unpack the downloaded archive and run the setup file for your Windows architecture; mine is 64-bit. Let's start installing the JaCarta driver. The JaCarta Unified Client is very easy to install (REMINDER: your token must be disconnected at the time of installation). In the first window of the installation wizard, just click "Next".

Accept the license agreement and click "Next".

In order for JaCarta token drivers to work correctly for you, it is enough to perform a standard installation.

If you choose "Custom installation", then be sure to check the boxes:

  • Drivers
  • Support modules
  • Support module for CryptoPRO

After a couple of seconds, the Jacarta Unified Client is successfully installed.

Be sure to restart the server or computer so that the system sees the latest drivers.

After installing JaCarta PKI, you need to install CryptoPRO, for this go to the official website.

https://www.cryptopro.ru/downloads

At the moment, the latest version of CryptoPro CSP is 4.0.9944. Run the installer, check "Install root certificates" and click "Install (Recommended)"

The CryptoPRO installation will run in the background, after which you will see a suggestion to restart the browser, but I advise you to do a full restart.

After the reboot, connect your JaCarta USB token. I have a network connection, from a DIGI device, via . In the Anywhere View client, my JaCarta USB device is detected successfully, but as Microsoft Usbccid (WUDF); ideally it should be detected as JaCarta Usbccid Smartcard, but you need to check anyway, since everything may work as it is.

When I opened the "JaCarta PKI Unified Client" utility, the connected token was not found, which means that something is wrong with the drivers.

Microsoft Usbccid (WUDF) is the standard Microsoft driver that is installed by default for various tokens; sometimes everything works with it, but not always. The Windows operating system installs it by default in view of its architecture and settings; personally, I do not need it at the moment. What we need to do is uninstall the Microsoft Usbccid (WUDF) driver and install the driver for the JaCarta media.

Open Windows Device Manager, find Smart card readers, click Microsoft Usbccid (WUDF) and select Properties. Go to the Driver tab and click Uninstall.

Agree to remove the Microsoft Usbccid (WUDF) driver.

You will be notified that you need to restart the system for the changes to take effect; be sure to agree.

After rebooting the system, you can see the installation of the ARDS Jacarta device and drivers.

Open Device Manager: you should see that your device is now detected as JaCarta Usbccid Smartcard, and if you go to its properties, you will see that the JaCarta smart card is now using driver version 6.1.7601 from ALADDIN RDZAO, as it should be.

If you open the JaCarta Unified Client, you will see your electronic signature, which means that the smart card was detected normally.

We open CryptoPRO and see that it still does not see the certificate in the container, although all the drivers are detected as needed. There is one more peculiarity.

  1. In an RDP session you will not see your token, only locally; this is how the token works, or I did not find how to fix it. You can try the suggestions for resolving the error "Unable to connect to the smart card management service".
  2. You need to uncheck one checkbox in CryptoPRO.

You MUST uncheck "Do not use outdated cipher suites" and reboot.

After these manipulations, CryptoPRO saw my certificate and the JaCarta smart card started working; you can sign documents.
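The driver check from this section as a script, added here as an example (it is not from the original article). It lists every smart card reader with the driver it is bound to and flags the generic Microsoft Usbccid (WUDF) binding; the function name and the SESSIONNAME test for an RDP session are choices of this example.

```powershell
# Added example: shows which driver each smart card reader is bound to.
function Get-TokenReaderStatus {
    # Inside an RDP session the token attached to the server is not visible
    # (see item 1 above). Heuristic used here: SESSIONNAME is "RDP-Tcp#N"
    # in an RDP session and "Console" on the local console.
    $inRdp = $env:SESSIONNAME -like 'RDP-*'

    # Win32_PnPSignedDriver reports the driver package bound to each device.
    $readers = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq 'SMARTCARDREADER' })

    if ($readers.Count -eq 0) {
        Write-Warning 'No smart card reader devices found; check that the token is connected.'
    }

    foreach ($r in $readers) {
        [pscustomobject]@{
            DeviceName    = $r.DeviceName
            Provider      = $r.DriverProviderName
            DriverVersion = $r.DriverVersion
            Inf           = $r.InfName
            # True while the token is still on the default Microsoft driver.
            GenericDriver = $r.DeviceName -like 'Microsoft Usbccid*'
            InRdpSession  = $inRdp
        }
    }
}

Get-TokenReaderStatus | Format-Table -AutoSize
```

Run it before and after removing the Microsoft driver: the DeviceName column should change from Microsoft Usbccid (WUDF) to JaCarta Usbccid Smartcard.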

You can also see your JaCarta device in Devices and Printers.

If you, like me, have the JaCarta token attached to a virtual machine, you will have to install the certificate through the virtual machine console and also give the responsible person rights to it. If this is a physical server, you will have to give rights to the management port, which also has a virtual console.

After you have installed all the drivers for JaCarta tokens, you may see the following error message when connecting via RDP and opening the JaCarta PKI Unified Client utility:

  1. The smart card service is not running on the local machine. The architecture of the RDP session developed by Microsoft does not provide for the use of key media connected to the remote computer; therefore, in an RDP session the remote computer uses the local computer's smart card service. It follows that starting the smart card service inside the RDP session is not enough for normal operation.
  2. The Smart Card Management Service on the local computer is started, but is not available to the program inside the RDP session because of the Windows and/or RDP client settings.

How to fix the "Unable to connect to smart card management service" error

  • Start the smart card service on the local machine from which you initiate the remote access session. Configure it to start automatically when the computer starts.
  • Allow the use of local devices and resources during the remote session (in particular, smart cards). To do this, in the "Remote Desktop Connection" dialog, select the "Local Resources" tab in the settings, then in the "Local Devices and Resources" group, click the "Details..." button, and in the dialog that opens, select the "Smart cards" item and click "OK", then "Connect".
  • Make sure the RDP connection settings are saved. By default, they are saved in the Default.rdp file in the My Documents directory. Make sure that this file contains the line "redirectsmartcards:i:1".
  • Make sure that on the remote computer to which you are making the RDP connection the following group policy is not activated:
    [Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card reader redirection]. If it is enabled (Enabled), disable it and restart the computer.
  • If you have Windows 7 SP1 or Windows 2008 R2 SP1 installed and you are using RDC 8.1 to connect to computers running Windows 8 and above, you need to install this update for the operating system: https://support.microsoft.com/en-us/kb/2913751
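The checks from the list above as a script, added here as an example (it is not from the original article). The function names are this example's own, and the registry value name fEnableSmartCard for the redirection policy is an assumption taken from Microsoft's Remote Desktop Services policy template, not from the page.

```powershell
# Added example. Run Test-RdpClientSide on the machine you connect FROM
# and Test-RdpHostPolicy on the remote computer (the RDP host).

function Test-RdpClientSide {
    param(
        # Default location of the saved connection settings, per the article.
        [string]$RdpFile = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp')
    )

    # SCardSvr is the service name of the Windows "Smart Card" service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SCardSvr'"

    # .rdp files hold one "name:type:value" setting per line.
    $redirect = $false
    if (Test-Path -LiteralPath $RdpFile) {
        $hits = @(Get-Content -LiteralPath $RdpFile -Force |
            Where-Object { $_ -match '^\s*redirectsmartcards:i:1\s*$' })
        $redirect = $hits.Count -gt 0
    }

    [pscustomobject]@{
        ServiceState       = $svc.State       # want: Running
        ServiceStartMode   = $svc.StartMode   # want: Auto
        RdpFile            = $RdpFile
        RedirectSmartCards = $redirect        # want: True
    }
}

function Test-RdpHostPolicy {
    # Assumption (not from the article): the redirection policy is stored as
    # fEnableSmartCard under this key, and 0 means redirection is forbidden.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $val = (Get-ItemProperty -Path $key -Name fEnableSmartCard -ErrorAction SilentlyContinue).fEnableSmartCard

    [pscustomobject]@{
        PolicyValue        = $val             # empty = policy not configured
        RedirectionBlocked = ($val -eq 0)
    }
}

Test-RdpClientSide | Format-List
Test-RdpHostPolicy | Format-List
```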

That is the troubleshooting procedure for setting up the JaCarta token and CryptoPRO on a terminal server for signing documents in VTB24 RBS. If you have comments or corrections, write them in the comments.

If none of the solutions below resolves the problem, the key media may have been damaged and needs to be restored (see ). It is not possible to recover data from a damaged smart card or registry.

If there is a copy of the key container on another medium, then you must use it for work, after installing the certificate.

Diskette

If a floppy disk is used as the key container, the following steps must be performed:

1. Make sure that there is a folder at the root of the floppy disk containing the files: header, masks, masks2, name, primary, primary2. The files must have the .key extension and the folder name format must be xxxxxx.000.

the private key container has been corrupted or removed

2. Make sure that the reader "Drive X" is configured in CryptoPro CSP (for CryptoPro CSP 3.6, "All removable drives"), where X is the drive letter. To do this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";

?).

3. In the CryptoPro CSP window "Selecting a key container", set the "Unique names" radio button.

4.

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Go to the "Service" tab and click on the "Delete remembered passwords" button;

5. How to copy a container with a certificate to another medium?).

Flash drive

If a flash drive is used as the key carrier, follow these steps:

1. Make sure that in the root of the media there is a folder containing the files: header, masks, masks2, name, primary, primary2. The files must have the .key extension and the folder name format must be xxxxxx.000.

If any files are missing or not in the correct format, then the private key container may have been corrupted or deleted. You also need to check if this folder with six files is contained on other media.

2. Make sure that the “Drive X” reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 — “All removable drives”), where X is the drive letter. To do this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Go to the "Hardware" tab and click on the "Configure readers" button.

If the reader is missing, it must be added (see How to configure readers in CryptoPro CSP?).

3.

4. Delete remembered passwords. For this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Mark the "User" item and click on the "OK" button.

5. Make a copy of the key container and use it for work (see How to copy a container with a certificate to another medium?).

6. If CryptoPro CSP version 2.0 or 3.0 is installed at the workplace, and Drive A (B) is present in the list of key media, it must be removed. For this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Go to the "Hardware" tab and click on the "Configure readers" button;
  • Select the reader "Drive A" or "Drive B" and click on the "Delete" button.

After removing this reader, work with the floppy disk will be impossible.
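The folder check from step 1 of the "Diskette" and "Flash drive" sections as a script, added here as an example (it is not from the original article). The function names are this example's own, and treating a zero-length .key file as "not in the correct format" is an assumption of the example.

```powershell
# Added example: validates the key container layout described in step 1.
function Test-KeyContainerFolder {
    param([Parameter(Mandatory = $true)][string]$Root)   # e.g. 'E:\'

    # The six files the article lists, each with the .key extension.
    $required = 'header', 'masks', 'masks2', 'name', 'primary', 'primary2' |
        ForEach-Object { "$_.key" }

    # Container folders are named xxxxxx.000 and sit in the media root.
    Get-ChildItem -LiteralPath $Root -Directory -Filter '*.000' -Force |
        ForEach-Object {
            $dir     = $_
            $files   = @(Get-ChildItem -LiteralPath $dir.FullName -File -Force)
            $names   = @($files | ForEach-Object { $_.Name })
            $missing = @($required | Where-Object { $names -notcontains $_ })
            # Assumption of this example: an empty .key file is malformed.
            $empty   = @($files |
                Where-Object { $required -contains $_.Name -and $_.Length -eq 0 } |
                ForEach-Object { $_.Name })

            [pscustomobject]@{
                Folder   = $dir.FullName
                Missing  = $missing -join ', '
                Empty    = $empty -join ', '
                Complete = ($missing.Count -eq 0 -and $empty.Count -eq 0)
            }
        }
}

# The article also says to check other media, so scan every removable drive.
# DriveType 2 is "removable disk" in Win32_LogicalDisk.
function Find-KeyContainers {
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { Test-KeyContainerFolder -Root ($_.DeviceID + '\') }
}

Find-KeyContainers | Format-Table -AutoSize
```

A folder reported with Complete = False corresponds to the case the article describes as a corrupted or deleted private key container.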

Rutoken

If a Rutoken smart card is used as a key carrier, the following steps must be taken:

1. Make sure the light on the rutoken is on. If the lamp does not light, then the following recommendations should be used.

2. Make sure that the "Rutoken" reader is configured in CryptoPro CSP (for CryptoPro CSP 3.6 - "All smart card readers"). To do this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Go to the "Hardware" tab and click on the "Configure readers" button.

If the reader is missing, it must be added (see How to configure readers in CryptoPro CSP?).

3. In the "Select key container" window, select the "Unique names" radio button.

4. Delete remembered passwords. For this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Go to the "Service" tab and click on the "Delete remembered passwords" button;
  • Mark the "User" item and click on the "OK" button.

5. Update support modules required for Rutoken to work. For this:

  • Disconnect the smart card from the computer;
  • Select "Start" > "Control Panel" > "Add or Remove Programs" (for Windows Vista\Seven: "Start" > "Control Panel" > "Programs and Features");
  • Select "Rutoken Support Modules" from the list that opens and click on the "Delete" button.

After removing the modules, you must restart the computer.

  • Download and install the latest support modules. The distribution kit is available for download on the Aktiv website.

After installing the modules, you must restart your computer.

6. Increase the number of containers on Rutoken that CryptoPro CSP displays, using the following instruction .

7. Update the Rutoken driver (see How to update the Rutoken driver?).

8. You should make sure that Rutoken contains key containers. To do this, you need to check the amount of free memory on the media by following these steps:

  • Open "Start" ("Settings") > "Control Panel" > "Rutoken Control Panel" (if this item is missing, then update the Rutoken driver).
  • In the "Rutoken Control Panel" window that opens, in the "Readers" item, select "Activ Co. ruToken 0 (1,2)" and click on the "Information" button.

If the rutoken is not visible in the "Readers" item, or if clicking the "Information" button shows the message "ruToken memory status has not changed", the media has been damaged and you must contact the service center for an unscheduled replacement of the key.

  • Check what value is indicated in the line "Free memory (bytes)".

Service centers issue rutokens with a memory capacity of about 30,000 bytes as key carriers. One container occupies about 4 KB. The amount of free memory on a rutoken containing one container is about 26,000 bytes, with two containers about 22,000 bytes, and so on.

If the amount of free memory of the rutoken is more than 29-30,000 bytes, then there are no key containers on it. Therefore, the certificate is contained on a different medium.

Registry

If the Registry reader is used as a key carrier, the following steps must be performed:

1. Make sure that the "Registry" reader is configured in CryptoPro CSP. For this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Go to the "Hardware" tab and click on the "Configure readers" button.

If the reader is missing, it must be added (see How to configure readers in CryptoPro CSP?).

2. In the "Select key container" window, select the "Unique names" radio button.

3. Delete remembered passwords. For this:

  • Select the menu "Start" > "Control Panel" > "CryptoPro CSP";
  • Go to the "Service" tab and click on the "Delete remembered passwords" button;
  • Mark the "User" item and click on the "OK" button.