egais does not work: pki partition is blocked. Cryptopro does not see the JaCarta key, we solve it in a minute Algorithm for solving problems with JaCarta

The Jacarta PKI/GOST carrier is blocked when multiple attempts are made to enter an incorrect PIN code. In this case, the connection with the FSRAR server is lost, and data on invoices does not arrive in your accounting system. How to quickly unlock the key and restore work with EGAIS?

By default, all new media have the following passwords:

PKI	11 11 11 11
PKI Administrator	00 00 00 00
GOST	0987654321
GOST Administrator	1234567890

To remove the lock, the Jacarta Unified Client must be installed on your computer. If the configuration and installation of EGAIS was carried out by our specialists, then you already have this program.

Run the program and wait until information about the Jacarta PKI/GOST media appears in the Unified Client window.

Removing the GOST lock

The GOST section contains the KEP certificate issued by the certification center. be careful- You cannot remove any components from this section. After deletion, you will have to contact the certification center again to issue a key.

To unlock the GOST pin code, top menu“Application operations” select the first item “Unlock user PIN”. A notification will appear on the screen that removing the lock will reset the counter of incorrect input attempts.

Click “OK” and in the newly opened window enter Jacarta administrator pin code GOST 1234567890. After resetting the error counter, enter the standard user PIN code GOST 0987654321.

Important: this procedure will only help you reset the counter, but not change it forgotten password on new. If you changed the default GOST password and forgot it, you will have to initialize and record the key again at the certification center.

Unblocking PKI

The PKI container contains an RSA key that is generated in personal account on the website egais.ru. If you lose your PIN code, this section can be initialized (completely cleared), since you can re-record the key yourself and for free, without contacting a certification center.

Good afternoon!. For the last two days I have had an interesting task of finding a solution to this situation, whether there is a physical or virtual server, it probably has the well-known CryptoPRO installed on it. Connected to the server , which is used to sign documents for VTB24 DBO. Locally on Windows 10 everything works, but on the server platform Windows Server 2016 and 2012 R2, Cryptopro doesn't see JaCarta key . Let's figure out what the problem is and how to fix it.

Description of the environment

Eat virtual machine on Vmware ESXi 6.5, as operating system installed Windows Server 2012 R2. The server is running CryptoPRO 4.0.9944, the latest version at the moment. WITH network USB hub, by USB over IP technology, JaCarta dongle is connected. Key in the system it seems, but not in CryptoPRO.

Algorithm for solving problems with JaCarta

CryptoPRO very often causes various errors in Windows, a simple example ( Windows installer service could not be accessed). This is what the situation looks like when the CryptoPRO utility does not see the certificate in the container.

As you can see in the UTN Manager utility, the key is connected, it is seen in the system in smart cards as a Microsoft Usbccid (WUDF) device, but CryptoPRO does not detect this container and you do not have the opportunity to install the certificate. The token was connected locally, everything was the same. We began to think about what to do.

Possible reasons with container definition

1. Firstly, this is a problem with the drivers, for example, in Windows Server 2012 R2, JaCarta should ideally be defined in the list of smart cards as JaCarta Usbccid Smartcard, and not Microsoft Usbccid (WUDF)
2. Secondly, if the device is seen as Microsoft Usbccid (WUDF), then the driver version may be outdated, which is why your utilities will not detect a protected device. USB storage.
3. Outdated version of CryptoPRO

How to solve the problem that cryptopro does not see the USB key?

Created a new virtual machine and began to install the software all sequentially.

Before installing any software working with USB drives containing certificates and private keys. Need to NECESSARILY disable the token, if inserted locally, then disable it, if over the network, terminate the session

• First thing updating your operating system, all available updates, as Microsoft fixes many errors and bugs, including drivers.
• The second point is, in the case of a physical server, install all the latest drivers on the motherboard and all peripheral equipment.
• Next, install the Unified JaCarta Client.
• Install the latest version of CryptoPRO

Installing a single JaCarta PKI client

Single JaCarta Client- This special utility from the Aladdin company, for proper operation with JaCarta tokens. You can download the latest version of this software product from the official website, or from my cloud, if suddenly you can’t get it from the manufacturer’s website.

Further received you are unpacking the archive and launch installation file, under your own Windows architecture, mine is 64-bit. Let's start installing the Jacarta driver. A single Jacarta client, it is very easy to install (I REMIND you that your token must be disabled at the time of installation). On the first window of the installation wizard, simply click next.

We accept license agreement and click "Next"

In order for the JaCarta token drivers to work correctly for you, you just need to perform a standard installation.

If you choose "Custom installation", be sure to check the following boxes:

• JaCarta Drivers
• Support modules
• Support module for CryptoPRO

After a couple of seconds, Jacarta Unified Client is successfully installed.

Be sure to restart the server or computer so that the system sees the latest drivers.

After installing JaCarta PKI, you need to install CryptoPRO, to do this, go to the official website.

https://www.cryptopro.ru/downloads

Currently the most latest version CryptoPro CSP 4.0.9944. Run the installer, leave the "Install root certificates" checkbox and click "Install (Recommended)"

The installation of CryptoPRO will be performed in the background, after which you will see a prompt to restart the browser, but I advise you to reboot completely.

After reboot, connect your JaCarta USB token. My connection is via the network, from a DIGI device, via . In the Anywhere View client, my Jacarta USB drive is successfully detected, but as Microsoft Usbccid (WUDF), and ideally it should be defined as JaCarta Usbccid Smartcard, but you need to check it anyway, since everything can work like that.

Having opened the Jacarta PKI Unified Client utility, no connected token was found, which means there is something wrong with the drivers.

Microsoft Usbccid (WUDF) is a standard Microsoft driver that is installed by default on various tokens, and sometimes it works, but not always. operating room Windows system by default, sets them in view of its architecture and settings, I personally like this moment this is not necessary. What we do is we need to remove the Microsoft Usbccid (WUDF) drivers and install the drivers for the Jacarta media.

Open the manager Windows devices, find the item "Smart card readers" click on Microsoft Usbccid (WUDF) and select "Properties". Go to the "Drivers" tab and click Uninstall

Agree to remove the Microsoft Usbccid (WUDF) driver.

You will be notified that a system reboot is required for the changes to take effect; we must agree.

After rebooting the system, you can see the installation of the ARDS Jacarta device and drivers.

Open the device manager, you should see that your device is now identified as JaCarta Usbccid Smartcar and if you go to its properties, you will see that the jacarta smart card is now using driver version 6.1.7601 from ALADDIN R.D.ZAO, this is how it should be .

If you open the single Jacarta client, you will see your electronic signature, this means that the smart card is detected normally.

We open CryptoPRO, and we see that CryptoPRO does not see the certificate in the container, although all the drivers have been identified as needed. There is one more trick.

1. In the RDP session you will not see your token, only locally, that’s how the token works, or I haven’t found how to fix it. You can try following the recommendations to resolve the "Unable to connect to the smart card management service" error.
2. You need to uncheck one box in CryptoPRO

BE SURE to uncheck the "Do not use outdated cipher suites" checkbox and reboot.

After these manipulations, CryptoPRO saw my certificate and the jacarta smart card became working, you can sign documents.

You can also see your JaCarta device in devices and printers,

If you, like me, have the jacarta token installed in the virtual machine, then you will have to install the certificate via console virtual machine, and also give rights to it responsible person. If this is a physical server, then you will have to grant rights to control port, which also has a virtual console.

When you have installed all the drivers for Jacarta tokens, you may see the following error message when connecting via RDP and opening the Jacarta PKI Unified Client utility:

1. The smart card service is not running on the local machine. The architecture of the RDP session developed by Microsoft does not provide for the use key media connected to a remote computer, so in an RDP session, the remote computer uses the local computer's smart card service. It follows from this that starting the smart card service inside an RDP session is not enough for normal operation.
2. Smart Card Management Service on local computer launched, but is not accessible to the program inside the RDP session due to Windows settings and/or RDP client.\

How to fix the error "Unable to connect to the smart card management service."

• Start the smart card service on the local machine with which you are initiating the session remote access. Configure it to start automatically when your computer starts.
• Allow the use of local devices and resources during the remote session (particularly smart cards). To do this, in the "Remote Desktop Connection" dialog, select the "Local Resources" tab in the parameters, then in the "Local devices and resources" group, click the "More details..." button, and in the dialog that opens, select "Smart cards" and click "OK", then "Connect".

• Make sure your RDP connection settings are safe. By default, they are saved in the file Default.rdp in the "My Documents" directory. Make sure that in this file there was a line "redirectsmartcards:i:1".
• Make sure that the remote computer, to which you are making an RDP connection, is not activated group policy
  -[Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card reader redirection]. If it is Enabled, then disable it and reboot the computer.
• If you have Windows 7 SP1 or Windows 2008 R2 SP1 installed and you are using RDC 8.1 to connect to computers running Windows control 8 and higher, then you need to install an update for the operating system https://support.microsoft.com/en-us/kb/2913751

This was the troubleshooting for setting up the Jacarta token, CryptoPRO on the terminal server, for signing documents in VTB24 RBS. If you have any comments or corrections, please write them in the comments.

Greetings, reader!

After communicating with some actively interested readers, I decided to repeat my “search” experiment, which I did when I wrote the first review materials on token topics. This time I decided to collect unsuccessful experiences using tokens and collect Jacarta errors. I’m writing with specifics right away, since I’m thinking of making different selections for each brand. Let's start with the market leader, Aladdin R.D. and their product Jacarta, a token that is used specifically for EGAIS.

What this post won't include:

1. I won't give solutions for Jacarta errors because every situation is different.

2. It may also be that the Jakarta token is not the cause of the error. This could be UTM, etc. Therefore, each case must be analyzed separately

3. Multiplication of errors in order to denigrate the product. My task is to give an extremely third-party summary of what Jacarta token users most often encounter in EGAIS.

Selection and systematization of reviews about Jakarta

Last time my research was limited to the official EGAIS forum (http://egais2016.ru/), now I have expanded the range of study of forums to make the material more extensive.

So, the Jakarta token for EGAIS will be analyzed based on reviews from the following sources:

Naturally, most of the results were found on the EGAS forum

In total, we received 630 messages based on the request.

Found 3 thick branches

For example, here is a case when it flew 8 JaCarta tokens in a row because, I quote:

“Error 0x00000006 in the PKI partition when trying to format. Either Jakarta is simply not detected as a device. Updated the client to version 2.9. We tried it through jacarta format. Not a single method has ever helped."

The problem when the system simply does not see Jacarta is really serious and, perhaps, the most common. Another question is that the reasons for the appearance of this error may be various violations.

Another bug discovered, when again Jakarta is not detected, the devices do not see Jacarta. It's funny to note that Aladdin gives response letters to users' indignation, but about a different problem =)))) But they do! It is important.

There are often errors during detection and installation, but there may also be problems with UTM distribution kits, which also happens very often. I carefully read all the threads and therefore rest assured that I will not point out errors for Jacarta that do not exist here. Although the question here is very complicated, since when the system does not see Jacarta, this can be a mutual problem.

In one of the already mentioned threads there is such an interesting comment

What should Jacarta token users do now that the ties between Gemalto and Aladdin have been severed?

On the forum egaisa.net

Found 5 discussion threads

Mostly typical errors when initializing the work, as well as when all the settings have already been made, Jakarta’s operation is inconsistent. There are also frequent errors after updates when the system does not find or see Jacarta

If you read the forums more carefully, it turns out that at the initial stage everyone was sold the Jacarta token for EGAISA, without delving into the details and without educating clients at all that not only Jakarta could be... But we have already talked about this more than once, and you can see .

Let's return to the EGAIS forum.

In total, we have 630 answers to the search engine during our entire work. Naturally, there is no point in considering problems that are more than a year old.

For example, one of the most common mistakes

1. Errors when trying to generate an RSA certificate


2. Synchronization errors with UTM


3. Error during update


4. Error 610


5. Jacarta detection error

Why does Jakarta have bad reviews?

To summarize, the Jakarta token is used by many people, but its stability is poor. I also found the opinion that this might be. depending on the “delivery batch”, this is probably very strange, since the software should be the same for everyone. Perhaps this is the result of the fact that in the end Jakarta is assembled from many disparate parts, which leads to unstable work and the death of the entire organism as a whole.

In the next series we’ll talk about Rutoken, smart cards and other CIPF products.

Thanks for staying in touch.

Description of the problem. To work with EGAIS, the JaCarta PKI/GOST/SE carrier is used. Often one of the sections is blocked (PKI section). In this case further work with EGAIS is impossible.

Reason for blocking– frequent circulation of the universal transport module to the JaCarta carrier. If ten unsuccessful authorization attempts are made, the media locks the section and prevents further work.

There are two ways to solve the problem:

1. Contact the certification center that issued the media.
2. Unlock the JaCarta media yourself according to the instructions.

Instructions for Microsoft example Windows 10

Step-by-step instructions on how to unlock a PKI partition

Step 1. Switch to administration mode

In the Start menu, find the JaCarta Unified Client application and open it.

Rice. 1. Single JaCarta client

The program workspace will open.

Rice. 2. Switch to administration mode

The program workspace will open. If the PKI section is locked, the PKI tab will be red.

Rice. 3. Token information

Step 2. Checking the PKI partition blocking

To understand that the PKI section is really blocked, click on the “Full information...” link in the “Token Information” tab.

" detailed information about the token." In the new window, find the PKI Application Information section. If the status in the “PIN code” line is “Blocked,” then close the window and proceed to the next step in the instructions.

Rice. 4. Token details

Step 3. Unlocking the PKI partition

Go to the "PKI" tab. In the Application Operations panel, select Unblock User PIN....

The “User PIN Unlock” window will open, in which specify:

1. The current administrator PIN is 00000000 by default;
2. New user PIN - default 11111111;
3. Confirmation of the code (meaning the user's PIN code).

Rice. 6. Unlock user PIN code

After specifying PIN codes, click “Run”.

If everything is entered correctly, a notification will appear. Click "OK" to complete.

Rice. 7. Notification of successful unlocking

Go to the Token Information tab and click on the Full Information link to check the current PKI application status. The status should be "Installed".

Rice. 8. Status check

If the status has changed, the unlocking is complete.