April 18, 2017 at 11:30 pm

We go to your personal account at zakupki.gov.ru without Internet Explorer and others useful tips when working with CryptoPro

In this note I will try to summarize the experience of using the cryptoprovider CryptoPro to access the closed part of the official website of a single information system in the field of procurement (zakupki.gov.ru) and the website of government services (gosuslugi.ru). The cryptoprovider itself has already become a de facto standard for government agencies; in its format, an EDS is issued, for example, by a certification center (CA) Federal Treasury or TC of the Ministry of Health.

First of all, we will talk about the website zakupki.gov.ru. The personal account of this site is accessible only via HTTPS using GOST encryption algorithms. For a long time, HTTPS via GOST only worked in Internet Explorer, which relied entirely on the crypto provider. The end came not long ago, when the website zakupki.gov.ru stopped supporting older versions of IE, including IE8. The trouble is that IE8 is the latest version of this browser supported on Windows XP, and government agencies tend to be very conservative in terms of licensing. Thus, a fairly large part of users found themselves “overboard” overnight.

Fortunately, the CryptoPro company releases a special assembly Firefox browser called CryptoPro Fox (CryptoFox), which supports GOST algorithms and works, of course, only in conjunction with the corresponding crypto provider. There was a time when the development of the assembly almost completely stopped, but now new versions are released regularly. The latest build is based on Firefox 45. You can download the builds, versions are available for Windows, Linux and even Apple OS X.

The English version of the browser is available at this link. To localize it, you need to download a package with a translation of the interface. Please note that the version of the package must match the version of the browser itself.

After installing the package you need to open new tab, type about:config there, and in the list of parameters that opens, enter general.useragent.locale and change its value from en-US to ru-RU. After restarting the browser, the interface will be in Russian.

Now you can put the root certificate of the Federal Treasury CA in the “Trusted Root Certification Authorities” repository, the user’s personal certificate in the “Personal” repository, restart the browser and log into your personal account zakupki.gov.ru according to 44-FZ.

My workplace does not have valid certificates of authorized persons, so access to my personal account is prohibited. However, the connection is encrypted in any case using an algorithm from the GOST family.

In case of access to the closed part of the site under 223-FZ, authorization will take place through the ESIA (that is, through the site gosuslugi.ru). Here the situation is simplified, because this site’s plugin for Firefox has existed for a long time and is being developed by Rostelecom. When you first visit the site, we will be prompted to download the plugin. After installation, the plugin should be switched to the “Always on” mode in the CryptoFox settings, otherwise a window requesting a certificate will not appear on the government services website.

Unfortunately, signing documents on the website zakupki.gov.ru is implemented through a specific component sing.cab, which uses ActiveX technology. Naturally, this component will not work in CryptoPro, so we will wait for the transition to a more common technology. Fortunately, signing a document is only a small part of what an operator must do while working on zakupki.gov.ru, so CryptoFox can be used for everyday operations.

Sometimes it is necessary to save a copy private key on local computer. This can be done if the key is marked as uploadable when created in the CA. Copying is done using the “Copy” button (what a surprise) in the CryptoPro applet interface

If there are two options for storing the key on the local machine - in the “Registry” reader and in the virtual removable disk. In principle, the security of storing the key in both cases is approximately the same, so the choice of means is up to the reader.

In the “Register” reader, keys are stored in the branch

HKLM\SOFTWARE\Crypto Pro\Settings\Users\\Keys
for user and branch

HKLM\SOFTWARE\Crypto Pro\Settings\Keys
for the computer as a whole.

In the case of a 64-bit OS, the paths will be slightly different:

HKLM\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Users\\Keys
And

HKLM\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Keys

When CryptoPro is running on a terminal server, the user may not have enough rights to write the key to these branches, since they are not in the user profile. This situation can be corrected by assigning appropriate rights to branches through the Regedit utility.

CryptoPro looks for key containers on disks that have the “removable” attribute, that is, a flash drive or, God forgive me, a floppy disk will be considered key containers, and network drive or a disk forwarded via RDP - no. This allows you to store keys on floppy disk images on the principle of one key - one floppy disk and thereby increase security. For creating virtual drive you can use the utility

Attention: the article is outdated and refers to an earlier version of the government procurement website of the Republic of Kazakhstan.

We configure the Internet Explorer and Java browser to work with the Public Procurement of the Republic of Kazakhstan (GZ RK) portal.

In the article:

Before starting setup you should have:

• EDS keys have been installed. How to install keys is shown in this article -
• NCA certificates have been established. How to install NCA certificates is shown in this article -
• Java installed latest version. How to download, install or update Java is shown in this article −

Open the website of Public Procurement of the Republic of Kazakhstan, copy the website address.

Go to the browser settings, click on the icon in the right top corner browser, in the menu that opens, select Browser Properties.

In the window that opens, select Trusted nodes and press the button Websites.
Be sure to uncheck All sites in this zone require server verification (https:), check that the line contains the address http://goszakup.gov.kz, press the button Add.

To trusted Web sites you need to enter another address of the portal of the State Law of the Republic of Kazakhstan - https://goszakup.gov.kz

Click on the line Add the following node to the zone right mouse button and paste the copied portal address there. After http insert a letter s to get an address like

Press the button Add.

We check that two nodes have been added:

• http://goszakup.gov.kz
• http://www.goszakup.gov.kz/?setlang=ru

If you plan to work in the “Competition and Auction” Module, add another address here:

Press the button Close
In the window Browser properties, press the button Another

In the window that opens, look for Miscellaneous and set in the following items:

• Block pop-ups - Disable
• Use SmartScreen Filter - Disable

Let's move on to the section ActiveX controls and plugins.

In all paragraphs of this section, you must indicate Turn on.

Having checked all the items in the ActiveX section, press the button OK, in the window that appears Are you sure you want to change the setting for this zone?- press Yes.

We close all windows, including the Internet Explorer browser and move on to the next point - Installing a certificate for the website Public Procurement of the Republic of Kazakhstan.

The Internet Explorer browser is configured to work with the government procurement portal of the Republic of Kazakhstan.

Download the archive with the certificate of the portal of the Civil Protection of the Republic of Kazakhstan - link.

Extract the certificate file - goszakup.gov.kz.cer from the archive.

Go to the tab Security, click on the button Manage Certificates

We install the certificate of the Civil Protection of the Republic of Kazakhstan in Trusted Certificates And Secure Site

1. In line Certificate type choose Trusted Certificates
2. Click the button Import
3. Open the folder where we downloaded the security certificate of the portal of the Civil Protection of the Republic of Kazakhstan
4. Files of type All Files goszakup.gov.kz
5. Open;
6. IN Trusted Certificates the certificate was displayed GOSZAKUP.GOV.KZ NCA HR (RSA)

1. IN Certificate type choose Secure Site;
2. Click the button Import;
3. Open the folder where we downloaded the security certificate of the portal of the Civil Protection of the Republic of Kazakhstan;
4. Since the certificate is not displayed in this folder, we enable the display of all file types in the paragraph Files of type window, select an item from the list All Files. Now we see a file in the folder goszakup.gov.kz;
5. Select the file with a single click and press the button Open;
6. IN Secure Site the certificate was displayed GOSZAKUP.GOV.KZ NCA HR (RSA).

The portal certificate is installed.

Go to the tab Security, click on the button Edit Site List

Press the button Add and enter the address in the line that appears - http://www.goszakup.gov.kz/?setlang=ru

From July 2, 2018 in personal account customers under Law No. 44-FZ, when placing information, a blocking message may appear: “An error occurred during placement, try again: “signCadeBES” is not defined.” due to incorrect workplace settings. To eliminate the blocking message when publishing information, it is recommended to configure the workplace in accordance with clause 6 of the Instructions for installing and configuring the “CryptoPro EDS” component Browser plug-in", available at the link:

In a pop-up window in the Internet browser Internet Explorer asking you to allow the add-on, you must allow the add-on to run by clicking on the "Allow" button. If the plugin works correctly, when you go to the page, an access confirmation window will open. In the access confirmation window that opens, click "Yes".

Instructions for installing and configuring the “CryptoPro EDS Browser plug-in” component (extract)

5 Configuring the plug-in “CryptoPro EDS Browser plug-in”

For the user to work correctly in the UIS in the Internet browser “Internet Explorer” using the “CryptoPro EDS Browser plug-in” plug-in, you must:

• Add the address of the Official EIS website to the list of exceptions and trusted sites in the browser settings.
• Try working in compatibility mode (for Internet Explorer version 10 and higher).

A detailed description of the actions is given in the document “Instructions for setting up a workstation”.

For all browsers, you must add the address of the Official EIS website to the list of reliable nodes of the CryptoPro EDS Browser plug-in plug-in.

To check that the Official EIS website has been added to the list of trusted nodes of the plug-in, or to add it to trusted nodes, open the “CryptoPro EDS Browser plug-in Settings” shortcut using the required Internet browser.

To do this, click right click mouse shortcut “CryptoPro EDS Browser plug-in settings” and in the context menu select “Open with”, then select the name of the required browser (Figure 5).

Figure 5. Selecting an Internet browser in the item context menu"To open with"

In the Internet browser window that opens, the “CryptoPro EDS Browser Plug-in Settings” page will be displayed (Figure 6).

Figure 6. Configuration page for the “CryptoPro EDS Browser Plug-in” plugin

In the Internet browser “Internet Explorer”, in the pop-up window, allow the execution of scripts and ActiveX controls by clicking on the “Allow blocked content” button (see Figure 6).

On the plugin settings page in the “List of trusted nodes” block, enter the address of the Official EIS website “http://zakupki.gov.ru” in the field for entering values ​​and click on the “” icon.

To save the added nodes, click on the “Save” button (Figure 7).

Figure 7. Configuration page of the plug-in “CryptoPro EDS Browser Plug-in” with the address of the Official EIS website added to the list of trusted nodes

6 Checking the operation of the plug-in “CryptoPro EDS Browser plug-in”

To check the correct operation of the “CryptoPro EDS Browser plug-in” plug-in in your Internet browser, go to the page: https://www.cryptopro.ru/sites/default/files/products/cades/demopage/simple.html.

If the plugin has not been installed or configured, the page will look like the one shown in the figure below (Figure 8).

Figure 8. Page for checking the operation of the “CryptoPro EDS Browser plug-in” plug-in. Plugin not available

In the Internet browser “Internet Explorer” in the pop-up window, allow the add-on to run by clicking on the “Allow” button (Figure 9).

Figure 9. Internet browser window “Internet Explorer 10”. Pop-up window asking permission to run an add-on

If the plugin works correctly, when you go to the page, an access confirmation window will open (Figure 10).

Figure 10. Access confirmation window

In the window that opens, click the “Yes” button; to cancel the action, click “No”.

Following the instructions on the page, select a signing certificate, enter data to verify the plugin is working and click on the “Sign” button (if necessary) (Figure 11).

Figure 11. Page for checking the operation of the CryptoPro EDS Browser plug-in. The plugin is loaded, the signature is generated successfully

From July 1, 2018, documents are signed on the EIS website zakupki.gov.ru using the CryptoPro EDS Browser plug-in. The "sign.cab" plugin is not used.

3. Installing root certificates

You will need to install:

1. Root certificate of the Head Certification Authority (GUC, also known as the Ministry of Telecom and Mass Communications). .

2. Root certificate of the Certification Authority of the Federal Treasury (CA FC) or a commercial certification authority (Kontur, Taxcom, Tensor, etc.), depending on which CA issued your electronic signature certificate. .

4. Installing a personal certificate

From July 1, 2018, only enhanced qualified qualifications can be used on the procurement portal. electronic signature. You can obtain a qualified (reinforced qualified) certificate from accredited certification centers. .

5. Setting up Internet Explorer browser

1. Add the UIS (zakupki.gov.ru) to the list of trusted sites in Internet Explorer: go to browser properties - “Security” tab - “Trusted Sites” icon - “Sites” button.

In the “Add the following node to the zone” field, write “https://*.zakupki.gov.ru” and click “Add”.

2. Configure security settings: go to browser properties - “Security” tab - “Trusted sites” icon - “Other” button.

Block “Miscellaneous” - “Block pop-ups” - select “Disable”.

Block “Miscellaneous” - “Access to data sources outside the domain” - select “Enable”.

Block “Scenarios” - “Active scenarios” - select “Enable”.

Block “Scripts” - “Enable XSS filter” - select “Disable”.

Block “Scripts” - “Run Java application scripts” - select “Enable”.

In the "ActiveX controls and connection modules" block, all values ​​are "Enable"

And click the “OK” button.

3. Set up pop-up windows: go to browser properties - “Privacy” tab - uncheck the “Block pop-up windows” switch.

4. Override automatic processing of cookies: go to browser properties - “Privacy” tab - “Advanced” button - in the new window, check the box “Override automatic processing” cookies" - click "OK".

5. Setting IE default settings: go to browser properties - “Advanced” tab - click on the “Reset” button.