In order to transfer the private key container ( key) and user certificate ( certificate) you will need:
- key floppy disk with key and certificate
- a computer with a floppy drive ( computer 1)
- a computer without a floppy drive ( computer 2), from which tax reporting will be sent
- regular flash drive ( flash drive)
- CryptoPro distribution kit of any version and reader Registry for him

First stage: preparing the computer and copying the key

Install the distribution CryptoPro on computer 1

Launch the snap-in CryptoPro CSP from Control panels.
Paste into computer 1 flash drive.

In the new window, click the "Add..." button

Check Drive?:, as shown in the pictures.

Click "Next >", "Finish" and "Ok".

Now insert the key floppy.

Go to the "Service" tab, click on the "Copy container" button.
In the new window, click the "Browse" button and specify "Drive A:" as key container, which will be copied.

Now specify the name of the new key container and click "Finish", after which the program will ask you to specify a device for recording the key. In this case, this is our flash drive (Disk drive?). Select it and click "Ok", when prompted for a password, click "OK" again.

After this, you need to copy the certificate file (file with *.cer extension) from the floppy disk to a flash drive via Explorer or in any other way.

Stage two: preparing computer 2 and installing the key

Install the distribution CryptoPro on computer 2(skip this item if Crypto-Pro is already installed on it).

Launch the snap-in CryptoPro CSP from Control panels.
Paste into computer 2 flash drive.

Go to the "Hardware" tab, click the "Configure readers" button.

In the new window, click the "Add..." button, now "Next >", check Drive?:, as shown in the pictures.

The drive letter must match the letter assigned to the flash drive operating system.
Click "Next >", "Finish" and "Ok".

Now add the reader Registry in a similar way and through the "Service" tab, copy the private key container from Drive?: to the reader Registry(specify Drive?: as the source when copying, and Registry as the destination).

Copy from flash drive to computer 2 certificate.

In CryptoPro CSP, on the "Service" tab, click the "Install" button personal certificate", follow the instructions of the installation wizard. When selecting a key container, specify Registry.

Connect to the Internet and try using the Kontur-Extern system.

If the Kontur-Extern system is installed on your computer for the first time, be sure to download and run

Almost every organization has some kind of electronic key. They are widespread and without them it is almost impossible to conduct any activity. They are needed for signing reporting documents and for many other things. Therefore, those who serve the IT sector in the organization need to know what it is. For example, today we’ll talk about how to copy a certificate from the registry and transfer it to another computer.

How to copy a certificate from the registry to a flash drive

Let's imagine you come to an organization and you need to set up access to a portal for a new employee. Electronic key You don’t have it and you don’t know where to get it. In this case, the easiest way is to copy it from the computer on which it is installed. To do this, take a clean flash drive and launch Crypto Pro. Start - All programs - Crypto Pro - Certificates. In general, it is better to store copies of the keys on a separate flash drive in your closet.

In the window that opens, go to the Composition tab and click Copy to file at the bottom.

The certificate export wizard will open on the first tab, click next. You need to specify copy private key or not. We don’t need it yet, so we’ll leave everything as it is.

Now we mark the required certificate format; in most cases, you need to leave everything here by default.

How to copy a private key from the registry

Some certificates require a private key. It can also be copied from the registry to a flash drive. This can also be done simply by launching Crypto Pro. Go to the service tab and select Copy.

Enter a new name and click Finish.

In the window that opens, select the flash drive.

Electronic document management is entering our lives more and more tightly.
Today this question This concerns not only office employees of enterprises and individual entrepreneurs; working with electronic documents increasingly makes it easier for ordinary citizens to solve everyday problems in everyday life. Of course, with the increasing applicability of electronic documents, the distribution of electronic digital signature, abbreviated as EDS.
It is about increasing the convenience of working with digital signatures that we will discuss further, namely, we will consider how to add EDS key to the CryptoPro registry on the computer.

What is digital signature and private key certificate

Electronic digital signature used in many software products: 1C: Enterprise (and other programs for business or accounting), VLSI++ , Contour.Extern (and other solutions for working with accounting and tax reporting) and others. EDS has also found application in servicing individuals when resolving issues with government agencies.

EDS- this is a kind of guarantor in the world of electronic document management, similar to a regular signature and seals on paper

As with signing paper documents, the process of signing electronic media involves " editing"primary source.

Electronic digital signature of documents carried out by transformation electronic document using the owner's private key, this process is called document signing

To date private key certificates most often distributed either on regular USB flash drives or on special protected media with the same USB interface (Rutoken , eToken and so on).
At the same time, every time there is a need to sign documents (or identify a user), we need to insert the media with the key into the computer, and then manipulate the certificate. Accordingly, after completing the work, we simply need to remove the media from the computer so that no one else can use our signature. This method is quite safe, but not always convenient.

If you use digital signature at home, then every time connect/disconnect token gets boring quickly. In addition, the carrier will occupy one USB port, which are not always enough to connect all the necessary peripherals.
If you use digital signature at work, it happens that the certification center issued only one key, and different people must sign documents. Carrying a container back and forth is also not convenient, and there are also cases when Several specialists work with a certificate at the same time.
In addition, both at home and, especially, at work, it happens that on one computer it is necessary to perform actions using immediately multiple digital signature keys.

It is in cases where the use of a physical certificate medium is inconvenient that you can register the digital signature key in the CryptoPro registry(you can read more about the Windows registry in a general sense in the corresponding article: Changing Windows registry settings) And use the certificate without connecting the media to the computer's USB port.

Adding a Registry reader to CryptoPro CSP

First of all, in order for our CryptoPro to be able to work with locally registered keys, we need to add a version of such a reader.

In order to set the new media type in the CSP utility, run the program as administrator right click mouse or from the utility menu on the General tab

Now go to the Hardware tab and click on the button Configure readers...
If there is no option in the window that opens Registry, then to display it here, click on the Add button...

1. Click the Next button in the first window.
2. From the list of readers from all manufacturers, select the option Registry and click Next again.
3. Enter a custom reader name, you can leave the default name. Click Next.
4. In the last window we see a notification that after completing the reader setup, it is recommended to restart the computer. Click the Finish button and reboot the machine yourself.

The first stage is completed. Registry reader added , as evidenced by the corresponding item in the window Reader management (We remind you that this window is called up along the path CryptoPro - Equipment - Configure readers...)

Copying the key to the CryptoPro CSP Registry

To register the key container in local storage , connect the physical media with the key to the computer.

Now run the CryptoPro utility again, open the Service tab and click on the Copy button...
Next in the window Copy Private Key Container Wizards Click the Browse button (or According to the certificate...) and select our key carrier, confirming your choice with the OK button, and then proceed to the next window with the Next button.

In the new window, set an arbitrary friendly name for the key container being created and click the Finish button. Then, to record the key, select the reader type we created earlier Registry, confirming your choice with the OK button.
After confirmation, we need to set a Password for the created key container; by default, most often, a password is used 12345678 , but for more secure operation the password can be set more complex. After entering the password, click on the OK button.

All, key container added to the CryptoPro Registry .

Installing a CryptoPro CSP private key certificate

To complete the setup of signing documents without connecting the key carrier to the computer, all we have to do is install private key certificate from the created media container.

To install a certificate in CryptoPro you need to do the following:

1. In the CSP utility, on the Service tab, click on the button View certificates in container...
2. In the window that opens, click on the Browse button, where we select the desired media using the name we specified, confirming the selection with the OK button. Click Next.
3. In the final window, we check that the certificate has been selected correctly and confirm the decision with the Install button.

Now we have installed Private key certificate from local storage Registry .

Setting up CryptoPro is complete, but you should remember that for many software products will also be required re-register new key in system settings.
After these steps we can sign documents without connecting a key, be it Rutoken, eToken or some other physical medium.

Copy using Windows

If you use a floppy disk or flash drive for work, you can copy the container with the certificate using Windows (this method is suitable for versions of CryptoPro CSP no lower than 3.0). Place the folder with the private key (and, if there is one, the certificate file - the public key) in the root of the floppy disk / flash drive (if you do not place it in the root, then working with the certificate will be impossible). It is recommended not to change the folder name when copying.

The folder with the private key should contain 6 files with the extension .key. As a rule, the private key contains a public key (the header.key file in this case will weigh more than 1 KB). In this case, it is not necessary to copy the public key. An example of a private key is a folder with six files and a public key is a file with the .cer extension.

Private key Public key

Copy to Diagnostics profile

1. Go to the “Copying” Diagnostics profile using the link.

2. Insert the media to which you want to copy the certificate.

3. On the desired certificate, click on the “Copy” button.

If a password has been set for the container, the message “Enter the password for the device from which the certificate will be copied” will appear.

4. Select the media where you want to copy the certificate and click “Next”.

5. Give the new container a name and click on the “Next” button.

6. A message indicating that the certificate was successfully copied should appear.

Bulk copy

1. Download and run the utility. Wait for the entire list of containers/certificates to load and select the required checkboxes.
2. Select the Bulk Actions menu and click on the Copy Containers button.

3. Select the storage media for the container copy and click OK. When copying to the registry, you can check the box “Copy to the key container of the computer”, then after copying the container will be available to all users of this computer.

4. After copying, click the “Update” button at the bottom left.
If you want to work with copied containers, you need .

Copying using CryptoPro CSP

Select “Start” > “Control Panel” > “CryptoPro CSP”. Go to the “Service” tab and click on the “Copy” button.

In the Copy Private Key Container window, click on the Browse button .

Select the container you want to copy and click on the “Ok” button, then “Next”. If you copy from a root token, an input window will appear in which you should enter a pin code. If you have not changed the pin code on the media, the standard pin code is 12345678.

Create and manually specify a name for the new container. Russian layout and spaces are allowed in the container name. Then click "Done".

In the Insert Blank Key Media window, select the media on which the new container will be placed.

You will be prompted to set a password for the new container. We recommend that you set a password that is easy for you to remember, but that others cannot guess or guess. If you do not want to set a password, you can leave the field blank and click OK.

Do not store your password/pin code in places where others have access. If you lose your password/pin code, using the container will become impossible.

If you copy the container to a ruToken smart card, the message will sound different. In the input window, enter your pin code. If you have not changed the pin code on the media, the standard pin code is 12345678.

After copying, the system will return to the “Service” tab of CryptoPro CSP. Copying is complete. If you plan to use a new key container to work in Externa, .

Initially, an electronic signature (ES) is issued to physical media called RuToken or EToken. It stores a certificate (aka public key, as I understand it) and a secret (aka private) key. This key pair is combined by a key container. There can be several key containers on one physical medium. After the certificate expires, it is reissued along with the private key, that is, a pair of keys is created anew: private and public.

So, what I’m talking about, the office has a Rutoken with an electronic signature, several employees may need it at the same time to sign documents, and this is where conflicts begin. But in fact, not everything is so sad, if the key container allows itself to be exported, then it can be placed from Rutoken to the Registry! By placing the container in the registry and indicating to the certificate that the private key is stored in the registry at such and such an address, the presence of Rutoken in the USB port disappears.

How it's done

Naturally, the first thing we do is insert Rutoken into the USB port. Launch CryptoPro CSP as ADMINISTRATOR and check which media are available:
If a reader is available in the list Registry, then everything is fine, otherwise press the button Add and using the reader installation wizard we add Registry.

Next you should test the key container:
If key export is allowed, then let's start copying the key! Go to the key copy interface Tools -> Copy, select the name of the key container that is stored on Rutoken. Please note the setting if installed User, then the browser will display key containers from the registry that were previously exported for the current OS user, if you install Computer, then the containers previously exported for the computer will be displayed. Let's copy it for the user:

Selecting a container to copy

Click Further, and specify the name of the key container under which it will be stored in the registry. You should also pay attention to the property The name entered specifies the key container. If you install User, then the container will be copied to the registry and will be available to the current OS user if installed Computer, then the container will be copied to the registry and will be available to everyone. Let's set for the user:
After selecting the reader, set New Password for the new copied key container, the export is complete. To make the certificate refer to the private key stored in the registry, simply reinstall the certificate.