One of our company's employees needed to register on the Gosuslugi (state services) portal. As you know, the portal now lets you log in to your personal account either with a login and password or with an electronic signature. The login/password option was rejected out of professional paranoia, and the employee went to the certification authority (CA) of Rostelecom, the system operator, to obtain a certificate. The CA did not offer Rutoken EDS as an electronic signature carrier / hardware SKZI (cryptographic information protection device). Out of corporate patriotism, the employee decided not to force the issue, but to try logging in to the state services portal using Rutoken EDS for the electronic signature.
What came out of this is described under the cut.

- The state services portal uses a special browser plugin for electronic signatures, and the plugin is quite versatile. As a signing tool, it can hook up both hardware SKZI and software crypto providers. Rutoken EDS is supported in this plugin.
- Rutoken EDS is supported through our library, which implements the PKCS #11 standard.
- Logging in to the personal account on the state services portal with an electronic signature consists of signing random data sent by the server. The signature is produced in PKCS #7 format. To authenticate the user, the server uses information from the X.509 certificate, and successful signature verification confirms that the user holds the private key corresponding to the certificate.
- For the server to accept a user certificate, it must be an enhanced qualified certificate.
The task was divided into subtasks:
- Generate a key on Rutoken EDS in a format compatible with the state services plugin, that is, through the PKCS #11 library.
- Find out which accredited CAs issue qualified certificates to individuals.
- Agree with one of these CAs that it will issue a certificate based on a request generated remotely.
- Generate a correct request for a qualified certificate.
- Deliver the request to the CA.
- Obtain the certificate and write it to Rutoken EDS in a format compatible with the state services plugin, that is, through the PKCS #11 library.
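The enrollment subtasks and the login exchange described above (PKCS #10 request, certificate issued by a CA, PKCS #7 signature over the server's random data) can be reproduced with OpenSSL. This is an added example, not the portal's or the plugin's code: RSA software keys stand in for the GOST key kept on the token, a throwaway test CA stands in for the accredited CA, and all names and files are constructed. It also shows why a signature captured during one login is rejected for the next one.

```shell
#!/bin/sh
# Added example, not the portal's or the plugin's code. Assumptions: RSA software
# keys stand in for the GOST key kept on the token, a throwaway test CA stands in
# for the accredited CA, and every name and file here is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

enroll_user() {    # key pair -> PKCS #10 request -> certificate issued by the CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Test User" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/user.csr" -days 1 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/user.crt" 2>/dev/null
}

new_challenge() {  # server: fresh random data for one login attempt ($1 = file)
    openssl rand -hex 32 > "$1"
}

sign_challenge() { # client: detached PKCS #7 (CMS) signature ($1 = data, $2 = out)
    openssl cms -sign -binary -in "$1" -signer "$WORK/user.crt" \
        -inkey "$WORK/user.key" -outform DER -out "$2" 2>/dev/null
}

verify_login() {   # server: $1 = challenge it issued, $2 = signature it received
    # Passes only if the signature covers exactly this challenge and the signer
    # certificate chains to the trusted CA.
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null
}

enroll_user
new_challenge "$WORK/c1"
sign_challenge "$WORK/c1" "$WORK/c1.p7s"
new_challenge "$WORK/c2"    # the next login attempt gets different random data

verify_login "$WORK/c1" "$WORK/c1.p7s" && echo "signature over c1: accepted"
verify_login "$WORK/c2" "$WORK/c1.p7s" || echo "c1 signature replayed for c2: rejected"
```

With a real token the private key never leaves the device, so the `sign_challenge` step is performed by the token through the PKCS #11 library rather than from a key file.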
We reached an agreement with a CA fairly quickly. One of our main partners, SKB Kontur, is accredited in the state services system and agreed to issue us a certificate according to the scheme described above.
To solve the technical issues, we decided to use the Rutoken Plugin, which also works through the PKCS #11 library and is compatible with the state services plugin.
Registration Center
To generate a key, create a request and write a certificate, we made a set of web pages, which we provisionally called the Registration Center. The Registration Center needs no server-side component; all operations are performed on the client. It requires the Rutoken Plugin to be installed.
Registration Center allows you to:
- View key pairs and certificates on connected Rutoken EDS devices (viewing key pairs means viewing information about them)
- Generate a new key pair
- Generate a PKCS #10 request for the selected key pair
- Generate requests from a template
- Import certificate to device
- Delete certificate from device
Generating a key and generating a certificate request
Below are instructions for generating a key and a certificate request using the Registration Center:
1. Start Registration Center:

2. Connect Rutoken EDS to the computer, select a token, enter the PIN code:

After selecting a token, the menu appears:

3. Press the “Create a key” button:

Then click "Create a request for this key"

4. On the request creation page, select the template “SKB Kontur, for natural persons”, fill in the request fields, and click the “Create request” button (all fields must be filled in; a test example is shown here):

5. Copy the request to send it to the CA:

6. The generated key appeared in the list:

After sending the request, the employee received a notification that he had to appear at the CA office for identification.
After passing the identity check, our employee received a certificate.
Import certificate
1. Select a token from the list, click the “Import Certificate” button, paste the received certificate into the input form, and click the “Import” button:

2. When importing, select the “Custom” certificate type:

3. After that, a window appears showing the certificate and a message about the successful import to the Rutoken EDS (the picture shows an example of importing a test certificate obtained from a test CA):

4. The certificate will appear in the list:

Logging in to the state services portal
The employee installed the state services plugin and managed to log in to the portal with the electronic signature.

Choose “By electronic signature”:

Choose a certificate:

Enter the PIN:

We land in the personal account:

Instead of a conclusion
The concept of hardware SKZI made in various form factors can be in demand in mass-market projects aimed at individuals, first of all because it simplifies the use of cryptography. Plugins that integrate the browser with hardware cryptographic solutions should evolve toward easier installation and broader capabilities. Then these solutions will be used more often.
To make it possible to issue qualified certificates for Rutoken EDS that can be used with the state services plugin or with the Rutoken Plugin, a local version of the Registration Center was made. It can be used directly at certificate issuance points.