Electronic signature (EDS) for State Services: creation and receipt. Error “You do not have valid certificates” in State Services - what to do

    There are several stages of registration on the State Services portal, each of which opens up different opportunities for users. One of the registration steps is obtaining an electronic signature, which lets you log in to your personal account and order electronic services.

    Initially, electronic signatures were used only by legal entities that preferred to communicate with tax authorities in electronic form. They made it possible to protect documentation sent for inspection to the appropriate authorities. Later, this practice was broadly adopted for individuals.

    An electronic signature is a way to confirm the authenticity of a document. Various types of encryption are used to create an electronic signature, so it may look different. This short code is then attached to the main document that will be sent by email.

    The electronic signature is valid for a year, after which it is necessary to extend its validity by purchasing a new key or certificate. Please note that the service is paid. Its specific cost depends on the conditions included in the contract. Today, the minimum cost of an electronic signature for individuals is 700 rubles. You can view the tariffs on the official website of the RosIntegration certification center.

    Types of electronic signature

    There are 3 types of electronic signature:

    • Simple;
    • Unqualified;
    • Qualified.
    1. A simple electronic signature is often used in everyday life. It is a one-time code. Users constantly encounter such data encryption, for example, when confirming a payment with a bank card. To successfully complete the operation, you must enter a code that is sent to the phone number associated with the card.
    2. An unqualified ES is used in electronic documents. Users encounter it quite rarely in everyday life, because it can only be issued at a certification center. With this type of electronic digital signature you can “certify” your letters to government agencies when sending them electronically. However, the service itself has privacy restrictions.
    3. A qualified electronic signature is an equal analogue of a paper signature for an individual. In the case of legal entities, it can also replace the seal of the organization. Thanks to this type, documents can be sent by e-mail to any authority. There is no need to personally confirm any information.

    How to obtain an electronic signature for the State Services website?

    To work with the State Services portal, simple and qualified electronic signatures are used. Obtaining either type of identifier is directly related to registration on the site. However, because these electronic signatures are of a different nature, the procedure for obtaining them differs significantly.

    Important! A qualified electronic signature has more weight than a simple one, as it opens access to all services of the portal. The main difference is that a simple digital signature gives access to viewing information, for example, about the amount of fines. However, only with a qualified electronic signature does the user have the opportunity to submit applications for receiving services electronically.

    Creating a simple electronic signature

    A simple electronic signature is created at the first stage of user registration on the portal. This is the so-called “simplified registration”, which only requires the visitor to enter certain data into the database. Everything is done remotely and does not take very much time.

    A simple type of signature is assigned to absolutely all portal users, as this happens immediately after registration.

    Information uploaded to the service is sent for verification. If it matches the data in the common database, the client can use the resource. In fact, at this stage the creation of a simple electronic signature is completed. The user can enter the portal and view the available information.

    The reduced functionality of the portal can be expanded if you upgrade the simple electronic signature to an unqualified one. To do this, you must personally contact the Russian Post or. You must have your passport and SNILS with you. Employees of government agencies check that the documents match those specified in the profile settings. If these are really your documents, a one-time code is issued, which is entered in your personal account in the profile settings. After it is entered, State Services opens up its full functionality.

    Pay attention! Registration on the State Services portal is not required if the user initially contacts the MFC to create a simple electronic signature. After this, at home you only need to choose to log in with SNILS.

    Creating a qualified electronic signature

    A qualified electronic signature is issued on a USB flash drive at a certification center. You need to contact the institution that creates qualified electronic signatures in your locality by phone and order an electronic signature. After this, you need to go to the office in person with your passport. There are different tariffs under which the electronic signature is created. To work with the State Services portal, the minimum tariff is suitable.

    Together with the flash drive, which contains information about the electronic signature, the client receives software for installation on his computer, a license and a certificate. At home, you will need to install the program and insert the flash drive into the USB connector. In the authorization form on the State Services portal, at the bottom, you must select “Login using electronic means” and then select the path to the removable storage device.

    What can EDS be used for?

    An electronic signature on State Services is used to provide access to all features of the site:

    • Sending an application to receive certificates, extracts, etc.;
    • Payment of state fees with a 30% discount, if provided for by a specific service.

    Additionally, an individual has the opportunity to send a tax return via the Internet. Electronic signatures also continue to be used by legal entities. But at the same time, it is necessary that the certificate be filled out in the name of a person authorized to work with the State Services portal from his company.

    Electronic signature on the State Services portal

    One of our company’s employees needed to register on the State Services portal. As you know, the portal now has the ability to log into your personal account using a login/password or an electronic signature. The login/password option was discarded due to professional paranoia, and the employee went to the Rostelecom CA - the system operator - to receive a certificate. The CA did not offer him Rutoken EDS as a carrier of electronic signature/hardware CIPF. Due to corporate patriotism, the employee decided not to force events, but to try to access the State Services using Rutoken EDS for electronic signature.
    What came out of this is described under the cut.

    • On the State Services portal, a special browser plug-in, which is quite universal, is used to create electronic signatures. As signing tools it can “pick up” both hardware CIPF and software crypto providers.
      Rutoken EDS is supported in this plugin.
    • Rutoken EDS is supported through our library that implements the PKCS#11 standard.
    • The procedure for logging into your personal account on the State Services portal via electronic signature is a signature of random data sent by the server. The signature is generated in PKCS#7 format. The server uses information from the X.509 certificate to authenticate the user, and successful signature verification verifies that the user has a private key that matches the certificate.
    • In order for the server to accept a user certificate, it must be a strengthened qualified certificate.
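
    The login check described in the list above, as an added Go example (not code from the portal, the plugin or Rutoken); it goes one step beyond the text by making each challenge single-use, so a captured signature cannot be replayed. Assumptions: Ed25519 from Go's standard library stands in for the token's GOST key, a raw signature stands in for the PKCS#7 container, the CA and the user are constructed, the names NewIdentity, Sign, Server, NewChallenge and VerifyLogin are hypothetical, and the checks that make a certificate “qualified” are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewIdentity makes a constructed Ed25519 (stand-in for GOST) key and certificate; nil issuer = self-signed test CA.
func NewIdentity(cn string, caKey ed25519.PrivateKey, caCert *x509.Certificate) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if caCert == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		caKey, caCert = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

func Sign(key ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(key, challenge) }

type Server struct {
	roots   *x509.CertPool  // trusted CA certificates
	pending map[string]bool // challenges issued and not yet answered
}

func NewServer(root *x509.Certificate) *Server {
	s := &Server{roots: x509.NewCertPool(), pending: map[string]bool{}}
	s.roots.AddCert(root)
	return s
}

func (s *Server) NewChallenge() []byte {
	n := make([]byte, 32) // fresh random data for the client to sign
	_, err := rand.Read(n)
	check(err)
	s.pending[string(n)] = true
	return n
}

// VerifyLogin checks, in order: challenge freshness, certificate chain, signature.
func (s *Server) VerifyLogin(challenge, sig []byte, cert *x509.Certificate) (string, error) {
	if !s.pending[string(challenge)] {
		return "", fmt.Errorf("unknown or replayed challenge")
	}
	delete(s.pending, string(challenge)) // single use, even if a later check fails
	if _, err := cert.Verify(x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", fmt.Errorf("signature does not match certificate key")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caKey, caCert := NewIdentity("Constructed Test CA", nil, nil)
	key, cert := NewIdentity("Ivan Testov", caKey, caCert)
	srv := NewServer(caCert)
	c := srv.NewChallenge()
	fmt.Println(srv.VerifyLogin(c, Sign(key, c), cert)) // on the page, Sign runs on the token
}
```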

    The task was divided into subtasks:

    • Generate a key for Rutoken EDS in a format compatible with the format of the State Services plugin, that is, through the PKCS#11 library
    • Find out which accredited CAs issue qualified certificates for individuals
    • Agree with one of these CAs that it will issue a certificate based on a request made remotely.
    • Generate the correct request for a qualified certificate.
    • Transport the request to the CA.
    • Receive a certificate and write it to Rutoken EDS in a format compatible with the format of the State Services plugin, that is, through the PKCS#11 library.

    We came to an agreement with the CA quite quickly. One of our main partners, SKB Kontur, is accredited in the State Services system and agreed to issue us a certificate according to the described scheme.
    To solve technical issues, we decided to use Rutoken Plugin, which also works through the PKCS#11 library and is compatible with the State Services plugin.

    Registration Center

    To generate a key, create a request and record a certificate, we made a set of web pages, which we conventionally called the Registration Center. This Registration Center does not require a server part, all operations are carried out on the client. The Registration Center requires installation of the Rutoken Plugin.

    The Registration Center allows you to:

    • View key pairs and certificates on connected Rutoken EDS devices (viewing key pairs means viewing information about them)
    • Generate new key pair
    • Generate a request in PKCS#10 format for the selected key pair
    • Generate requests using a template
    • Import certificate to device
    • Remove a certificate from a device

    Generating a key and forming a certificate request

    Below are instructions for generating a key and creating a certificate request using the Registration Center:

    1. Launch the Registration Center:

    2. Connect Rutoken EDS to the computer, select a token, enter the PIN code:


    After selecting a token, a menu will appear:

    3. Click the “Create key” button:

    Then click “Create a request on this key”

    4. On the request creation page, select the “SKB Kontur, for individuals” template, fill out the request fields, and click the “Create request” button (all fields must be filled in; a test example is shown in this case):

    5. Copy the request to send it to the CA:

    6. The generated key appears in the list:

    After sending the request, the employee received a notification about the need to come to the CA office to confirm his identity.
    After passing the check, our employee received a certificate.

    Import a certificate
    1. Select a token in the list, click the “Import certificate” button, paste the resulting certificate into the input form, click the “Import” button:

    2. When importing, select the “Custom” certificate type:

    3. After this, a window will appear displaying the certificate and a message about the successful import of the digital signature to Rutoken (the picture shows an example of importing a test certificate obtained from a test CA):

    4. The certificate will appear in the list:

    Login to the State Services portal
    The employee installed the State Services plugin, and he was able to log into the portal using the electronic signature.

    Select “By electronic signature”:

    Select a certificate:

    Enter the PIN code:

    We get to your personal account:

    Instead of a conclusion
    The concept of hardware CIPF, made in various form factors, may be in demand in mass projects aimed at individuals, primarily because it simplifies the use of cryptography. Plugins that integrate the browser and hardware cryptographic solutions should evolve towards easier installation and broader capabilities. Then these solutions will be used more often and more widely.

    In order to be able to issue qualified certificates for Rutoken EDS, which could be used with the State Services plugin or with the Rutoken Plugin, a local version of the Registration Center was made; it can be used directly at certificate issuance points.

    Before starting work on the public services portal, configure your workplace. This article gives step-by-step instructions for setting it up.

    Step 1. Installation of CIPF

    CIPF (a means of cryptographic information protection) is a program for encrypting information. Without CIPF, an electronic signature will not work.

    Download the distribution kit on the CryptoPro website in the “Support” -> “Download Center” section. The section is available after registration. Which distribution to download depends on the version and bitness of the operating system.

    CryptoPro is divided by operating system versions (Windows XP, Windows 7, etc.) and their bit depth (x64/x86).

    Determine your operating system version to download the appropriate version of “CryptoPro CSP”.

    In the latest versions, the CryptoPro distribution automatically detects the bitness and installs the necessary packages.

    This manual covers the most popular OS, Windows 8.

    How to determine the version and bitness of the OS?

    Right-click the “Computer” icon (on different operating systems - “My Computer” or “This Computer”) and select “Properties” in the context menu.

    A window with information about the operating system will appear on the screen.

    Please note that the operating system installed on the computer is Windows 8 Professional. The CryptoPro CSP 3.9 distribution is suitable.

    Accept the license agreement. Download the distribution.

    Please make sure that the version of the CryptoPro CSP distribution kit matches the Windows OS.

    Windows OS

    CryptoPro CSP

    CryptoPro CSP 3.6

    CryptoPro CSP 3.6

    CryptoPro CSP 3.6

    CryptoPro CSP 3.9

    CryptoPro 3.9 (4.0)

    How to install the distribution?

    Launch the distribution and click “Install”.

    Install all software as a user with administrator rights.

    The necessary packages and modules will be unpacked automatically. After installing packages and modules, a window indicating successful installation will appear.

    In earlier versions of “CryptoPro CSP”, installation took place in several successive steps, in which additional settings were chosen and the serial number was entered. Now the installation procedure has been simplified to a minimum of steps.

    The crypto protection tool has been installed. The trial mode for 3 months was activated automatically. To extend the period, enter the serial number.

    Step 2. Entering the serial number / Activating the license

    To enter the serial number, go to the “Control Panel”, select the “System and Security” category, and then select the “CryptoPro CSP” program.

    The “CryptoPro CSP” work area will appear on the screen.

    Click the "Enter License..." button in the "License" section.

    Enter the full name of the user who plans to work on the computer, the name of the organization, and the serial number. The serial number is indicated on the form of the purchased license.

    To complete the license activation, click the “OK” button.


    On the “General” tab, the license validity period will change to the one specified in the license.

    The work with CryptoPro CSP is finished; next time you will need CIPF to set up an electronic signature and install root certificates.

    Step 3. Install a personal certificate

    Go to the "Services" tab and in the "Certificates in the private key container" section, click the "View certificates in the container..." button.

    A window will appear on the screen asking you to select a key container.

    Click the "Browse" button to see the electronic signatures that are recorded on the secure media.

    A window will appear asking you to select a key container.

    If there is only one electronic signature on the medium, there will be no problems with selection.

    If there are several entries and you do not know which electronic signature is needed, select the first entry in order and click “OK”. Then click the “Next” button.

    Information about the selected electronic signature will open.

    Have you determined that a different signature is needed? Click the Back button and choose a different signature.

    Continue opening signature information until you find the one you want.

    Found the signature you need? Click the "Install" button.

    After successful installation of the personal certificate, a notification will appear on the screen. Click OK. The personal certificate is installed.

    Step 4. Installing the CA root certificate

    To install the root certificate of the Certification Authority, click the “Properties” button. The electronic signature certificate will open.

    “ASP Electronic Services” issues qualified electronic signatures from the Kaluga Astral certification center.

    On the General tab, you will see a message: “This certificate could not be verified by tracing to a trusted certificate authority.” To fix this, go to the Certification Path tab.

    In the “Certification path” section, the chain from the manager's full name to the publisher (certification authority) is shown.

    To install the root certificate of a certification authority, double-click on it with the left mouse button. The electronic signature certificate window will open.

    Click the "Install Certificate" button.

    The Certificate Import Wizard will open, click Next.

    Place the cursor in the “Place all certificates in the following store” item, click the “Browse” button.


    A list of stores for installing certificates will open.

    Now you are building a chain of trusted certificates, so select the “Trusted Root Certification Authorities” store and click “OK”. Then click Next.

    At the final stage, click the “Finish” button.

    The installation of the certificate will begin.

    The operating system will warn you about installing the certificate and ask you to confirm that you are the one installing the certificate.

    A security warning will appear on the screen.

    The security system cannot check the Certification Center of JSC Kaluga Astral, because Microsoft (the creators of the Windows OS line) is not aware of JSC Kaluga Astral. Don't worry and agree with the installation.

    After the root certificate is installed, a window will appear on the screen notifying you that the installation was successful. Close it by clicking “OK”.

    Step 5: Setting up the Internet browser

    Most state portals work exclusively in Internet Explorer version 8.0 or higher. This is due to two reasons:

    1. Internet Explorer is built into every Windows operating system.
    2. Not all Internet browsers support working with ActiveX components, which are needed to perform cryptographic tasks on the Internet.

    Step 6: Configure Trusted Hosts

    Add the addresses of the electronic platforms to the trusted sites so that the Internet browser can run all the necessary “scripts” and modules for working with cryptography.

    Launch Internet Explorer and press the Alt button on your keyboard.

    An action bar will appear at the top of the browser. Click the “Tools” -> “Browser Options” button on the panel.

    The Internet Options window will open. Go to the "Security" tab.

    Select the Trusted Sites zone and click the Sites button.

    In the “Trusted Sites” window (at the bottom of it), uncheck the “Server verification (https:) is required for all sites in the zone” box.

    In the line “Add the following node to the zone:” enter the portal address https://*.gosuslugi.ru. Click Add.

    Step 6: Configuring ActiveX Components

    After adding nodes, enable ActiveX components.

    In Internet Options, on the Security tab, select the Trusted Sites zone.

    At the bottom of the window, in the “Security level for this zone” section, click on the “Other” button. A window will open with security settings for trusted sites.

    In the "Access to data sources outside the domain" option in the "Miscellaneous" section, place the cursor in the "Enable" item.

    In the "Block pop-up windows" option in the "Miscellaneous" section, move the cursor to the "Enable" option.

    At the bottom of the parameters table there is a section “ActiveX controls and connection modules”. Select “Enable” for all parameters in this section. Click OK and close all open windows. Browser setup is complete.

    Try logging into the government services portal. You will receive an error notification.

    How to install the plugin?

    To download the plugin distribution kit, follow the link: https://ds-plugin.gosuslugi.ru/plugin/upload/Index.spr

    Download and install the plugin following the installation wizard.

    Restart your Internet browser. Your workplace is ready, proceed to registration and/or work on the State Services portal.

    Questions:

    1. Which certificate is right for the job?
    2. How to buy / Under what tariff can I purchase a certificate?
    3. How to set up a workplace.
    4. Features of the resource.
    5. Technical support contacts. Questions and errors while working.

    Solution:

    1. To work on the portal, you need a qualified electronic signature (CES), with the exception of the CES for SMEV EP-OV.
    • A cloud CEP is NOT suitable for working on the State Services portal, because cloud certificates only work in Kontur services.
    • If there is a certificate for Kontur.Extern or another Kontur product issued to the manager (i.e. a CEP issued to a legal entity), from a technical point of view it will be suitable, but we do not guarantee the operation of the CEP for CE and other Kontur products anywhere except Kontur services; therefore we recommend using the CEP UC Portal to work.
    • The portal has the ability to work with certificates recorded on JaCarta (that is, CEP for EGAIS).
    • Registration of legal entities in the Unified System of Identification and Authentication (USIA) is not possible if the organization does not have an OGRN, because during registration with USIA the data is checked against the Unified State Register of Legal Entities. That is, non-resident organizations (representatives of foreign organizations) will not be able to work on the portal due to the presence of a “zero” OGRN in the certificate.
    • Registering an account of a legal entity/individual with a certificate indicating a “zero” SNILS is not possible.

    2. If there is no certificate and you need to purchase it.

    A suitable certificate is issued within the tariffs:

    • Qualified Classic
    • Electronic signature 2.0
    • Qualified Rosreestr
    • Qualified FCS
    • Qualified Rosaccrediatsiya
    • Qualified SMEV (EP-SP (indicating the individual))
    • Qualified GIS GMP (EP-SP (indicating the individual))
    • Qualified electronic signature for EGAIS

    3. To set up a workplace, you can use the sertum.ru web disk, the profile “Set up for work on the portals of State Procurement and State Services”, or https://install.kontur.ru/zakupki, or the CA profile diagnostics at https://help.kontur.ru/uc. During the diagnostics, in addition to the recommended fixes, you must select the “Plugin for the Public Services Portal” component.

    Components and settings required to work on the portal:

    • Plugin for the State Services Portal (can be downloaded from the government services website)
    • Cryptoprovider CryptoPRO CSP (this item is not needed if you are working with JaCarta SE for EGAIS)
    • Add the address https://esia.gosuslugi.ru to the list of Trusted sites (only for Internet Explorer browser)
    • You may need to enable/allow access to the plugin according to the recommendations in the document.

    The Portal plugin (2.0.6 and below) only works in browsers that support ActiveX and NPAPI, i.e. it will not work in Edge, Google Chrome 45+, Opera 38+ or Yandex.Browser 16.7+.

    The public services portal itself does NOT work in Internet Explorer 8.

    Plugin 3.0.0.0 works in browsers: Internet Explorer; Google Chrome version 29.0 and higher; Mozilla Firefox versions 50.0 and higher; Safari; Satellite.

    For the plugin to work in Google Chrome, you will need the .

    If errors occur with the plugin, you can use the instructions from the portal: https://www.gosuslugi.ru/help/faq/yuridicheskim_licam/2744

    The new plugin started asking for a PIN code. When you enter the standard one, a message appears that the PIN code is incorrect. Solution:

    Enter any set of letters/numbers and click "Continue"

    The CryptoPro CSP window will appear with a message that the password is incorrect

    • Enter the correct PIN code/password (if not used, leave the window blank) and click “OK”.

    4. Features of the Portal and common situations related to obtaining a certificate and registration:

    • If you need to register as a legal entity and, accordingly, receive services for a legal entity, you need to obtain a CEP for CA services for a legal entity, issued to the head of the organization indicated in the Unified State Register of Legal Entities as a person who has the right to act without a power of attorney on behalf of the legal entity.

    Pay attention! If an organization is registered for the first time on the State Services Portal, the CEP must be issued to the head of the organization indicated in the Unified State Register of Legal Entities as a person who has the right to act without a power of attorney on behalf of the legal entity.

    • If the organization has a branch structure, the initial registration with its own CEP at the State Services must be carried out by the head of the parent organization.
    • If a management company acts on behalf of the subscriber’s organization as the sole executive body, then it is necessary to obtain a certificate indicating the following data:
      • an individual - the head of the Management Company, a legal entity - a managed company
    • If you need to register as an individual/individual entrepreneur and receive services for an individual/individual entrepreneur, then you need to obtain a CEP for CA services for an individual/individual entrepreneur, respectively.