ViPNet CSP 4.0. User's Guide

Transcription

1 ViPNet CSP 4.0 User's Guide

2 Inftecs. All rights reserved. Versin: ENU This dcument is included in the sftware distributin kit and is subject t the same terms and cnditins as the sftware itself. N part f this publicatin may be reprduced, published, stred in an electrnic database, r transmitted, in any frm r by any means electrnic, mechanical, recrding, r therwise fr any purpse, withut the prir written cnsent f Inftecs JSC. ViPNet is a registered trademark f Inftecs JSC, Mscw, Russia. All brands and prduct names that are trademarks r registered trademarks are the prperty f their wners. Inftecs GmbH Oberwallstr Berlin Deutschland Tel: +49 (0) Fax: +49 (0) [email protected] Web:

3 Cntents Intrductin... 8 Abut This Dcument... 9 Audience... 9 Dcument Cnventins... 9 Abut ViPNet CSP System Requirements Distributin Kit Feedback Chapter 1. Using ViPNet CSP in Data Prtectin Systems ViPNet CSP Purpse Encrypting and Signing Dcuments Key Cntainer Digital Signature Authenticity and Cnfidentiality f TLS/SSL Cnnectins ViPNet CSP Scpe Chapter 2. Quick Start Chapter 3. Setting Up and Starting ViPNet CSP ViPNet CSP Setup Running Setup frm the Cmmand Line Adding, Uninstalling, and Restring ViPNet CSP Cmpnents Starting ViPNet CSP ViPNet CSP Licensing Chapter 4. Registering ViPNet CSP Befre Yu Begin Why Yu Need t Register ViPNet CSP Starting the Registratin Prcess Buying Prgram (Getting a Serial Number) Requesting a Registratin Cde... 38

4 Requesting Yur Registratin Cde n the Internet (nline) Requesting Yur Registratin Cde by Requesting Yur Registratin Cde by Phne Receiving Yur Registratin Cde frm the Administratr Registering ViPNet CSP Saving Registratin Data If the Cnfiguratin f Yur Cmputer Has Been Changed System Administratr Actins fr Registratin Using a File Chapter 5. Obtaining a Certificate and Private Key Obtaining and Installing a Private Key and a Certificate Creating a Certificate Request and Generating a Private Key Using Signing Keys f the ViPNet Hst's User Chapter 6. Installing Cntainers and Certificates Ways t Install a Private Key and a Certificate Installing Cntainer frm a Flder Installing Cntainer frm an External Device Installing Certificates in a Cntainer Installing the User Certificate in the System Stre Installing a Certificate Which Has Nt Been Added t the Cntainer Installing a Certificate frm Cntainer Installing Issuer's Certificates and CRL Chapter 7. Wrking with Cntainers Viewing and Cnfiguring Cntainer Prperties Changing the Cntainer Passwrd Deleting a Previusly Saved Passwrd Verifying a Key Cntainer Deleting a Private Key Creating a Backup Cpy f a Cntainer Deleting a Cntainer Chapter 8. Managing External Devices Viewing the Cnnected Devices List Cnfiguring the Devices List External Device Initializatin... 87

5 Changing PIN Using a Randm Number Generatr Chapter 9. Digital Signature in Micrsft Office Dcuments Digitally Signing a Dcument Micrsft Office Micrsft Office Micrsft Office Viewing a Digital Signature Micrsft Office Micrsft Office Micrsft Office Remving a Digital Signature Micrsft Office Micrsft Office Micrsft Office Visible Representatin f a Signature Line in Wrd and Excel Dcuments Adding a Signature Line t a Dcument Adding a Signature Line t a Dcument Chapter 10. Digital Signature and Encryptin in Micrsft Mail Prgrams Organizing Encrypted Messages Exchange Exchanging Certificates with the Message Recipient Advanced Cnfiguring f Digital Signature and Encryptin Adding a Digital Signature t All Messages Micrsft Outlk Windws Live Mail Adding a Digital Signature t a Message Micrsft Outlk Digitally Sign/Sign Buttn Isn't Displayed Windws Live Mail Viewing the Message's Digital Signature Micrsft Outlk Windws Live Mail Encryptin Encryptin in Outlk Encryptin in Outlk

6 Encryptin in Micrsft Outlk 2010 and Micrsft Outlk Encryptin in the Windws Live Mail Prgram Viewing the Encrypted Messages Encrypting Dcuments and Files Chapter 11. Digital Signature in Micrsft Office InfPath Permissin t Sign an InfPath Frm with a Digital Signature Micrsft Office InfPath Micrsft Office InfPath Micrsft Office InfPath Signing an InfPath Frm Micrsft Office InfPath Micrsft Office InfPath 2007, 2010, and Viewing an InfPath Frm Signature Unsigning an InfPath Frm Chapter 12. Digital Signature fr Macrs and Databases Macr Digital Signature Digitally Signing a Macr Verifying a Macr's Digital Signature Unsigning a Macr Signing Micrsft Access 2007 and 2010 Databases Chapter 13. Organizing a Prtected Cnnectin via TLS/SSL Checklist: Organizing Access t a Prtected Web Server Cnfiguring a Server Hst Cnfiguring a Client Hst Cnfiguring Internet Explrer fr Wrk ver the TLS/SSL Prtcl Checking the Web Hst's Availability ver the Secure HTTPS Prtcl Chapter 14. Prblems and Trubleshting Checking the Prgram Cmpnents Integrity The Prgram Wn't Start ViPNet CSP Cnflicts with Other Prgrams Can't Use Accrd-TSHM Electrnic Lck When Yu Are Using etken Aladdin, the System Irrespnsive Unable t Check the Certificate

7 Dcument Can't be Encrypted Address f the Certificate Is Nt Fund n the List f Cntact Addresses Invalid Certificate Can't Use the Digital Signature The Crrespnding Private Key Is Nt Fund The Message Can't be Signed An Message Is Signed with a Certificate That Yu Have Nt Selected fr Signing Macrs r Micrsft Access 2007 Database Can't be Signed The Signature Line in Micrsft Wrd 2003 r Excel 2003 Can't be Signed Signed Micrsft Wrd r Excel Dcument Can't be Edited N Cnnectin t the Server ver HTTPS The IIS Server and the Web Client Have Different ViPNet CSP Versins User's Certificates, the Issuer's Certificate, and CRL Were Installed in the Wrng Stre The Brwser Is Nt Cnfigured t Wrk ver the TLS Prtcl The IIS Services Shuld Be Restarted Passwrd t Server's Certificate Shuld Be Saved When Yu Cnnect t a Server, Security Warning Is Displayed Prviding Additinal Infrmatin Abut the Prblem Appendix A. External Strage Devices Overview Supprted External Strage Devices Appendix B. Glssary Appendix C. Index

8 Intrductin Abut This Dcument 9 Abut ViPNet CSP 11 Feedback 13 ViPNet CSP 4.0. User's Guide 8

9 Abut This Dcument In this dcument, yu can learn abut the purpse f the ViPNet CSP prgram and find hw-t tpics n its usage. Here yu can als get an verview f the ViPNet CSP features, explre the principles f the prgram peratin, and find the descriptin f the graphical user interface. Audience This dcument appeals t thse wh use certificates in ViPNet CSP fr encrypting dcuments in digital dcument wrkflw and Outlk messages, fr signing, fr digital signatures verificatin, as well as t system administratrs wh rganize remte access t resurces ver TLS/SSL prtcls. A ViPNet CSP user des nt have t be an infrmatin technlgy prfessinal. Hwever, at least the minimal level f expsure t netwrk technlgies, IP prtcls, firewalls, and infrmatin security is recmmended. Dcument Cnventins This dcument cncerns the fllwing cnventins: Table 1: Dcument cnventins Icn Descriptin Warning: Indicates an bligatry actin r infrmatin which may be critical fr cntinuing user peratins. Nte: Indicates a nn-bligatry, but desirable actin r infrmatin which may be helpful fr users. Tip: Cntains additinal infrmatin. ViPNet CSP 4.0. User's Guide 9

10 Table 2: Cnventins fr highlighted infrmatin Icn Name Key+Key Menu > Submenu > Cmmand Cde Descriptin The name f an interface element. Fr instance, the name f a windw, a bx, a buttn r a key. Shrtcut keys. T use the shrtcut keys, press and hld the first key and press ther keys. A hierarchical sequence f elements. Fr instance, menu items r sectins in the navigatin pane. A file name, path, text file (cde) fragment r a cmmand executed frm the cmmand line. ViPNet CSP 4.0. User's Guide 10

11 Abut ViPNet CSP ViPNet CSP is a cryptgraphic service prvider (see ViPNet CSP Purpse n page 15), which calls cryptgraphic functins frm varius Micrsft prgrams and ther prgrams using the Micrsft CryptAPI 2.0 interface. With ViPNet CSP yu can: Create signature keys (see Digital signature n page 178) in accrdance with the GOST R and the GOST R algrithms. Calculate and verify a digital signature in accrdance with the GOST R and the GOST R algrithms. Hash data in accrdance with the GOST R and the GOST R algrithms. Encrypt data and message authenticatin with mdificatin detectin cde in accrdance with the GOST algrithm. Generate randm number, pseud-randm numbers, and sessin encryptin keys. Authenticate and create the sessin key when transferring data via SSL/TLS. Stre public keys certificates directly in the key cntainer. Use varius tkens and ther devices fr string digital keys and certificates securely (etken and thers). ViPNet CSP is cmpatible with third-party cryptgraphic service prviders if they cmply with RFC and System Requirements Nte: The cmpatibility f ViPNet CSP with Windws 7 OS is fficially recgnized by Micrsft. ViPNet CSP 4.0. User's Guide 11

12 The minimum system requirements fr yur cmputer t run ViPNet CSP are as fllws: Prcessr: Intel Cre 2 Du r any ther x86-cmpatible prcessr f similar characteristics with tw r mre cres. Minimum RAM: 512 MB. Free disk space: 100 MB. Operating system: Micrsft Windws XP SP3 (32 bit), Windws Server 2003 (32 bit), Windws Vista (32/64 bit), Windws 7 (32/64 bit), Windws Server 2008 (64 bit), Windws Server 2008 R2 (64 bit), Windws 8 (32/64 bit), Server 2012 (64 bit). Yu must install the latest service pack fr yur versin f Windws. Internet Explrer 6.0 r later. If Micrsft Office prgrams are used, the versin shuld be 2003, 2007, 2010, r ViPNet CSP is cmpatible with sme external strage devices. Fr mre infrmatin abut the supprted devices, see Supprted External Strage Devices (n page 175). Distributin Kit The ViPNet CSP distributin kit includes: The ViPNet CSP setup file setup.exe. Dcument ViPNet CSP. User's Guide in PDF frmat (the current dcument). ViPNet CSP. Infrmatin abut Third-Party Sftware Cmpnents. ViPNet CSP 4.0. User's Guide 12

13 Feedback Finding Additinal Infrmatin Fr mre infrmatin abut Inftecs prducts and technlgies, see the fllwing resurces: ViPNet dcumentatin web prtal Infrmatin abut current Inftecs prducts Infrmatin abut Inftecs slutins Frequently asked questins Cntacting Inftecs We value any feedback frm yu. If yu have any questins cncerning Inftecs prducts and slutins, any suggestins, cmplains r ther feedback, feel free t cntact us by means f the fllwing: Supprt request frm Supprt [email protected]. Telephne: +49 (0) Fax: +49 (0) Errata Inftecs makes every effrt t ensure that there are n errrs r misprints in the text f all dcuments supplied with ViPNet sftware. Hwever, n ne is perfect, and mistakes d ccur. If yu find an errr in ne f ur dcuments, like a spelling mistake r sme inaccuracy in describing user scenaris r system features, we wuld be very grateful fr yur feedback. By sending in errata yu may save ther reader hurs f frustratin, and at the same time yu will be helping us prvide dcumentatin in even higher quality. ViPNet CSP 4.0. User's Guide 13

14 1 Using ViPNet CSP in Data Prtectin Systems ViPNet CSP Purpse 15 Encrypting and Signing Dcuments 16 Key Cntainer 18 Digital Signature 20 Authenticity and Cnfidentiality f TLS/SSL Cnnectins 21 ViPNet CSP Scpe 22 ViPNet CSP 4.0. User's Guide 14

15 ViPNet CSP Purpse The main purpse f the ViPNet CSP cryptprvider is t enable yu t implement cryptgraphic functins in Windws OS. Nte: Since the cryptgraphic service prvider is an independent sftware cmpnent, yu dn't need t start any ther client ViPNet sftware fr it t wrk prperly. ViPNet CSP may perfrm the fllwing tasks: Authenticating and ensuring the authenticity f dcuments in secure dcument exchange systems. Fr this purpse, we've implemented the means f digital signatures generatin and verificatin in accrdance with GOST R , GOST R , GOST R , and GOST R Ensuring infrmatin cnfidentiality and integrity by encrypting it and using MAC in accrdance with GOST Ensuring authenticity and cnfidentiality f TLS/SSL cnnectins. ViPNet CSP 4.0. User's Guide 15

16 Encrypting and Signing Dcuments T encrypt and verify a digital signature, the ViPNet CSP prgram emplys a public key lcated in the certificate (see Public key certificate n page 179) f the user the encrypted dcument is addressed t, r f the user wh sent the digitally signed dcument. Fr decrypt r create a digital signature, the cryptgraphic service prvider emplys a private key f the user wh decrypts r signs the dcument (the key that is specified by this user). The scheme belw visualizes the prcess f sending a cnfidential Outlk message. Figure 1: Exchanging prtected dcuments User A needs t send a cnfidential Outlk message t user B. 1 User A requests user B's public key certificate frm the netwrk certificate stre and checks its crrespndence with the user B's cntact in the Micrsft Outlk prgram. 2 User A encrypts the dcument using a public key frm user B's certificate. 3 User A sends the encrypted message t user B. 4 User B decrypts the dcument using his r her private key. Thus, user B receives the cnfidential message frm user A. If a malicius user intercepts this cnfidential message, he r she will nt be able t read it because he r she des nt pssess user B's private key. ViPNet CSP 4.0. User's Guide 16

17 If user B can't decrypt the message received frm user A, this means that the message has been changed by unauthrized persns r damaged during sending. In this case, user B can ask user A t resend the message. The prcess f digital signature generatin and verificatin is shwn belw. Figure 2: The prcess f digital signature generatin and verificatin Suppse that user A needs t digitally sign a dcument (fr example, an Outlk message) s that ther users can't change it and each user can make sure that the authr f the dcument is user A. 1 User A signs the dcument using his r her private key. 2 User A sends the dcument t all persns cncerned (t users B, C, and D) r shares the dcument with them. 3 User B requests user A's public key certificate frm the certificate stre. 4 User B verifies the dcument with user A's public key stred in user B's certificate. If verificatin is successful, the dcument's authr is user A and this dcument has nt been changed after signing. If verificatin is nt successful, the dcument's authr is nt user A r that the dcument has been mdified by unauthrized persns r damaged during sending. In this case, user B can ask user A t resend the message. ViPNet CSP 4.0. User's Guide 17

18 Key Cntainer A key pair(a public key and a private key included in a certificate) is used t encrypt and digitally sign dcuments. A private key is generated by the administratr in a Certificatin Authrity r by the user. It is stred in a key cntainer n a hard drive r an external device. A user certificate is created in a Certificatin Authrity n user's request (see Creating a Certificate Request and Generating a Private Key n page 53) r, in sme cases, n the Certificatin Authrity administratr's initiative. Yu can create a certificate request r a renewal request in the client sftware, such as ViPNet Client, and the Create a certificate request (see Obtaining and Installing a Private Key and a Certificate n page 52) prgram included in the ViPNet CSP installatin package, r a third-party prgram. Besides, yu need the issuer's certificate (n page 178) chain and CRL (see Certificate revcatin list (CRL) n page 177) t validate the user certificate. T implement a secure electrnic dcument flw system, the prgram yu create electrnic dcuments in (a Micrsft Office prgram, the Internet Explrer web brwser, the IIS) addresses the cryptgraphic service prvider and prvides it with the certificates' parameters and lcatin f the private key. Fr the prgram t access certificates, yu need t install them in the system certificates stre: Yu can use the ViPNet CSP prgram t install the user certificate and the user private key (see Installing Cntainers and Certificates n page 59). Yu can use standard perating system tls (see Installing Issuer's Certificates and CRL n page 73) t install the issuer's certificate and CRL. ViPNet CSP allws yu t install private keys and public key certificates in the fllwing ways: Adding a cntainer with a private key and a certificate. The cntainer may be lcated in a flder n a disk (see Installing Cntainer frm a Flder n page 61) r n an external device (see Installing Cntainer frm an External Device n page 64). Installing the certificate and chsing the crrespnding private key frm the cntainer in a flder n a disk r n an external device (see Installing the User Certificate in the System Stre n page 68). ViPNet CSP 4.0. User's Guide 18

19 A certificate can be stred separately frm a private key in cases when the certificate is created n a user's request. A certificate and a private key are stred in the same cntainer when the certificate request is initiated by the Certificatin Authrity administratr. A cntainer frmat depends n the particular cryptgraphic service prvider's vendr. Certificate files are always created nly in the fllwing standard frmats: X.509 frmat, cntaining nly a certificate (files with extensins.crt r.cer). PKCS#7 r PKCS#12 frmats. These frmats are intended fr string encrypted and signed messages tgether with the necessary certificates. One f these file frmats can als be used fr transferring certificates and certificate revcatin lists (files with extensins.p7r,.p7b,.pfx, and.p12). Nte: Yu can use any number f certificates and key cntainers in ViPNet CSP. In this case, t digitally sign a dcument, yu need t chse the key, which yu will use. ViPNet CSP 4.0. User's Guide 19

20 Digital Signature The digital signature is an attribute f an electrnic dcument that is a result f cryptgraphic data prcessing with the use f a private key. A digital signature can cnfirm: Authenticity. A digital signature unambiguusly identifies the persn wh has signed the dcument. Integrity. A digital signature cnfirms that the dcument has nt been changed after the signing. Nn-repudiatin. The authr can't deny the fact that he r she has signed the dcument. Thus, individuals and legal entities may use a digital signature as an equivalent t a handwritten signature t ensure the legal validity f an electrnic dcument equal t the legal validity f a printed r handwritten dcument signed manually by the eligible persn and fficially sealed. T use a digital signature, yu need t get a public key certificate (see Key Cntainer n page 18) in a cmpetent Certificatin Authrity. If certificate validatin with the use f the Certificatin Authrity's database cnfirms that a certificate is legal, functinal, has nt expired, and has nt been revked, this certificate is cnsidered valid. The dcuments that are signed using a valid certificate and have nt been changed since the mment f signing are cnsidered valid as well. ViPNet CSP 4.0. User's Guide 20

21 Authenticity and Cnfidentiality f TLS/SSL Cnnectins The TLS/SSL prtcl is used t rganize remte prtected cnnectins, fr example, t get access t remte server's resurces. The TLS/SSL prtcl ensures perfrming f ne-way authenticatin r mutual authenticatin fr interacting parties, as well as cnfidential data transfer. Yu may need secure access when yu share databases r repsitries, r create electrnic payment systems, and fr sme ther functinality. The interactin between tw hsts in a prtected cnnectin is displayed in the scheme belw. Figure 3: Hsts cmmunicate ver TLS Nte: Beside Micrsft Internet Explrer, yu may use Ggle Chrme r Yandex.Brwser as a web client. Therefr, in the brwser's shrtcut prperties, in the Object bx, at the end f the path t the prgram flder add the cmmand --usesystem-ssl. Thus, the usage f the TLS/SSL prtcl implemented by means f ViPNet CSP prvides a reliable and authrized cnnectin t remte servers and strictly cntrlled access t the prtected data. ViPNet CSP 4.0. User's Guide 21

22 ViPNet CSP Scpe With ViPNet CSP yu can perfrm the fllwing peratins: encrypt Micrsft Outlk, Micrsft Outlk Express, Micrsft Windws Mail, and Micrsft Windws Live Mail messages and their attachments (see Encryptin n page 121); generate and verify a digital signature in Micrsft Office prgrams (see Digital Signature in Micrsft Office Dcuments n page 91); sign Micrsft Outlk, Micrsft Outlk Express, Micrsft Windws Mail, and Micrsft Windws Live Mail messages (see Digital Signature and Encryptin in Micrsft Mail Prgrams n page 105); sign Micrsft Office InfPath frms (see Digital Signature in Micrsft Office InfPath n page 128); sign macrs in Micrsft Wrd, Excel, Outlk, PwerPint, Access, Publisher, and Visi prgrams (see Macr Digital Signature n page 139); establish prtected TLS/SSL web cnnectins by using an IIS server and the Micrsft Internet Explrer brwser (see Organizing a Prtected Cnnectin via TLS/SSL n page 144); perfrm cryptgraphic functins in the DcVisin electrnic dcument wrkflw; authenticate in Windws with the Kerbers prtcl; perfrm cryptgraphic peratins required fr Active Directry Certificate Services. ViPNet CSP 4.0. User's Guide 22

23 2 Quick Start If yu need t secure electrnic dcuments by means f cryptgraphy and t digitally sign dcuments, ensuring their authenticity and integrity, yu shuld install a special mdule called a cryptgraphic service prvider (see ViPNet CSP Purpse n page 15). T start using the cryptgraphic service prvider ViPNet CSP: 1 Install ViPNet CSP (see ViPNet CSP Setup n page 26). 2 Get a public key certificate and a cntainer with a private key: Yur Certificatin authrity administratr may have given yu a certificate file and a cntainer file with a private key (r a cntainer file cntaining bth a private key and a certificate) earlier. Make sure that yu already have these files. If yu dn't have a cntainer r a certificate, create a certificate request (see Obtaining and Installing a Private Key and a Certificate n page 52). Tgether with the certificate and the key cntainer, yu receive the issuer's certificate (n page 178) and the certificate revcatin list (CRL) (n page 177). Nte: A certificate cntains a public key crrespnding t nly ne private key. The private key is stred n a user's cmputer and is used t generate a digital signature and t decrypt encrypted messages. A public key is used t verify a digital signature and t encrypt messages, and it is distributed in a certificate. The issuer's certificate and CRL are used t verify the authenticity f yur certificate. ViPNet CSP 4.0. User's Guide 23

24 3 Install a public key certificate and the crrespnding private key (r several certificates and keys) (see Ways t Install a Private Key and a Certificate n page 60). Nte: When yu add a cntainer, yu will be prmpted t install the certificate int the system stre. If the certificate has nt been installed, yu shuld d it manually (see Installing a Certificate frm Cntainer n page 71). 4 Install the issuer's certificate and a certificate revcatin list (see Installing Issuer's Certificates and CRL n page 73) in the system stre. Nte: If yu are a web server administratr and yu want t rganize a secure cnnectin t yur server ver TLS/SSL, cnfigure the server and web clients fr wrk ver the TLS/SSL prtcl (see Organizing a Prtected Cnnectin via TLS/SSL n page 144). 5 Upn cmpleting the abve-mentined steps, yu may use any prgrams that use a cryptgraphic service prvider in their wrk (see ViPNet CSP Scpe n page 22). These can be prgrams fr wrking with a digital signature, encryptin, secure cmmunicatin, and thers. Figure 4: Start using ViPNet CSP ViPNet CSP 4.0. User's Guide 24

25 3 Setting Up and Starting ViPNet CSP ViPNet CSP Setup 26 Running Setup frm the Cmmand Line 28 Adding, Uninstalling, and Restring ViPNet CSP Cmpnents 29 Starting ViPNet CSP 31 ViPNet CSP Licensing 33 ViPNet CSP 4.0. User's Guide 25

26 ViPNet CSP Setup If the ViPNet CSP prgram is part f ViPNet sftware, it is installed tgether with this sftware. If yu need t install prgram separately, fllw the instructins in this sectin. T install ViPNet CSP, yu shuld have OS administratr rights n yur cmputer. T install ViPNet CSP: 1 Duble-click the setup file. 2 On the License page f the setup prgram, read the terms and cnditins f the license agreement. If yu agree, select the crrespnding check bx. Then click Cntinue. 3 T cnfigure the setup parameters, n the Setup type page, click Custmize and specify: the sftware cmpnents yu want t install; the path t the prgram flder n yur cmputer; the user name and the cmpany name; the name f the prgram flder n the Start menu. Yu can enable r disable the fllwing sftware cmpnents: ViPNet CSP supprt via MS Cypt API adds the functinality that allws yu t integrate ViPNet CSP in third-party prgrams. This cmpnent is enabled by default when yu install ViPNet CSP as a separate prgram and disabled when yu install it as a part f sme ther ViPNet sftware. KC3 integrity check adds the functinality that ensures file integrity check. This is required s that ViPNet CSP cnfrms with the KC3 Russian standard fr cryptgraphical prtectin. 4 T start the setup, click Install nw. 5 Yu will be prmpted t restart yur cmputer. T restart the cmputer immediately, click Yes. T register ViPNet CSP during installatin withut displaying the user interface ( Silent mde ), yu need t prepare the registratin file cspreg.txt and put it t the same flder as the setup.exe file. The cspreg.txt file must be as fllws: Serial Number: XXXX-XXXX-XXXX-XXXX ViPNet CSP 4.0. User's Guide 26

27 User name: <User first, secnd, and last name> Cmpany: <Cmpany name> Nte: The User name and Cmpany fields are ptinal. ViPNet CSP 4.0. User's Guide 27

28 Running Setup frm the Cmmand Line Yu may run ViPNet CSP setup prgram frm the Windws cmmand line specifying a number f standard Windws Installer arguments. Table 3: Setup mde arguments Argument /qn /qb /qf Descriptin Installatin withut displaying user interface ( Silent mde ). Installatin with basic user interface (nly a standard indicatr f prgress and infrmatinal messages are displayed). Installing with full user interface (default). Table 4: Restart mde arguments Argument /nrestart /prmptrestart /frcerestart Descriptin Disable restart after installatin. Display a dialg bx prmpting yu t restart. Restart the cmputer after installatin and frce ther applicatins t clse withut saving pened files. This parameter is valid nly in cnjunctin with the /qn argument. Here is an example f the setup cmmand: setup.exe /qn /nrestart ViPNet CSP 4.0. User's Guide 28

29 Adding, Uninstalling, and Restring ViPNet CSP Cmpnents If necessary, yu can install r uninstall ViPNet CSP cmpnents and restre the sftware in case f a failure. T add r remve a cmpnent r t restre ViPNet CSP: 1 Run the setup file. Wait until the preparatin fr the cmpnents' installatin is cmpleted. 2 In the Changing installed sftware cmpnents windw, click the required ptin: t add r remve a cmpnent, click Add r remve cmpnents; t restre the prgram, click Restre; t remve all cmpnents f the prgram, click Remve All Cmpnents. Figure 5: Changing installed sftware cmpnents Then, click Cntinue. ViPNet CSP 4.0. User's Guide 29

30 3 If yu add r remve any ViPNet sftware cmpnents, make the necessary changes in the Chse cmpnents windw. Then, click Cntinue. 4 Wait fr the peratin t be cmpleted. Then, click Clse. ViPNet CSP 4.0. User's Guide 30

31 Starting ViPNet CSP T cnfigure the ViPNet CSP prgram, d ne f the fllwing: Click the Start buttn, chse All Prgrams > ViPNet > ViPNet CSP > ViPNet CSP Settings (the prgram lcatin n the Start menu might have been changed at installatin). On the desktp, duble-click the shrtcut (this shrtcut is displayed nly if the crrespnding ptin has been selected during the installatin). When yu start ViPNet CSP dem versin, yu will be ffered t register the prgram. Yu may register the prgram r run a dem versin (see ViPNet CSP Licensing n page 33). Figure 6: Starting a dem versin After the ViPNet CSP startup, the General sectin f the main windw will be displayed. This sectin cntains infrmatin abut the prgram versin, license wner, and ViPNet CSP peratin mde. ViPNet CSP 4.0. User's Guide 31

32 Figure 7: Displaying infrmatin abut ViPNet CSP Started using ViPNet CSP. First, we recmmend yu t install a key cntainer and a certificate. (see Installing Cntainers and Certificates n page 59) ViPNet CSP 4.0. User's Guide 32

33 ViPNet CSP Licensing If yu install the ViPNet CSP prgram as part f anther ViPNet sftware, registratin is nt required. If yu install the ViPNet CSP separate, yu need t register it. Using a dem license, yu can wrk with ViPNet CSP nly fr 14 days. After that the prgram will stp functining and yu will need t register it. Hwever, there are n limitatins in the dem versin, and all features are available. Yu can register ViPNet CSP fr free s we strngly recmmend yu t d it as sn as pssible t avid any incnvenience when dem perid expires. When the dem perid expires, yu can't wrk with unregistered ViPNet CSP prgram. T cntinue the wrk, yu need t register the prgram (see Registering ViPNet CSP n page 34). The registratin is free. ViPNet CSP 4.0. User's Guide 33

34 4 Registering ViPNet CSP Befre Yu Begin 35 Buying Prgram (Getting a Serial Number) 37 Requesting a Registratin Cde 38 Registering ViPNet CSP 47 System Administratr Actins fr Registratin Using a File 50 ViPNet CSP 4.0. User's Guide 34

35 Befre Yu Begin Why Yu Need t Register ViPNet CSP 35 Starting the Registratin Prcess 35 Why Yu Need t Register ViPNet CSP After yu install ViPNet CSP, it starts in the dem mde and yu can use it nly fr a limited perid f time (see ViPNet CSP Licensing n page 33). If yu find that ViPNet CSP meets yur requirements, yu shuld register it t enjy a full-featured versin. That is why we recmmend yu the fllwing wrkflw: install ViPNet CSP and feel free t use the dem versin t find ut all its features and advantages; When the validity perid f yur dem license expires, yu need t register yur ViPNet CSP cpy. Starting the Registratin Prcess ViPNet CSP can be registered in tw ways: by yurself (cmmn registratin) and by the system administratr. T register by yurself, fllw the scenari belw. If yu are a system administratr and yu need t register several cpies at nce, yu can use the grup registratin feature allwing yu t cllect several users registratin requests in ne and receive all required registratin cdes at nce. Fr mre infrmatin, see System Administratr Actins fr Registratin Using a File (n page 50). Nte: If ViPNet CSP has been reinstalled and registered n yur cmputer, yu can restre the previusly saved registratin data using the *.brg file (see Saving Registratin Data n page 49). If yu are planning t perfrm minr upgrades t the cmputer, where yu are ging t use ViPNet CSP, cnsider the tpic If the Cnfiguratin f Yur Cmputer Has Been Changed (n page 49). ViPNet CSP 4.0. User's Guide 35

36 T register ViPNet CSP: 1 In the ViPNet CSP main windw, n the Help menu, click Registratin. The Registratin f ViPNet CSP Wizard will be launched. Figure 8: First registratin page 2 Yur next step depends n whether yu have gt the ViPNet CSP serial number befrehand: If yu have nt gt the serial number, click Get the serial number (free f charge) (see Buying Prgram (Getting a Serial Number) n page 37). If yu have gt the serial number, click Request registratin cde (see Requesting a Registratin Cde n page 38). Nte: If yu request yur registratin cde nline, yur ViPNet CSP registratin will be dne autmatically (n user actin is required). If yu have already gt bth the serial number and the registratin cde, click Register (see Registering ViPNet CSP n page 47). ViPNet CSP 4.0. User's Guide 36

37 Buying Prgram (Getting a Serial Number) T buy a serial number: 1 In thethe Registratin f ViPNet CSP wizard, select Get the serial number (free f charge), and click Next. The ViPNet prducts rder page n the Inftecs website will be displayed in yur default Internet brwser. 2 Chse the prduct versin, fill in the request frm an send it. The link t dwnlad the prduct and the serial number will be sent t yur . 3 Upn receiving a serial number, return t the Registratin f ViPNet CSP (see Starting the Registratin Prcess n page 35) wizard and request a registratin cde (see Requesting a Registratin Cde n page 38). ViPNet CSP 4.0. User's Guide 37

38 Requesting a Registratin Cde T request a registratin cde fr ViPNet CSP: 1 On the Registratin f ViPNet CSP page, chse Request registratin cde and click Next. 2 On the Registratin request ptins page, chse the means f requesting yur registratin cde. T d this, chse ne f the fllwing ptins: On the Internet (nline) (see Requesting Yur Registratin Cde n the Internet (nline) n page 38). By (see Requesting Yur Registratin Cde by n page 41). By phne (see Requesting Yur Registratin Cde by Phne n page 43). Using file (see Receiving Yur Registratin Cde frm the Administratr n page 44). Figure 9: Selecting a registratin request ptin 3 Click Next. ViPNet CSP 4.0. User's Guide 38

39 Requesting Yur Registratin Cde n the Internet (nline) Warning: Fr requesting a registratin cde n the Internet yu need an Internet cnnectin. If yu select On the Internet (nline), the Registratin data page will be displayed. Figure 10: Entering registratin data On the Registratin data page: 1 In the Serial number bx, type yur serial number. Nte: If yu d nt have a serial number, make request t purchase it (see Buying Prgram (Getting a Serial Number) n page 37). If yu have ever previusly typed yur serial number in this bx, yur serial number will be entered autmatically. 2 In the User name bx, type yur name t be used when issuing yur license and cntacting yu. This bx is ptinal. By default, the user name yu have typed at the ViPNet CSP installatin will be displayed. 3 In the Cmpany bx, type yur cmpany name. This bx is ptinal. By default, the cmpany name yu have typed at the ViPNet CSP installatin will be displayed. ViPNet CSP 4.0. User's Guide 39

40 4 In the bx, type yur address which will be used t cntact yu in case f need. Warning: We will nt sell, distribute r lease yur addresses. We are cmmitted t ensuring that yur infrmatin is secure. In rder t prevent unauthrized access r disclsure we have put in place suitable physical, electrnic and managerial prcedures t safeguard and secure the infrmatin we cllect frm yu. 5 In the Additinal infrmatin bx, feel free t type any additinal infrmatin. Fr example, yu can type here hw t cntact yu r pst sme prblems r suggestins n ViPNet registratin utility r ViPNet sftware in the whle. In the Cmputer cde bx, a cde that uniquely identifies yur cmputer is displayed. Yu can't change this value. 6 Click Next. The page, shwing yur registratin request status, will be displayed. On this page yu will als see hw much time elapsed since yu had begun yur registratin request. Please nte, that yu have n mre than three minutes t cmplete yur nline registratin request. Figure 11: Requesting fr registratin If within the three minutes a cnnectin t the Inftecs registratin server is nt established, the crrespnding message will be displayed. If a cnnectin t the Inftecs registratin server is established, the registratin may failed by the fllwing reasns: ViPNet CSP 4.0. User's Guide 40

41 Yu have supplied incrrect data. In this case, yu will be prmpted t check the crrectness f supplied data. In the message windw, click OK t return t the Registratin data page. The entered serial number has been already registered fr anther cmputer. In this case, yu will be prmpted t t get anther serial number free f charge. Click the link in the message and request a new serial number (see Buying Prgram (Getting a Serial Number) n page 37). If nline registratin was successful, the Registratin f ViPNet CSP was successful page will be displayed. This page will als display sme suggestins n hw t securely backup yur registratin data (see Saving Registratin Data n page 49). 7 Click Finish. Requesting Yur Registratin Cde by Warning: Fr requesting a registratin cde n the Internet yu need an Internet cnnectin. If yu select By , the Registratin data page will be displayed. On the Registratin data page: 1 Prvide all yur data as described in Requesting Yur Registratin Cde On the Internet (Online) (n page 38). 2 Click Next. An summarizing yur registratin data will be autmatically pened in yur default applicatin. It will be addressed t [email protected]. ViPNet CSP 4.0. User's Guide 41

42 Figure 12: Requesting registratin cde by Warning: We dn't recmmend yu t mdify anything in this aut-generated . 3 T cmplete the prcedure, send this . When Inftecs has checked yur registratin data, yu will receive yur registratin cde in respnse. Warning: If yu dn't receive a respnse frm Inftecs fr a lng perid f time, yu may try t resend yur . T d this, repeat all steps described in this tpic. If yu still can't register yur ViPNet CSP, cntact Inftecs Supprt Team. ViPNet CSP 4.0. User's Guide 42

43 4 Upn receiving a respnse with registratin cde, register yur ViPNet CSP (see Registering ViPNet CSP n page 47). Requesting Yur Registratin Cde by Phne If yu select By phne, the Registratin request by phne page will be displayed. Figure 13: Registratin request by phne This page displays all the data yu need t tell Inftecs. 1 Call Inftecs n the phne number specified at the tp f the windw and request a registratin cde. 2 When yu receive the registratin cde, click Next. The Register page will be displayed. ViPNet CSP 4.0. User's Guide 43

44 Figure 14: Entering the serial number and registratin cde 3 On the Register page type yur serial number and registratin cde, then click Next. Nte: If yu have ever previusly typed yur serial number in this bx, yur serial number will be entered autmatically. If yu prvided crrect data, the Registratin f ViPNet CSP was successful page will be displayed. This page will als display sme suggestins n hw t securely backup yur registratin data (see Saving Registratin Data n page 49). 4 Click Finish. Receiving Yur Registratin Cde frm the Administratr The idea behind registering using a file is t delegate the registratin cde receiving prcess t yur ViPNet netwrk administratr. This means that yu persnally dn't request yur registratin cde frm Inftecs. Instead yu use the Registratin f ViPNet CSP Wizard t cllect yur registratin data and then pass it t yur ViPNet netwrk administratr. Nte: If yu wuld like t register nly ne cpy f ViPNet CSP using a file, first cmplete actins 1 6 described in this chapter and then fllw the instructins given in the chapter System Administratr Actins fr Registratin Using a File (n page 50). Then, cmplete the step 7 t register yur cpy f ViPNet CSP (see Registering ViPNet CSP n page 47). ViPNet CSP 4.0. User's Guide 44

45 It is yur ViPNet netwrk administratr, wh cllects yur and ther ViPNet users registratin data and sends it t Inftecs. It is yur ViPNet netwrk administratr, wh btains yur and ther ViPNet users registratin cdes and then passes them t yu and yur fellw ViPNet users. Upn receiving yur registratin cde frm yur ViPNet netwrk administratr yu can register yur ViPNet CSP. T register yur ViPNet CSP using a file: 1 On the Registratin request ptins page, chse Using file. The Registratin data page will be displayed. 2 Prvide all yur data as described in Requesting Yur Registratin Cde n the Internet (nline) (n page 38). Click Next. 3 On the Saving registratin data page, click Brwse and select the flder that will stre the file cntaining yur registratin data. Figure 15: Saving registratin data 4 Click Next. The registratin data is saved in a text file named after the serial number f the prgram: <serial number>.txt. ViPNet CSP 4.0. User's Guide 45

46 Figure 16: Registratin data have been saved 5 Click Finish. 6 Send the file cntaining yur registratin data t yur system administratr. 7 When yu receive yur registratin cde frm yur system administratr, register yur ViPNet CSP (see Registering ViPNet CSP n page 47). ViPNet CSP 4.0. User's Guide 46

47 Registering ViPNet CSP Upn receiving registratin cde frm Inftecs, yu can register yur ViPNet CSP. T d this: 1 Launch the Registratin f ViPNet CSP (see Starting the Registratin Prcess n page 35). 2 On the first wizard page, chse Register prgram and click Next. 3 On the Serial number page, type yur serial number. Figure 17: Entering a serial number Nte: If yu have ever previusly typed yur serial number in this bx, yur serial number will be entered autmatically. 4 On the Registratin Cde page: yu persnally sent a request fr a registratin cde, select Single registratin and type the registratin cde. yur system administratr sent a request fr a registratin cde, select Using file, click Brwse and lcate the file n yur netwrk that cntains the registratin cde. ViPNet CSP 4.0. User's Guide 47

48 Figure 18: Ввод кода регистрации 5 Click Next. If yu prvided crrect data, the Registratin f ViPNet CSP was successful page will be displayed: Figure 19: Завершение регистрации 6 Click Finish. 7 Back up yur registratin data (see Saving Registratin Data n page 49) by cpying yur registratin file t a secure lcatin. The file ffmanager.brg is lcated in the same flder as the ViPNet CSP applicatin. ViPNet CSP 4.0. User's Guide 48

49 Saving Registratin Data The registratin prcess saves registratin data t the *.brg file, which is created in ne f the fllwing flders: C:\PrgramData\inftecs\ViPNet CSP\ fr the perating systems Windws Vista, Windws 7 and Windws Server 2008; C:\Dcuments and Settings\All Users\Applicatin Data\inftecs\ViPNet CSP\ fr the perating systems Windws XP and Windws Server Nte: The name f the *.brg file depends n the ViPNet prgram versin. We recmmend yu t save this file in a secure place because it will be useful in sme cases f re-installatin (fr example, if yu need t install the prgram int anther flder n yur cmputer, r yu need t re-install the prgram after frmatting yur hard drive). In such cases, yu shuld unlad the prgram, mve the saved *.brg file back int the flders mentined abve, and then start the prgram anew. Upn start, ViPNet CSP will be registered autmatically (as lng as the registratin data are valid and the cnfiguratin f yur cmputer has nt changed). Registratin data (serial number, cmputer cde, registratin cde, and mre) is als stred in a registratin lg file named reginf.txt, lcated in the ViPNet CSP installatin flder. Yu can use infrmatin frm this file fr manual registratin f the prgram after re-installatin (fr example, if the *.brg file has been lst). If the Cnfiguratin f Yur Cmputer Has Been Changed Changes in cmputer cnfiguratin may influence the wrk f ViPNet Netwrk Manager installed n this cmputer. If yur upgrade was substantial (yu replaced almst all hardware in yur PC) yu will need t register yur ViPNet Netwrk Manager nce again (see Requesting a Registratin Cde n page 38). If yu made nly minr changes t yur cmputer s cnfiguratin, yu will nt have t register yur ViPNet Netwrk Manager again. At the first ViPNet Netwrk Manager startup after minr upgrade the message will be displayed infrming yu that yur cmputer s cnfiguratin has been changed and a new *.brg file has been created. This means that yur previus registratin data became bslete. Yu will nt be able t register yur ViPNet Netwrk Manager using thse data after its reinstallatin. That is why yu shuld cpy this updated *.brg file int the secure lcatin. If yu reinstall ViPNet CSP n this cmputer, yu shuld cpy this very file t the ViPNet CSP installatin flder. Only after that the applicatin will cnsider itself registered. ViPNet CSP 4.0. User's Guide 49

50 System Administratr Actins fr Registratin Using a File Registratin using file allws a cmpany t request and receive registratin cdes fr several users via a single persn. This persn is nrmally the rganizatin's system administratr. T register using file, all ViPNet users must have their prduct's serial number. If nt, they need t buy it via the Registratin f ViPNet CSP (see Buying Prgram (Getting a Serial Number) n page 37). Each user, frm their cmputer, shuld have created a using file registratin request (see Receiving Yur Registratin Cde frm the Administratr n page 44). This creates a *.txt file cntaining registratin data, which they will send t their system administratr. If yu are a system administratr: 1 Save the files btained frm ViPNet users and cntaining their registratin data t the same flder. 2 When yu have them all, cmbine them using the cpy cmmand: cpy *.txt registratin.all. Yu can use anther file name instead f registratin.all. 3 the file t Inftecs at [email protected]. Name the ViPNet Registratin Using File. 4 After Inftecs cmpany has prcessed the request, yu will receive an with an attached *.txt file. This file will cntain registratin cdes fr all users taking part in the grup registratin. Deliver this file t users (fr example via netwrk disk) wh can then register their installed ViPNet prgram. ViPNet CSP 4.0. User's Guide 50

51 5 Obtaining a Certificate and Private Key Obtaining and Installing a Private Key and a Certificate 52 Creating a Certificate Request and Generating a Private Key 53 Using Signing Keys f the ViPNet Hst's User 57 ViPNet CSP 4.0. User's Guide 51

52 Obtaining and Installing a Private Key and a Certificate T have an pprtunity t sign electrnic dcuments, yu need t get a user private key, and t verify a digital signature, yu need t get a public key certificate. Nte: The rder f btaining and cmmissining a certificate and private key is determined by the rules f yur Certificatin Authrity. T generate a certificate request, ask yur Certificatin Authrity's administratr whether requests, generated in the Create a certificate request prgram, will be accepted. T btain and t cmmissin a new certificate r t renew already existing certificate, yu need t: 1 Create a certificate request in the Create a certificate request prgram (see Creating a Certificate Request and Generating a Private Key n page 53). 2 Create a private key r save a cntainer with the private key n the disk r an external device. 3 Send the certificate request file t yur Certificatin Authrity's administratr (by r ther means used in yur cmpany) and wait until yu receive the certificate. 4 Install the received certificate in a cntainer (see Installing Certificates in a Cntainer n page 66). 5 Install the received certificate (see Installing the User Certificate in the System Stre n page 68), the issuer's certificate and CRL (see Installing Issuer's Certificates and CRL n page 73) in the system stre. ViPNet CSP 4.0. User's Guide 52

53 Creating a Certificate Request and Generating a Private Key T create a request fr a new certificate r t renew an existing certificate: 1 On the Start menu, click All prgrams > ViPNet > ViPNet CSP > Create a certificate request. 2 In the Certificatin Authrity windw, chse ne f the fllwing: Request new certificate t create a new certificate request. Request a renewal f the existing certificate t renew an existing certificate. When yu are creating a certificate renewal request: In the Renew Certificate windw, select the certificate t be renewed and click OK. If yu need t select anther certificate r view the selected certificate, use the Select certificate and Selected certificate buttns. If necessary, specify new certificate parameters and details abut the wner f the certificate r use the details f the previus certificate. Figure 20: Allwing blcked cntent ViPNet CSP 4.0. User's Guide 53

54 3 In the Chse Certificate Settings sectin, specify the fllwing parameters: In the Cryptprvider list, select the cryptgraphic service prvider that yu want t use fr creating private and public keys. In the crrespnding list, select a hash algrithm. In the Purpse list, select the actins a certificate will be used fr: Signature and encryptin (by default), if yu want t use yur digital signature fr encrypting messages and signing them. Signature, if yu want t use yur digital signature nly fr signing messages r dcuments. Encryptin, if yu want nly t encrypt messages r dcuments. In the Certificate template list, chse ne f the fllwing ptins: Qualified ViPNet CSP (by default), t create a request fr a qualified certificate, in which yu may specify OGRNIP (Primary State Registratin Number f the Sle Prprietr), SNILS (Insurance Number f Individual Ledger Accunt), INN (taxpayer identificatin number), and OGRN (primary state registratin number) attributes. Reprting, t create a certificate fr signing dcuments intended fr submissin f financial statements. WEB server, t create a certificate n the IIS web server. Standard fr the remaining cases. T have an pprtunity t exprt a certificate, select the Exprtable check bx. T create a certificate fr installing it t the system stre, select the System check bx. 4 In the Prvide details abut the wner f the certificate sectin, specify the necessary infrmatin abut yurself (the persn fr whm the certificate will be generated). Figure 21: Typing the data n the certificate wner ViPNet CSP 4.0. User's Guide 54

55 Warning: If yu plan t use the certificate fr signing MS Outlk messages, yu need t specify the address.yu can't use a certificate withut an address fr signing messages. 5 In the Save Yur Request sectin, click Brwse and specify a flder n a hard r remvable drive fr string the request file, and als specify a name fr the file. Nte: The request file frmat is determined by the rules f yur Certificatin Authrity. We recmmend yu t include yur name and surname in the request file name s that yur request was easily identifiable. 6 Click Create request. This buttn appears after all required fields are filled. Warning: If the Create request buttn is nt displayed after yu fill in all required fields, make sure that, in the General sectin (see figure n page 32), the Allw ViPNet CSP t use MS Crypt API check bx is selected. Then, create a key cntainer by perfrming the fllwing actins. 7 In the displayed ViPNet CSP Key Cntainer Initializatin windw, specify: A cntainer name, r leave the default value. The cntainer lcatin by clicking ne f the fllwing ptins: Flder r Chse device. Nte: In sme cases, the ViPNet CSP Key Cntainer Initializatin windw can be displayed with a delay. Wait until it is displayed. 8 In the ViPNet CSP Key Cntainer Initializatin windw, specify the private key prtectin passwrd. 9 The Digital Rulette (n page 178) windw will be displayed. Fllw the instructins in the Digital Rulette windw. ViPNet CSP 4.0. User's Guide 55

56 Figure 22: Digital Rulette 10 In the message abut the successful creatin f the certificate request file, click OK. 11 After creating the request file, yu can clse the Certificatin Authrity brwser page. After the certificate request is created, deliver yur request file t the administratr f yur certificatin authrity and get an issued certificate in return. Then, in the ViPNet CSP Settings prgram, install the issued certificate (see Installing the User Certificate in the System Stre n page 68) and specify the key cntainer crrespnding t this certificate. ViPNet CSP 4.0. User's Guide 56

57 Using Signing Keys f the ViPNet Hst's User Yu can transfer the key cntainer installed n yur ViPNet hst using the ViPNet CryptService, ViPNet Client r ViPNet Crdinatr prgram (versin r later), t anther cmputer and use this key cntainer in the ViPNet CSP prgram. T use the signature keys f the ViPNet hst's user in the ViPNet CSP prgram, d the fllwing: 1 In the ViPNet CryptService, ViPNet Client f ViPNet Crdinatr, pen the Security Service Settings dialg bx, click the Keys tab. 2 Under Signature, click Transfer. Figure 23: Transferring the key cntainer 3 In the ViPNet CSP- Key Cntainer Initializatin windw, click Brwse and specify a flder r remvable device fr transferring the cntainer. Then click OK. The cntainer will be transferred int the specified flder. 4 Cpy the cntainer t the cmputer where the ViPNet CSP prgram installed. ViPNet CSP 4.0. User's Guide 57

58 Warning: After yu delete the cntainer frm yur ViPNet hst, yu can't use signature keys. 5 Install the cntainer in the ViPNet CSP prgram (see Installing Cntainer frm a Flder n page 61). ViPNet CSP 4.0. User's Guide 58

59 6 Installing Cntainers and Certificates Ways t Install a Private Key and a Certificate 60 Installing Cntainer frm a Flder 61 Installing Cntainer frm an External Device 64 Installing Certificates in a Cntainer 66 Installing the User Certificate in the System Stre 68 Installing Issuer's Certificates and CRL 73 ViPNet CSP 4.0. User's Guide 59

60 Ways t Install a Private Key and a Certificate T wrk with the digital signature, d the fllwing: 1 Install the cntainer cntaining yur private key: If a private key and a certificate are lcated in the same cntainer in a flder n the hard drive, see the sectin Installing Cntainer frm a Flder (n page 61). If a private key and a certificate are lcated in the same cntainer n an external device, see the sectin Installing Cntainer frm an External Device (n page 64). If the certificate was issued in the certificatin authrity by request, and as a result yu have a cntainer with a private key and a separate cer-file, see the sectin Installing Certificates in a Cntainer (n page 66). 2 Install a certificate with a public key in the system stre (see Installing the User Certificate in the System Stre n page 68). 3 Install the issuer's certificate and CRL in the system stre (see Installing Issuer's Certificates and CRL n page 73). ViPNet CSP 4.0. User's Guide 60

61 Installing Cntainer frm a Flder T wrk with prtected dcuments and t rganize cnnectins ver the TLS/SSL prtcl, yu need a private key and a crrespnding certificate. Yu can install a private key and a certificate in the same cntainer r install a certificate and a cntainer with a private key separately (see Installing the User Certificate in the System Stre n page 68). T install the cntainer, lcated in a flder n the hard drive, in the system stre: 1 In the main ViPNet CSP windw, select Cntainers. Figure 24: Cntainers cntrl panel 2 In the Cntainers sectin, click Add. 3 In the ViPNet CSP - Key Cntainer Initializatin windw, click Brwse. If a cntainer is stred n the hard drive, in the Brwse fr Flder windw, specify the lcatin f the cntainer. If a cntainer is stred n a remvable flash-drive, in the Brwse fr Flder windw, select this drive. In the Flderbx, the path will be autmatically substituted, fr example E:\inftecs\Cntainers. ViPNet CSP 4.0. User's Guide 61

62 Warning: On a remvable flash-drive, the cntainer shuld be lcated in the flder Inftecs\Cntainers. Figure 25: Installing the key cntainer frm the flder 4 In the Cntainer name list, chse the cntainer file r leave the default value. 5 Click OK. In the Key cntainer windw, a message abut the successful cntainer additin will be displayed and yu will be prmpted t install the certificate in the stre. T use certificates, yu shuld install them in the system stre f the current user. Warning: If the ViPNet CSP prgram is installed n a server and is used t rganize cnnectins ver the TLS/SSL prtcls, yu shuld install yur certificate in the lcal cmputer's stre (see Installing a Certificate frm Cntainer n page 71) manually. If yu want t install the certificates autmatically in the user's stre, click Yes. Certificates will be autmatically installed in the user's stre. If yu dn't need t install certificates (r yu will install it manually), click N. T view the cntainer's certificate list, click Certificates. 6 After yu have installed the certificates in a stre (r after yu have canceled the certificates installatin), in the available cntainers list (see figure n page 61), the added cntainer will be displayed. ViPNet CSP 4.0. User's Guide 62

63 Nte: In the certificate settings windw, yu can install certificates frm the cntainer manually (see Installing a Certificate frm Cntainer n page 71). After cntainer adding, install the issuer s certificate and CRL (see Installing Issuer's Certificates and CRL n page 73) and prceed using cryptgraphic peratins (see ViPNet CSP Scpe n page 22). ViPNet CSP 4.0. User's Guide 63

64 Installing Cntainer frm an External Device T install cntainer frm an external device: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 In the Cntainers sectin, click Add. 3 In the ViPNet CSP - Key Cntainer Initializatin windw, click Device. In the devices list, select the required device. Figure 26: The key cntainer initializatin frm an external device 4 In the Type PIN bx, specify the PIN f the selected external strage device. Select the Save PIN check bx if yu dn't want t enter PIN every time yu cnnect the cntainer. Nte: If yu save PIN f the device in the system, the security level becmes lwer. Fr mre infrmatin,see the Supprted External Strage Devices (n page 175). 5 Click OK. In the Key cntainer (see figure n page Ошибка! Закладка не определена.) windw, the message abut successful cntainer additin will be displayed, and yu will be prmpted t install the certificate in the stre. T use certificates, yu shuld install them in the system stre f the current user. ViPNet CSP 4.0. User's Guide 64

65 If yu want t install the certificates autmatically in the user's stre, click Yes. Certificates will be autmatically installed in the stre. If yu dn't need t install the certificates (r yu will install them manually), click N. T view the cntainer's certificate list, click Certificates. 6 After yu have installed the certificates in a stre (r after yu have canceled the certificates installatin), in the available cntainers list (see figure n page 61), the added cntainer will be displayed. Nte: Yu can install certificates frm cntainer manually, using certificate settings windw (see Installing a Certificate frm Cntainer n page 71). After yu have added the cntainer, install the issuer s certificate and CRL (see Installing Issuer's Certificates and CRL n page 73), and then prceed using cryptgraphic functins (see ViPNet CSP Scpe n page 22). Tip: If an external device has been remved, and then cnnected t the cmputer again, the cntainer, which is lcated n this device, may nt appear in the Cntainers sectin. T display this cntainer in the Cntainers sectin, click. ViPNet CSP 4.0. User's Guide 65

66 Installing Certificates in a Cntainer When yu create a certificate request, the cntainer with a private key is generated. By request, in the Certificatin Authrity, the public key certificate crrespnding t this private key is issued. T use a certificate public key received frm the Certificatin Authrity, t generate a digital signature and fr ther purpses, this certificate shuld be installed in the cntainer where the crrespnding private key is stred. T install the certificate in a cntainer: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 In the Cntainers sectin, chse the cntainer in which yu need t install the certificate, and click Prperties r duble-click the necessary cntainer. 3 In the Key Cntainer Prperties windw, click Add. Figure 27: Adding the certificate t the cntainer 4 In the Open windw, select the certificate file, which crrespnds t the private key in the cntainer, and click Open. If yu have chsen the crrect certificate, it will be added t the cntainer. Otherwise, yu will see an Invalid certificate message. ViPNet CSP 4.0. User's Guide 66

67 Nte: T view this certificate after adding, in the Key Cntainer Prperties windw, click Refresh. ViPNet CSP 4.0. User's Guide 67

68 Installing the User Certificate in the System Stre T use a public key certificate in different applicatins, yu shuld install it in the certificates system stre. There are tw ways t d it: If the certificate is nt installed in the cntainer with the crrespnding private key, yu shuld install the certificate in the system stre in the Cntainers (see Installing a Certificate Which Has Nt Been Added t the Cntainer n page 68) sectin. If the certificate is already installed in the cntainer, yu shuld install the certificate in the system stre in the viewing certificate windw (see Installing a Certificate frm Cntainer n page 71). Installing a Certificate Which Has Nt Been Added t the Cntainer If the certificate is nt added t the cntainer, t install the certificate in the system stre, d the fllwing: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 In the Cntainers sectin, click Install certificate frm a file. 3 In the Open windw, specify the path t the certificate file n a disk (see Key Cntainer n page 18). 4 In the certificates installatin wizard, n the start page, click Next. 5 On the Chse the certificate stre page, specify the stre t install yu certificate in and click Next. ViPNet CSP 4.0. User's Guide 68

69 Figure 28: Chsing a certificate stre Nte: We recmmend yu t install a certificate int the stre f the current user in rder t encrypt, decrypt, and sign files, as well as t get access t prtected resurces using a web brwser. In the machine cmputer's stre, install the certificates that will be used by services n this cmputer. If yu use ViPNet CSP n a web server t get access t prtected resurces, yu need t install a certificate int the stre. If yu can't install a certificate int the stre, lg nt the system as an administratr. 6 On the Ready t install this certificate page: ViPNet CSP 4.0. User's Guide 69

70 Check if the parameters have been cnfigured crrectly. If necessary, click Back t return t the previus page f the wizard and cnfigure the parameters in a different way. Figure 29: The certificate is ready fr installatin If the certificate is stred in a file separately frm the private key, select the Chse cntainer with yur private key check bx. Nte: The Chse cntainer with yur private key check bx is ptinal. If yu d nt select the check bx,, after the wizard cmpletes the peratin, yu will need t specify the private key cntainer lcatin. Click Next. 7 If the Chse cntainer with yur private key check bx is selected and the cntainer is nt fund r is unavailable, then, in the ViPNet CSP Key Cntainer Initializatin windw, specify the key cntainer lcatin: a flder n a disk (see Installing Cntainer frm a Flder n page 61); a device (yu will need t specify its parameters and a PIN (see Installing Cntainer frm an External Device n page 64)). Nte: T use an external device, yu need t cnnect it and install the required drivers. Yu can find the list f cmpatible strage devices and basic infrmatin n hw t use them in Supprted External Strage Devices (n page 175). ViPNet CSP 4.0. User's Guide 70

71 Then click OK. 8 In the D yu want t stre bth the certificate and the private key in the same cntainer? message windw, click Yes t stre the certificate in the key cntainer, r N t keep the certificate as a separate file. Tip: It is cnvenient t stre a certificate in a key cntainer if yu are ging t exprt and install the cntainer nt anther cmputer. 9 If the Chse cntainer with yur private key check bx is selected and the cntainer is available, in the ViPNet CSP Key Cntainer Passwrd windw, in the Passwrd bx, type the passwrd t access the cntainer and click OK. Nte: The ViPNet CSP Key Cntainer Passwrd windw is nt displayed if yu have previusly saved the passwrd and selected the D nt shw this windw again check bx. 10 On the Cmpleting the Certificates Installatin Wizard page, click Finish. As a result, the certificate is installed int the selected certificate stre. In case n private key has been fund when installing the certificate, yu shuld install the key cntainer crrespnding t this certificate. If during installatin the certificate was assciated with the private key, the cntainer with the private key crrespnding t this certificate appears n the list f cntainers (see figure n page 61) (see the figure n page ). Yu may install ne mre certificate and private key r begin wrking with prtected dcuments (see ViPNet CSP Scpe n page 22) using the previusly installed issuer s certificate and CRL (see Installing Issuer's Certificates and CRL n page 73). Installing a Certificate frm Cntainer T install certificate: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 In the Cntainers sectin, chse the cntainer, whse yu need t install the certificate, and click Prperties r duble-click the necessary cntainer. ViPNet CSP 4.0. User's Guide 71

72 3 In the Key Cntainer Prperties (see figure n page 77) windw, chse a necessary private key and click Certificate. 4 In the Certificate windw, n the General tab, click Install Certificate. The Certificate Renewal Wizard (see Installing the User Certificate in the System Stre n page 68) windw will be displayed. Figure 30: Viewing the certificate prperties 5 In the Certificates Installatin Wizard, n the start page, click Next. 6 On the Chse the certificate stre page, specify the necessary stre. 7 On the Ready t install this certificate page, clear the Chse the cntainer with yur private key check bx, and click Next. 8 On the Cmpleting the Certificates Installatin Wizard page, click Finish. As a result, the certificate will be installed int the stre. T wrk with prtected dcuments and t rganize cnnectins ver the TLS/SSL prtcl, yu need t install nt nly the user's certificate, but als the issuer's certificate and CRL (see Installing Issuer's Certificates and CRL n page 73). ViPNet CSP 4.0. User's Guide 72

73 Installing Issuer's Certificates and CRL T wrk with prtected dcuments and t rganize cnnectins ver the TLS/SSL prtcl, yu need t install the user's certificate, the issuer's certificate, and the CRL in the system stre. T install the user's certificate in a cntainer r separately, use the ViPNet CSP prgram means. Yu can install the issuer's certificate and CRL by using the perating system tls. Such a type f installing the certificate is als required if the ViPNet sftware is installed n a web server and used t rganize cnnectins ver TLS/SSL. T install certificates and CRL: 1 Open the flder, cntaining the certificate file r CRL. Right-click the necessary file and, n the cntext menu, select Install Certificate r Install CRL. 2 On the start page f the Certificate Imprt Wizard, click Next. 3 On the Certificate stre page, select Place all certificates in the fllwing stre. Figure 31: Chsing a stre fr the issuer's certificate r CRL 4 Click Brwse. In the Select Certificate Stre windw, select: Trusted Rt Certificatin Authrities, if yu are installing an issuer's certificate. ViPNet CSP 4.0. User's Guide 73

74 Intermediate Certificatin Authrities, if yu are installing CRL. Click OK. 5 After yu chse a certificatin stre, click Next. 6 On the Cmpleting the Certificate Imprt Wizard page, click Finish. Warning: If the system can't validate the certificate (fr example, if the Internet cnnectin r ViPNet hst is nt available), then the Security Warning windw will be displayed. T install the certificate, click Yes. Install nly the certificates, in which yu are cnfident. 7 In the The imprt was successful message bx, click OK. The installatin will be cmplete. After that, if yu have already installed the user's certificate, yu may begin wrking with prtected dcuments (see ViPNet CSP Scpe n page 22). ViPNet CSP 4.0. User's Guide 74

75 7 Wrking with Cntainers Viewing and Cnfiguring Cntainer Prperties 76 Creating a Backup Cpy f a Cntainer 81 Deleting a Cntainer 82 ViPNet CSP 4.0. User's Guide 75

76 Viewing and Cnfiguring Cntainer Prperties In the cntainer prperties windw yu may: View infrmatin abut a private key and a certificate, which are stred in the cntainer. Change the passwrd yu use t access a cntainer. Delete a previusly saved cntainer passwrd. Install a certificate manually. Check r delete a private key stred in a cntainer. Changing the Cntainer Passwrd T change the passwrd f the cntainer, which is lcated in a flder n the disk: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 T select a key cntainer frm the current user's key cntainers flder, click Current user. T select a key cntainer frm the cmputer's key cntainers flder, click Cmputer. 3 Select a key cntainer, whse yu need t change passwrd, and click Prperties r duble-click the necessary cntainer. 4 In the Cntainer Prperties windw, click Change Passwrd. ViPNet CSP 4.0. User's Guide 76

77 Figure 32: Cntainer prperties windw 5 In the Change passwrd dialg bx, type the current cntainer passwrd, then click OK. Nte: If yu have previusly selected the Save passwrd check bx, then the Change Passwrd windw will nt be displayed. 6 In the ViPNet CSP Key Cntainer Passwrd windw, type the new passwrd and cnfirm it. Click OK. Figure 33: Changing the cntainer passwrd The cntainer passwrd is changed. ViPNet CSP 4.0. User's Guide 77

78 Deleting a Previusly Saved Passwrd Yu may need t delete the saved passwrd t a key cntainer in case the passwrd strage cnditins and (r) yu crprate security regulatins have changed s that yu may nt stre the passwrd n yur cmputer anymre. T delete a previusly saved cntainer passwrd: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 T select a key cntainer frm the current user's key cntainers flder, click Current user. T select a key cntainer frm the cmputer's key cntainers flder, click Cmputer. 3 Select a key cntainer, whse yu need t delete passwrd, and click Prperties r duble-click the necessary cntainer. 4 In the Key Cntainer Prperties (see figure n page 77) windw, click Delete Saved Passwrd. The passwrd will be deleted. The previusly saved passwrd will be remved. Then yu shuld enter the passwrd every time yu access the key cntainer. Verifying a Key Cntainer Yu can verify a key cntainer t make sure that the cntainer file has nt been mdified, that the certificate and private key in the cntainer crrespnd t each ther and yu can use them t wrk with prtected dcuments. T verify a cntainer: 1 In the Cntainer Prperties windw (see figure n page 77), in the Private Keys list, chse the private key entry. 2 Click Check. 3 In the ViPNet CSP Key Cntainer Passwrd windw (see figure n page 79) type the passwrd t access the cntainer and click OK. ViPNet CSP 4.0. User's Guide 78

79 Figure 34: Typing the cntainer passwrd 4 Then the data fragment signed with the private key will be created, and the digital signature will be verified using the public key certificate. Thus, the private key validity and its cmpatibility with the certificate stred in the cntainer will be verified. Nte: Yu can verify a key cntainer nly if it cntains a certificate crrespnding t the private key. A certificate may be missing frm a key cntainer, when it is stred separately. A certificate is stred separately frm a key cntainer if the certificate renewal request has been generated in the ViPNet CSP sftware. If the renewal request has been generated in anther prgram, the certificate will be autmatically saved t the crrespnding key cntainer. When the private key is verified, the certificate validity (its validity perid, presence in CRL, and s n) is nt verified. Deleting a Private Key It is required t delete the private key (and, if present, its certificate) frm the cntainer key in the fllwing cases: If yu dn't need this private key any mre, fr example, if its validity perid has expired. If the certificate crrespnding t this private key has been cmprmised r revked. T delete a private key frm a cntainer: 1 In the Cntainer Prperties (see figure n page 77) windw, in the Private Keys list, chse the private key entry r several entries hlding the Shift key. 2 Click Delete. Yu will receive a warning message that yu will nt be able t restre the deleted private keys. ViPNet CSP 4.0. User's Guide 79

80 3 Cnfirm the peratin by clicking Yes. The private key yu have chsen and the crrespnding certificate will be deleted. Yu shuld delete the key cntainer after that. ViPNet CSP 4.0. User's Guide 80

81 Creating a Backup Cpy f a Cntainer Yu can transfer a key cntainer t a flder n a hard drive r t an external device. This functin is useful fr creating backup cpy f key cntainer and fr increasing the data prtectin level. T cpy cntainer: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 T select a key cntainer frm the current user's key cntainers flder, click Current user. T select a key cntainer frm the cmputer's key cntainers flder, click Cmputer. 3 Select cntainer that yu want t cpy and click Cpy. 4 In the ViPNet CSP - Key Cntainer Initializatin (see figure n page 77) windw, specify and cnfirm a passwrd, which will be used t access created backup cpy. 5 In the ViPNet CSP - Key Cntainer Initializatin windw, specify a new cntainer name and lcatin. Yu can cpy a key cntainer t a flder n a hard drive r t an external device. 6 In the ViPNet CSP - Key Cntainer Initializatin (see figure n page 79) windw, type passwrd (r PIN, if cntainer lcated n the external device) t access cntainer, which yu need t cpy. T save passwrd fr next reference t cntainer, select the Save passwrd check bx. Nte: If yu save PIN f the device in the system, the security level becmes lwer. 7 The cntainer cpy will be displayed in the specified flder (r n an external device). ViPNet CSP 4.0. User's Guide 81

82 Deleting a Cntainer If yu dn't want t use sme certificate r a private key, yu may delete the crrespnding cntainer. T d this: 1 In the main ViPNet CSP windw, select the Cntainers (see figure n page 61) sectin. 2 T select a cntainer frm the current user's key cntainers flder, click Current user. T select a cntainer frm the cmputer's key cntainers flder, click Cmputer. 3 Select a cntainer yu want t delete and click Delete. Warning: A deleted cntainer can't be used. We strngly recmmend yu t create a backup cpy f the cntainer (see Creating a Backup Cpy f a Cntainer n page 81). 4 T cnfirm deleting f the cntainer, in the displayed windw, click OK. The cntainer will be deleted frm the cntainers list and als frm the flder r frm an external device, where it is stred. ViPNet CSP 4.0. User's Guide 82

83 8 Managing External Devices Viewing the Cnnected Devices List 84 Cnfiguring the Devices List 86 External Device Initializatin 87 Changing PIN 88 Using a Randm Number Generatr 89 ViPNet CSP 4.0. User's Guide 83

84 Viewing the Cnnected Devices List ViPNet CSP allws yu t wrk with key cntainers, which are stred n an external devices. T view cnnected device list and key cntainers, stred n them: 1 In the main ViPNet CSP windw, select Devices sectin. Figure 35: The Devices sectin 2 In the Available devices list, chse necessary device. Nte: In the Available devices list, nly thse devices are displayed, that are cnnected t the crrespnding card reader at the mment. 3 In the Cntainers lcated n the selected device list, chse a cntainer. T view the cntainer prperties, click View (see Viewing and Cnfiguring Cntainer Prperties n page 76). T delete the cntainer frm an external device, click Delete. ViPNet CSP 4.0. User's Guide 84

85 Nte: If the Cntainers lcated n the selected device list is empty, there are n cntainers n this device. ViPNet CSP 4.0. User's Guide 85

86 Cnfiguring the Devices List On the Devices list cnfiguratin tab, yu can specify the types f devices, which shuld be plled when the search fr keys is perfrmed. If the check bx assciated with a device type is cleared, such devices can't wrk with the prgram. By default, all supprted devices are plled. T increase the speed f key search, disable devices yu dn't use. T d this: 1 In the main ViPNet CSP windw, select the Devices list cnfiguratin sectin. Figure 36: Devices list cnfiguratin 2 Clear the check bxes crrespnding t the devices, that yu dn't use. 3 T save the settings, click Apply. ViPNet CSP 4.0. User's Guide 86

87 External Device Initializatin Initializatin means frmatting the device memry. During initializatin, all data stred n the device are remved. Passwrd and ther settings are dumped. T initialize yur cnnected device: 1 Make sure that the device yu are ging t initialize des nt cntain any imprtant infrmatin. If necessary, cpy the infrmatin frm the external device t anther device r hard drive. 2 In the main ViPNet CSP windw, select the Devices (see figure n page 84) sectin. 3 Chse a device frm the Available devices list. Nte: In the Available devices list, nly thse devices are displayed, that are cnnected t the crrespnding card reader at the mment. 4 Click Initialize. 5 In the message windw warning yu abut deleting all data frm the device, click Yes. 6 In the Initializatin windw: 7 Click OK. Type the device administratr PIN. If necessary, change the user PIN. T d that, type a new PIN and cnfirm it in the crrespnding bxes. The device will be initialized. All data saved n a device will be lst. Nw yu need t use the new user PIN t access the device. ViPNet CSP 4.0. User's Guide 87

88 Changing PIN Device PIN change may be required when the passwrd expires accrding t the crprate security plicy r by ther reasns regulated. T change the device PIN: 1 In the main ViPNet CSP windw, select the Devices (see figure n page 84) sectin. 2 Chse a device frm the Available devices list. Nte: In the Available devices list, nly thse devices are displayed, that are cnnected t the crrespnding card reader at the mment. 3 Click Change PIN. 4 In the Change PIN windw, select the PIN yu need t change. 5 In the Type ld PIN bx, type the current PIN. In the ther tw bxes, type yur new PIN and then click OK. PIN will be changed. ViPNet CSP 4.0. User's Guide 88

89 Using a Randm Number Generatr A randm number generatr creates a sequence f numbers, based n which private keys are generated. As a randm number generatr, in ViPNet CSP, yu can use an integrated bilgical randm number generatr (Digital Rulette). T chse randm number generatr, that yu want t use: 1 In the main ViPNet CSP windw, select the Randm number generatr sectin. Figure 37: Randm number generatr tab 2 In the The fllwing randm number generatrs are installed list, chse ne f the fllwing: Bilgical, t use Digital Rulette fr generating randm numbers. External device (Tken) PKCS#11, t use external devices etken Aladdin r etken GOST fr generating randm numbers. Randm binary sequence, t use a previusly generated sequence f numbers. If yu chse this ptin: Click Prperties. ViPNet CSP 4.0. User's Guide 89

90 In the Prperties windw, click Add binary sequence. In the Brwse windw, select a flder, where the files cntaining binary sequence are lcated. Hardware randm numbers generatr, installed n cmputer. 3 T save prperties, click OK. 4 T view infrmatin abut chsen randm number generatr, click Prperties. T check the perability f bilgical r hardware randm number generatrs, in the Prperties dialg bx, click Test. After the test, the results will be displayed. ViPNet CSP 4.0. User's Guide 90

91 9 Digital Signature in Micrsft Office Dcuments Digitally Signing a Dcument 92 Viewing a Digital Signature 96 Remving a Digital Signature 99 Visible Representatin f a Signature Line in Wrd and Excel Dcuments 101 ViPNet CSP 4.0. User's Guide 91

92 Digitally Signing a Dcument When yu wrking with dcuments in Micrsft Office prgrams, yu may use a digital signature. This sectin cntains infrmatin abut adding a digital signature in Micrsft Wrd, Excel and PwerPint dcuments f varius Micrsft Office versins. Micrsft Office 2003 T add a digital signature in Micrsft Wrd, Excel, and PwerPint dcuments: 1 Save a dcument. 2 On the Tls menu, click Optins. 3 On the Security tab, click Digital Signatures. 4 In the Digital Signature windw, click Add. Figure 38: Adding a digital signature in Micrsft Office 2003 ViPNet CSP 4.0. User's Guide 92

93 Nte: If yu haven't saved the dcument earlier, yu will be prmpted t save it befre adding a digital signature. In the message windw, click Yes. 1 The Select a Certificate windw will be displayed. T view infrmatin abut certificate, select it and click View Certificate. 2 In the Select a Certificate windw, select the certificate and click OK. The ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw will be displayed. 3 Type yur passwrd and click OK. The chsen certificate will appear in the The fllwing have digitally signed this dcument list in the Digital Signature windw. 4 Duble-click OK, t clse the windws. On the status bar f the dcument windw, the icn will be displayed. This icn means that the dcument cntains a digital signature. If yu edit a dcument after it was signed and try t save it, yu will be ntified that all digital signatures will be remved. If necessary yu may sign it again after saving. Micrsft Office 2007 T add a digital signature in Micrsft Wrd, Excel, and PwerPint dcuments: 1 Click the Micrsft Office buttn, pint t Prepare, and then click Add a Digital Signature. The Sign windw will be displayed. Figure 39: Adding a digital signature in Micrsft Office 2007 Nte: If yu haven't saved the dcument earlier, yu will be prmpted t save it befre adding a digital signature. In the message windw, click Yes. ViPNet CSP 4.0. User's Guide 93

94 1 In the Sign windw, yu can fill ut the Purpse fr signing this dcument bx. Als, this windw cntains brief descriptin f certificate that yu use fr signing this dcument. If necessary, click Change and chse anther certificate. 2 When yu have chsen the certificate, click Sign. The ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw will be displayed. 3 Type yur passwrd and click OK. The message abut the successful additin f the digital signature and saving a dcument will be displayed. On the status bar f the dcument windw, the icn cntains a digital signature. will be displayed. This icn means that the dcument After yu have added a digital signature, yu can't edit the dcument. T edit signed dcument, yu need t remve a digital signature (see Remving a Digital Signature n page 99). Micrsft Office 2010 T add a digital signature in Micrsft Wrd, Excel and PwerPint dcuments: 1 Click the File tab, and click the Inf sectin. 2 Under Permissins, click Prtect Dcument, Prtect Wrkbk r Prtect Presentatin, and click Add a Digital Signature. 3 Read the Micrsft Wrd, Excel r PwerPint message, and click OK. The Sign windw will be displayed. Nte: If yu haven't saved the dcument earlier, yu will be prmpted t save it befre adding a digital signature. In the message windw, click Yes. 1 In the Sign windw, yu can fill ut the Purpse fr signing this dcument bx. Als, this windw cntains brief infrmatin abut the certificate that yu use fr signing this dcument. If necessary, click Change and chse anther certificate. ViPNet CSP 4.0. User's Guide 94

95 Figure 40: Adding a digital signature in Micrsft Office When yu have chsen the certificate, click Sign. The ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw will be displayed. 3 Type yur passwrd and click OK. The message abut the successful additin f the digital signature will be displayed. In the Inf sectin, this dcument will be marked as final t discurage editing. Figure 41: The dcument has been marked as final t discurage editing On the status bar f the dcument windw, the icn that the dcument cntains a digital signature. will be displayed. This icn means After yu have added a digital signature, yu can't edit the dcument. T edit the signed dcument, yu need t remve a digital signature (see Remving a Digital Signature n page 99). ViPNet CSP 4.0. User's Guide 95

96 Viewing a Digital Signature Micrsft Office 2003 T view a digital signature in Micrsft Wrd, Excel r PwerPint dcument: 1 On the Tls menu, click Optins. 2 On the Security tab, click Digital Signatures. 3 In the Digital Signature windw, chse a certificate and click View Certificate (see figure n page 92). If the certificate is nt trusted, n the General tab f the Certificate windw, the message (see figure n page 96) will be displayed. The untrusted certificate is marked with a red X. Figure 42: A revked certificate Micrsft Office 2007 Warning: The dcuments signed in Micrsft Office 2010 r 2013 prgrams can't be crrectly recgnized in Micrsft Office 2007 prgrams f the builds earlier than We recmmend yu nt t use the earlier builds. T view a digital signature in Micrsft Wrd, Excel, r PwerPint dcument: 1 Click the Micrsft Office buttn, pint t Prepare, and then click View Signatures. The Signatures (see figure n page 97) pane will be displayed. ViPNet CSP 4.0. User's Guide 96

97 Figure 43: Viewing yur digital signatures in Micrsft Office 2007 Nte: Mrever, yu may pen the Signatures pane by clicking the digital signature icn n the status bar. 2 On the Signatures pane, right-click the signature string and click Signature Details. 3 The Signature Details (see figure n page 98) windw cntains brief infrmatin abut the signature and the certificate. In this windw, yu may perfrm the fllwing tasks: T pen a certificate, click View. T view the additinal signing infrmatin, click the See the additinal signing infrmatin that was cllected link. If any certificate validatin errrs ccur, the crrespnding message will be displayed under the windw title. Figure 44: Signature details Micrsft Office 2010 Warning: Dcuments that were signed in Micrsft Office 2003 r Micrsft Office 2007 prgrams can't be pen in Micrsft Office 2010 up t build We recmmend yu t use this build r later builds. ViPNet CSP 4.0. User's Guide 97

98 T view a digital signature in Micrsft Wrd, Excel r PwerPint dcument: 1 Click the File tab and, in the Inf sectin, click View signatures. The Signatures pane will be displayed. Figure 45: Viewing yur digital signatures in Micrsft Office 2010 Nte: Mrever, yu may pen the Signatures pane by clicking the digital signature icn n the status bar. 2 On the Signatures pane, right-click the signature string and click Signature Details. On the menu, click Signature Details. 3 The Signature Details (see figure n page 98) windw cntains brief infrmatin abut the signature and the certificate. If any certificate validatin errrs ccur, the crrespnding message will be displayed under the windw title. Figure 46: Signature details 4 T pen a certificate, click View. T view the additinal signing infrmatin, click the See the additinal signing infrmatin that was cllected link. ViPNet CSP 4.0. User's Guide 98

99 Remving a Digital Signature Micrsft Office 2003 T remve a digital signature frm a Micrsft Wrd, Excel r PwerPint dcument: 1 On the Tls menu, click Optins. 2 On the Security tab, click Digital Signatures. 3 In the Digital Signature (see figure n page 92) windw, chse a certificate t remve. T view the signing certificate, click View Certificate. 4 After chsing a digital signature, click Remve. The digital signature will be remved. Micrsft Office 2007 T remve a digital signature frm a Micrsft Wrd, Excel r PwerPint dcument: 1 Open the Signatures pane by ding ne f the fllwing: Click Micrsft Office buttn, click Prepare, and then click View Signatures. Click the digital signature icn n the status bar f the dcument. 2 On the Signatures pane (see figure n page 97), mve the muse cursr n a signature string and right-click it (r click the menu buttn n the right), and chse Remve signature. 3 T cnfirm the peratin, click Yes. The digital signature will be remved frm the dcument. Micrsft Office 2010 T remve a digital signature frm a Micrsft Wrd, Excel r PwerPint dcument: 1 Open the Signatures pane by ding ne f the fllwing: Click the File tab and, in the Inf sectin, click View signatures. Click the digital signature icn n the status bar f the dcument. ViPNet CSP 4.0. User's Guide 99

100 2 On the Signatures pane (see figure n page 97), mve the muse cursr n a signature string and right-click it (r click the menu buttn n the right), and chse Remve signature. 3 T cnfirm the peratin, click Yes. The digital signature will be remved frm the dcument. ViPNet CSP 4.0. User's Guide 100

101 Visible Representatin f a Signature Line in Wrd and Excel Dcuments Yu can add a visible representatin f a signature line in the Micrsft Office sftware f 2007 and 2010 versins. A signature line resembles a typical signature placehlder that might appear in a printed dcument. When a signature line is inserted int an Office file, the authr can specify infrmatin abut the intended signer. When an electrnic cpy f the file is sent t the intended signer, this persn sees the signature line and a ntificatin that their signature is requested. Adding a Signature Line t a Dcument T add a signature line t a dcument: 1 Place yur pinter where yu want t create a signature line. 2 On the Insert tab, under the Text grup, click Signature line. The Signature Setup windw will be displayed. Figure 47: Signature setup 3 Fill in the fllwing bxes: Suggested signer, Suggested signer s title, and Suggested signer s address. Yu may add shrt instructins fr the signer, allw the signer t type the purpse fr signing and enable date displaying. Yu can d it by selecting the crrespnding check bxes. 4 After yu cmplete the signature setup, click OK. An empty signature line will be inserted in yur dcument and als will be displayed n the Signatures pane. ViPNet CSP 4.0. User's Guide 101

102 Figure 48: A visible signature line and its representatin in the interface Befre yu add a digital signature t a signature line, yu can change the signature settings. T d this: 1 Depending n the MS Office sftware versin, d ne f the fllwing: Click Micrsft Office buttn, and chse Prepare, and then click View Signatures. The Signatures (see figure n page 97) pane will be displayed. In the Signatures pane, right-click the signature name r the signature line, and then click Signature Setup. In MS Office 2010, right-click the signature line, and then click Signature Setup. 2 In the Signature Setup (see figure n page 101) windw, make the necessary changes and click OK. Nte: After yu sign a signature line, yu may view its prperties in the Signature Setup windw, but yu can't edit it after signing. Adding a Signature Line t a Dcument In Micrsft Wrd 2007 and Wrd 2010, Excel 2007 and Excel 2010 prgrams, yu can sign a signature line. Nte: If yu will pen a Micrsft Office 2007 dcument in previus versins f MS ffice, the signature line will be replaced by the cmmn image and yu can't sign it. ViPNet CSP 4.0. User's Guide 102

103 T add a signature in a signature line: 1 Depending n the MS Office sftware versin, d ne f the fllwing: In MS Office 2007, click Micrsft Office buttn, and chse Prepare, and then click View Signatures. The Signatures (see figure n page 97) pane will be displayed. In the Signatures pane, right-click the signature name r the signature line, and then click Signature Setup. In MS Office 2010 right-click a signature string, and chse Sign. 2 In the Sign windw, type yur name r click Select Image link, if yu want t paste a graphical image f a signature line. Belw is a brief descriptin f the certificate, which the dcument will sign. T sign a dcument, using anther certificate, click Change and chse anther certificate. Figure 49: Signing a signature line 3 After yu type a name and chse a certificate, click Sign. The ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw will be displayed. 4 Type yur passwrd and click OK. In the signature line the signer's name r signature graphical image will be displayed. If by sme reasns the prgram can't verify the authenticity f certificate, the mark Invalid Signature will be displayed abve the signature line. ViPNet CSP 4.0. User's Guide 103

104 Figure 50: An invalid signature Nte: Yu can sign an Invalid signature line again. T d it, right-click n the signature line (r n the signature name n the Signatures panel) and chse Sign again. T view signature details (see Viewing a Digital Signature n page 96) r t remve signature (see Remving a Digital Signature n page 99) frm visible signature line is the same as in the case f the invisible signature: 1 Depending n the MS Office sftware versin, d ne f the fllwing: In MS Office 2007, click Micrsft Office buttn, pint t Prepare, and then click View Signatures (r click the digital signature icn dcument). In MS Office 2010, click the File tab, and then click View signatures. The Signatures (see figure n page 97) pane will be displayed. n the status bar f the 2 In the Signatures pane, right-click the signature name r the signature line. Depending f what yu need t d, click Signature Details r Remve signature. ViPNet CSP 4.0. User's Guide 104

105 10 Digital Signature and Encryptin in Micrsft Mail Prgrams Organizing Encrypted Messages Exchange 106 Exchanging Certificates with the Message Recipient 107 Advanced Cnfiguring f Digital Signature and Encryptin 109 Adding a Digital Signature t All Messages 111 Adding a Digital Signature t a Message 116 Viewing the Message's Digital Signature 119 Encryptin 121 Viewing the Encrypted Messages 126 Encrypting Dcuments and Files 127 ViPNet CSP 4.0. User's Guide 105

106 Organizing Encrypted Messages Exchange This sectin describes encrypted messages exchange between ViPNet CSP and Micrsft Outlk mail prgrams (2003, 2007 r 2010 versins) and Micrsft Windws Live (2009 versin). T rganize encrypted messages exchange between ViPNet CSP and ne f these mail prgrams: 1 Install (see Ways t Install a Private Key and a Certificate n page 60) the cntainer and the certificate in ViPNet CSP, and install the issuer's certificate and CRL (see Installing Issuer's Certificates and CRL n page 73). 2 Exchange certificates with the recipient (sender) f the message (see Exchanging Certificates with the Message Recipient n page 107). 3 If necessary, yu can cnfigure a mail prgram fr wrking with a digital signature and encrypted (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109). messages. 4 Depending n whether yu are a sender r a recipient f an encrypted message: Sign a message using yur digital signature (see Adding a Digital Signature t All Messages n page 111, Adding a Digital Signature t a Message n page 116). Create and send an encrypted message (see Encryptin n page 121). Decrypt the received message (see Viewing the Encrypted Messages n page 126). Warning: T sign messages, yu need a public key certificate where the certificate wner's address is specified and, in the Enhanced Key Usage bx, the attribute Secure is enabled. If yu dn't have such a certificate, yu can't add a digital signature t a message. T sign messages, create a request fr a new certificate, specify yur address and deliver yur request t the administratr f yur Certificatin authrity. Micrsft Outlk and Windws Live prgrams allw yu nt nly exchange encrypt messages, but als encrypt dcuments and files (see Encrypting Dcuments and Files n page 127). ViPNet CSP 4.0. User's Guide 106

107 Exchanging Certificates with the Message Recipient T encrypt an message, yu need a certificate f its recipient. Yu can exchange certificates by: Sending a message with a digital signature (see Adding a Digital Signature t a Message n page 116). Saving the sender's int cntacts, the recipient adds the sender's certificate. Sending the certificate file (.cer) t a recipient in an message r a remvable drive. Or string the certificate file in a public netwrk stre. This feature allws the recipient t imprt the certificate file int cntacts. Creating and sending a cntact with the certificate file. Warning: he recipient's certificate and yur certificate shuld cntain the wner's addresses (see Address f the Certificate Is Nt Fund n the List f Cntact Addresses n page 159). T imprt the certificate int cntacts: 1 In the Micrsft Outlk r Micrsft Windws Live prgram, in the navigatin pane, chse Cntacts. 2 Duble-click the required cntact. 3 Open the windw fr managing the user's certificates: In the Outlk 2003 prgram, pen the Certificates tab. In the Outlk 2007 r Outlk 2010 prgram, n the Cntact tab, under Shw, click Certificates. In the Windws Live Mail prgram, chse the IDs sectin. 4 Click Imprt. 5 In the Select digital ID file t imprt windw, specify the path t the certificate file, and click Open. The chsen certificate will be added t this cntact. ViPNet CSP 4.0. User's Guide 107

108 6 T make sure that yu can trust the added certificate, chse it and click Prperties. If, in the Certificate windw, n the General tab, the r is displayed, the certificate can't be trusted. 7 If the certificate is nt trusted, in the Certificate windw, n the General tab, click Trust this certificate. Then click OK. Warning: If after the certificate's imprt a message is displayed that the address specified in this certificate is nt fund in the list (see Address f the Certificate Is Nt Fund n the List f Cntact Addresses n page 159) then yu can't encrypt an message using this certificate. T send the cntact's card with a certificate: 1 In the Micrsft Outlk r Windws Live Mail prgram, create a new cntact and fill cntact with yur data. 2 Imprt yur certificate int a cntact. 3 On the cntact cntext menu: In the Outlk 2003 prgram, click Frward. In the Outlk 2007 prgram, click Send Full Cntact, and then chse In Outlk Frmat. In the Outlk 2010 prgram, click Frward, and then chse As an Outlk Cntact. 4 In the message windw, specify the recipient's address, add a text, and then click Send. Nte: Yu can't send a cntact in the Windws Live Mail prgram. After yu have exchanged certificates with the recipient, yu can start sending encrypted messages. ViPNet CSP 4.0. User's Guide 108

109 Advanced Cnfiguring f Digital Signature and Encryptin In the Micrsft Outlk prgram, t chse a signing r encryptin certificate, a cryptgraphic message frmat, r t make sme ther settings, d the fllwing: 1 Open the Change Security Settings windw: In Micrsft Outlk 2003, n the Tls menu, select Optins, g t the Security tab, and click Settings. In Micrsft Outlk 2007, n the Tls menu, select Trust Center, and then select the Security sectin, and click Settings. In Micrsft Outlk 2010 r in Micrsft Outlk 2013, n the File tab, click Optins. In the Outlk Optins windw, select the Trust Center sectin, and click Trust Center Settings. In the Trust Center windw, select Security sectin, and click Settings. 2 In the Cryptgraphy Frmat list, chse S/MIME. 3 Click Chse near the Signing Certificate bx and specify the certificate. Figure 51: Chsing a certificate fr signing and encrypting 4 Click Chse near the Encryptin Certificate bx and specify the certificate. ViPNet CSP 4.0. User's Guide 109

110 Warning: If the certificate chsen fr creating a digital signature des nt cntain any address r the specified address des nt crrespnd t the utging message's address, yu can chse this certificate as a digital signature certificate. If the chsen certificate des nt cntain an utging address, the fllwing prblems may ccur: In the system stre, there is anther certificate with the address similar t the utging address. When yu sign yur message, the digital signature will be created using this certificate, but nt using the certificate specified befre. In the system stre, there are n certificates with the address similar t the utging address. When yu try t sign the message, the digital signature will nt be added. T sign an message with a certificate, create a request fr a new certificate, specify the crrect address, and send yur request t yur certificatin authrity administratr. 5 If necessary, cnfigure ther ptins and click OK. T chse a certificate in the Windws Live Mail prgram: 1 On the Tls menu, click Accunts. 2 In the Accunts windw, chse an accunt and click Prperties. 3 In the accunt prperties windw, click the Security tab. 4 Under Signing certificate, near the Certificate bx, click Select and specify the necessary certificate, which yu will use t sign messages. 5 Under Encrypting preferences, near the Certificate bx, click Select and specify the necessary certificate, which yu will use t sign messages. 6 In the Algrithm list, chse an encryptin algrithm. 7 Click OK. ViPNet CSP 4.0. User's Guide 110

111 Adding a Digital Signature t All Messages Micrsft mail clients allw yu t add a digital signature t messages, t guarantee the authenticity and integrity f yur message, and als t ensure nn-repudiatin. T ensure the cnfidentiality f a message, yu need t encrypt it (see Encryptin n page 121). Belw yu can find the scenari f adding a digital signature t yur utging messages in the Micrsft Outlk and Windws Live Mail prgrams. Warning: T sign messages, yu need a public key certificate where the certificate wner's address is specified and, in the Enhanced Key Usage bx, the attribute Secure is enabled. If yu dn't have such a certificate, yu can't add a digital signature t a message. T sign messages, create a request fr a new certificate, specify yur address and deliver yur request t the administratr f yur Certificatin authrity. Micrsft Outlk T add a digital signature t all messages: 1 Open the security management windw. T d this: If yu use Micrsft Outlk 2003: On the Tls menu, select Optins. In the Optins windw, click the Security tab. If yu use Micrsft Outlk 2007: On the Tls menu, select Trust Center. In the Trust Center windw, click the Security tab. If yu use Micrsft Outlk 2010 r 2013: Click the File tab and select Optins. In the Outlk Optins windw, select Trust Center and click Trust Center Settings. In the Trust Center windw, select the Security sectin. ViPNet CSP 4.0. User's Guide 111

112 2 Under Encrypted , select the Add digital signature t utging messages check bx. Figure 52: Cnfiguring encrypted parameters in the Trust Center windw 3 Make sure that the Send clear text signed message when sending signed messages check bx is selected (therwise the recipients, wh d nt use the S/MIME prtcl, can't read yur message). 4 Click Settings. The Change Security Settings windw will be displayed. Figure 53: The Change Security Settings windw 5 Fill the Security Settings Name bx. 6 Click Chse near the Signing Certificate bx. 7 In the Select a Certificate windw, select a certificate frm the list. T view a certificate, click the Click here t view certificate prperties link. After chsing the certificate, click OK. The same certificate will be autmatically chsen fr encryptin. ViPNet CSP 4.0. User's Guide 112

113 Warning: If the certificate chsen fr creating a digital signature des nt cntain any address r the specified address des nt crrespnd t the utging message's address, yu can chse this certificate as a digital signature certificate. If the chsen certificate des nt cntain an utging address, the fllwing prblems may ccur: In the system stre, there is anther certificate with the address similar t the utging address. When yu sign yur message, the digital signature will be created using this certificate, but nt using the certificate specified befre. In the system stre, there are n certificates with the address similar t the utging address. When yu try t sign the message, the digital signature will nt be added. T sign an message with a certificate, create a request fr a new certificate, specify the crrect address, and send yur request t yur certificatin authrity administratr. 8 T save the settings, duble-click OK. Windws Live Mail T add a digital signature t all messages: 1 In the main Windws Live Mail windw, n the Tls menu, select Safety Optins. 2 In the Safety Optins windw, click the Security tab. 3 Under Secure Mail, select the Digitally sign all utging messages check bx. ViPNet CSP 4.0. User's Guide 113

114 Figure 54: Adding a digital signature t all utging messages 4 Click Advanced. The Advanced Security Settings windw will be displayed. Figure 55: Advanced security settings 5 Make sure that the Include my digital ID when sending signed messages check bx is selected. ViPNet CSP 4.0. User's Guide 114

115 6 Make sure that the Add senders' certificates t my Windws Live Cntacts check bx is selected. 7 T save the settings, duble-click OK. ViPNet CSP 4.0. User's Guide 115

116 Adding a Digital Signature t a Message T add a digital signature t a single message, fllw the instructins in this sectin. Warning: T sign messages, yu need a public key certificate where the certificate wner's address is specified and, in the Enhanced Key Usage bx, the attribute Secure is enabled. If yu dn't have such a certificate, yu can't add a digital signature t a message. T sign messages, create a request fr a new certificate, specify yur address and deliver yur request t the administratr f yur Certificatin authrity. Micrsft Outlk T digitally sign yur message: 1 Create a new message and depending n the Micrsft Office sftware versin d ne f the fllwing: In Micrsft Outlk 2003, n the tlbar, click Digitally Sign. In Micrsft Outlk 2007, click the Message tab. Under Optins, click Digitally Sign. In Micrsft Outlk 2010, click the Optins tab. Under Permissin, click Sign. In Micrsft Outlk 2013, click the Optins tab. Under Permissin, click Sign. Nte: The Digitally Sign r Sign ( ) buttns may be missing frm the tlbar if yu have nt chsen the certificate set by default in the Change Security Settings (see Adding a Digital Signature t All Messages n page 111) windw. 2 If there is n Digitally Sign (r Sign / ) buttn, refer t Digitally Sign/Sign Buttn Isn't Displayed. (see Digitally Sign/Sign Buttn Isn't Displayed n page 117) 3 Type yur message, and specify a subject and the recipient. If necessary, yu may add an attachment. ViPNet CSP 4.0. User's Guide 116

117 4 Click Send. The ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw will be displayed. 5 Type yur passwrd and click OK. Digitally Sign/Sign Buttn Isn't Displayed In case the Digitally sign/sign buttn is nt displayed: 1 Open the Security Prperties windw. T d this, depending n the Micrsft Office sftware versin, d ne f the fllwing: In Micrsft Outlk 2003, click Optins, then, in the Message Optins windw, click Security Settings. In Micrsft Outlk 2007, click the Optins tab, click Mre Optins. In the Message Optins windw, click Security Settings. In Micrsft Outlk 2010 r Micrsft Outlk 2013, click the Optins tab, and, under Mre Optins, click Prperties. In the Prperties windw, click Security Settings. The Security Prperties windw will be displayed. Figure 56: Security Prperties windw 2 Select the Add digital signature t this message check bx. 3 If necessary, in the Security setting list, chse preset parameters f signing and encrypting. ViPNet CSP 4.0. User's Guide 117

118 By default in the Security setting list, the value is set t <Autmatic>. This means that the certificate will be chsen autmatically. T chse the certificate manually, click Change Settings (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109). 4 T save the settings, click OK. Windws Live Mail T digitally sign a message: 1 Create a new message in the Windws Live Mail prgram. 2 In the New message windw, n the Tls menu, select Digitally sign. Nte: If, in the New message windw, the menu is nt displayed, n the tlbar, click and select Shw menu bar. 3 Type yur message, specify the subject and the recipient. If necessary, yu may add an attachment. 4 Click Send. The ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw will be displayed. 5 Type yur passwrd and click OK. ViPNet CSP 4.0. User's Guide 118

119 Viewing the Message's Digital Signature Micrsft Outlk T verify a message's digital signature, d the fllwing: 1 Open the message with a digital signature. 2 In the Signed by status line, check the address f the user wh signed the message. Figure 57: Verifying the digital signature f the message Warning: If the address in the Signed by status line des nt match the senders' address, specified in the Frm line, then the true sender is the user wh signed this message. If during the digital signature verificatin sme prblems ccur, the Signed by status line will be underlined. Figure 58: Message with an invalid digital signature 3 T see mre infrmatin abut this prblem, click Digital Signature. The Digital Signature: Valid windw will be displayed. If a digital signature yu want t use is nt valid, the Digital Signature: Invalid windw will be displayed. 4 Fr mre infrmatin abut the certificate, click Details. ViPNet CSP 4.0. User's Guide 119

120 Windws Live Mail T verify a message's digital signature, d the fllwing: 1 Chse the signed message frm the list. 2 In the reading pane, in the message header, the icn f a digital signature will be displayed. If during the digital signature verifying sme prblems ccurs, yu will be warned infrmed that yu can t trust this digital signature (this infrmatin will be displayed in the message header with the red backgrund). Message text will be replaced with Security Warning. If the message is signed with an invalid digital signature, yu can d the fllwing: T view the message, click Open message. T view the certificate the message has been signed with, click View Certificate. T add the certificate which the messages was signed with t trusted certificates, click Change the rules f trust. ViPNet CSP 4.0. User's Guide 120

121 Encryptin Encryptin in Outlk 2003 T encrypt a message: 1 In the Outlk prgram, create a new message and specify the recipient. 2 In the message windw, d ne f the fllwing: On the tlbar, click Encrypt. Click Optins. Then in the Message Optins windw, click Security Settings and select the Encrypt message cntents and attachments check bx. Figure 59: Cnfiguring parameters fr encrypting a message 3 T change additinal settings (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109), such as using a specific certificate, click Change Settings. 4 Click OK three times. 5 Send the encrypted message t the recipient. Tip: If during sending an encrypted message an errr message is displayed, see Prblems and Trubleshting (n page 150). ViPNet CSP 4.0. User's Guide 121

122 T encrypt all utging messages: 1 In the main Outlk windw, n the Tls menu, click Optins, and then click the Security tab. 2 Select the Encrypt cntents and attachments fr utging messages check bx. Figure 60: Cnfiguring all messages encryptin 3 T chse yur certificate fr signing and encrypting, click Settings and, in the Change Security Settings windw, select the required certificates. 4 After that, all yur utging messages will be encrypted if the certificate has been added t the recipient's cntact card. Encryptin in Outlk 2007 T encrypt a single message: 1 Create a new message in the Outlk prgram and specify the recipient. 2 Enable encryptin in ne f the fllwing ways: In the message, n the Message tab, under Optins, click Encrypt. ViPNet CSP 4.0. User's Guide 122

123 In the message, n the Message tab, under Optins, pen the Security Settings (see figure n page 121), and select Encrypt message cntents and attachments check bx. T change additinal settings (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109), such as using a specific certificate, click Change Settings. 3 Send yur message. T encrypt all utging messages: 1 In the main Outlk windw, n the Tls menu, click Trust Center, and then click E- mail Security. 2 Under Encrypted , select the Encrypt cntents and attachments fr utging messages check bx. 3 T change additinal settings (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109), such as chsing a specific certificate, click Settings. 4 Duble-click OK. 5 After that, all yur utging messages will be encrypted if the recipient's certificates have been added t the cntacts. Encryptin in Micrsft Outlk 2010 and Micrsft Outlk 2013 T encrypt a single message: 1 Create a new message in the Outlk prgram and specify the recipient. 2 Enable the encryptin functin using ne f the fllwing: In the message, n the Optins tab, under Permissin, click Encrypt (Encrypt ). In the message, pen the Optins tab, and under Mre Optins, click Prperties. In the Prperties windw, click Security Settings. In the Security Prperties (see figure n page 121) windw, select the Encrypt message cntents and attachments check bx. T change additinal settings (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109), such as chsing a specific certificate, click Change Settings. ViPNet CSP 4.0. User's Guide 123

124 3 Send a message. T encrypt all utging messages: 1 In the main Outlk windw, n the File tab, click Optins. 2 In the Outlk Optins windw, select Trust Center, and click Trust Center Settings. 3 In the Trust Center windw, select the Security sectin. Under Encrypted e- mail, select the Encrypt cntents and attachments fr utging messages check bx. Figure 61: Cnfiguring parameter fr encrypting all messages 4 T change additinal settings (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109), such as chsing a specific certificate, click Settings. 5 Duble-click OK. 6 After that, all yur utging messages will be encrypted if the recipient's certificates have been added t the cntacts. ViPNet CSP 4.0. User's Guide 124

125 Encryptin in the Windws Live Mail Prgram T encrypt an message: 1 Create a new message in Windws Live Mail and specify the recipient. 2 In the New message windw, n the Tls menu, select Encrypt. Nte: If, in the New message windw, the menu is nt displayed, click tlbar and select the Shw menu bar. n the 3 Send a message. T encrypt all utging messages: 1 In the main Windws Live Mail windw, n the Tls menu, select Safety Optins. 2 In the Safety Optins windw, click the Security (see figure n page 114) tab. 3 Under Secure Mail, select the Encrypt cntents and attachments fr all utging messages check bx. 4 Click OK. After that, all yur utging messages will be encrypted if the recipient's certificates were added t the cntacts. ViPNet CSP 4.0. User's Guide 125

126 Viewing the Encrypted Messages The encrypted message yu've received is marked with (in Micrsft Outlk) r (in Micrsft Windws Live). When yu chse an encrypted message in the Micrsft Outlk prgram, in the reading pane, the ntificatin message will be displayed: This item can't be displayed in the Reading Pane. Open the item t read its cntents. In the Windws Live Mail prgram, when yu chse an encrypted message, yu are prmpted t type the passwrd t the key cntainer. Thus, yur message is prtected frm unauthrized access. Warning: Yu need the ViPNet CSP prgram t view an encrypted message. T view an encrypted message: 1 In the Micrsft Outlk prgram, duble-click the required message in the list. In the Windws Live Mail prgram, chse the required message frm the list. In Windws Live Mail, chse a message frm a list. 2 In the ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw, type the passwrd used fr yur private key prtectin. After that the message with all its attachments will be decrypted and displayed in the reading pane. ViPNet CSP 4.0. User's Guide 126

127 Encrypting Dcuments and Files If yu want t encrypt certain dcuments r files, yu can d ne f the fllwing: 1 Create an encrypted message (see Encryptin n page 121). 2 Specify necessary dcuments r files as an attachment. 3 Send a message t the recipient r t yurself. In the first case, nly specified recipient can view encrypted dcuments, in the secnd ne, nly yu. ViPNet CSP 4.0. User's Guide 127

128 11 Digital Signature in Micrsft Office InfPath Permissin t Sign an InfPath Frm with a Digital Signature 129 Signing an InfPath Frm 133 Viewing an InfPath Frm Signature 136 Unsigning an InfPath Frm 137 ViPNet CSP 4.0. User's Guide 128

129 Permissin t Sign an InfPath Frm with a Digital Signature When yu are creating a frm template in Micrsft Office InfPath, yu may allw users t digitally sign it. Filling in the frm, users can sign the whle frm r its parts. Micrsft Office InfPath 2003 T allw users t sign a Micrsft Office InfPath 2003 frm, d the fllwing: 1 Create r pen a frm template in the cnstructr mde. 2 On the Tls menu, click Frm Optins. 3 In the Frm Optins windw, n the Digital Signatures tab, select the Enable digital signatures fr the entire frm check bx. 4 If necessary, select the Prmpt user t sign the frm if it is submitted withut a signature check bx. 5 T save the settings, click OK. Micrsft Office InfPath 2007 T allw users t sign a Micrsft Office InfPath 2007 frm, d the fllwing: 1 Create r pen a frm template in a cnstructr mde. 2 On the Tls menu, click Frm Optins. 3 In the Frm Optins windw, click the Digital Signatures tab. ViPNet CSP 4.0. User's Guide 129

130 Figure 62: The Digital Signatures tab 4 If yu want the user t sign the entire frm, chse the Enable digital signatures fr the entire frm. If necessary, yu may als select the Prmpt user t sign the frm if it is submitted withut a signature check bx. 5 If yu want the user t sign a part f the frm, chse the Enable digital signatures fr specific data in the frm. T specify data fr signing, click Add. The Set f Signable Data windw will be displayed. Figure 63: The Set f Signable Data windw Type the name f the data intended fr signing in the crrespnding bx. ViPNet CSP 4.0. User's Guide 130

131 Click Select XPath next t the Fields and Grups t be signed bx. In the Select a Field r Grup windw, chse the field which yu want t sign and click OK. T specify the relatin type between several signatures, select the required type (the Allw nly ne signature is specified by default), and add a message t cnfirm the signature. T save the settings, click OK. The chsen field will be displayed in the Set f Signable Data (see figure n page 130) list. If yu want the user t sign several frm fields, repeat the step 5 as many times as necessary. 6 T save the settings, click OK. Micrsft Office InfPath 2010 T allw users t sign a Micrsft Office InfPath 2010 frm, d the fllwing: 1 Create r pen a frm template in the cnstructr mde. 2 Click the File tab and, in the Inf sectin, click Frm Optins. 3 In the Frm Optins windw, click the Digital Signatures tab. Figure 64: The Digital Signatures tab 4 T specify data fr signing, click Add. 5 The Set f Signable Data windw will be displayed. Type the name f the data intended fr signing in the crrespnding bx. ViPNet CSP 4.0. User's Guide 131

132 Click Select XPath next t the Fields and Grups t be signed bx. In the Select a Field r Grup windw, chse the field which yu want t sign and click OK. T specify the relatin type between several signatures, select the required type (the Allw nly ne signature is specified by default), and add a message t cnfirm the signature. T save the settings, click OK. The chsen field will be displayed in the Set f Signable Data (see figure n page 130) list. Figure 65: The Set f Signable Data windw 6 T save the settings, click OK. ViPNet CSP 4.0. User's Guide 132

133 Signing an InfPath Frm When creating a frm, yu can allw a user t digitally sign this frm. Infrmatin f hw a user can sign the frm is given belw. Micrsft Office InfPath 2003 T sign a frm, d the fllwing: 1 Open a frm r a template. 2 On the Tls menu, select Digital signatures (r, n the tlbar, click Digital Signatures ). The Digital Signatures windw will be displayed. Figure 66: The Digital Signatures windw 3 Click Add and, in the Digital Signature Wizard windw, click Select Certificate. 4 Select yur certificate frm the list. T pen the certificate, click View Certificate. After chsing the certificate, click OK. 5 In the Cmment bx, type a cmment, which will be included in yur signature. Click OK. 6 In the ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw, type the passwrd and click OK. Yu can't change the frm after signing. ViPNet CSP 4.0. User's Guide 133

134 Micrsft Office InfPath 2007, 2010, and 2013 T sign a frm, d the fllwing: 1 Open a frm r a template in the InfPath 2007, InfPath Filler 2010, r InfPath Filler 2013 prgram. 2 Depending n the Micrsft Office InfPath sftware versin, d ne f the fllwing: In InfPath 2007, n the Tls menu, select Digital signatures (r, n the tlbar, click Digital Signatures ). In InfPath 2010, pen the File tab and, in the Inf sectin, click Digital Signatures. The Digital Signatures windw will be displayed. Figure 67: The Digital Signatures windw 3 Click Add. The Select the data t Sign windw will be displayed. 4 If a digital signature shuld be applied t the entire frm, chse Entire frm. If a digital signature shuld be applied t a part f the frm, select the data yu want t sign frm the list. 5 Click OK. The Sign (see figure n page 103) windw will be displayed. 6 If yu are signing a separate data, type yur name in the bx next t the X, and click the Select Image link, t paste an image f yur signature. 7 If necessary, fill in the Purpse fr signing this dcument bx. In InfPath Filler 2013, this windw als allws yu t chse a signing reasn frm several pre-defined ptins in the Cmmitment type list. 8 In the Sign windw, yu can find a brief descriptin f the certificate, which yu use fr signing the data. T sign a dcument using anther certificate, click Change, and chse anther certificate. ViPNet CSP 4.0. User's Guide 134

135 9 Click Sign. The ViPNet CSP Key Cntainer Passwrd (see figure n page 79) windw will be displayed. 10 Type yur passwrd and click OK. Yu can't change the frm r fields after signing. ViPNet CSP 4.0. User's Guide 135

136 Viewing an InfPath Frm Signature T view a digital signature in a Micrsft InfPath 2003 frm: 1 Depending n the Micrsft InfPath sftware versin, d ne f the fllwing: In Micrsft InfPath 2003 r Micrsft InfPath 2007, n the Tls menu, select Digital signatures (r, n the tlbar, click Digital Signatures ). In Micrsft InfPath Filler 2010, click the File tab and, in the Inf sectin, click Digital Signatures. In Micrsft InfPath Filler 2013, click the File tab and, in the Inf sectin, click View signatures. The Digital Signatures windw will be displayed. 2 If yu use Micrsft InfPath 2003, chse a certificate frm the list and click View Certificate. If the certificate is untrusted, then, in the Certificate windw, n the General (see figure n page 96) tab, a message infrming yu abut the prblem will be displayed. An untrusted certificate is marked with a red X. 3 In Micrsft InfPath 2007, Micrsft InfPath Filler 2010, r Micrsft InfPath Filler 2013, chse a digital signature frm the list and click View Signature. The Signature Details (see figure n page 98) windw will be displayed. The Signature Details windw cntains brief infrmatin abut the signature and the certificate. If any certificate validatin errrs ccur, the crrespnding message will be displayed under the windw title. T pen a certificate, click View. T view the additinal signing infrmatin, click the See the additinal signing infrmatin that was cllected link. ViPNet CSP 4.0. User's Guide 136

137 Unsigning an InfPath Frm T unsign a Micrsft InfPath frm: 1 Depending n the Micrsft InfPath sftware versin, d ne f the fllwing: In Micrsft InfPath 2003 r Micrsft InfPath 2007, n the Tls menu, select Digital signatures (r, n the tlbar, click Digital Signatures ). In Micrsft InfPath Filler 2010 r Micrsft InfPath Filler 2013, click the File tab and, in the Inf sectin, click Digital Signatures. The Digital Signatures windw will be displayed. 2 Chse a digital signature frm the list. T view a digital signature befre unsigning: In Micrsft InfPath 2003 r Micrsft InfPath Filler 2013, click View Certificate. The Certificate windw will be displayed. In Micrsft InfPath 2007 r Micrsft InfPath Filler 2010, click View Signed Frm. The Signature Details windw will be displayed. T pen the certificate, click View. 3 After chsing a digital signature, click Remve. Nte: T remve all digital signatures at nce, in Micrsft Office InfPath 2003, click Remve all. 4 In the cnfirmatin windw, click Yes. The digital signature will be remved frm the frm. ViPNet CSP 4.0. User's Guide 137

138 12 Digital Signature fr Macrs and Databases Macr Digital Signature 139 Signing Micrsft Access 2007 and 2010 Databases 142 ViPNet CSP 4.0. User's Guide 138

139 Macr Digital Signature Digitally Signing a Macr In the Micrsft Office sftware, yu can digitally sign a macr. Digital signature allws t cnfirm the rigin f the macr and its security. Yu can create and sign a macr in Micrsft Wrd, Excel, Outlk, PwerPint, Access, Publisher, and Visi. Warning: Fr yu t sign a macr, yur certificate must cntain a Cde signing attribute f the Enhanced Key Usage field. If yu dn't have such a certificate, yu can't sign a macr. T get a certificate with this attribute, cntact yur Key and Certificatin Authrity administratr (see ViPNet Administratr Key and Certificatin Authrity. Administratr s Guide ). T sign a macr, d the fllwing: 1 Open the Micrsft Visual Basic editr. If yu use Micrsft Office 2003 r Micrsft Outlk 2007, Publisher 2007, Visi 2007, n the Tls menu, select Macr, and the click Visual Basic Editr. If yu use Micrsft Wrd 2007, Excel 2007 r PwerPint 2007, n the Develper tab, under Cde, click Visual Basic. Nte: By default, the Develper tab is nt displayed. T display it, n the File menu, select Optins and, in the pened windw, in the Advanced sectin, select the Develper check bx. If yu use Micrsft Access 2007, Micrsft Access 2010, r Micrsft Access 2013, n the Database Tls tab, under Macr, click Visual Basic. If yu use Micrsft Office 2010 r Micrsft Office 2013, except fr Micrsft Access, n the Develper tab, under Cde, click Visual Basic. Nte: T pen Micrsft Visual Basic Editr in any f these applicatins, press Alt+F11. ViPNet CSP 4.0. User's Guide 139

140 2 In Micrsft Visual Basic editr, n the Tls menu, select Digital Signature. The Digital Signature windw will be displayed. Figure 68: Adding a digital signature 3 Click Chse, chse a certificate frm the list, and click OK. A digital signature will be added t a macr. Verifying a Macr's Digital Signature T verify a digital signature in a macr prject, d the fllwing: 1 In Micrsft Visual Basic editr, n the Tls menu, select Digital Signature. The Digital Signature windw will be displayed. Figure 69: The Digital Signature windw 2 In the Digital signature windw, the current certificate is specified. T pen certificate, click Detail. If the chsen certificate is nt valid, then, in the Certificate windw, n the General (see figure n page 96) tab, the crrespnding message will be displayed. The untrusted certificate is marked with a red X. ViPNet CSP 4.0. User's Guide 140

141 Unsigning a Macr T remve a digital signature frm a macr prject, d the fllwing: 1 In Micrsft Visual Basic editr, n the Tls menu, select Digital Signature. The Digital Signature (see figure n page 140) windw will be displayed. 2 T remve a digital signature, click Remve. A digital signature will be remved frm the prject. ViPNet CSP 4.0. User's Guide 141

142 Signing Micrsft Access 2007 and 2010 Databases Micrsft Access 2007 and Micrsft Access 2010 sftware allws yu t sign databases during publishing. After yu create a Micrsft Access 2007 r Micrsft Access 2010 database file, yu can pack it and add a digital signature, and then share the signed package with ther users. The users wh received the package may extract the database frm it and wrk with this database. Nte: Yu can't sign separate database cmpnents, if they were created in Micrsft Access versins earlier than Micrsft Access Fr mre details, see Macr Digital Signature (n page 139). T pack and sign a Micrsft Access database: 1 Depending n yur sftware versin, d ne f the fllwing: In MS Office 2007, click Micrsft Office buttn, pint t Publish, and then click Package and Sign. In Micrsft Access 2010 prgram, n the File tab, click Save & Publish. Under Save Database As, click Package & Sign, and then click Save As. The Select a Certificate windw will be displayed. 2 Chse a certificate and click OK. The Create Micrsft Office Access Signed Package windw will be displayed. Warning: Yu can sign a database nly using a certificate with the Cde signing attribute f the Extended Key Usage extensin. If yu have n such attribute in yur certificate, yu can't create a signed package. T get a certificate with this attribute, cntact yur Key and Certificatin Authrity administratr (see ViPNet Administratr Key and Certificatin Authrity. Administratr s Guide ). 3 Chse a flder fr saving signed package. 4 Type the name fr the signed package in the File name bx, and then click Create. ViPNet CSP 4.0. User's Guide 142

143 The signed package will be placed it in the flder that yu have chsen. ViPNet CSP 4.0. User's Guide 143

144 13 Organizing a Prtected Cnnectin via TLS/SSL Checklist: Organizing Access t a Prtected Web Server 145 Cnfiguring a Server Hst 146 Cnfiguring a Client Hst 147 Cnfiguring Internet Explrer fr Wrk ver the TLS/SSL Prtcl 148 Checking the Web Hst's Availability ver the Secure HTTPS Prtcl 149 ViPNet CSP 4.0. User's Guide 144

145 Checklist: Organizing Access t a Prtected Web Server T rganize access t a prtected web server using the ViPNet CSP cryptgraphic service prvider, yu need t cnfigure a server hst and a web client hst. 1 T cnfigure a server hst: Cnfigure IIS. Install the ViPNet CSP cryptgraphic service prvider. In the system stre, install the server's user certificate, the issuer's certificate (rt certificate), and the actual CRL. Fr mre infrmatin, see Cnfiguring a Server Hst (n page 146) sectin. 2 T cnfigure a client hst: Install the ViPNet CSP cryptgraphic service prvider. In the system stre, install the client's user certificate, the issuer's certificate (rt certificate), and the actual CRL. If necessary, cnfigure Internet Explrer fr wrk ver the TLS/SSL prtcl. Fr mre infrmatin, see Cnfiguring a Client Hst (n page 147) sectin. ViPNet CSP 4.0. User's Guide 145

146 Cnfiguring a Server Hst T cnfigure the server hst, d the fllwing: 1 Cnfigure IIS. 2 Install the ViPNet CSP cryptgraphic service prvider (see Setting Up and Starting ViPNet CSP n page 25). 3 Create a certificate request fr a server (see Creating a Certificate Request and Generating a Private Key n page 53) and send it t the Certificatin Authrity. 4 Get a certificate fr IIS, issued by request, frm the administratr f yur Certificatin Authrity, and als get a rt certificate and CRL. Warning: Server user certificate shuld cntain Data Encipherment attribute in the Key Usage field and Client Authenticatin attribute in the Enhanced Key Usage field. 5 Install the received certificate in a key cntainer (see Installing Certificates in a Cntainer n page 66). 6 In the system stre f a lcal cmputer, install the server certificate (see Installing the User Certificate in the System Stre n page 68), the issuer's certificate and the CRL (see Installing Issuer's Certificates and CRL n page 73). 7 Check that the netwrk hst is accessible ver the secure HTTPS prtcl (see Checking the Web Hst's Availability ver the Secure HTTPS Prtcl n page 149). ViPNet CSP 4.0. User's Guide 146

147 Cnfiguring a Client Hst T cnfigure a client hst, d the fllwing: 1 Install the ViPNet CSP cryptgraphic service prvider (see Setting Up and Starting ViPNet CSP n page 25). 2 Create a user certificate request fr a web client (see Creating a Certificate Request and Generating a Private Key n page 53) and send it t the Certificatin Authrity. 3 Get the certificate fr a web client issued n yur request and the issuer's certificate with a CRL frm the administratr f yur Certificatin authrity. Warning: The user certificate fr a client hst shuld cntain Client Authenticatin attribute in Enhanced Key Usage field. 4 Install the received certificate in a key cntainer (see Installing Certificates in a Cntainer n page 66). 5 In the system stre f the current user, install the received certificate (see Installing the User Certificate in the System Stre n page 68), the issuer's certificate and the CRL (see Installing Issuer's Certificates and CRL n page 73). 6 Cnfigure Internet Explrer fr wrk ver the secure prtcl. 7 Check that the netwrk hst is accessible ver the secure HTTPS prtcl (see Checking the Web Hst's Availability ver the Secure HTTPS Prtcl n page 149). ViPNet CSP 4.0. User's Guide 147

148 Cnfiguring Internet Explrer fr Wrk ver the TLS/SSL Prtcl As a rule, default brwser settings allw yu t wrk ver the TLS/SSL prtcl. If the default settings have been changed r yu can't cnnect t the server, d the fllwing: 1 In the Internet Optins windw (Tls: Internet Optins). T d this: In the Internet Explrer Tls menu, click Internet Optins. In the Ggle Chrme and Yandex.Brwser ptin windws, click Change Prxy Settings. 2 Click the Details tab. 3 Select the SSL 3.0, and TLS 1.0 check bxes. 4 Clear the SSL 2.0 check bx. 5 Check that the netwrk hst is accessible ver the secure HTTPS prtcl (see Checking the Web Hst's Availability ver the Secure HTTPS Prtcl n page 149). Nte: T wrk in Yandex.Brwser and Ggle Chrme ver the TLS/SSL prtcl, in the shrtcut prperties, in the Object bx, at the end f the path t the prgram flder add the cmmand --use-system-ssl. ViPNet CSP 4.0. User's Guide 148

149 Checking the Web Hst's Availability ver the Secure HTTPS Prtcl T get access t a web hst ver the HTTPS, d the fllwing: 1 In the Internet Explrer address bar, type: 2 After yu lg n t the server, the web server page will be displayed. If the cnnectin t the web server culd nt be established, refer t the Prblems and Trubleshting (n page 150). ViPNet CSP 4.0. User's Guide 149

150 14 Prblems and Trubleshting Checking the Prgram Cmpnents Integrity 151 The Prgram Wn't Start 152 ViPNet CSP Cnflicts with Other Prgrams 154 Can't Use Accrd-TSHM Electrnic Lck 156 When Yu Are Using etken Aladdin, the System Irrespnsive 157 Unable t Check the Certificate 158 Dcument Can't be Encrypted 159 Can't Use the Digital Signature 163 N Cnnectin t the Server ver HTTPS 165 When Yu Cnnect t a Server, Security Warning Is Displayed 170 Prviding Additinal Infrmatin Abut the Prblem 171 ViPNet CSP 4.0. User's Guide 150

151 Checking the Prgram Cmpnents Integrity Fr visual mnitring f the libraries availability: 1 In the main ViPNet CSP windw, in the navigatin pane, select Details. 2 In the Executables table, check the libraries list. T check the libraries integrity: 1 In the main ViPNet CSP windw, select Details. Figure 70: The Details pane 2 Click Test. Thus, yu frce recalculatin f checksums and the check f their cnfrmity t the sums specified in each f the mdules. After the check is finished, results f the check will be displayed. ViPNet CSP 4.0. User's Guide 151

152 The Prgram Wn't Start If, n the ViPNet CSP prgram start, yu are ntified that the integrity check has failed r that sme cmpnents are missing, then yu can't wrk with the prgram. Figure 71: Errr messages n the ViPNet CSP prgram start T restre the perability f ViPNet CSP, install the prgram again ver the previus versin (withut remving it). T d that: 1 Click the Setup.exe file. 2 In the ViPNet CSP Installatin windw, select Upgrade, and then click Cntinue. The prgram cmpnents' upgrading will start. ViPNet CSP 4.0. User's Guide 152

153 Figure 72: Updating ViPNet CSP 3 After upgrading is finished, yu will be prmpted t restart yur cmputer. In the restart message, click Yes. After restart the ViPNet CSP prgram will be fully peratinal. If the prgram has been registered earlier, yu dn't need t register it again. ViPNet CSP 4.0. User's Guide 153

154 ViPNet CSP Cnflicts with Other Prgrams ViPNet sftware peculiarities may lead t sme failures in the perability f sme third-party prgrams. T eliminate any cnflicts between ViPNet sftware and third-party prgrams, make sme changes in the Windws system registry: 1 Click the Start buttn. In the search bx, type run, and then, in the list f results, click Run. 2 In the Open bx, type regedit and click OK. The registry editr windw will be displayed. Warning: D nt change any ther system registry parameters but Flags. An incrrect change in the registry may lead t cmputer malfunctin. 3 Under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentCntrlSet\Cntrl\inftecs\PatchEngine, set the Flags parameter value t 0. 4 Restart yur cmputer. If yu have applied the changes, but the prblem still arises, cntact Inftecs technical supprt. If ViPNet CSP cnflicts with third-party cryptgraphic service prviders, yu may disable ViPNet CSP wrk via the MS Crypt API interface. Warning: After disabling the MS Crypt API interface supprt, yu can't use ViPNet CSP cryptgraphic functins in Micrsft Office prgrams and ther applicatins, which use this interface. Hwever, yu still may use ViPNet CSP functins in varius ViPNet prgrams. ViPNet CSP 4.0. User's Guide 154

155 T disable the wrk f ViPNet CSP via the MS Crypt API interface, in the General (see figure n page 32) sectin, clear the Allw ViPNet CSP t use MS Crypt API check bx. The change will take effect when yu restart Windws. ViPNet CSP 4.0. User's Guide 155

156 Can't Use Accrd-TSHM Electrnic Lck If Accrd-TSHM electrnic lck is installed n yur cmputer, but yu can't use it in ViPNet CSP as a randm numbers generatr, d the fllwing: 1 Make sure that drivers fr the Accrd-TSHM electrnic lck are installed n yur cmputer. 2 Cpy the tmdv32.dll file frm the drivers installatin flder (by default C:\Accrd) t the fllwing flder: If yu use a 64-bit Windws OS, cpy the file t the C:\Windws\System32 flder. If yu use a 32-bit Windws OS, cpy the file t the C:\Windws\SysWOW64 flder. 3 In ViPNet CSP, chse Accrd-TSHM as a randm number generatr (see Using a Randm Number Generatr n page 89). ViPNet CSP 4.0. User's Guide 156

157 When Yu Are Using etken Aladdin, the System Irrespnsive If yu are using an etken Aladdin device and yur system irrespnsive, make sure that etken PKI Client 5.1 (r later) sftware have been installed. ViPNet CSP 4.0. User's Guide 157

158 Unable t Check the Certificate During the certificate's installatin, the certificate verificatin errr may ccur. This means that the issuer's certificate and CRL have nt been installed in the system (see Installing Issuer's Certificates and CRL n page 73). ViPNet CSP 4.0. User's Guide 158

159 Dcument Can't be Encrypted Address f the Certificate Is Nt Fund n the List f Cntact Addresses During the certificate's imprt t the cntact the fllwing message may be displayed: Figure 73: Certificate imprt errr This means that the certificate des nt cntain an address, which crrespnds t this cntact's address. That's why yu can't encrypt a message using this certificate. Pssible reasns and ways f slving the prblem: If the certificate des nt belng t this cntact: Open the Certificate windw by duble-clicking the certificate file n yur hard drive. ViPNet CSP 4.0. User's Guide 159

160 On the General tab, make sure that this certificate is intended fr the cntact in questin. If nt, select the certificate yu want t imprt. Figure 74: Certificate's wner verificatin If the certificate des nt cntain the address f this cntact: Open the Certificate windw by duble-clicking the certificate file n yur hard drive. ViPNet CSP 4.0. User's Guide 160

161 On the Details tab, click the Subject bx and make sure, that the E parameter has the crrect address as its value. Figure 75: Certificate address check If nt, create a request fr a new certificate: the recipient, if yu have imprted the cntact's certificate; the administratr f yur Certificatin authrity, if yu have added yur certificate t the system stre. Invalid Certificate During an encrypted message sending, the warning message may be displayed: Figure 76: The message abut invalid certificate in Outlk 2003 ViPNet CSP 4.0. User's Guide 161

162 Figure 77: The message abut invalid certificate in Outlk 2007 The reasn may be as fllws: The recipient's certificate des nt cntain the address f this recipient (see Address f the Certificate Is Nt Fund n the List f Cntact Addresses n page 159). Yur certificate des nt cntain yur address (see Address f the Certificate Is Nt Fund n the List f Cntact Addresses n page 159). The recipient's certificate r yur certificate is invalid. Request a new certificate frm the recipient r frm the administratr f yur Certificatin authrity. The certificate fr signing and encrypting (see Advanced Cnfiguring f Digital Signature and Encryptin n page 109) is nt specified. The issuer's certificate is nt installed (see Installing Issuer's Certificates and CRL n page 73) in the system stre. ViPNet CSP 4.0. User's Guide 162

163 Can't Use the Digital Signature The Crrespnding Private Key Is Nt Fund When yu are chsing a certificate fr signing, the ViPNet CSP - Key Cntainer Initializatin windw may be displayed, which means that the private key crrespnding t the chsen certificate is nt fund. This may happen if the private key cntainer has been disabled in the ViPNet CSP prgram (see Deleting a Cntainer n page 82). T sign a dcument using the chsen certificate, in the ViPNet CSP - Key Cntainer Initializatin windw, specify the path t the private key cntainer and its certificate. If yu dn't knw the cntainer's lcatin, yu can't use the chsen certificate. If, in the ViPNet CSP - Key Cntainer Initializatin windw, yu specify the keys cntainer lcatin, this cntainer will be added t the list n the Cntainers tab. The Message Can't be Signed When yu are signing an message, yu may be ntified that there is n any certificate cntaining yur address. In this case, yu shuld ask the Key and Certificatin Authrity fr such a certificate. Yur address and Secure attribute in Enhanced Key Usage field shuld be specified in the certificate. An Message Is Signed with a Certificate That Yu Have Nt Selected fr Signing Such an errr ccurs when the certificate chsen fr signing des nt cntain its wner's address r the specified address des nt crrespnd t the utging message's address. Mrever, when the message is signed, a different certificate that cntains the sender's address is chsen frm the system stre. T reslve this errr: 1 Create a new certificate request and specify the crrect address in it. 2 Send the certificate request t the administratr f yur Certificatin authrity and wait until receive a new certificate. 3 Specify the received certificate as a certificate fr signing. ViPNet CSP 4.0. User's Guide 163

164 Macrs r Micrsft Access 2007 Database Can't be Signed When yu are signing a macrs r a Micrsft Access 2007 package, there may be n certificates that yu can select fr signing. Thus, yu can't sign a cde. T eliminate the prblem, ask yur Key and Certificatin Authrity fr a certificate with a Cde signing attribute in the Enhanced Key Usage field. The Signature Line in Micrsft Wrd 2003 r Excel 2003 Can't be Signed Yu can't sign a signature line in Micrsft Wrd and Excel versins earlier than Micrsft Office T sign a signature line, yu need t pen a dcument in Micrsft Office Signed Micrsft Wrd r Excel Dcument Can't be Edited T edit a signed Micrsft Wrd r Excel dcument, yu need t remve a digital signature (see Remving a Digital Signature n page 99) and then make necessary changes. After that yu can sign this dcument again. Warning: We strngly recmmend yu nt t remve a digital signature frm a dcument, which was signed by anther persn, if this dcument has legal validity. ViPNet CSP 4.0. User's Guide 164

165 N Cnnectin t the Server ver HTTPS The IIS Server and the Web Client Have Different ViPNet CSP Versins On the web client, yu need t install the same versin f the sftware as n the server. User's Certificates, the Issuer's Certificate, and CRL Were Installed in the Wrng Stre Check that the certificates are installed in the required stre using the standard MMC (Micrsft Management Cnsle). T view certificates installed in a system stre: 1 Open the MMC: Press Win+R. On the Start menu, select Run. In the Open bx, type mmc, and click OK. 2 On the File menu, select Add/Remve Snap-in. 3 In the Add/Remve Snap-in windw, in the Available snap-ins list, select Certificates, and click Add. 4 In the Certificates snap-in windw, chse snap-in type, that yu want t add: My user accunt, t view web client's certificates; Cmputer accunt, t view server's certificates; Nte: If yu dn't want t add a Certificates snap-in t the cnsle every time yu need it, yu may save it. T d this, n the File menu, click Save. ViPNet CSP 4.0. User's Guide 165

166 User's certificates, issuer's certificate and CRL shuld be installed in the crrect system stre, and when yu pen them there shuld be n errrs. Figure 78: Web client certificate is in the current user's system stre In the MMC snap-in, the fllwing lcal cmputer certificates shuld be added fr the IIS: The Persnal > Certificates sectin shuld cntain a user's (server's) certificate. The Trusted Rt Certificatin > Certificates sectin shuld cntain the issuer's certificates. The Intermediate Certificatin Authrities > Certificate Revcatin List sectin shuld cntain the CRL. In the MMC snap-in, the fllwing current user's certificates shuld be added fr the web client: The Persnal > Certificates sectin shuld cntain a user's (web-client) certificate. The Trusted Rt Certificatin > Certificates sectin shuld cntain the issuer's certificates. ViPNet CSP 4.0. User's Guide 166

167 The Intermediate Certificatin Authrities > Certificate Revcatin List sectin shuld cntain the CRL. If a certificate is nt installed r has been installed incrrectly, yu need t install r reinstall it crrectly in the system stre (see Installing Issuer's Certificates and CRL n page 73). The Brwser Is Nt Cnfigured t Wrk ver the TLS Prtcl By default Internet Explrer settings allw yu t wrk ver encrypted TLS prtcl. If yu can't cnnect t the server, make sure that the necessary certificate is added t the web brwser and the TLS/SSL prtcl is enabled in the brwser settings. T check that the certificate is added t yur web brwser: 1 In the Internet Explrer brwser, n the Tls menu, click Internet Optins. 2 In the Internet Optins windw, n the Cntent tab, click Certificates. 3 In the Certificates windw, n the Persnal tab, make sure that necessary certificate is present n the list. 4 Chse the certificate and click View. 5 In the Certificate windw, make sure that the certificate cntains the Client Authenticatin attribute (see figure n page 168). If yur certificate des nt cntain this attribute, ask fr a certificate with this attribute in the Key and Certificatin Authrity (see ViPNet Administratr Key and Certificatin Authrity. Administratr s Guide ). ViPNet CSP 4.0. User's Guide 167

168 Figure 79: Web client certificate details T check the TLS/SSL prtcl activity: 1 In the Internet Explrer brwser, n the Tls menu, click Internet Optins. 2 In the Internet Optins windw, click the Advanced tab. 3 Make sure that the SSL 3.0, TLS 1.0 check bxes are selected, and the SSL 2.0 check bx is cleared. 4 Check cnnectin t the web server. The IIS Services Shuld Be Restarted In sme cases, yu need t restart the IIS service t cnnect t a server ver the newly cnfigured TLS prtcl. T d this: 1 Open the Windws Task Manager windw. 2 End the inetinf.exe prcess. 3 After the service has started autmatically, check the cnnectin t a server. ViPNet CSP 4.0. User's Guide 168

169 Passwrd t Server's Certificate Shuld Be Saved In sme cases, t access the server yu need t save the key cntainer passwrd. T d this: 1 In the MMC snap-in, pen a certificate. 2 In the Certificate windw, n the Details tab, click Cpy t File. 3 On the start page f the Certificates Exprt Wizard, click Next. 4 In the key cntainer lgn windw, type the server's user passwrd and select the Save Passwrd and the D nt shw this windw again check bxes. 5 Click OK. Nw yu can clse the wizard, the passwrd has been saved. ViPNet CSP 4.0. User's Guide 169

170 When Yu Cnnect t a Server, Security Warning Is Displayed When yu are cnnecting t the server, a Security warning may be displayed by yur web brwser: Specified in the certificate name is incrrect r des nt match the name f the site. In this case, check that the server dmain name is the same as the name f the user this certificate is issued fr. Figure 80: Security warning abut names mismatch ViPNet CSP 4.0. User's Guide 170

171 Prviding Additinal Infrmatin Abut the Prblem A specialist f the Inftecs technical supprt may ask yu t prvide mre infrmatin t slve the prblem. In this case: 1 Press Win+R. On the Start menu, select Run. 2 In the Open bx, type regedit and press Enter. 3 In the Registry Editr prgram, g t the Lgs flder, which is accessible by the fllwing path: in the 32-bit Windws OS: HKEY_LOCAL_MACHINE\SOFTWARE\inftecs\Lgs; in the 64-bit Windws OS: HKEY_LOCAL_MACHINE\SOFTWARE\Ww6432Nde\inftecs\Lgs. 4 Change the Level and dbg_level values t 0xff (255). 5 Restart yur cmputer. Nte: It may take a lng time t start yur cmputer. 6 Dwnlad the DebugView prgram. 7 Run DbgView.exe as a system administratr. 8 Repeat the steps that have caused the prblem. 9 In the DebugView prgram, select all strings and cpy them t a text file. 10 Add this text file t an archive and send it t the supprt with a descriptin f the prblem. Nte: If third-party sftware is required t reprduce the prblem, yu shuld nte it in yur . ViPNet CSP 4.0. User's Guide 171

172 11 Set the dbg_level key value t Restart yur cmputer. ViPNet CSP 4.0. User's Guide 172

173 A External Strage Devices Overview External strage devices are designed fr string key cntainers (see Key cntainer n page 178) that yu can use fr authenticatin, digital signing (see Digital signature n page 178), r ther purpses. On an external device, yu can stre keys created using different encryptin algrithms in ViPNet sftware r third-party prgrams. Maximum number f key cntainers stred n a device depends n the device's memry space. ViPNet sftware supprts tw authenticatin methds invlving external strage devices: ViPNet user's persnal key stred n an external device with the fllwing limitatins: Each external strage device can be used fr authenticatin f nly ne ViPNet user. Each external strage device can be used fr authenticatin f ne ViPNet user n several ViPNet hsts. If yu use this authenticatin methd, then stre yur digital signature keys (created in a certificatin authrity using ViPNet sftware) and the persnal key n ne external strage device. Certificate with its private key stred n an external device. Yu can request fr the certificate in Windws dmain and stre the crrespnding key cntainer n yur external strage device that supprts PKCS#11. ViPNet CSP 4.0. User's Guide 173

174 Yu can perfrm all the required cnfiguring cncerning key cntainers and external strage devices in the ViPNet CSP prgram. Make sure that yu've installed the drives required fr yur external device. Befre yu stre keys n yur device, make sure that the device is frmatted. ViPNet CSP 4.0. User's Guide 174

175 Supprted External Strage Devices In the table belw, yu can find the list f devices supprted by the ViPNet sftware. Fr each external device, the table cntains descriptin, cnditins, peratin specifics, and infrmatin n PKCS#11 standard supprt. Nte: PKCS#11 (als knwn as Cryptki) is ne f the PKCS standards (Public Key Cryptgraphy Standards cryptgraphic standards f public keys) develped by the RSA Labratries cmpany. The standard defines the API interface independent f the platfrm and intended fr the wrk with cryptgraphic devices f identificatin and data strage. Table 5: Supprted external devices Device name in ViPNet CSP Device name and type Requirements PKCS#11 supprt etken Aladdin etken PRO (Java), etken PRO persnal electrnic keys, etken PRO (Java), etken PRO smart cards by Aladdin Cmpany The PKI Client sftware f the 5.1 versin r later shuld be installed n the cmputer. Nte: Yu can use etken PRO SmartCard with any standard PC/SC-cmpatible USB card reader. Yes ibuttn Aladdin ibuttn (Dallas) electrnic keys f the DS1993, DS1994, DS1995, and DS1996 types A reader device must be cnnected t the cmputer. The 1-Wire Drivers sftware versin 3.20 r 4.0.3, which ensures data exchange with ibuttn, shuld be installed n the cmputer. N Smartcard Athena Smartcards with memry f the I2C (ASE M4) type, synchr cards with a 2/3 bus and prtected memry meeting the requirements f the ISO (ASE MP42) standard The ASEDrive III PRO-S reader by Athena cmpany is used t prcess data n a smart card. Drivers f the 2.6 versin shuld be installed n the cmputer. N ViPNet CSP 4.0. User's Guide 175

176 Siemens CardOS CardOS/M4.01a, CardOS V4.3B, CardOS V4.2B, CardOS V4.2B DI, CardOS V4.2C, and CardOS V4.4 smart cards by Ats (Siemens) Siemens CardOS API V5.0 and later shuld be installed n the cmputer. Yes Nte: Fr each device, the list f supprted perating systems is available n the manufacturer's fficial web page. ViPNet CSP 4.0. User's Guide 176

177 B Glssary C CA administratr An authrized persn privileged t sign certificates n behalf f a certificatin authrity. See als: Certificatin authrity (CA) (n page 177). Certificate request A message prtected with a digital signature that cntains the user name, the public key and its prperties, the desired validity perid f the certificate, certificate intended purpses, and sme ther infrmatin (depends n the request frmat and the sftware used t create the request). See als: Digital signature (n page 178), Private key (n page 179), Public key (n page 179), Public key certificate (n page 179). Certificate revcatin list (CRL) A list f certificates that have been revked r held by the Certificatin Authrity administratr, and are nt valid at the mment specified in this certificate revcatin list. See als: CA Administratr (n page 177), Certificate hld, Certificate revcatin. ViPNet CSP 4.0. User's Guide 177

178 Certificatin authrity (CA) An entity that issues digital certificates, including public key certificates. In ViPNet netwrks, certificates are issued in Key and Certificatin Authrity. See als: Public key certificate (n page 179), ViPNet Key and Certificatin Authrity, ViPNet netwrk. D Digital rulette An integrated ViPNet sftware cmpnent which allws yu t launch a randm number generatr based n yur chance mvements. Digital signature An attribute f an electrnic dcument intended t prtect the dcument authenticity. It is generated when encrypting infrmatin using a private key f a digital signature. A digital signature identifies the public key certificate wner, as well as prves nn-repudiatin f the dcument cntents. See als: Private key (n page 179), Public key certificate (n page 179). I Issuer's certificate A certificate f a Certificatin Authrity administratr that is used fr verifying ther certificates issued by this CA. See als: Public key certificate (n page 179). K Key cntainer A file where a private key and the crrespnding public key certificate are stred. See als: Public key certificate (n page 179). ViPNet CSP 4.0. User's Guide 178

179 P PKI (public key infrastructure) A set f hardware, sftware, plicies, and prcedures intended fr creating, managing, distributing, using, string, and revking public key certificates, binding public keys with respective user identities by means f a certificatin authrity. See als: Certificatin authrity (CA) (n page 177), Public key (n page 179), Public key certificate (n page 179). Private key The secret part f a key pair used in asymmetric encryptin. A private key is intended t generate a digital signature that can be verified by the crrespnding public key and t decrypt a received message encrypted by using the crrespnding public key. A digital signature key is a private key. See als: Digital signature (n page 178), Public key (n page 179). Public key An asymmetric encryptin key, ne f an asymmetric keys pair. It needs nt t be kept secret and can be distributed freely and published in a netwrk accessible directry. A public key is used t verify digital signature. In ViPNet CSP, it is used fr encryptin. See als: Digital signature (n page 178). Public key certificate An electrnic dcument f a previusly specified frmat that uses a digital signature t bind a public key with an identity, infrmatin such as the name f a persn r an rganizatin, their address, and s frth. The certificate can be used t verify that a public key belngs t an individual. A certificate cntains infrmatin abut the key wner, the public key, abut its purpse and usage, abut the certificatin authrity that has issued the certificate, the certificate validity perid, and sme ther parameters. In a ViPNet netwrk, certificates are issued in ViPNet Key and Certificatin Authrity r in ViPNet Netwrk Manager and verified with the digital signature f the ViPNet Key and Certificatin Authrity administratr r ViPNet Netwrk Manager administratr. This prvides authenticity and integrity f the infrmatin specified in the certificate, including its public key and descriptin f its subject. See als: Digital signature (n page 178), Public key (n page 179), ViPNet Key and Certificatin Authrity, ViPNet Key and Certificatin Authrity administratr. ViPNet CSP 4.0. User's Guide 179

180 R Rt certificate A self-signed certificate f a ViPNet netwrk administratr that is the tp ne in the certificate trust chain. In ther wrds, there is n certificate yu can validate a rt certificate with. Rt certificates are used t validate ViPNet user r issuer's certificates. See als: Public key certificate (n page 179). ViPNet CSP 4.0. User's Guide 180

181 C Index A Adding a Digital Signature t a Message 108, 109 Adding a Digital Signature t All Messages 108, 118 Advanced Cnfiguring f Digital Signature and Encryptin 108, 120, 123, 125, 126, 164 B Buying Prgram (Getting a Serial Number) 36, 39, 41, 51 C CA administratr 179 Certificate revcatin list (CRL) 18, 23 Certificatin authrity (CA) 179, 181 Checking the Web Hst's Availability ver the Secure HTTPS Prtcl 148, 149, 150 Cnfiguring a Client Hst 147 Cnfiguring a Server Hst 147 Creating a Backup Cpy f a Cntainer 83 Creating a Certificate Request and Generating a Private Key 18, 53, 148, 149 D Deleting a Cntainer 165 Digital rulette 57 Digital signature 11, 175, 179, 181 Digital Signature and Encryptin in Micrsft Mail Prgrams 22 Digital Signature in Micrsft Office Dcuments 22 Digital Signature in Micrsft Office InfPath 22 Digitally Sign/Sign Buttn Isn't Displayed 118 E Address f the Certificate Is Nt Fund n the List f Cntact Addresses 109, 110, 164 Encryptin 22, 108, 113, 129 Encrypting Dcuments and Files 108 Exchanging Certificates with the Message Recipient 108 I If the Cnfiguratin f Yur Cmputer Has Been Changed 35 Installing a Certificate frm Cntainer 24, 63, 64, 66, 69 Installing a Certificate Which Has Nt Been Added t the Cntainer 69 Installing Certificates in a Cntainer 53, 61, 148, 149 Installing Cntainer frm a Flder 18, 59, 61, 71 Installing Cntainer frm an External Device 18, 61, 71 Installing Cntainers and Certificates 18, 32 ViPNet CSP 4.0. User's Guide 181

182 Installing Issuer's Certificates and CRL 18, 24, 53, 61, 64, 66, 72, 73, 108, 148, 149, 160, 164, 169 Installing the User Certificate in the System Stre 18, 53, 57, 61, 62, 73, 148, 149 Issuer's certificate 18, 23 K Key cntainer 175 Key Cntainer 20, 69 M Macr Digital Signature 22, 144 O Obtaining and Installing a Private Key and a Certificate 18, 23 Organizing a Prtected Cnnectin via TLS/SSL 22, 24 P Private key 179, 180 Prblems and Trubleshting 123, 151 Public key 179, 181 Public key certificate 16, 179, 180, 181, 182 R Receiving Yur Registratin Cde frm the Administratr 38, 51 Registering ViPNet CSP 33, 36, 43, 44, 46 Remving a Digital Signature 95, 96, 106, 166 Requesting a Registratin Cde 36, 37, 49 Requesting Yur Registratin Cde by 38 Requesting Yur Registratin Cde by Phne 38 Requesting Yur Registratin Cde n the Internet (nline) 38, 41, 45 S Saving Registratin Data 35, 41, 44, 48 Setting Up and Starting ViPNet CSP 148, 149 Starting the Registratin Prcess 37, 47 Supprted External Strage Devices 12, 65, 71 System Administratr Actins fr Registratin Using a File 35, 44 U Using a Randm Number Generatr 158 V Viewing a Digital Signature 106 Viewing and Cnfiguring Cntainer Prperties 85 Viewing the Encrypted Messages 108 ViPNet CSP Licensing 31, 35 ViPNet CSP Purpse 11, 23 ViPNet CSP Scpe 24, 64, 66, 72, 75 ViPNet CSP Setup 23 W Ways t Install a Private Key and a Certificate 24, 108 ViPNet CSP 4.0. User's Guide 182