User's Guide - infotecs.de
Contents
1. 2. Install a certificate with a public key in the system store (see Installing the User Certificate in the System Store on page 68).
   3. Install the issuer's certificate and CRL in the system store (see Installing Issuer's Certificates and CRL on page 73).

   ViPNet CSP 4.0 User's Guide | 60

   Installing Container from a Folder
   To work with protected documents and to organize connections over the TLS/SSL protocol, you need a private key and a corresponding certificate. You can install a private key and a certificate in the same container, or install a certificate and a container with a private key separately (see Installing the User Certificate in the System Store on page 68).
   To install the container located in a folder on the hard drive in the system store:
   1. In the main ViPNet CSP window, select Containers.
      [Figure 24. Containers control panel]
   2. In the Containers section, click Add.
   3. In the ViPNet CSP Key Container Initialization window, click Browse.
      o If a container is stored on the hard drive
2. [Figure 78. Web client certificate is in the current user's system store]

   In the MMC snap-in, the following local computer certificates should be added for the IIS:
   • The Personal > Certificates section should contain a user's (server's) certificate.
   • The Trusted Root Certification > Certificates section should contain the issuer's certificates.
   • The Intermediate Certification Authorities > Certificate Revocation List section should contain the CRL.

   In the MMC snap-in, the following current user's certificates should be added for the web client:
   • The Personal > Certificates section should contain a user's web client certificate.
   • The Trusted Root Certification > Certificates section should contain the issuer's certificates.
   • The Intermediate Certification Authorities > Certificate Revocation List section should contain the CRL.

   If a certifica
3. On an external device, you can store keys created using different encryption algorithms in ViPNet software or third-party programs. The maximum number of key containers stored on a device depends on the device's memory space.
   ViPNet software supports two authentication methods involving external storage devices:
   • ViPNet user's personal key stored on an external device, with the following limitations:
     o Each external storage device can be used for authentication of only one ViPNet user.
     o Each external storage device can be used for authentication of one ViPNet user on several ViPNet hosts.
     o If you use this authentication method, then store your digital signature keys (created in a certification authority using ViPNet software) and the personal key on one external storage device.
   • Certificate with its private key stored on an external device. You can request the certificate in a Windows domain and store the corresponding key container on your external storage device that supports PKCS#11.

   You can perform all the required configuring concerning key containers and external storage devices in the ViPNet CSP program. Make sure that you've installed the drivers required for your external device. Before you store keys on your device, make sure that the device is formatted.

   Supported External Storage Devices
   In the table below you can find the list of devices supported b
4. [Figure 55. Advanced security settings]
   5. Make sure that the Include my digital ID when sending signed messages check box is selected.
   6. Make sure that the Add senders certificates to my Windows Live Contacts check box is selected.
   7. To save the settings, double-click OK.

   Adding a Digital Signature to a Message
   To add a digital signature to a single message, follow the instructions in this section.
   Warning: To sign email messages, you need a public key certificate where the certificate owner's email address is specified and, in the Enhanced Key Usage box, the attribute Secure Email is enabled. If you don't have such a certificate, you can't add a digital signature to a message. To sign email messages, create a request for a new certificate, specify your email address, and deliver your request to the administrator of your Certification authority.

   Microsoft Outlook
   To digitally sign your message:
   1. Create a new message and, depending on the Microsoft Office software version, do one of the following: In Microsoft
6. ViPNet CSP 4.0 User's Guide
   © 1991-2013 Infotecs. All rights reserved.
   Version: 00106 01 34 01 ENU
   This document is included in the software distribution kit and is subject to the same terms and conditions as the software itself. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means (electronic, mechanical, recording, or otherwise), for any purpose, without the prior written consent of Infotecs JSC.
   ViPNet is a registered trademark of Infotecs JSC, Moscow, Russia. All brands and product names that are trademarks or registered trademarks are the property of their owners.
   Infotecs GmbH, Oberwallstr. 24, 10117 Berlin, Deutschland
   Tel.: +49 (0) 30 206 43 66 0
   Fax: +49 (0) 30 206 43 66 66
   Email: support@infotecs.biz
   Web: http://www.infotecs.biz

   Contents
   Introduction
     About This Document
       Audience
       Document Conventions
     About ViPNet CSP
       System Requirements
       Distribution Kit
     Feedback
8. If user B can't decrypt the message received from user A, this means that the message has been changed by unauthorized persons or damaged during sending. In this case, user B can ask user A to resend the message.
   The process of digital signature generation and verification is shown below.
   [Figure 2. The process of digital signature generation and verification]
   Suppose that user A needs to digitally sign a document (for example, an Outlook message) so that other users can't change it and each user can make sure that the author of the document is user A.
   1. User A signs the document using his or her private key.
   2. User A sends the document to all persons concerned (to users B, C and D) or shares the document with them.
   3. User B requests user A's public key certificate from the certificate store.
   4. User B verifies the document with user A's public key stored in user B's certificate.
   If verification is successful, the document's author is user A and this document has not been changed after signing.
   If verification is not successful, the document's author is not user A, or the document has been modified by unauthorized persons or damaged during sending. In this case, user B can ask user A to resend the message.

   Key Container
   A key pair a public key and a
9. in the Browse for Folder window, specify the location of the container.
      o If a container is stored on a removable flash drive, in the Browse for Folder window select this drive. In the Folder box, the path will be automatically substituted, for example, E:\infotecs\Containers.
   Warning: On a removable flash drive, the container should be located in the folder \Infotecs\Containers.
   [Figure 25. Installing the key container from the folder]
   In the Container name list, choose the container file or leave the default value.
   Click OK. In the Key container window, a message about the successful container addition will be displayed, and you will be prompted to install the certificate in the store. To use certificates, you should install them in the system store of the current user.
   Warning: If the ViPNet CSP program is installed on a server and is used to organize connections over the TLS/SSL protocols, you should install your certificate in the local computer's store manually (see Installing a Certificate from Container on page 71).
   If you want to install the certificates automatically in the user's store, click Yes. Certificates will be automatically installed in the user's store. I
10. Macros or Microsoft Access 2007 Database Can't be Signed
   When you are signing a macro or a Microsoft Access 2007 package, there may be no certificates that you can select for signing. Thus, you can't sign the code. To eliminate the problem, ask your Key and Certification Authority for a certificate with a Code signing attribute in the Enhanced Key Usage field.

   The Signature Line in Microsoft Word 2003 or Excel 2003 Can't be Signed
   You can't sign a signature line in Microsoft Word and Excel versions earlier than Microsoft Office 2007. To sign a signature line, you need to open a document in Microsoft Office 2007.

   Signed Microsoft Word or Excel Document Can't be Edited
   To edit a signed Microsoft Word or Excel document, you need to remove a digital signature (see Removing a Digital Signature on page 99) and then make necessary changes. After that, you can sign this document again.
   Warning: We strongly recommend you not to remove a digital signature from a document which was signed by another person if this document has legal validity.

   No Connection to the Server over HTTPS

   The IIS Server and the Web Client Have Different ViPNet CSP Versions
   On the web client, you need to install the same version of the software as on the server.

   User's Certificates, the Issuer's Certificate and CRL Were Installed in the Wrong Store
   Check that the certificates are installed in the required
11. 2. After you log on to the server, the web server page will be displayed.
   If the connection to the web server could not be established, refer to the Problems and Troubleshooting on page 150.

   Problems and Troubleshooting
   • Checking the Program Components Integrity
   • The Program Won't Start
   • ViPNet CSP Conflicts with Other Programs
   • Can't Use Accord TSHM Electronic Lock
   • When You Are Using eToken Aladdin the System Irresponsive
   • Unable to Check the Certificate
   • Document Can't be Encrypted
   • Can't Use the Digital Signature
   • No Connection to the Server over HTTPS
   • When You Connect to a Server, Security Warning Is Displayed
   • Providing Additional Information About the Problem

   Checking the Program Components Integrity
   For visual monitoring of the libraries availability:
   1. In the main ViPNet CSP window, in the navigation pane, select Details.
   2. In the Executables table, check the libraries list.
   To check the libraries integrity:
   1. In the main ViPNet CSP window, select Details.
      [Figure 70. The Details pane]
   2. Click Test.
      [Screenshot: ViPNet CSP Settings, Details section, Executables table with Module, Path and Checksum columns]
12. 3. Email the file to Infotecs at reg@infotecs.biz. Name the email "ViPNet Registration Using File".
   4. After Infotecs company has processed the request, you will receive an email with an attached txt file. This file will contain registration codes for all users taking part in the group registration. Deliver this file to users (for example, via network disk), who can then register their installed ViPNet program.

   Obtaining a Certificate and Private Key
   • Obtaining and Installing a Private Key and a Certificate
   • Creating a Certificate Request and Generating a Private Key
   • Using Signing Keys of the ViPNet Host's User

   Obtaining and Installing a Private Key and a Certificate
   To have an opportunity to sign electronic documents, you need to get a user private key, and to verify a digital signature, you need to get a public key certificate.
   Note: The order of obtaining and commissioning a certificate and private key is determined by the rules of your Certification Authority. To generate a certificate request, ask your Certification Authority's administrator whether requests generated in the Create a certificate request program will be accepted.
   To obtain and to commission a new certificate or to renew already existing certificate, you need to:
   1. Create a certificate request in the Create a certificate request program see Creating a Certificate Request a
13. Thus you force recalculation of checksums and the check of their conformity to the sums specified in each of the modules. After the check is finished, results of the check will be displayed.

   The Program Won't Start
   If, on the ViPNet CSP program start, you are notified that the integrity check has failed or that some components are missing, then you can't work with the program.
   [Figure 71. Error messages on the ViPNet CSP program start]
   To restore the operability of ViPNet CSP, install the program again over the previous version without removing it. To do that:
   1. Click the setup.exe file.
   2. In the ViPNet CSP Installation window, select Upgrade and then click Continue.
14. When You Are Using eToken Aladdin the System Irresponsive
   If you are using an eToken Aladdin device and your system is irresponsive, make sure that eToken PKI Client 5.1 or later software has been installed.

   Unable to Check the Certificate
   During the certificate's installation, the certificate verification error may occur. This means that the issuer's certificate and CRL have not been installed in the system (see Installing Issuer's Certificates and CRL on page 73).

   Document Can't be Encrypted

   Email Address of the Certificate Is Not Found on the List of Contact Addresses
   During the certificate's import to the contact, the following message may be displayed:
   [Figure 73. Certificate import error. Microsoft Outlook message: "The e-mail address in the certificate is not found in the contact's e-mail list. Do you want to continue to add this certificate into this contact?"]
   This means that the certificate does not contain an email address which corresponds to this contact's address. That's why you can't encrypt a message using this certificate.
   Possible reasons and ways of solving the problem:
   • If the certificate does not belong to this contact:
     o Open the Certificate window by double-clicking the certificate file on your hard drive.
     o On the General tab, make sure that this certificate i
15. Serial Number: XXXX XXXX XXXX XXXX
   E-mail: email@infotecs.ru
   User name: <User first, second and last name>
   Company: <Company name>
   Note: The User name and Company fields are optional.

   Running Setup from the Command Line
   You may run ViPNet CSP setup program from the Windows command line, specifying a number of standard Windows Installer arguments.

   Table 3. Setup mode arguments
   Argument         Description
   /qn              Installation without displaying user interface (silent mode).
   /qb              Installation with basic user interface: only a standard indicator of progress and informational messages are displayed.
   /qf              Installing with full user interface (default).

   Table 4. Restart mode arguments
   Argument         Description
   /norestart       Disable restart after installation.
   /promptrestart   Display a dialog box prompting you to restart.
   /forcerestart    Restart the computer after installation and force other applications to close without saving opened files. This parameter is valid only in conjunction with the /qn argument.

   Here is an example of the setup command:
   setup.exe /qn /norestart

   Adding, Uninstalling and Restoring ViPNet CSP Components
   If necessary, you can install or uninstall ViPNet CSP components and restore the software in case of a failure.
   To add or remove a component or to restore ViPNet CSP:
   1. Run the setup f
16. The program components upgrading will start.
   [Figure 72. Updating ViPNet CSP]
   3. After upgrading is finished, you will be prompted to restart your computer. In the restart message, click Yes.
   After restart, the ViPNet CSP program will be fully operational. If the program has been registered earlier, you don't need to register it again.

   ViPNet CSP Conflicts with Other Programs
   ViPNet software peculiarities may lead to some failures in the operability of some third-party programs. To eliminate any conflicts between ViPNet software and third-party programs, make some changes in the Windows system registry:
   1. Click the Start button. In the search box, type run, and then in the list of results click Run.
   2. In the Open box, type regedit and click OK. The registry editor window will be displayed.
      Warning: Do not change any other system registry parameters but Flags. An incorrect change in the registry may lead to computer malfunction.
   3. Under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\infotecs\PatchEngine, set the Flags parameter value to 0.
   4. Restart your computer.
   If you have applied the changes but the problem still
17. [Figure 12. Requesting registration code by email. The auto-generated message is addressed to reg@infotecs.biz with the subject "Infotecs product registration".]
   Warning: We don't recommend you to modify anything in this auto-generated email.
   3. To complete the procedure, send this email. When Infotecs has checked your registration data, you will receive your registration code in response.
      Warning: If you don't receive a response e-mail from Infotecs for a long period of time, you may try to resend your email. To do this, repeat all steps described in this topic. If you still can't register your ViPNet CSP, contact Infotecs Support Team.
   4. Upon receiving a response email with registration code, register your ViPNet CSP (see Registering ViPNet CSP on page 47).

   Requesting Your Registration Code by Phone
   If you select By phone, the Registration request by phone page will be displayed.
   [Screenshot: ViPNet CSP Registration Wizard, Registration request by phone page. Text on the page: "Call Infotecs on +44 20 32398132 and give us the following registration data. We will supply you with a registration code." Listed registration data: User name, Company, Product, Program version, Computer code, Serial number.]
   When you call Infotecs you will be asked t
18. Type PIN box, specify the PIN of the selected external storage device. Select the Save PIN check box if you don't want to enter PIN every time you connect the container.
      Note: If you save PIN of the device in the system, the security level becomes lower. For more information, see the Supported External Storage Devices on page 175.
   5. Click OK. In the Key container window, the message about successful container addition will be displayed, and you will be prompted to install the certificate in the store. To use certificates, you should install them in the system store of the current user.
      If you want to install the certificates automatically in the user's store, click Yes. Certificates will be automatically installed in the store.
      If you don't need to install the certificates or you will install them manually, click No.
      To view the container's certificate list, click Certificates.
   6. After you have installed the certificates in a store, or after you have canceled the certificates installation, in the available containers list (see figure on page 61) the added container will be displayed.
   Note: You can install certificates from container manually using certificate settings window (see Installing a Certificate from Container on page 71).
   After you have added the container, install the issuer's certificate and CRL see Installing Issuer s Certif
19. ViPNet CSP can be registered in two ways: by yourself (common registration) and by the system administrator. To register by yourself, follow the scenario below. If you are a system administrator and you need to register several copies at once, you can use the group registration feature, allowing you to collect several users' registration requests in one e-mail and receive all required registration codes at once. For more information, see System Administrator Actions for Registration Using a File on page 50.
   Note: If ViPNet CSP has been reinstalled and registered on your computer, you can restore the previously saved registration data using the brg file (see Saving Registration Data on page 49).
   If you are planning to perform minor upgrades to the computer where you are going to use ViPNet CSP, consider the topic If the Configuration of Your Computer Has Been Changed on page 49.
   To register ViPNet CSP:
   1. In the ViPNet CSP main window, on the Help menu, click Registration. The Registration of ViPNet CSP Wizard will be launched.
      [Screenshot: ViPNet CSP Registration Wizard]
      Welcome to the wizard that will help you to register ViPNet CSP. To register the program, you should get a serial number. If you already have a serial number, you should request a registration code from Infotecs. After that, you can register the program. Select an appropriate option and clic
20. arises, contact Infotecs technical support.
   If ViPNet CSP conflicts with third-party cryptographic service providers, you may disable ViPNet CSP work via the MS Crypto API interface.
   Warning: After disabling the MS Crypto API interface support, you can't use ViPNet CSP cryptographic functions in Microsoft Office programs and other applications which use this interface. However, you still may use ViPNet CSP functions in various ViPNet programs.
   To disable the work of ViPNet CSP via the MS Crypto API interface, in the General (see figure on page 32) section, clear the Allow ViPNet CSP to use MS Crypto API check box. The change will take effect when you restart Windows.

   Can't Use Accord TSHM Electronic Lock
   If Accord TSHM electronic lock is installed on your computer but you can't use it in ViPNet CSP as a random numbers generator, do the following:
   1. Make sure that drivers for the Accord TSHM electronic lock are installed on your computer.
   2. Copy the tmdv32.dll file from the drivers installation folder (by default, C:\Accord) to the following folder:
      o If you use a 64-bit Windows OS, copy the file to the C:\Windows\System32 folder.
      o If you use a 32-bit Windows OS, copy the file to the C:\Windows\SysWOW64 folder.
   3. In ViPNet CSP, choose Accord TSHM as a random number generator (see Using a Random Number Generator on page 89).
21. data and message authentication with modification detection code in accordance with the GOST 28147-89 algorithm.
   • Generate random numbers, pseudo-random numbers, and session encryption keys.
   • Authenticate and create the session key when transferring data via SSL/TLS.
   • Store public key certificates directly in the key container.
   • Use various tokens and other devices for storing digital keys and certificates securely (eToken and others).
   ViPNet CSP is compatible with third-party cryptographic service providers if they comply with RFC 4357 (https://tools.ietf.org/html/rfc4357), 4490 (https://tools.ietf.org/html/rfc4490) and 4491 (https://tools.ietf.org/html/rfc4491).

   System Requirements
   Note: The compatibility of ViPNet CSP with Windows 7 OS is officially recognized by Microsoft.
   The minimum system requirements for your computer to run ViPNet CSP are as follows:
   • Processor: Intel Core 2 Duo or any other x86-compatible processor of similar characteristics with two or more cores.
   • Minimum RAM: 512 MB.
   • Free disk space: 100 MB.
   • Operating system: Microsoft Windows XP SP3 (32-bit), Windows Server 2003 (32-bit), Windows Vista (32/64-bit), Windows 7 (32/64-bit), Windows Server 2008 (64-bit), Windows Server 2008 R2 (64-bit), Windows 8 (32/64-bit), Server 2012 (64-bit). You must install the latest service pack for your version of Windows.
   • Internet Explorer 6.0 or later.
   • If M
22. document will be displayed. On the status bar of the document window, an icon will be displayed. This icon means that the document contains a digital signature.
   After you have added a digital signature, you can't edit the document. To edit signed document, you need to remove a digital signature (see Removing a Digital Signature on page 99).

   Microsoft Office 2010
   To add a digital signature in Microsoft Word, Excel and PowerPoint documents:
   1. Click the File tab and click the Info section.
   2. Under Permissions, click Protect Document, Protect Workbook or Protect Presentation and click Add a Digital Signature.
   3. Read the Microsoft Word, Excel or PowerPoint message and click OK. The Sign window will be displayed.
      Note: If you haven't saved the document earlier, you will be prompted to save it before adding a digital signature. In the message window, click Yes.
   4. In the Sign window, you can fill out the Purpose for signing this document box. Also, this window contains brief information about the certificate that you use for signing this document. If necessary, click Change and choose another certificate.
   Figure 40. Adding a digital signature in Mic
23. is used to process data on a smart card. Drivers of the 2.6 version should be installed on the computer. PKCS#11 support: Yes No

   Device: Siemens CardOS
   Description: CardOS M4.01a, CardOS V4.3B, CardOS V4.2B, CardOS V4.2B DI, CardOS V4.2C and CardOS V4.4 smart cards by Atos (Siemens)
   Required software: Siemens CardOS API V5.0 and later should be installed on the computer.
   PKCS#11 support: Yes

   Note: For each device, the list of supported operating systems is available on the manufacturer's official web page.

   Glossary

   C

   CA administrator
   An authorized person privileged to sign certificates on behalf of a certification authority.
   See also: Certification authority (CA) on page 177.

   Certificate request
   A message protected with a digital signature that contains the user name, the public key and its properties, the desired validity period of the certificate, certificate intended purposes, and some other information (depends on the request format and the software used to create the request).
   See also: Digital signature on page 178, Private key on page 179, Public key on page 179, Public key certificate on page 179.

   Certificate revocation list (CRL)
   A list of certificates that have been revoked or held by the Certification Authority administrator and are not valid at the moment specified in this certificate revocation list.
   See also: CA Administrator on page 177, Certificate hold
24. module called a cryptographic service provider (see ViPNet CSP Purpose on page 15).
   To start using the cryptographic service provider ViPNet CSP:
   1. Install ViPNet CSP (see ViPNet CSP Setup on page 26).
   2. Get a public key certificate and a container with a private key.
      o Your Certification authority administrator may have given you a certificate file and a container file with a private key, or a container file containing both a private key and a certificate, earlier. Make sure that you already have these files.
      o If you don't have a container or a certificate, create a certificate request (see Obtaining and Installing a Private Key and a Certificate on page 52).
      Together with the certificate and the key container, you receive the issuer's certificate (on page 178) and the certificate revocation list (CRL, on page 177).
      Note: A certificate contains a public key corresponding to only one private key. The private key is stored on a user's computer and is used to generate a digital signature and to decrypt encrypted messages. A public key is used to verify a digital signature and to encrypt messages, and it is distributed in a certificate. The issuer's certificate and CRL are used to verify the authenticity of your certificate.
   3. Install a public key certificate and the corresponding private key, or several certificates and keys (see Ways to Install a Private Key and a Certificate on page 60).
      Note: When y
25. on page 73 6. Configure Internet Explorer for work over the secure protocol. 7. Check that the network host is accessible over the secure HTTPS protocol (see Checking the Web Host's Availability over the Secure HTTPS Protocol on page 149). Configuring Internet Explorer for Work over the TLS/SSL Protocol. As a rule, default browser settings allow you to work over the TLS/SSL protocol. If the default settings have been changed or you can't connect to the server, do the following: 1. In the Internet Options window (Tools, Internet Options). To do this: o In the Internet Explorer Tools menu, click Internet Options. o In the Google Chrome and Yandex Browser option windows, click Change Proxy Settings. 2. Click the Details tab. 3. Select the SSL 3.0 and TLS 1.0 check boxes. 4. Clear the SSL 2.0 check box. 5. Check that the network host is accessible over the secure HTTPS protocol (see Checking the Web Host's Availability over the Secure HTTPS Protocol on page 149). Note: To work in Yandex Browser and Google Chrome over the TLS/SSL protocol, in the shortcut properties, in the Object box, at the end of the path to the program folder, add the command use system ssl. Checking the Web Host's Availability over the Secure HTTPS Protocol. To get access to a web host over the HTTPS, do the following: 1. In the Internet Explorer address bar, type https server_name
26. password expires according to the corporate security policy or by other reasons regulated. To change the device PIN: 1. In the main ViPNet CSP window, select the Devices (see figure on page 84) section. 2. Choose a device from the Available devices list. Note: In the Available devices list, only those devices are displayed that are connected to the corresponding card reader at the moment. 3. Click Change PIN. 4. In the Change PIN window, select the PIN you need to change. 5. In the Type old PIN box, type the current PIN. In the other two boxes, type your new PIN, and then click OK. PIN will be changed. Using a Random Number Generator. A random number generator creates a sequence of numbers based on which private keys are generated. As a random number generator in ViPNet CSP, you can use an integrated biological random number generator, Digital Roulette. To choose random number generator that you want to use: 1. In the main ViPNet CSP window, select the Random number generator section. Figure 37: Random number generator tab. 2. In the The following random number generators are installed list, choose one of the following: o Biological to use Digital Roulette f
27. period, presence in CRL and so on is not verified. Deleting a Private Key. It is required to delete the private key and, if present, its certificate from the container key in the following cases: • If you don't need this private key any more, for example, if its validity period has expired. • If the certificate corresponding to this private key has been compromised or revoked. To delete a private key from a container: 1. In the Container Properties (see figure on page 77) window, in the Private Keys list, choose the private key entry or several entries holding the Shift key. 2. Click Delete. You will receive a warning message that you will not be able to restore the deleted private keys. 3. Confirm the operation by clicking Yes. The private key you have chosen and the corresponding certificate will be deleted. You should delete the key container after that. Creating a Backup Copy of a Container. You can transfer a key container to a folder on a hard drive or to an external device. This function is useful for creating backup copy of key container and for increasing the data protection level. To copy container: 1. In the main ViPNet CSP window, select the Containers (see figure on page 61) section. 2. To select a key container from the current user's key containers folder, click Current user. To select a key container from the computer's key containers folder, c
28. private key included in a certificate is used to encrypt and digitally sign documents. A private key is generated by the administrator in a Certification Authority or by the user. It is stored in a key container on a hard drive or an external device. A user certificate is created in a Certification Authority on user's request (see Creating a Certificate Request and Generating a Private Key on page 53) or, in some cases, on the Certification Authority administrator's initiative. You can create a certificate request or a renewal request in the client software, such as ViPNet Client and the Create a certificate request (see Obtaining and Installing a Private Key and a Certificate on page 52) program included in the ViPNet CSP installation package, or a third-party program. Besides, you need the issuer's certificate (on page 178) chain and CRL (see Certificate revocation list (CRL) on page 177) to validate the user certificate. To implement a secure electronic document flow system, the program you create electronic documents in (a Microsoft Office program, the Internet Explorer web browser, the IIS) addresses the cryptographic service provider and provides it with the certificates, parameters and location of the private key. For the program to access certificates, you need to install them in the system certificates store. • You can use the ViPNet CSP program to install the user certificate and the user private key (see Installing Containers and Ce
29. sees the signature line and a notification that their signature is requested. Adding a Signature Line to a Document. To add a signature line to a document: 1. Place your pointer where you want to create a signature line. 2. On the Insert tab, under the Text group, click Signature line. The Signature Setup window will be displayed. Figure 47: Signature setup. 3. Fill in the following boxes: Suggested signer, Suggested signer's title, and Suggested signer's e-mail address. You may add short instructions for the signer, allow the signer to type the purpose for signing, and enable date displaying. You can do it by selecting the corresponding check boxes. 4. After you complete the signature setup, click OK. An empty signature line will be inserted in your document and also will be displayed on the Signatures pane. Figure 48: A visible signature line and its representation in the interface. Before you add a d
30. Figure 61: Configuring parameter for encrypting all messages. 4. To change additional settings (see Advanced Configuring of Digital Signature and Encryption on page 109), such as choosing a specific certificate, click Settings. 5. Double click OK. 6. After that, all your outgoing messages will be encrypted if the recipient's certificates have been added to the contacts. Email Encryption in the Windows Live Mail Program. To encrypt an email message: 1. Create a new message in Windows Live Mail and specify the recipient. 2. In the New message window, on the Tools menu, select Encrypt. Note: If in the New message window the menu is not displayed, click on the toolbar and select the Show menu bar. 3. Send a message. To encrypt all outgoing messages: 1 2 In the main Window
31. signature. If you edit a document after it was signed and try to save it, you will be notified that all digital signatures will be removed. If necessary, you may sign it again after saving. Microsoft Office 2007. To add a digital signature in Microsoft Word, Excel and PowerPoint documents: 1. Click the Microsoft Office button, point to Prepare, and then click Add a Digital Signature. The Sign window will be displayed. Figure 39: Adding a digital signature in Microsoft Office 2007. Note: If you haven't saved the document earlier, you will be prompted to save it before adding a digital signature. In the message window, click Yes. 1. In the Sign window, you can fill out the Purpose for signing this document box. Also, this window contains brief description of certificate that you use for signing this document. If necessary, click Change and choose another certificate. When you have chosen the certificate, click Sign. The ViPNet CSP Key Container Password (see figure on page 79) window will be displayed. Type your password and click OK. The message about the successful addition of the digital signature and saving a
32. store using the standard MMC (Microsoft Management Console). To view certificates installed in a system store: 1. Open the MMC. o Press Win+R. On the Start menu, select Run. o In the Open box, type mmc and click OK. 2. On the File menu, select Add/Remove Snap-in. 3. In the Add/Remove Snap-in window, in the Available snap-ins list, select Certificates and click Add. 4. In the Certificates snap-in window, choose snap-in type that you want to add: o My user account to view web client's certificates. o Computer account to view server's certificates. Note: If you don't want to add a Certificates snap-in to the console every time you need it, you may save it. To do this, on the File menu, click Save. User's certificates, issuer's certificate and CRL should be installed in the correct system store, and when you open them there should be no errors.
33. the Certificate window, the message (see figure on page 96) will be displayed. The untrusted certificate is marked with a red X. Figure 42: A revoked certificate (the dialog reads: This certificate was revoked by its certification authority). Microsoft Office 2007. Warning: The documents signed in Microsoft Office 2010 or 2013 programs can't be correctly recognized in Microsoft Office 2007 programs of the builds earlier than 12.0.6554. We recommend you not to use the earlier builds. To view a digital signature in Microsoft Word, Excel or PowerPoint document: 1. Click the Microsoft Office button, point to Prepare, and then click View Signatures. The Signatures (see figure on page 97) pane will be displayed. Figure 43: Viewing your digital signatures in Microsoft Office 2007. Note: Moreover, you may open the Signatures pane by clicking the digital signature icon on the status bar. 2. On the Signatures pane, right-click the signature string and click Signature Details. 3. The Signature Details (see figure on page 98) window contains brief information about the signature and the certificate. In this window, you may perform the following tasks: o To open a certificate, click View. o To view the additional signing information, click the See the additional signing information t
34. the certificate in the system store in the viewing certificate window (see Installing a Certificate from Container on page 71). Installing a Certificate Which Has Not Been Added to the Container. If the certificate is not added to the container, to install the certificate in the system store, do the following: 1. In the main ViPNet CSP window, select the Containers (see figure on page 61) section. 2. In the Containers section, click Install certificate from a file. 3. In the Open window, specify the path to the certificate file on a disk (see Key Container on page 18). 4. In the certificates installation wizard, on the start page, click Next. 5. On the Choose the certificate store page, specify the store to install your certificate in and click Next. Figure 28: Choosing a certificate store (options shown: Current user; This computer, administrator privileges required; Install issuers certificates; Install CRL). Note: We recommend you to install a certificate into the store of the current user in order to encrypt, decrypt and sign files, as well as to get access to protected resources using a web browser. In the machine (computer's) store, install the certificates that will be used by services on this computer. If you u
35. to send the message using an account that you have certificates for. Figure 77: The message about invalid certificate in Outlook 2007. The reason may be as follows: • The recipient's certificate does not contain the email address of this recipient (see Email Address of the Certificate Is Not Found on the List of Contact Addresses on page 159). • Your certificate does not contain your email address (see Email Address of the Certificate Is Not Found on the List of Contact Addresses on page 159). • The recipient's certificate or your certificate is invalid. Request a new certificate from the recipient or from the administrator of your Certification authority. • The certificate for signing and encrypting (see Advanced Configuring of Digital Signature and Encryption on page 109) is not specified. • The issuer's certificate is not installed (see Installing Issuer's Certificates and CRL on page 73) in the system store. Can't Use the Digital Signature. The Corresponding Private Key Is Not Found. When you are choosing a certificate for signing, the ViPNet CSP Key Container Initialization window may be displayed, which means that the private key corresponding to the chosen certificate is not found. This may happen if the private key container has been disabled in the ViPNet CSP program (see Deleting a Container on page 82). To sign a document using the chosen c
36. Figure 59: Configuring parameters for encrypting a message. To change additional settings (see Advanced Configuring of Digital Signature and Encryption on page 109), such as using a specific certificate, click Change Settings. Click OK three times. Send the encrypted message to the recipient. Tip: If during sending an encrypted message an error message is displayed, see Problems and Troubleshooting on page 150. To encrypt all outgoing messages: 1. In the main Outlook window, on the Tools menu, click Options, and then click the Security tab. 2. Select the Encrypt contents and attachments for outgoing messages check box. Figure 60: Configuring all m
37. Figure 63: The Set of Signable Data window. o Type the name of the data intended for signing in the corresponding box. o Click Select XPath next to the Fields and Groups to be signed box. o In the Select a Field or Group window, choose the field which you want to sign and click OK. o To specify the relation type between several signatures, select the required type (the Allow only one signature is specified by default) and add a message to confirm the signature. o To save the settings, click OK. The chosen field will be displayed in the Set of Signable Data (see figure on page 130) list. o If you want the user to sign several form fields, repeat the step 5 as many times as necessary. 6. To save the settings, click OK. Microsoft Office InfoPath 2010. To allow users to sign a Microsoft Office InfoPath 2010 form, do the following: 1. Create or open a form template in the constructor mode. 2. Click the File tab and in the Info section click Form Options. 3. In the Form Options window, click the Digital Signatures tab. Figure 64: The Digital Signatures tab. 4. To spec
38. Viewing a Digital Signature 96; Microsoft Office 2003 96; Microsoft Office 2007 96; Microsoft Office 2010 97; Removing a Digital Signature 99; Microsoft Office 2003 99; Microsoft Office 2007 99; Microsoft Office 2010 99; Visible Representation of a Signature Line in Word and Excel Documents 101; Adding a Signature Line to a Document 101; Adding a Signature Line to a Document 102; Chapter 10 Digital Signature and Encryption in Microsoft Mail Program 105; Organizing Encrypted Messages Exchange 106; Exchanging Certificates with the Message Recipient 107; Advanced Configuring of Digital Signature and Encryption 109; Adding a Digital Signature to All Messages 111; Microsoft Outlook 111; Windows Live Mail 113; A
39. 0 program, click Forward and then choose As an Outlook Contact. 4. In the message window, specify the recipient's address, add a text, and then click Send. Note: You can't send a contact in the Windows Live Mail program. After you have exchanged certificates with the recipient, you can start sending encrypted messages. Advanced Configuring of Digital Signature and Encryption. In the Microsoft Outlook program, to choose a signing or encryption certificate, a cryptographic message format, or to make some other settings, do the following: 1. Open the Change Security Settings window. o In Microsoft Outlook 2003, on the Tools menu, select Options, go to the Security tab and click Settings. o In Microsoft Outlook 2007, on the Tools menu, select Trust Center, and then select the E-mail Security section and click Settings. o In Microsoft Outlook 2010 or in Microsoft Outlook 2013, on the File tab, click Options. In the Outlook Options window, select the Trust Center section and click Trust Center Settings. In the Trust Center window, select E-mail Security section and click Settings. 2. In the Cryptography Format list, choose S/MIME. 3. Click Choose near the Signing Certificate box and specify the certificate.
40. 010, open the File tab and in the Info section click Digital Signatures. The Digital Signatures window will be displayed. Figure 67: The Digital Signatures window. Click Add. The Select the data to Sign window will be displayed. If a digital signature should be applied to the entire form, choose Entire form. If a digital signature should be applied to a part of the form, select the data you want to sign from the list. Click OK. The Sign (see figure on page 103) window will be displayed. If you are signing a separate data, type your name in the box next to the X and click the Select Image link to paste an image of your signature. If necessary, fill in the Purpose for signing this document box. In InfoPath Filler 2013, this window also allows you to choose a signing reason from several pre-defined options in the Commitment type list. In the Sign window, you can find a brief description of the certificate which you use for signing the data. To sign a document using another certificate, click Change and choose another certificate. 9. Click Sign. The ViPNet CSP Key Container Password (see figure on page 79) window
41. 8 Requesting a Registration Code. To request a registration code for ViPNet CSP: 1. On the Registration of ViPNet CSP page, choose Request registration code and click Next. On the Registration request options page, choose the means of requesting your registration code. To do this, choose one of the following options: o On the Internet (online) (see Requesting Your Registration Code on the Internet (online) on page 38). o By email (see Requesting Your Registration Code by Email on page 41). o By phone (see Requesting Your Registration Code by Phone on page 43). o Using file (see Receiving Your Registration Code from the Administrator on page 44). Figure 9: Selecting a registration request option. Click Next. Requesting Your Registration Code on the Internet (online). Warning: For requesting a registration code on the Internet, you need an Internet connection. If you select On the Internet (online), the Registration data page will be displayed.
42. Certificate revocation. Certification authority (CA): An entity that issues digital certificates, including public key certificates. In ViPNet networks, certificates are issued in Key and Certification Authority. See also: Public key certificate on page 179, ViPNet Key and Certification Authority, ViPNet network. D. Digital roulette: An integrated ViPNet software component which allows you to launch a random number generator based on your chance movements. Digital signature: An attribute of an electronic document intended to protect the document authenticity. It is generated when encrypting information using a private key of a digital signature. A digital signature identifies the public key certificate owner as well as proves non-repudiation of the document contents. See also: Private key on page 179, Public key certificate on page 179. I. Issuer's certificate: A certificate of a Certification Authority administrator that is used for verifying other certificates issued by this CA. See also: Public key certificate on page 179. K. Key container: A file where a private key and the corresponding public key certificate are stored. See also: Public key certificate on page 179. P. PKI (public key infrastructure): A set of hardware, software, policies and procedures intended for creating, managing, distributing, using, storing and revoking public ke
43. Figure 30: Viewing the certificate properties. 5. In the Certificates Installation Wizard, on the start page, click Next. 6. On the Choose the certificate store page, specify the necessary store. 7. On the Ready to install this certificate page, clear the Choose the container with your private key check box and click Next. 8. On the Completing the Certificates Installation Wizard page, click Finish. As a result, the certificate will be installed into the store. To work with protected documents and to organize connections over the TLS/SSL protocol, you need to install not only the user's certificate but also the issuer's certificate and CRL (see Installing Issuer's Certificates and CRL on page 73). Installing Issuer's Certificates and CRL. To work with protected documents and to organize connections over the TLS/SSL protocol, you need to install the user's certificate, the issuer's
44. For example, you can type here how to contact you or post some problems or suggestions on ViPNet registration utility or ViPNet software in the whole. In the Computer code box, a code that uniquely identifies your computer is displayed. You can't change this value. 6. Click Next. The page showing your registration request status will be displayed. On this page, you will also see how much time elapsed since you had begun your registration request. Please note that you have no more than three minutes to complete your online registration request. Figure 11: Requesting for registration. If within the three minutes a connection to the Infotecs registration server is not established, the corresponding message will be displayed. If a connection to the Infotecs registration server is established, the registration may fail by the following reasons: o You have supplied incorrect data. In this case, you will be prompted to check the correctness of supplied data. In the message window, click OK to return to the Registration data page. o The entered serial number has been already registered for another computer. In this case, you will be prompted to get another serial number free of ch
45. Outlook 2003, on the toolbar, click Digitally Sign. In Microsoft Outlook 2007, click the Message tab. Under Options, click Digitally Sign. In Microsoft Outlook 2010, click the Options tab. Under Permission, click Sign. In Microsoft Outlook 2013, click the Options tab. Under Permission, click Sign. Note: The Digitally Sign or Sign buttons may be missing from the toolbar if you have not chosen the certificate set by default in the Change Security Settings (see Adding a Digital Signature to All Messages on page 111) window. If there is no Digitally Sign or Sign button, refer to Digitally Sign (Sign) Button Isn't Displayed (see Digitally Sign (Sign) Button Isn't Displayed on page 117). Type your message and specify a subject and the recipient. If necessary, you may add an attachment. 4. Click Send. The ViPNet CSP Key Container Password (see figure on page 79) window will be displayed. 5. Type your password and click OK. Digitally Sign (Sign) Button Isn't Displayed. In case the Digitally sign (Sign) button is not displayed: 1. Open the Security Properties window. To do this, depending on the Microsoft Office software version, do one of the following: o In Microsoft Outlook 2003, click Options, then in the Message Options window click Security Settings. o In Microsoft Outlook 2007, click the Options tab, click More Options. In the Message Options window, click Security
46. PNet CSP and Microsoft Outlook mail programs (2003, 2007 or 2010 versions) and Microsoft Windows Live (2009 version). To organize encrypted messages exchange between ViPNet CSP and one of these mail programs: 1. Install (see Ways to Install a Private Key and a Certificate on page 60) the container and the certificate in ViPNet CSP, and install the issuer's certificate and CRL (see Installing Issuer's Certificates and CRL on page 73). 2. Exchange certificates with the recipient (sender) of the message (see Exchanging Certificates with the Message Recipient on page 107). 3. If necessary, you can configure a mail program for working with a digital signature and encrypted (see Advanced Configuring of Digital Signature and Encryption on page 109) messages. 4. Depending on whether you are a sender or a recipient of an encrypted message: o Sign a message using your digital signature (see Adding a Digital Signature to All Messages on page 111, Adding a Digital Signature to a Message on page 116). o Create and send an encrypted message (see Email Encryption on page 121). o Decrypt the received message (see Viewing the Encrypted Messages on page 126). Warning: To sign email messages, you need a public key certificate where the certificate owner's email address is specified and in the Enhanced Key Usage box the attribute Secure Email is enabled. If you don't have such a certificate, you can't add a digital signature to a message. To sign email me
47. Select a Certificate window will be displayed. 2. Choose a certificate and click OK. The Create Microsoft Office Access Signed Package window will be displayed. Warning: You can sign a database only using a certificate with the Code signing attribute of the Extended Key Usage extension. If you have no such attribute in your certificate, you can't create a signed package. To get a certificate with this attribute, contact your Key and Certification Authority administrator (see ViPNet Administrator Key and Certification Authority Administrator's Guide). 3. Choose a folder for saving signed package. 4. Type the name for the signed package in the File name box and then click Create. The signed package will be placed in the folder that you have chosen. Organizing a Protected Connection via TLS/SSL. Checklist: Organizing Access to a Protected Web Server 145; Configuring a Server Host 146; Configuring a Client Host 147; Configuring Internet Explorer for Work over the TLS/SSL Protocol 148; Checking the Web Host's Availability over the Secure HTTPS Protocol 149. Checklist: Organizing Access to a Protected Web Server. To organize access to a protected web server using the ViPNet CSP cryptographic service provider, you need to configure a server host and a web client host. 1. To configure a serve
48. Settings. o In Microsoft Outlook 2010 or Microsoft Outlook 2013, click the Options tab and under More Options click Properties. In the Properties window, click Security Settings. The Security Properties window will be displayed. Figure 56: Security Properties window. 2. Select the Add digital signature to this message check box. 3. If necessary, in the Security setting list, choose preset parameters of signing and encrypting. 4. By default, in the Security setting list the value is set to <Automatic>. This means that the certificate will be chosen automatically. To choose the certificate manually, click Change Settings (see Advanced Configuring of Digital Signature and Encryption on page 109). To save the settings, click OK. Windows Live Mail. To digitally sign a message: 1. Create a new message in the Windows Live Mail program. 2. In the New message window, on the Tools menu, select Digitally sign. Note: If in the New message window the menu is not displayed, on the toolbar click and select Show menu bar. Type your message, specify the subject and the recipient. If necessary y
49. Figure 79. Web client certificate details
    To check the TLS/SSL protocol activity:
    1. In the Internet Explorer browser, on the Tools menu, click Internet Options.
    2. In the Internet Options window, click the Advanced tab. Make sure that the SSL 3.0 and TLS 1.0 check boxes are selected and the SSL 2.0 check box is cleared.
    Check the connection to the web server.
    The IIS Services Should Be Restarted
    In some cases you need to restart the IIS service to connect to a server over the newly configured TLS protocol. To do this:
    1. Open the Windows Task Manager window.
    2. End the inetinfo.exe process.
    3. After the service has started automatically, check the connection to the server.
    Password to Server's Certificate Should Be Saved
    In some cases, to access the server you need to save the key container password. To do this:
    1. In the MMC snap-in, open a certificate.
    2. In the Certificate window, on the Details tab, click Copy to File. On the start page of the Certificates Export Wizard
50. The Corresponding Private Key Is Not Found 163
    The Email Message Can't be Signed 163
    An Email Message Is Signed with a Certificate That You Have Not Selected for Signing 163
    Macros or Microsoft Access 2007 Database Can't be Signed 164
    The Signature Line in Microsoft Word 2003 or Excel 2003 Can't be Signed 164
    Signed Microsoft Word or Excel Document Can't be Edited 164
    No Connection to the Server over HTTPS 165
    The IIS Server and the Web Client Have Different ViPNet CSP Versions 165
    User's Certificates, the Issuer's Certificate and CRL Were Installed in the Wrong Store 165
    The Browser Is Not Configured to Work over the TLS Protocol 167
    The IIS Services Should Be Restarted 168
    Password to Server's Certificate Should Be Saved 169
    When You Connect to a Server Security Warning Is Displayed 170
    Providing Additional Information About the Problem 171
    Appendix A External Storage Devices
51. When you start the ViPNet CSP demo version, you will be prompted to register the program. You may register the program or run the demo version (see ViPNet CSP Licensing on page 33).
    Figure 6. Starting a demo version
    After ViPNet CSP starts, the General section of the main window will be displayed. This section contains information about the program version, the license owner and the ViPNet CSP operation mode.
    Figure 7. Displaying information about ViPNet CSP
    If you have just started using ViPNet CSP, we recommend that you first install a key container and a certificate (see Installing Containers and Certificates on page 59).
    ViPNet CSP Licensing
    If you install the ViPNet CSP program as part of other ViPNet software, registration is not required. If you install ViPNet CSP separately, you need to register it. Using a demo license, you can work with ViPNet CSP only for 14 days. After that the program will stop functioning
52. Figure 10. Entering registration data
    On the Registration data page:
    1. In the Serial number box, type your serial number.
    Note: If you do not have a serial number, make a request to purchase it (see Buying Program Getting a Serial Number on page 37). If you have previously typed your serial number in this box, it will be entered automatically.
    2. In the User name box, type your name to be used when issuing your license and contacting you. This box is optional. By default, the user name you typed at the ViPNet CSP installation will be displayed.
    3. In the Company box, type your company name. This box is optional. By default, the company name you typed at the ViPNet CSP installation will be displayed.
    4. In the Email box, type your e-mail address, which will be used to contact you if needed.
    Warning: We will not sell, distribute or lease your e-mail addresses. We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect from you.
    5. In the Additional information box, feel free to type any additional information
53. an issued certificate in return. Then, in the ViPNet CSP Settings program, install the issued certificate (see Installing the User Certificate in the System Store on page 68) and specify the key container corresponding to this certificate.
    Using Signing Keys of the ViPNet Host's User
    You can transfer the key container installed on your ViPNet host using the ViPNet CryptoService, ViPNet Client or ViPNet Coordinator program (version 3.2.2 or later) to another computer and use this key container in the ViPNet CSP program.
    To use the signature keys of the ViPNet host's user in the ViPNet CSP program, do the following:
    1. In ViPNet CryptoService, ViPNet Client or ViPNet Coordinator, open the Security Service Settings dialog box and click the Keys tab.
    2. Under Signature, click Transfer.
    Figure 23. Transferring the key container
    3. In the ViPNet CSP Key Container Initialization window, click Browse and specify a folder or removable device for transferring the container. Then click OK. The container will be t
54. and you will need to register it. However, there are no limitations in the demo version and all features are available. You can register ViPNet CSP for free, so we strongly recommend that you do it as soon as possible to avoid any inconvenience when the demo period expires.
    When the demo period expires, you can't work with an unregistered ViPNet CSP program. To continue working, you need to register the program (see Registering ViPNet CSP on page 34). The registration is free.
    Registering ViPNet CSP
    Before You Begin 35
    Buying Program Getting a Serial Number 37
    Requesting a Registration Code 38
    Registering ViPNet CSP 47
    System Administrator Actions for Registration Using a File 50
    Before You Begin
    Why You Need to Register ViPNet CSP 35
    Starting the Registration Process 35
    Why You Need to Register ViPNet CSP
    After you install ViPNet CSP, it starts in demo mode and you can use it only for a limited period of time (see ViPNet CSP Licensing on page 33). If you find that ViPNet CSP meets your requirements, you should register it to enjoy a full-featured version. That is why we recommend the following workflow:
    - Install ViPNet CSP and feel free to use the demo version to find out all its features and advantages.
    - When the validity period of your demo license expires, you need to register your ViPNet CSP copy.
    Starting the Registration Process
55. Figure 19. Completing registration
    6. Click Finish.
    7. Back up your registration data (see Saving Registration Data on page 49) by copying your registration file to a secure location. The file of fmanager brg is located in the same folder as the ViPNet CSP application.
    Saving Registration Data
    The registration process saves registration data to the brg file, which is created in one of the following folders:
    - C:\ProgramData\infotecs\ViPNet CSP for the operating systems Windows Vista, Windows 7 and Windows Server 2008.
    - C:\Documents and Settings\All Users\Application Data\infotecs\ViPNet CSP for the operating systems Windows XP and Windows Server 2003.
    Note: The name of the brg file depends on the ViPNet program version.
    We recommend that you save this file in a secure place, because it will be useful in some cases of re-installation, for example if you ne
56. arge. Click the link in the message and request a new serial number (see Buying Program Getting a Serial Number on page 37).
    If online registration was successful, the Registration of ViPNet CSP was successful page will be displayed. This page will also display some suggestions on how to securely back up your registration data (see Saving Registration Data on page 49). Click Finish.
    Requesting Your Registration Code by Email
    Warning: For requesting a registration code on the Internet you need an Internet connection.
    If you select By email, the Registration data page will be displayed. On the Registration data page:
    1. Provide all your data as described in Requesting Your Registration Code On the Internet Online on page 38. Click Next.
    An email summarizing your registration data will be automatically opened in your default email application. It will be addressed to reg@infotecs.biz.
57. atabases
    Macro Digital Signature 139
    Signing Microsoft Access 2007 and 2010 Databases 142
    Macro Digital Signature
    Digitally Signing a Macro
    In the Microsoft Office software you can digitally sign a macro. A digital signature lets you confirm the origin of the macro and its security. You can create and sign a macro in Microsoft Word, Excel, Outlook, PowerPoint, Access, Publisher and Visio.
    Warning: For you to sign a macro, your certificate must contain a Code signing attribute in the Enhanced Key Usage field. If you don't have such a certificate, you can't sign a macro. To get a certificate with this attribute, contact your Key and Certification Authority administrator (see ViPNet Administrator Key and Certification Authority Administrator's Guide).
    To sign a macro, do the following:
    1. Open the Microsoft Visual Basic editor.
    - If you use Microsoft Office 2003 or Microsoft Outlook 2007, Publisher 2007 or Visio 2007, on the Tools menu select Macro and then click Visual Basic Editor.
    - If you use Microsoft Word 2007, Excel 2007 or PowerPoint 2007, on the Developer tab under Code click Visual Basic.
    Note: By default, the Developer tab is not displayed. To display it, on the File menu select Options, and in the opened window in the Advanced section select the Developer check box.
    - If you use Microsoft Access 2007, Microsoft Access 2010 or Microsoft Access 2013, on th
58. ator rights on your computer.
    To install ViPNet CSP:
    1. Double-click the setup file.
    2. On the License page of the setup program, read the terms and conditions of the license agreement. If you agree, select the corresponding check box. Then click Continue.
    3. To configure the setup parameters, on the Setup type page click Customize and specify:
    - the software components you want to install
    - the path to the program folder on your computer
    - the user name and the company name
    - the name of the program folder on the Start menu
    You can enable or disable the following software components:
    - ViPNet CSP support via MS Crypto API adds the functionality that allows you to integrate ViPNet CSP in third-party programs. This component is enabled by default when you install ViPNet CSP as a separate program and disabled when you install it as a part of some other ViPNet software.
    - KC3 integrity check adds the functionality that ensures file integrity checking. This is required so that ViPNet CSP conforms with the KC3 Russian standard for cryptographic protection.
    4. To start the setup, click Install now.
    5. You will be prompted to restart your computer. To restart the computer immediately, click Yes.
    To register ViPNet CSP during installation without displaying the user interface (Silent mode), you need to prepare the registration file cspreg.txt and put it in the same folder as the setup.exe file. The cspreg.txt file must be as follows
59. attachments will be decrypted and displayed in the reading pane.
    Encrypting Documents and Files
    If you want to encrypt certain documents or files, you can do one of the following:
    1. Create an encrypted message (see Email Encryption on page 121).
    2. Specify the necessary documents or files as an attachment.
    3. Send the message to the recipient or to yourself.
    In the first case only the specified recipient can view the encrypted documents; in the second one, only you.
    Digital Signature in Microsoft Office InfoPath
    Permission to Sign an InfoPath Form with a Digital Signature 129
    Signing an InfoPath Form 133
    Viewing an InfoPath Form Signature 136
    Unsigning an InfoPath Form 137
    Permission to Sign an InfoPath Form with a Digital Signature
    When you are creating a form template in Microsoft Office InfoPath, you may allow users to digitally sign it. When filling in the form, users can sign the whole form or its parts.
    Microsoft Office InfoPath 2003
    To allow users to sign a Microsoft Office InfoPath 2003 form, do the following:
    1. Create or open a form template in the constructor mode.
    2. On the Tools menu, click Form Options. In the Form Options window, on the Digital Signatures tab, select the Enable digital signatures for the entire form check box. If necessary, select the Prompt user to sign the form if it is submit
60. ature name on the Signatures panel and choose Sign again.
    Viewing signature details (see Viewing a Digital Signature on page 96) or removing a signature (see Removing a Digital Signature on page 99) from a visible signature line is the same as in the case of an invisible signature:
    1. Depending on the MS Office software version, do one of the following:
    - In MS Office 2007, click the Microsoft Office button, point to Prepare, and then click View Signatures, or click the digital signature icon on the status bar of the document.
    - In MS Office 2010, click the File tab and then click View signatures.
    The Signatures pane (see figure on page 97) will be displayed.
    2. In the Signatures pane, right-click the signature name or the signature line. Depending on what you need to do, click Signature Details or Remove signature.
    Digital Signature and Encryption in Microsoft Mail Programs
    Organizing Encrypted Messages Exchange 106
    Exchanging Certificates with the Message Recipient 107
    Advanced Configuring of Digital Signature and Encryption 109
    Adding a Digital Signature to All Messages 111
    Adding a Digital Signature to a Message 116
    Viewing the Message's Digital Signature 119
    Email Encryption 121
    Viewing the Encrypted Messages 126
    Encrypting Documents and Files 127
    Organizing Encrypted Messages Exchange
    This section describes encrypted messages exchange between Vi
61. ay ask you to provide more information to solve the problem. In this case:
    1. Press Win+R or, on the Start menu, select Run.
    2. In the Open box, type regedit and press Enter.
    3. In the Registry Editor program, go to the Logs folder, which is accessible by the following path:
    - in the 32-bit Windows OS: HKEY_LOCAL_MACHINE\SOFTWARE\infotecs\Logs
    - in the 64-bit Windows OS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\infotecs\Logs
    4. Change the Level and dbg_level values to 0xff (255).
    5. Restart your computer.
    Note: It may take a long time to start your computer.
    6. Download the DebugView program (http://technet.microsoft.com/ru-ru/sysinternals/bb896647.aspx).
    7. Run DbgView.exe as a system administrator.
    8. Repeat the steps that have caused the problem.
    9. In the DebugView program, select all strings and copy them to a text file.
    10. Add this text file to an archive and send it to the support with a description of the problem.
    Note: If third-party software is required to reproduce the problem, you should note it in your email.
    11. Set the dbg_level key value to 0.
    12. Restart your computer.
    External Storage Devices
    Overview
    External storage devices are designed for storing key containers (see Key container on page 178) that you can use for authentication, digital signing (see Digital signature on page 178) or other purposes
62. b Server 145
    Configuring a Server Host 146
    Configuring a Client Host 147
    Configuring Internet Explorer for Work over the TLS/SSL Protocol 148
    Checking the Web Host's Availability over the Secure HTTPS Protocol 149
    Problems and Troubleshooting 150
    Checking the Program Components Integrity 151
    The Program Won't Start 152
    ViPNet CSP Conflicts with Other Programs 154
    Can't Use Accord TSHM Electronic Lock 156
    When You Are Using eToken Aladdin the System Irresponsive 157
    Unable to Check the Certificate 158
    Document Can't be Encrypted 159
    Email Address of the Certificate Is Not Found on the List of Contact Addresses 159
    Invalid Certificate 161
    Can't Use the Digital Signature 163
63. Figure 51. Choosing a certificate for signing and encrypting
    4. Click Choose near the Encryption Certificate box and specify the certificate.
    Warning: If the certificate chosen for creating a digital signature does not contain any email address, or the specified email address does not correspond to the outgoing message's address, you can choose this certificate as a digital signature certificate. If the chosen certificate does not contain an outgoing email address, the following problems may occur:
    - In the system store there is another certificate with the email address similar to the outgoing email address. When you sign your email message, the digital signature will be created using this certificate and not the certificate specified before.
    - In the system store there are no certificates with the email address similar to the outgoing email address. When you try to sign the message, the digital signature will not be added.
    To sign an email message with a certificate, create a request for a new certificate, specify the correct email address and send your request to your certification authority administrator.
    5. If necessary, configure other options and click OK.
    To choose a certificate in the Windows Live Mail program:
    1. On the T
64. cate Request and Generating a Private Key 53
    Using Signing Keys of the ViPNet Host's User 57
    Chapter 6 Installing Containers and Certificates 59
    Ways to Install a Private Key and a Certificate 60
    Installing Container from a Folder 61
    Installing Container from an External Device 64
    Installing Certificates in a Container 66
    Installing the User Certificate in the System Store 68
    Installing a Certificate Which Has Not Been Added to the Container 68
    Installing a Certificate from Container 71
    Installing Issuer's Certificates and CRL 73
    Chapter 7 Working with Containers 75
    Viewing and Configuring Container Properties 76
    Changing the Container Password 76
    Deleting a Previously Saved Passwor
65. certificate and the CRL in the system store. To install the user's certificate in a container or separately, use the ViPNet CSP program. You can install the issuer's certificate and CRL by using the operating system tools. This type of certificate installation is also required if the ViPNet software is installed on a web server and used to organize connections over TLS/SSL.
    To install certificates and CRL:
    1. Open the folder containing the certificate file or CRL. Right-click the necessary file and on the context menu select Install Certificate or Install CRL.
    2. On the start page of the Certificate Import Wizard, click Next.
    3. On the Certificate store page, select Place all certificates in the following store.
    Figure 31. Choosing a store for the issuer's certificate or CRL
    4. Click Browse. In the Select Certificate Store window, select:
    - Trusted Root Certification Authorities if you are installing an issuer's certificate
66. ckup copy of the container (see Creating a Backup Copy of a Container on page 81).
    4. To confirm deleting the container, click OK in the displayed window.
    The container will be deleted from the containers list and also from the folder or the external device where it is stored.
    Managing External Devices
    Viewing the Connected Devices List 84
    Configuring the Devices List 86
    External Device Initialization 87
    Changing PIN 88
    Using a Random Number Generator 89
    Viewing the Connected Devices List
    ViPNet CSP allows you to work with key containers which are stored on external devices.
    To view the list of connected devices and the key containers stored on them:
    1. In the main ViPNet CSP window, select the Devices section.
    Figure 35. The Devices section
    2. In the Available devices list, choose the necessary device.
    Note: The Available devices list displays only those devices that are connected to the corresponding card reader at the moment.
    3. In the Containers located on the selected device list, choose a container.
    - To view the container properties, click View (see Viewing and Configuring Container P
67. click Next. In the key container logon window, type the server's user password and select the Save Password and the Do not show this window again check boxes. Click OK. Now you can close the wizard; the password has been saved.
    When You Connect to a Server Security Warning Is Displayed
    When you are connecting to the server, a Security warning may be displayed by your web browser: "Specified in the certificate name is incorrect or does not match the name of the site". In this case, check that the server domain name is the same as the name of the user this certificate is issued for.
    Figure 80. Security warning about names mismatch
    Providing Additional Information About the Problem
    A specialist of the Infotecs technical support m
68. ... 34
    Before You Begin 35
    Why You Need to Register ViPNet CSP 35
    Starting the Registration Process 35
    Buying Program Getting a Serial Number 37
    Requesting a Registration Code 38
    Requesting Your Registration Code on the Internet online 39
    Requesting Your Registration Code by Email 41
    Requesting Your Registration Code by Phone 43
    Receiving Your Registration Code from the Administrator 44
    Registering ViPNet CSP 47
    Saving Registration Data 49
    If the Configuration of Your Computer Has Been Changed 49
    System Administrator Actions for Registration Using a File 50
    Chapter 5 Obtaining a Certificate and Private Key 51
    Obtaining and Installing a Private Key and a Certificate 52
    Creating a Certifi
69. d 78
    Verifying a Key Container 78
    Deleting a Private Key 79
    Creating a Backup Copy of a Container 81
    Deleting a Container 82
    Chapter 8 Managing External Devices 83
    Viewing the Connected Devices List 84
    Configuring the Devices List 86
    External Device Initialization 87
    Changing PIN 88
    Using a Random Number Generator 89
    Chapter 9 Digital Signature in Microsoft Office Documents 91
    Digitally Signing a Document 92
    Microsoft Office 2003 92
    Microsoft Office 2007 93
    Microsoft Office 201
70. dding a Digital Signature to a Message 116
    Microsoft Outlook 116
    Digitally Sign Sign Button Isn't Displayed 117
    Windows Live Mail 118
    Viewing the Message's Digital Signature 119
    Microsoft Outlook 119
    Windows Live Mail 120
    Email Encryption 121
    Email Encryption in Outlook 2003 121
    Email Encryption in Outlook 2007 122
    Email Encryption in Microsoft Outlook 2010 and Microsoft Outlook 2013 123
    Email Encryption in the Windows Live Mail Program 125
    Viewing the Encrypted Messages 126
    Encrypting Documents and Files 127
    Digital Signature in Microsoft Office InfoPath 128
    Permission to Sign an InfoPath Form
71. do the following:
    1. Open a form or a template.
    2. On the Tools menu, select Digital signatures, or on the toolbar click Digital Signatures. The Digital Signatures window will be displayed.
    Figure 66. The Digital Signatures window
    3. Click Add, and in the Digital Signature Wizard window click Select Certificate.
    4. Select your certificate from the list. To open the certificate, click View Certificate. After choosing the certificate, click OK.
    5. In the Comment box, type a comment which will be included in your signature. Click OK.
    6. In the ViPNet CSP Key Container Password window (see figure on page 79), type the password and click OK.
    You can't change the form after signing.
    Microsoft Office InfoPath 2007, 2010 and 2013
    To sign a form, do the following:
    1. Open a form or a template in the InfoPath 2007, InfoPath Filler 2010 or InfoPath Filler 2013 program. Depending on the Microsoft Office InfoPath software version, do one of the following:
    - In InfoPath 2007, on the Tools menu select Digital signatures, or on the toolbar click Digital Signatures.
    - In InfoPath 2
72. e Database Tools tab under Macro click Visual Basic.
    - If you use Microsoft Office 2010 or Microsoft Office 2013 (except for Microsoft Access), on the Developer tab under Code click Visual Basic.
    Note: To open Microsoft Visual Basic Editor in any of these applications, press Alt+F11.
    2. In the Microsoft Visual Basic editor, on the Tools menu select Digital Signature. The Digital Signature window will be displayed.
    Figure 68. Adding a digital signature
    3. Click Choose, choose a certificate from the list and click OK.
    A digital signature will be added to the macro.
    Verifying a Macro's Digital Signature
    To verify a digital signature in a macro project, do the following:
    1. In the Microsoft Visual Basic editor, on the Tools menu select Digital Signature. The Digital Signature window will be displayed.
    Figure 69. The Digital Signature window
    The Digital signature window shows the current certificate. To open the certificate, click Detail. If the chosen certificate is not valid, the corresponding message will be displayed in the Certificate window on the General tab (see figure on page 96). The untrusted ce
73. e Signature Details window (see figure on page 98) contains brief information about the signature and the certificate. If any certificate validation errors occur, the corresponding message will be displayed under the window title.
Figure 46. Signature details
4. To open a certificate, click View. To view the additional signing information, click the See the additional signing information that was collected link.
Removing a Digital Signature
Microsoft Office 2003
To remove a digital signature from a Microsoft Word, Excel or PowerPoint document:
1. On the Tools menu, click Options.
2. On the Security tab, click Digital Signatures.
3. In the Digital Signature window (see figure on page 92), choose a certificate to remove. To view the signing certificate, click View Certificate.
4. After choosing a digital signature, click Remove. The digital signature will be removed.
Microsoft Office 2007
To remove a digital signature from a Microsoft Word, Excel or PowerPoint document:
1. Open the Signatures pane by doing one of the following:
o Click the Microsoft Office button, click Prepare, and then click View Signatures.
o Click the digital signature icon
o
74. each other and you can use them to work with protected documents.
To verify a container:
1. In the Container Properties window (see figure on page 77), in the Private Keys list, choose the private key entry.
2. Click Check.
3. In the ViPNet CSP Key Container Password window (see figure on page 79), type the password to access the container and click OK.
Figure 34. Typing the container password
4. Then the data fragment signed with the private key will be created, and the digital signature will be verified using the public key certificate. Thus, the private key validity and its compatibility with the certificate stored in the container will be verified.
Note: You can verify a key container only if it contains a certificate corresponding to the private key. A certificate may be missing from a key container when it is stored separately. A certificate is stored separately from a key container if the certificate renewal request has been generated in the ViPNet CSP software. If the renewal request has been generated in another program, the certificate will be automatically saved to the corresponding key container.
When the private key is verified, the certificate validity, its validity
75. ed to install the program into another folder on your computer, or you need to re-install the program after formatting your hard drive. In such cases, you should unload the program, move the saved brg file back into the folders mentioned above, and then start the program anew. Upon start, ViPNet CSP will be registered automatically, as long as the registration data are valid and the configuration of your computer has not changed.
Registration data (serial number, computer code, registration code and more) is also stored in a registration log file named reginfo.txt, located in the ViPNet CSP installation folder. You can use information from this file for manual registration of the program after re-installation, for example, if the brg file has been lost.
If the Configuration of Your Computer Has Been Changed
Changes in computer configuration may influence the work of ViPNet Network Manager installed on this computer. If your upgrade was substantial (you replaced almost all hardware in your PC), you will need to register your ViPNet Network Manager once again (see Requesting a Registration Code on page 38). If you made only minor changes to your computer's configuration, you will not have to register your ViPNet Network Manager again. At the first ViPNet Network Manager startup after a minor upgrade, a message will be displayed informing you that your computer's configuration has been changed and a new brg file has been created. This mean
76. egistration Process on page 35
2. On the first wizard page, choose Register program and click Next.
3. On the Serial number page, type your serial number.
Figure 17. Entering a serial number
Note: If you have ever previously typed your serial number in this box, your serial number will be entered automatically.
4. On the Registration Code page:
o If you personally sent a request for a registration code, select Single registration and type the registration code.
o If your system administrator sent a request for a registration code, select Using file, click Browse and locate the file on your network that contains the registration code.
Figure 18. Entering a registration code
5. Click Next. If you provided correct data, the Registration of ViPNet CSP was successful page will be displayed.
77. en ... 13
Chapter 1. Using ViPNet CSP in Data Protection Systems ... 14
ViPNet CSP Purposes ... 15
Encrypting and Signing Documents ... 16
Key Containers ... 18
Digital Signature ... 20
Authenticity and Confidentiality of TLS/SSL Connections ... 21
ViPNet CSP Scope ... 22
Chapter 2. Quick Start ... 23
Chapter 3. Setting Up and Starting ViPNet CSP ... 25
ViPNet CSP Setup ... 26
Running Setup from the Command Line ... 28
Adding, Uninstalling and Restoring ViPNet CSP Components ... 29
Starting ViPNet CSP ... 31
ViPNet CSP Licensing ... 33
Chapter 4. Registering ViPNet CSP
78. ertificate, in the ViPNet CSP Key Container Initialization window specify the path to the private key container and its certificate. If you don't know the container's location, you can't use the chosen certificate. If you specify the key container location in the ViPNet CSP Key Container Initialization window, this container will be added to the list on the Containers tab.
The Email Message Can't Be Signed
When you are signing an email message, you may be notified that there is no certificate containing your email address. In this case, you should ask the Key and Certification Authority for such a certificate. Your email address and the Secure Email attribute in the Enhanced Key Usage field should be specified in the certificate.
An Email Message Is Signed with a Certificate That You Have Not Selected for Signing
Such an error occurs when the certificate chosen for signing does not contain its owner's email address, or the specified address does not correspond to the outgoing message's address. Moreover, when the message is signed, a different certificate that contains the sender's email address is chosen from the system store. To resolve this error:
1. Create a new certificate request and specify the correct email address in it.
2. Send the certificate request to the administrator of your Certification authority and wait until you receive a new certificate.
3. Specify the received certificate as a certificate for signing.
79. essages encryption
3. To choose your certificate for signing and encrypting, click Settings, and in the Change Security Settings window select the required certificates.
4. After that, all your outgoing messages will be encrypted if the certificate has been added to the recipient's contact card.
Email Encryption in Outlook 2007
To encrypt a single email message:
1. Create a new message in the Outlook program and specify the recipient.
2. Enable encryption in one of the following ways:
o In the message, on the Message tab, under Options, click Encrypt.
o In the message, on the Message tab, under Options, open the Security Settings (see figure on page 121) and select the Encrypt message contents and attachments check box. To change additional settings (see Advanced Configuring of Digital Signature and Encryption on page 109), such as using a specific certificate, click Change Settings.
3. Send your message.
To encrypt all outgoing messages:
1. In the main Outlook window, on the Tools menu, click Trust Center, and then click E-mail Security.
Under Encrypted e-mail, select the Encrypt contents and attachments for outgoing messages check box. To change additional settings (see Advanced Configuring of Digital Signature and Encryption on page 109), such as choosing a specific certificate, click Settings.
Double-click OK.
After that, all your outgoing messages will be encrypted if the recip
80. eting the Certificates Installation Wizard page, click Finish.
As a result, the certificate is installed into the selected certificate store. In case no private key has been found when installing the certificate, you should install the key container corresponding to this certificate. If the certificate was associated with the private key during installation, the container with the private key corresponding to this certificate appears on the list of containers (see figure on page 61, see the figure on page).
You may install one more certificate and private key, or begin working with protected documents (see ViPNet CSP Scope on page 22) using the previously installed issuer's certificate and CRL (see Installing Issuer's Certificates and CRL on page 73).
Installing a Certificate from Container
To install a certificate:
1. In the main ViPNet CSP window, select the Containers section (see figure on page 61).
2. In the Containers section, choose the container whose certificate you need to install and click Properties, or double-click the necessary container.
3. In the Key Container Properties window (see figure on page 77), choose the necessary private key and click Certificate.
4. In the Certificate window, on the General tab, click Install Certificate. The Certificate Renewal Wizard window (see Installing the User Certificate in the System Store on page 68) will be displayed.
81. f the Create request button is not displayed after you fill in all required fields, make sure that in the General section (see figure on page 32) the Allow ViPNet CSP to use MS Crypto API check box is selected.
Then create a key container by performing the following actions:
7. In the displayed ViPNet CSP Key Container Initialization window, specify:
o A container name, or leave the default value.
o The container location, by clicking one of the following options: Folder or Choose device.
Note: In some cases, the ViPNet CSP Key Container Initialization window can be displayed with a delay. Wait until it is displayed.
8. In the ViPNet CSP Key Container Initialization window, specify the private key protection password.
9. The Digital Roulette (on page 178) window will be displayed. Follow the instructions in the Digital Roulette window.
Figure 22. Digital Roulette
10. In the message about the successful creation of the certificate request file, click OK.
11. After creating the request file, you can close the Certification Authority browser page.
After the certificate request is created, deliver your request file to the administrator of your certification authority and get
82. f you don't need to install certificates or you will install them manually, click No. To view the container's certificate list, click Certificates.
After you have installed the certificates in a store, or after you have canceled the certificates installation, the added container will be displayed in the available containers list (see figure on page 61).
Note: In the certificate settings window, you can install certificates from the container manually (see Installing a Certificate from Container on page 71).
After adding the container, install the issuer's certificate and CRL (see Installing Issuer's Certificates and CRL on page 73) and proceed to using cryptographic operations (see ViPNet CSP Scope on page 22).
Installing Container from an External Device
To install a container from an external device:
1. In the main ViPNet CSP window, select the Containers section (see figure on page 61).
2. In the Containers section, click Add.
3. In the ViPNet CSP Key Container Initialization window, click Device. In the devices list, select the required device.
Figure 26. The key container initialization from an external device
4. In the
83. for transferring certificates and certificate revocation lists: files with extensions PIE, p7b, PEX and p12.
Note: You can use any number of certificates and key containers in ViPNet CSP. In this case, to digitally sign a document, you need to choose the key which you will use.
Digital Signature
The digital signature is an attribute of an electronic document that is a result of cryptographic data processing with the use of a private key. A digital signature can confirm:
• Authenticity. A digital signature unambiguously identifies the person who has signed the document.
• Integrity. A digital signature confirms that the document has not been changed after the signing.
• Non-repudiation. The author can't deny the fact that he or she has signed the document.
Thus, individuals and legal entities may use a digital signature as an equivalent to a handwritten signature, to ensure the legal validity of an electronic document equal to the legal validity of a printed or handwritten document signed manually by the eligible person and officially sealed.
To use a digital signature, you need to get a public key certificate (see Key Container on page 18) in a competent Certification Authority. If certificate validation with the use of the Certification Authority's database confirms that a certificate is legal, functional, has not expired and has not been revoked, this certificate is considered valid. The docu
84. g it and using MAC in accordance with GOST 28147-89.
• Ensuring authenticity and confidentiality of TLS/SSL connections.
Encrypting and Signing Documents
To encrypt a document and to verify a digital signature, the ViPNet CSP program employs a public key located in the certificate (see Public key certificate on page 179) of the user the encrypted document is addressed to, or of the user who sent the digitally signed document. To decrypt a document or create a digital signature, the cryptographic service provider employs the private key of the user who decrypts or signs the document (the key that is specified by this user).
The scheme below visualizes the process of sending a confidential Outlook message.
Figure 1. Exchanging protected documents
User A needs to send a confidential Outlook message to user B.
1. User A requests user B's public key certificate from the network certificate store and checks its correspondence with user B's contact in the Microsoft Outlook program.
2. User A encrypts the document using a public key from user B's certificate.
3. User A sends the encrypted message to user B.
4. User B decrypts the document using his or her private key.
Thus, user B receives the confidential message from user A. If a malicious user intercepts this confidential message, he or she will not be able to read it, because he or she does not possess user B's private key.
85. gnature line, and then click Signature Setup.
o In MS Office 2010, right-click a signature string and choose Sign.
In the Sign window, type your name, or click the Select Image link if you want to paste a graphical image of a signature line. Below is a brief description of the certificate with which the document will be signed. To sign a document using another certificate, click Change and choose another certificate.
Figure 49. Signing a signature line
After you type a name and choose a certificate, click Sign.
The ViPNet CSP Key Container Password window (see figure on page 79) will be displayed. Type your password and click OK.
In the signature line, the signer's name or signature graphical image will be displayed.
If for some reason the program can't verify the authenticity of the certificate, the mark Invalid Signature will be displayed above the signature line.
Figure 50. An invalid signature
Note: You can sign an Invalid signature line again. To do it, right-click on the signature line or on the sign
86. ha Type and confirm a password that will be required to access the key container. The password should be at least 6 characters long.
Figure 33. Changing the container password
The container password is changed.
Deleting a Previously Saved Password
You may need to delete the saved password to a key container in case the password storage conditions and/or your corporate security regulations have changed, so that you may not store the password on your computer anymore.
To delete a previously saved container password:
1. In the main ViPNet CSP window, select the Containers section (see figure on page 61).
2. To select a key container from the current user's key containers folder, click Current user. To select a key container from the computer's key containers folder, click Computer.
3. Select the key container whose password you need to delete and click Properties, or double-click the necessary container.
4. In the Key Container Properties window (see figure on page 77), click Delete Saved Password. The password will be deleted.
The previously saved password will be removed. Then you should enter the password every time you access the key container.
Verifying a Key Container
You can verify a key container to make sure that the container file has not been modified, that the certificate and private key in the container correspond to
87. hat was collected link. If any certificate validation errors occur, the corresponding message will be displayed under the window title.
Figure 44. Signature details
Microsoft Office 2010
Warning: Documents that were signed in Microsoft Office 2003 or Microsoft Office 2007 programs can't be opened in Microsoft Office 2010 up to build 14.0.6023. We recommend you to use this build or later builds.
To view a digital signature in a Microsoft Word, Excel or PowerPoint document:
1. Click the File tab, and in the Info section click View signatures. The Signatures pane will be displayed.
Figure 45. Viewing your digital signatures in Microsoft Office 2010
Note: Moreover, you may open the Signatures pane by clicking the digital signature icon on the status bar.
2. On the Signatures pane, right-click the signature string and click Signature Details. On the menu, click Signature Details.
3. Th
88. icates and CRL on page 73) and then proceed to using cryptographic functions (see ViPNet CSP Scope on page 22).
Tip: If an external device has been removed and then connected to the computer again, the container which is located on this device may not appear in the Containers section. To display this container in the Containers section, click [button icon].
Installing Certificates in a Container
When you create a certificate request, the container with a private key is generated. On request, the Certification Authority issues the public key certificate corresponding to this private key. To use a public key certificate received from the Certification Authority to generate a digital signature and for other purposes, this certificate should be installed in the container where the corresponding private key is stored.
To install the certificate in a container:
1. In the main ViPNet CSP window, select the Containers section (see figure on page 61).
2. In the Containers section, choose the container in which you need to install the certificate and click Properties, or double-click the necessary container.
In the Key Container Properties window, click Add.
89. icrosoft Office programs are used, the version should be 2003, 2007, 2010 or 2012.
ViPNet CSP is compatible with some external storage devices. For more information about the supported devices, see Supported External Storage Devices on page 175.
Distribution Kit
The ViPNet CSP distribution kit includes:
• The ViPNet CSP setup file setup.exe.
• Document "ViPNet CSP. User's Guide" in PDF format (the current document).
• ViPNet CSP. Information about Third-Party Software Components.
Feedback
Finding Additional Information
For more information about Infotecs products and technologies, see the following resources:
• ViPNet documentation web portal: http://www.infotecs.biz/doc_vipnet/ENU/index.htm
• Information about current Infotecs products: http://infotecs.biz/products
• Information about Infotecs solutions: http://infotecs.biz/solutions
• Frequently asked questions: http://www.infotecs.biz/doc_vipnet/ENU/index.htm#3_17014.htm
Contacting Infotecs
We value any feedback from you. If you have any questions concerning Infotecs products and solutions, any suggestions, complaints or other feedback, feel free to contact us by means of the following:
• Support request form: http://infotecs.biz/support
• Support email: support@infotecs.biz
• Telephone: +49 (0) 30 206 43 66 0
• Fax: +49 (0) 30 206 43 66 66
Errata
Infotecs makes every effort to ensure that there are no errors or misp
90. ient's certificates have been added to the contacts.
Email Encryption in Microsoft Outlook 2010 and Microsoft Outlook 2013
To encrypt a single email message:
1. Create a new message in the Outlook program and specify the recipient.
2. Enable the encryption function using one of the following:
o In the message, on the Options tab, under Permission, click Encrypt.
o In the message, open the Options tab and under More Options click Properties. In the Properties window, click Security Settings. In the Security Properties window (see figure on page 121), select the Encrypt message contents and attachments check box. To change additional settings (see Advanced Configuring of Digital Signature and Encryption on page 109), such as choosing a specific certificate, click Change Settings.
3. Send a message.
To encrypt all outgoing messages:
1. In the main Outlook window, on the File tab, click Options.
2. In the Outlook Options window, select Trust Center and click Trust Center Settings.
3. In the Trust Center window, select the E-mail Security section. Under Encrypted e-mail, select the Encrypt contents and attachments for outgoing messages check box.
91. ificate parameters and details about the owner of the certificate, or use the details of the previous certificate.
Figure 20. Allowing blocked content
In the Choose Certificate Settings section, specify the following parameters:
o In the Cryptoprovider list, select the cryptographic service provider that you want to use for creating private and public keys.
o In the corresponding list, select a hash algorithm.
o In the Purpose list, select the actions a certificate will be used for:
  - Signature and encryption (by default), if you want to use your digital signature for encrypting messages and signing them.
  - Signature, if you want to use your digital signature only for signing messages or documents.
  - Encryption, if you want only to encrypt messages or documents.
o In the Certificate template list, choose one of the following options:
  - Qualified ViPNet CSP (by default), to create a request for a qualified certificate in which you may specify OGRNIP (Primary State Registration Number of the Sole Proprietor), SNILS (Insurance Number of Individual Ledger Account), INN (taxpayer identification number) and OGRN (primary state registration number) attributes.
  - Reporting, to create a certificate fo
92. ify data for signing, click Add.
5. The Set of Signable Data window will be displayed.
o Type the name of the data intended for signing in the corresponding box.
o Click Select XPath next to the Fields and Groups to be signed box.
o In the Select a Field or Group window, choose the field which you want to sign and click OK.
o To specify the relation type between several signatures, select the required type (the Allow only one signature option is specified by default) and add a message to confirm the signature.
o To save the settings, click OK. The chosen field will be displayed in the Set of Signable Data list (see figure on page 130).
Figure 65. The Set of Signable Data window
6. To save the settings, click OK.
Signing an InfoPath Form
When creating a form, you can allow a user to digitally sign this form. Information on how a user can sign the form is given below.
Microsoft Office InfoPath 2003
To sign a form
93. igital signature to a signature line, you can change the signature settings. To do this:
1. Depending on the MS Office software version, do one of the following:
o Click the Microsoft Office button and choose Prepare, and then click View Signatures. The Signatures pane (see figure on page 97) will be displayed. In the Signatures pane, right-click the signature name or the signature line, and then click Signature Setup.
o In MS Office 2010, right-click the signature line, and then click Signature Setup.
2. In the Signature Setup window (see figure on page 101), make the necessary changes and click OK.
Note: After you sign a signature line, you may view its properties in the Signature Setup window, but you can't edit it after signing.
Adding a Signature Line to a Document
In Microsoft Word 2007 and Word 2010, Excel 2007 and Excel 2010 programs, you can sign a signature line.
Note: If you open a Microsoft Office 2007 document in previous versions of MS Office, the signature line will be replaced by the common image and you can't sign it.
To add a signature in a signature line:
1. Depending on the MS Office software version, do one of the following:
o In MS Office 2007, click the Microsoft Office button and choose Prepare, and then click View Signatures. The Signatures pane (see figure on page 97) will be displayed. In the Signatures pane, right-click the signature name or the si
94. Figure 75. Certificate email address check
o If not, create a request for a new certificate
• the recipient, if you have imported the contact's certificate
• the administrator of your Certification authority, if you have added your certificate to the system store
Invalid Certificate
While sending an encrypted message, the warning message may be displayed.
Figure 76. The message about invalid certificate in Outlook 2003
95. ile
Wait until the preparation for the components installation is completed.
2. In the Changing installed software components window, click the required option:
o To add or remove a component, click Add or remove components.
o To restore the program, click Restore.
o To remove all components of the program, click Remove All Components.
Figure 5. Changing installed software components
Then click Continue.
3. If you add or remove any ViPNet software components, make the necessary changes in the Choose components window. Then click Continue.
4. Wait for the operation to be completed. Then click Close.
Starting ViPNet CSP
To configure the ViPNet CSP program, do one of the following:
• Click the Start button, choose All Programs > ViPNet > ViPNet CSP > ViPNet CSP Settings (the program location on the Start menu might have been changed at installation).
• On the desktop, double-click the shortcut (this shortcut is displayed only if the corresponding option has been selected during the installation
96. ing message will be displayed under the window title.
o To open a certificate, click View. To view the additional signing information, click the See the additional signing information that was collected link.
Unsigning an InfoPath Form
To unsign a Microsoft InfoPath form:
1. Depending on the Microsoft InfoPath software version, do one of the following:
o In Microsoft InfoPath 2003 or Microsoft InfoPath 2007, on the Tools menu select Digital signatures, or on the toolbar click Digital Signatures.
o In Microsoft InfoPath Filler 2010 or Microsoft InfoPath Filler 2013, click the File tab, and in the Info section click Digital Signatures.
The Digital Signatures window will be displayed.
2. Choose a digital signature from the list. To view a digital signature before unsigning:
o In Microsoft InfoPath 2003 or Microsoft InfoPath Filler 2013, click View Certificate. The Certificate window will be displayed.
o In Microsoft InfoPath 2007 or Microsoft InfoPath Filler 2010, click View Signed Form. The Signature Details window will be displayed. To open the certificate, click View.
3. After choosing a digital signature, click Remove.
Note: To remove all digital signatures at once in Microsoft Office InfoPath 2003, click Remove all.
4. In the confirmation window, click Yes. The digital signature will be removed from the form.
Digital Signature for Macros and D
97. k Next.
  Figure 8. First registration page.
  Your next step depends on whether you have got the ViPNet CSP serial number beforehand:
    - If you have not got the serial number, click Get the serial number free of charge (see Buying Program Getting a Serial Number on page 37).
    - If you have got the serial number, click Request registration code (see Requesting a Registration Code on page 38).
      Note: If you request your registration code online, your ViPNet CSP registration will be done automatically (no user action is required).
    - If you have already got both the serial number and the registration code, click Register (see Registering ViPNet CSP on page 47).
  Buying Program Getting a Serial Number
  To buy a serial number:
  1. In the Registration of ViPNet CSP wizard, select Get the serial number free of charge and click Next. The ViPNet products order page on the Infotecs website will be displayed in your default Internet browser. Choose the product version, fill in the request form and send it. The link to download the product and the serial number will be sent to your email. Upon receiving a serial number, return to the Registration of ViPNet CSP wizard (see Starting the Registration Process on page 35) and request a registration code (see Requesting a Registration Code on page 3
98. lick Computer.
  3. Select the container that you want to copy and click Copy.
  4. In the ViPNet CSP Key Container Initialization window (see figure on page 77), specify and confirm a password which will be used to access the created backup copy.
  5. In the ViPNet CSP Key Container Initialization window, specify a new container name and location. You can copy a key container to a folder on a hard drive or to an external device.
  6. In the ViPNet CSP Key Container Initialization window (see figure on page 79), type the password (or the PIN, if the container is located on the external device) to access the container which you need to copy. To save the password for the next reference to the container, select the Save password check box.
  Note: If you save the PIN of the device in the system, the security level becomes lower.
  7. The container copy will be displayed in the specified folder or on an external device.
  Deleting a Container
  If you don't want to use some certificate or a private key, you may delete the corresponding container. To do this:
  1. In the main ViPNet CSP window, select the Containers section (see figure on page 61).
  2. To select a container from the current user's key containers folder, click Current user. To select a container from the computer's key containers folder, click Computer.
  3. Select a container you want to delete and click Delete.
  Warning: A deleted container can't be used. We strongly recommend you to create a ba
99. ls
  Windows Live Mail
  To verify a message's digital signature, do the following:
  1. Choose the signed message from the list.
  2. In the reading pane, in the message header, the icon of a digital signature will be displayed. If some problems occur during the digital signature verification, you will be warned that you can't trust this digital signature; this information will be displayed in the message header with the red background. Message text will be replaced with Security Warning. If the message is signed with an invalid digital signature, you can do the following:
    - To view the message, click Open message.
    - To view the certificate the message has been signed with, click View Certificate.
    - To add the certificate which the message was signed with to trusted certificates, click Change the rules of trust.
  Email Encryption
  Email Encryption in Outlook 2003
  To encrypt a message:
  1. In the Outlook program, create a new message and specify the recipient.
  2. In the email message window, do one of the following:
    - On the toolbar, click Encrypt.
    - Click Options. Then in the Message Options window, click Security Settings and select the Encrypt message contents and attachments check box.
100. 2. Clear the check boxes corresponding to the devices that you don't use.
  3. To save the settings, click Apply.
  External Device Initialization
  Initialization means formatting the device memory. During initialization, all data stored on the device are removed. Password and other settings are dumped. To initialize your connected device:
  1. Make sure that the device you are going to initialize does not contain any important information. If necessary, copy the information from the external device to another device or hard drive.
  2. In the main ViPNet CSP window, select the Devices section (see figure on page 84).
  3. Choose a device from the Available devices list.
  Note: In the Available devices list, only those devices are displayed that are connected to the corresponding card reader at the moment.
  4. Click Initialize.
  5. In the message window warning you about deleting all data from the device, click Yes.
  6. In the Initialization window:
    - Type the device administrator PIN.
    - If necessary, change the user PIN. To do that, type a new PIN and confirm it in the corresponding boxes.
  7. Click OK. The device will be initialized. All data saved on a device will be lost. Now you need to use the new user PIN to access the device.
  Changing PIN
  Device PIN change may be required when the
101. ments that are signed using a valid certificate and have not been changed since the moment of signing are considered valid as well.
  Authenticity and Confidentiality of TLS/SSL Connections
  The TLS/SSL protocol is used to organize remote protected connections, for example, to get access to a remote server's resources. The TLS/SSL protocol provides one-way authentication or mutual authentication of the interacting parties, as well as confidential data transfer. You may need secure access when you share databases or repositories, or create electronic payment systems, and for some other functionality. The interaction between two hosts in a protected connection is displayed in the scheme below.
  Figure 3. Hosts communicate over TLS (web client and IIS web server: requesting an encrypted TLS connection; authenticating and verifying the connection; deriving the public key; exchanging data; closing the connection).
  Note: Besides Microsoft Internet Explorer, you may use Google Chrome or Yandex Browser as a web client. To do this, in the browser's shortcut properties, in the Object box, at the end of the path to the program folder, add the command use system ssl.
  Thus, the usage of the TLS/SSL protocol implemented by means of ViPNet CSP provides a reliable and authorized connection to remote servers and strictly controlled access to the protected data.
102. meters. In a ViPNet network, certificates are issued in ViPNet Key and Certification Authority or in ViPNet Network Manager and verified with the digital signature of the ViPNet Key and Certification Authority administrator or ViPNet Network Manager administrator. This provides authenticity and integrity of the information specified in the certificate, including its public key and description of its subject.
  See also: Digital signature (on page 178), Public key (on page 179), ViPNet Key and Certification Authority, ViPNet Key and Certification Authority administrator.
  R
  Root certificate
  A self-signed certificate of a ViPNet network administrator that is the top one in the certificate trust chain. In other words, there is no certificate you can validate a root certificate with. Root certificates are used to validate ViPNet user or issuer's certificates.
  See also: Public key certificate (on page 179).
  Index
  A
    Adding a Digital Signature to a Message: 108, 109
    Adding a Digital Signature to All Messages: 108, 118
    Advanced Configuring of Digital Signature and Encryption: 108, 120, 123, 125, 126, 164
  B
    Buying Program Getting a Serial Number: 36, 39, 41, 51
  C
    CA administrator: 179
    Certificate revocation list (CRL): 18, 23
    Certification authority (CA): 179, 181
    Checking the Web Host's Availability over the Secure HTTPS Protocol: 148, 149, 150
103. n ViPNet CSP window, select the Containers section (see figure on page 61).
  2. To select a key container from the current user's key containers folder, click Current user. To select a key container from the computer's key containers folder, click Computer.
  3. Select the key container whose password you need to change and click Properties, or double-click the necessary container.
  4. In the Container Properties window, click Change Password.
  Figure 32. Container properties window.
  5. In the Change password dialog box, type the current container password, then click OK.
  Note: If you have previously selected the Save password check box, then the Change Password window will not be displayed.
  6. In the ViPNet CSP Key Container Password window, type the new password and confirm it. Click OK. ViPNet CSP k
104. n the status bar of the document.
  2. On the Signatures pane (see figure on page 97), move the mouse cursor on a signature string and right-click it, or click the menu button on the right, and choose Remove signature.
  3. To confirm the operation, click Yes. The digital signature will be removed from the document.
  Microsoft Office 2010
  To remove a digital signature from a Microsoft Word, Excel or PowerPoint document:
  1. Open the Signatures pane by doing one of the following:
    - Click the File tab and in the Info section click View signatures.
    - Click the digital signature icon on the status bar of the document.
  2. On the Signatures pane (see figure on page 97), move the mouse cursor on a signature string and right-click it, or click the menu button on the right, and choose Remove signature.
  3. To confirm the operation, click Yes. The digital signature will be removed from the document.
  Visible Representation of a Signature Line in Word and Excel Documents
  You can add a visible representation of a signature line in the Microsoft Office software of 2007 and 2010 versions. A signature line resembles a typical signature placeholder that might appear in a printed document. When a signature line is inserted into an Office file, the author can specify information about the intended signer. When an electronic copy of the file is sent to the intended signer, this person
105. nd Generating a Private Key on page 53
  2. Create a private key or save a container with the private key on the disk or an external device.
  3. Send the certificate request file to your Certification Authority's administrator by e-mail or other means used in your company, and wait until you receive the certificate.
  4. Install the received certificate in a container (see Installing Certificates in a Container on page 66).
  5. Install the received certificate (see Installing the User Certificate in the System Store on page 68), the issuer's certificate and CRL (see Installing Issuer's Certificates and CRL on page 73) in the system store.
  Creating a Certificate Request and Generating a Private Key
  To create a request for a new certificate or to renew an existing certificate:
  1. On the Start menu, click All programs > ViPNet > ViPNet CSP > Create a certificate request.
  2. In the Certification Authority window, choose one of the following:
    - Request new certificate, to create a new certificate request.
    - Request a renewal of the existing certificate, to renew an existing certificate.
  When you are creating a certificate renewal request:
    - In the Renew Certificate window, select the certificate to be renewed and click OK.
    - If you need to select another certificate or view the selected certificate, use the Select certificate and Selected certificate buttons.
    - If necessary, specify new cert
106. o your ViPNet network administrator. This means that you personally don't request your registration code from Infotecs. Instead, you use the Registration of ViPNet CSP Wizard to collect your registration data and then pass it to your ViPNet network administrator.
  Note: If you would like to register only one copy of ViPNet CSP using a file, first complete actions 1-6 described in this chapter and then follow the instructions given in the chapter System Administrator Actions for Registration Using a File (on page 50). Then complete the step 7 to register your copy of ViPNet CSP (see Registering ViPNet CSP on page 47).
  It is your ViPNet network administrator who collects your and other ViPNet users' registration data and sends it to Infotecs. It is your ViPNet network administrator who obtains your and other ViPNet users' registration codes and then passes them to you and your fellow ViPNet users. Upon receiving your registration code from your ViPNet network administrator, you can register your ViPNet CSP.
  To register your ViPNet CSP using a file:
  1. On the Registration request options page, choose Using file. The Registration data page will be displayed.
  2. Provide all your data as described in Requesting Your Registration Code on the Internet online (on page 38). Click Next.
  3. On the Saving registration data page, click Browse and select the folder that will store the file containing your registra
107. o Intermediate Certification Authorities, if you are installing CRL. Click OK.
  5. After you choose a certification store, click Next.
  6. On the Completing the Certificate Import Wizard page, click Finish.
  Warning: If the system can't validate the certificate (for example, if the Internet connection or ViPNet host is not available), then the Security Warning window will be displayed. To install the certificate, click Yes. Install only the certificates in which you are confident.
  7. In the The import was successful message box, click OK. The installation will be complete. After that, if you have already installed the user's certificate, you may begin working with protected documents (see ViPNet CSP Scope on page 22).
  Working with Containers
    Viewing and Configuring Container Properties 76
    Creating a Backup Copy of a Container 81
    Deleting a Container 82
  Viewing and Configuring Container Properties
  In the container properties window, you may:
    - View information about a private key and a certificate which are stored in the container.
    - Change the password you use to access a container.
    - Delete a previously saved container password.
    - Install a certificate manually.
    - Check or delete a private key stored in a container.
  Changing the Container Password
  To change the password of the container which is located in a folder on the disk:
  1. In the mai
108. Figure 13. Registration request by phone.
  This page displays all the data you need to tell Infotecs.
  1. Call Infotecs on the phone number specified at the top of the window and request a registration code.
  2. When you receive the registration code, click Next. The Register page will be displayed.
  Figure 14. Entering the serial number and registration code.
  3. On the Register page, type your serial number and registration code, then click Next.
  Note: If you have ever previously typed your serial number in this box, your serial number will be entered automatically.
  If you provided correct data, the Registration of ViPNet CSP was successful page will be displayed. This page will also display some suggestions on how to securely backup your registration data (see Saving Registration Data on page 49).
  4. Click Finish.
  Receiving Your Registration Code from the Administrator
  The idea behind registering using a file is to delegate the registration code receiving process t
109. ok 2003 program, open the Certificates tab.
    - In the Outlook 2007 or Outlook 2010 program, on the Contact tab, under Show, click Certificates.
    - In the Windows Live Mail program, choose the IDs section.
  4. Click Import.
  5. In the Select digital ID file to import window, specify the path to the certificate file and click Open. The chosen certificate will be added to this contact.
  6. To make sure that you can trust the added certificate, choose it and click Properties. If, in the Certificate window on the General tab, the [icon] or [icon] is displayed, the certificate can't be trusted.
  7. If the certificate is not trusted, in the Certificate window on the General tab click Trust this certificate. Then click OK.
  Warning: If after the certificate's import a message is displayed that the email address specified in this certificate is not found in the list (see Email Address of the Certificate Is Not Found on the List of Contact Addresses on page 159), then you can't encrypt an email message using this certificate.
  To send the contact's card with a certificate:
  1. In the Microsoft Outlook or Windows Live Mail program, create a new contact and fill contact with your data.
  2. Import your certificate into a contact.
  3. On the contact context menu:
    - In the Outlook 2003 program, click Forward.
    - In the Outlook 2007 program, click Send Full Contact and then choose In Outlook Format.
    - In the Outlook 201
110. on authority
  Microsoft Outlook
  To add a digital signature to all messages:
  1. Open the email security management window. To do this:
    If you use Microsoft Outlook 2003:
    - On the Tools menu, select Options.
    - In the Options window, click the Security tab.
    If you use Microsoft Outlook 2007:
    - On the Tools menu, select Trust Center.
    - In the Trust Center window, click the E-mail Security tab.
    If you use Microsoft Outlook 2010 or 2013:
    - Click the File tab and select Options. In the Outlook Options window, select Trust Center and click Trust Center Settings.
    - In the Trust Center window, select the E-mail Security section.
  2. Under Encrypted e-mail, select the Add digital signature to outgoing messages check box.
  Figure 52. Configuring encrypted e-mail parameters in the Trust Center window.
  3. Make sure that the Send clear text signed message when sending signed messages check box is selected; otherwise, the recipients who do not use the S/MIME protocol can't read your message.
  4. Click Settings. The Change Security Settings window will be displayed.
111. ools menu, click Accounts.
  2. In the Accounts window, choose an account and click Properties.
  3. In the account properties window, click the Security tab.
  4. Under Signing certificate, near the Certificate box, click Select and specify the necessary certificate which you will use to sign messages.
  5. Under Encrypting preferences, near the Certificate box, click Select and specify the necessary certificate which you will use to sign messages.
  6. In the Algorithm list, choose an encryption algorithm.
  7. Click OK.
  Adding a Digital Signature to All Messages
  Microsoft mail clients allow you to add a digital signature to email messages to guarantee the authenticity and integrity of your message and also to ensure non-repudiation. To ensure the confidentiality of a message, you need to encrypt it (see Email Encryption on page 121). Below you can find the scenario of adding a digital signature to your outgoing messages in the Microsoft Outlook and Windows Live Mail programs.
  Warning: To sign email messages, you need a public key certificate where the certificate owner's email address is specified and, in the Enhanced Key Usage box, the attribute Secure Email is enabled. If you don't have such a certificate, you can't add a digital signature to a message. To sign email messages, create a request for a new certificate, specify your email address, and deliver your request to the administrator of your Certificati
112. or generating random numbers.
    - External device Token PKCS #11: to use external devices eToken Aladdin or eToken GOST for generating random numbers.
    - Random binary sequence: to use a previously generated sequence of numbers. If you choose this option:
      - Click Properties.
      - In the Properties window, click Add binary sequence.
      - In the Browse window, select a folder where the files containing binary sequence are located.
    - Hardware random numbers generator installed on computer.
  To save properties, click OK. To view information about the chosen random number generator, click Properties. To check the operability of biological or hardware random number generators, in the Properties dialog box click Test. After the test, the results will be displayed.
  Digital Signature in Microsoft Office Documents
    Digitally Signing a Document 92
    Viewing a Digital Signature 96
    Removing a Digital Signature 99
    Visible Representation of a Signature Line in Word and Excel Documents 101
  Digitally Signing a Document
  When you are working with documents in Microsoft Office programs, you may use a digital signature. This section contains information about adding a digital signature in Microsoft Word, Excel and PowerPoint documents of various Microsoft Office versions.
  Microsoft Office 2003
  To add a digital signature in Mic
113. Figure 27. Adding the certificate to the container.
  In the Open window, select the certificate file which corresponds to the private key in the container and click Open. If you have chosen the correct certificate, it will be added to the container. Otherwise, you will see an Invalid certificate message.
  Note: To view this certificate after adding, in the Key Container Properties window click Refresh.
  Installing the User Certificate in the System Store
  To use a public key certificate in different applications, you should install it in the certificates system store. There are two ways to do it:
    - If the certificate is not installed in the container with the corresponding private key, you should install the certificate in the system store in the Containers section (see Installing a Certificate Which Has Not Been Added to the Container on page 68).
    - If the certificate is already installed in the container, you should install
114. ou add a container, you will be prompted to install the certificate into the system store. If the certificate has not been installed, you should do it manually (see Installing a Certificate from Container on page 71).
  4. Install the issuer's certificate and a certificate revocation list in the system store (see Installing Issuer's Certificates and CRL on page 73).
  Note: If you are a web server administrator and you want to organize a secure connection to your server over TLS/SSL, configure the server and web clients for work over the TLS/SSL protocol (see Organizing a Protected Connection via TLS/SSL on page 144).
  5. Upon completing the above-mentioned steps, you may use any programs that use a cryptographic service provider in their work (see ViPNet CSP Scope on page 22). These can be programs for working with a digital signature, encryption, secure communication, and others.
  Figure 4. Start using ViPNet CSP.
  Setting Up and Starting ViPNet CSP
    ViPNet CSP Setup 26
    Running Setup from the Command Line 28
    Adding, Uninstalling and Restoring ViPNet CSP Components 29
    Starting ViPNet CSP 31
    ViPNet CSP Licensing 33
  ViPNet CSP Setup
  If the ViPNet CSP program is part of ViPNet software, it is installed together with this software. If you need to install the program separately, follow the instructions in this section. To install ViPNet CSP, you should have OS administr
115. ou may add an attachment. Click Send. The ViPNet CSP Key Container Password window (see figure on page 79) will be displayed. Type your password and click OK.
  Viewing the Message's Digital Signature
  Microsoft Outlook
  To verify a message's digital signature, do the following:
  1. Open the message with a digital signature.
  2. In the Signed by status line, check the email address of the user who signed the message.
  Figure 57. Verifying the digital signature of the message.
  Warning: If the email address in the Signed by status line does not match the sender's address specified in the From line, then the true sender is the user who signed this message.
  If some problems occur during the digital signature verification, the Signed by status line will be underlined.
  Figure 58. Message with an invalid digital signature.
  3. To see more information about this problem, click Digital Signature. The Digital Signature Valid window will be displayed. If a digital signature you want to use is not valid, the Digital Signature Invalid window will be displayed.
  4. For more information about the certificate, click Detai
116. Figure 53. The Change Security Settings window.
  5. Fill the Security Settings Name box.
  6. Click Choose near the Signing Certificate box.
  7. In the Select a Certificate window, select a certificate from the list. To view a certificate, click the Click here to view certificate properties link. After choosing the certificate, click OK. The same certificate will be automatically chosen for encryption.
  Warning: If the certificate chosen for creating a digital signature does not contain any email address, or the specified email address does not correspond to the outgoing message's address, you can choose this certificate as a digital signature certificate. If the chosen certificate does not contain an outgoing email address, the following problems may occur:
    - In the system store, there is another certificate with the email address similar to the outgoing email address. When you sign your email message, the digital signature will be created using this certificate, but not using the certificate specified before.
    - In the system store, there are no certificates with the email address similar to the outgoing email address. When you try to sign the message, the digital signature
117. r host:
    - Configure IIS.
    - Install the ViPNet CSP cryptographic service provider.
    - In the system store, install the server's user certificate, the issuer's certificate (root certificate) and the actual CRL.
  For more information, see the Configuring a Server Host section (on page 146).
  2. To configure a client host:
    - Install the ViPNet CSP cryptographic service provider.
    - In the system store, install the client's user certificate, the issuer's certificate (root certificate) and the actual CRL.
    - If necessary, configure Internet Explorer for work over the TLS/SSL protocol.
  For more information, see the Configuring a Client Host section (on page 147).
  Configuring a Server Host
  To configure the server host, do the following:
  1. Configure IIS.
  2. Install the ViPNet CSP cryptographic service provider (see Setting Up and Starting ViPNet CSP on page 25).
  3. Create a certificate request for a server (see Creating a Certificate Request and Generating a Private Key on page 53) and send it to the Certification Authority.
  4. Get a certificate for IIS issued by request from the administrator of your Certification Authority, and also get a root certificate and CRL.
  Warning: Server user certificate should contain Data Encipherment attribute in the Key Usage field and Client Authentication attribute in the Enhanced Key Usage field.
  5. Install the received certificate in a key container (see Installing Cer
118. r signing documents intended for submission of financial statements.
    - WEB server: to create a certificate on the IIS web server.
    - Standard: for the remaining cases.
  To have an opportunity to export a certificate, select the Exportable check box. To create a certificate for installing it to the system store, select the System check box. In the Provide details about the owner of the certificate section, specify the necessary information about yourself (the person for whom the certificate will be generated).
  Figure 21. Typing the data on the certificate owner.
  Warning: If you plan to use the certificate for signing MS Outlook messages, you need to specify the email address. You can't use a certificate without an email address for signing email messages.
  5. In the Save Your Request section, click Browse and specify a folder on a hard or removable drive for storing the request file, and also specify a name for the file.
  Note: The request file format is determined by the rules of your Certification Authority. We recommend you to include your name and surname in the request file name so that your request is easily identifiable.
  6. Click Create request. This button appears after all required fields are filled.
  Warning: I
119. ransferred into the specified folder.
  4. Copy the container to the computer where the ViPNet CSP program is installed.
  Warning: After you delete the container from your ViPNet host, you can't use signature keys.
  5. Install the container in the ViPNet CSP program (see Installing Container from a Folder on page 61).
  Installing Containers and Certificates
    Ways to Install a Private Key and a Certificate 60
    Installing Container from a Folder 61
    Installing Container from an External Device 64
    Installing Certificates in a Container 66
    Installing the User Certificate in the System Store 68
    Installing Issuer's Certificates and CRL 73
  Ways to Install a Private Key and a Certificate
  To work with the digital signature, do the following:
  1. Install the container containing your private key:
    - If a private key and a certificate are located in the same container in a folder on the hard drive, see the section Installing Container from a Folder (on page 61).
    - If a private key and a certificate are located in the same container on an external device, see the section Installing Container from an External Device (on page 64).
    - If the certificate was issued in the certification authority by request and as a result you have a container with a private key and a separate .cer file, see the section Installing Certificates in a Container (on page 66).
120. rints in the text of all documents supplied with ViPNet software. However, no one is perfect, and mistakes do occur. If you find an error in one of our documents, like a spelling mistake or some inaccuracy in describing user scenarios or system features, we would be very grateful for your feedback. By sending in errata, you may save other readers hours of frustration, and at the same time you will be helping us provide documentation of even higher quality.

Using ViPNet CSP in Data Protection Systems
ViPNet CSP Purpose 15
Encrypting and Signing Documents 16
Key Container 18
Digital Signature 20
Authenticity and Confidentiality of TLS/SSL Connections 21
ViPNet CSP Scope 22

ViPNet CSP Purpose
The main purpose of the ViPNet CSP cryptoprovider is to enable you to implement cryptographic functions in Windows OS.
Note: Since the cryptographic service provider is an independent software component, you don't need to start any other client ViPNet software for it to work properly.
ViPNet CSP may perform the following tasks:
• Authenticating and ensuring the authenticity of documents in secure document exchange systems. For this purpose, we've implemented the means of digital signature generation and verification in accordance with GOST R 34.11-94, GOST R 34.11-2012, GOST R 34.10-2001 and GOST R 34.10-2012.
• Ensuring information confidentiality and integrity by encryptin
121. roperties on page 76.
   o To delete the container from an external device, click Delete.
Note: If the Containers located on the selected device list is empty, there are no containers on this device.

Configuring the Devices List
On the Devices list configuration tab, you can specify the types of devices which should be polled when the search for keys is performed. If the check box associated with a device type is cleared, such devices can't work with the program. By default, all supported devices are polled. To increase the speed of key search, disable devices you don't use. To do this:
1. In the main ViPNet CSP window, select the Devices list configuration section.
Figure 36. Devices list configuration
122. rosoft Office 2010
2. When you have chosen the certificate, click Sign. The ViPNet CSP Key Container Password window (see figure on page 79) will be displayed.
3. Type your password and click OK. The message about the successful addition of the digital signature will be displayed.
In the Info section, this document will be marked as final to discourage editing.
Figure 41. The document has been marked as final to discourage editing
On the status bar of the document window, an icon will be displayed. This icon means that the document contains a digital signature.
After you have added a digital signature, you can't edit the document. To edit the signed document, you need to remove the digital signature (see Removing a Digital Signature on page 99).

Viewing a Digital Signature
Microsoft Office 2003
To view a digital signature in a Microsoft Word, Excel or PowerPoint document:
1. On the Tools menu, click Options.
2. On the Security tab, click Digital Signatures.
3. In the Digital Signature window, choose a certificate and click View Certificate (see figure on page 92). If the certificate is not trusted, on the General tab of
123. rosoft Word, Excel and PowerPoint documents:
1. Save a document.
2. On the Tools menu, click Options.
3. On the Security tab, click Digital Signatures.
4. In the Digital Signature window, click Add.
Figure 38. Adding a digital signature in Microsoft Office 2003
Note: If you haven't saved the document earlier, you will be prompted to save it before adding a digital signature. In the message window, click Yes.
1. The Select a Certificate window will be displayed. To view information about a certificate, select it and click View Certificate.
2. In the Select a Certificate window, select the certificate and click OK. The ViPNet CSP Key Container Password window (see figure on page 79) will be displayed.
3. Type your password and click OK. The chosen certificate will appear in the The following have digitally signed this document list in the Digital Signature window.
4. Double click OK to close the windows.
On the status bar of the document window, an icon will be displayed. This icon means that the document contains a digital
124. rtificate is marked with a red X.

Unsigning a Macro
To remove a digital signature from a macro project, do the following:
1. In the Microsoft Visual Basic editor, on the Tools menu, select Digital Signature. The Digital Signature window (see figure on page 140) will be displayed.
2. To remove a digital signature, click Remove. The digital signature will be removed from the project.

Signing Microsoft Access 2007 and 2010 Databases
Microsoft Access 2007 and Microsoft Access 2010 software allows you to sign databases during publishing. After you create a Microsoft Access 2007 or Microsoft Access 2010 database file, you can pack it and add a digital signature, and then share the signed package with other users. The users who received the package may extract the database from it and work with this database.
Note: You can't sign separate database components if they were created in Microsoft Access versions earlier than Microsoft Access 2007. For more details, see Macro Digital Signature on page 139.
To pack and sign a Microsoft Access database:
1. Depending on your software version, do one of the following:
   o In MS Office 2007, click the Microsoft Office button, point to Publish, and then click Package and Sign.
   o In the Microsoft Access 2010 program, on the File tab, click Save & Publish. Under Save Database As, click Package & Sign, and then click Save As.
2. The
125. rtificates on page 59.
• You can use standard operating system tools (see Installing Issuer's Certificates and CRL on page 73) to install the issuer's certificate and CRL.
ViPNet CSP allows you to install private keys and public key certificates in the following ways:
• Adding a container with a private key and a certificate. The container may be located in a folder on a disk (see Installing Container from a Folder on page 61) or on an external device (see Installing Container from an External Device on page 64).
• Installing the certificate and choosing the corresponding private key from the container in a folder on a disk or on an external device (see Installing the User Certificate in the System Store on page 68).
A certificate can be stored separately from a private key in cases when the certificate is created on a user's request. A certificate and a private key are stored in the same container when the certificate request is initiated by the Certification Authority administrator.
A container format depends on the particular cryptographic service provider's vendor. Certificate files are always created only in the following standard formats:
• X.509 format containing only a certificate (files with extensions .crt or .cer).
• PKCS #7 or PKCS #12 formats. These formats are intended for storing encrypted and signed messages together with the necessary certificates. One of these file formats can also be used
126. s Live Mail window, on the Tools menu, select Safety Options. In the Safety Options window, click the Security tab (see figure on page 114). Under Secure Mail, select the Encrypt contents and attachments for all outgoing messages check box. Click OK.
After that, all your outgoing messages will be encrypted if the recipient's certificates were added to the contacts.

Viewing the Encrypted Messages
The encrypted message you've received is marked with an icon in Microsoft Outlook or in Microsoft Windows Live.
When you choose an encrypted message in the Microsoft Outlook program, the following notification message will be displayed in the reading pane: This item can't be displayed in the Reading Pane. Open the item to read its contents.
In the Windows Live Mail program, when you choose an encrypted message, you are prompted to type the password to the key container. Thus, your message is protected from unauthorized access.
Warning: You need the ViPNet CSP program to view an encrypted message.
To view an encrypted message:
1. In the Microsoft Outlook program, double-click the required message in the list. In the Windows Live Mail program, choose the required message from the list.
2. In the ViPNet CSP Key Container Password window (see figure on page 79), type the password used for your private key protection. After that, the message with all its
127. s intended for the contact in question. If not, select the certificate you want to import.
Figure 74. Certificate's owner verification
• If the certificate does not contain the email address of this contact:
   o Open the Certificate window by double-clicking the certificate file on your hard drive.
   o On the Details tab, click the Subject box and make sure that the E parameter has the correct email address as its value.
128. s that your previous registration data became obsolete. You will not be able to register your ViPNet Network Manager using those data after its reinstallation. That is why you should copy this updated brg file into a secure location. If you reinstall ViPNet CSP on this computer, you should copy this very file to the ViPNet CSP installation folder. Only after that will the application consider itself registered.

System Administrator Actions for Registration Using a File
Registration using a file allows a company to request and receive registration codes for several users via a single person. This person is normally the organization's system administrator.
To register using a file, all ViPNet users must have their product's serial number. If not, they need to buy it via the Registration of ViPNet CSP (see Buying Program Getting a Serial Number on page 37). Each user should have created, from their computer, a request for registration using a file (see Receiving Your Registration Code from the Administrator on page 44). This creates a txt file containing registration data, which they will send to their system administrator.
If you are a system administrator:
1. Save the files obtained from ViPNet users and containing their registration data to the same folder.
2. When you have them all, combine them using the copy command: copy txt registration all
You can use another file name instead of registration all
129. se ViPNet CSP on a web server to get access to protected resources, you need to install a certificate into the store. If you can't install a certificate into the store, log on to the system as an administrator.
On the Ready to install this certificate page:
   o Check if the parameters have been configured correctly. If necessary, click Back to return to the previous page of the wizard and configure the parameters in a different way.
Figure 29. The certificate is ready for installation
   o If the certificate is stored in a file separately from the private key, select the Choose container with your private key check box. Specify the private key container location. Click Next.
   o If the Choose container with your private key check box
Note: The Choose container with your private key check box is optional. If you do not select the check box, after the wizard completes the operation you will need
130. ssages, create a request for a new certificate, specify your email address, and deliver your request to the administrator of your Certification authority.
Microsoft Outlook and Windows Live programs allow you not only to exchange encrypted messages but also to encrypt documents and files (see Encrypting Documents and Files on page 127).

Exchanging Certificates with the Message Recipient
To encrypt an email message, you need a certificate of its recipient. You can exchange certificates by:
• Sending a message with a digital signature (see Adding a Digital Signature to a Message on page 116). By saving the sender's email into contacts, the recipient adds the sender's certificate.
• Sending the certificate file (.cer) to a recipient in an email message or on a removable drive, or storing the certificate file in a public network store. This feature allows the recipient to import the certificate file into contacts.
• Creating and sending a contact with the certificate file.
Warning: The recipient's certificate and your certificate should contain the owner's email addresses (see Email Address of the Certificate Is Not Found on the List of Contact Addresses on page 159).
To import the certificate into contacts:
1. In the Microsoft Outlook or Microsoft Windows Live program, in the navigation pane, choose Contacts.
2. Double-click the required contact.
3. Open the window for managing the user's certificates:
   o In the Outlo
131. Overview 173
Supported External Storage Devices 175
Appendix B Glossary 177
Appendix C Index 181

Introduction
About This Document 9
About ViPNet CSP 11
Feedback 13

About This Document
In this document, you can learn about the purpose of the ViPNet CSP program and find how-to topics on its usage. Here you can also get an overview of the ViPNet CSP features, explore the principles of the program operation, and find the description of the graphical user interface.

Audience
This document appeals to those who use certificates in ViPNet CSP for encrypting documents in digital document workflow and Outlook messages, for signing, for digital signatures verification, as well as to system administrators who organize remote access to resources over TLS/SSL protocols. A ViPNet CSP user does not have to be an information technology professional. However, at least the minimal level of exposure to network technologies (IP protocols, firewalls) and information security is recommended.

Document Conventions
This document uses the following conventions:
Table 1. Document conventions
Icon Descrip
132. te is not installed or has been installed incorrectly, you need to install or reinstall it correctly in the system store (see Installing Issuer's Certificates and CRL on page 73).

The Browser Is Not Configured to Work over the TLS Protocol
By default, Internet Explorer settings allow you to work over the encrypted TLS protocol. If you can't connect to the server, make sure that the necessary certificate is added to the web browser and the TLS/SSL protocol is enabled in the browser settings.
To check that the certificate is added to your web browser:
1. In the Internet Explorer browser, on the Tools menu, click Internet Options.
2. In the Internet Options window, on the Content tab, click Certificates.
3. In the Certificates window, on the Personal tab, make sure that the necessary certificate is present on the list.
4. Choose the certificate and click View.
5. In the Certificate window, make sure that the certificate contains the Client Authentication attribute (see figure on page 168). If your certificate does not contain this attribute, ask for a certificate with this attribute in the Key and Certification Authority (see ViPNet Administrator Key and Certification Authority Administrator's Guide).
133. ted without a signature check box. To save the settings, click OK.

Microsoft Office InfoPath 2007
To allow users to sign a Microsoft Office InfoPath 2007 form, do the following:
1. Create or open a form template in a constructor mode.
2. On the Tools menu, click Form Options.
3. In the Form Options window, click the Digital Signatures tab.
Figure 62. The Digital Signatures tab
If you want the user to sign the entire form, choose the Enable digital signatures for the entire form. If necessary, you may also select the Prompt user to sign the form if it is submitted without a signature check box.
If you want the user to sign a part of the form, choose the Enable digital signatures for specific data in the form.
   o To specify data for signing, click Add. The Set of Signable Data window will be displayed.
134. tificates in a Container on page 66.
6. In the system store of a local computer, install the server certificate (see Installing the User Certificate in the System Store on page 68), the issuer's certificate and the CRL (see Installing Issuer's Certificates and CRL on page 73).
7. Check that the network host is accessible over the secure HTTPS protocol (see Checking the Web Host's Availability over the Secure HTTPS Protocol on page 149).

Configuring a Client Host
To configure a client host, do the following:
1. Install the ViPNet CSP cryptographic service provider (see Setting Up and Starting ViPNet CSP on page 25).
2. Create a user certificate request for a web client (see Creating a Certificate Request and Generating a Private Key on page 53) and send it to the Certification Authority.
3. Get the certificate for a web client issued on your request and the issuer's certificate with a CRL from the administrator of your Certification authority.
Warning: The user certificate for a client host should contain the Client Authentication attribute in the Enhanced Key Usage field.
4. Install the received certificate in a key container (see Installing Certificates in a Container on page 66).
5. In the system store of the current user, install the received certificate (see Installing the User Certificate in the System Store on page 68), the issuer's certificate and the CRL, see Installing Issuer's Certificates and CRL
135. tion
Warning: Indicates an obligatory action or information which may be critical for continuing user operations.
Note: Indicates a non-obligatory but desirable action or information which may be helpful for users.
Tip: Contains additional information.

Table 2. Conventions for highlighted information
Icon: Description
Name: The name of an interface element. For instance, the name of a window, a box, a button, or a key.
Key+Key: Shortcut keys. To use the shortcut keys, press and hold the first key and press other keys.
Menu > Submenu > Command: A hierarchical sequence of elements. For instance, menu items or sections in the navigation pane.
Code: A file name, path, text file (code) fragment, or a command executed from the command line.

About ViPNet CSP
ViPNet CSP is a cryptographic service provider (see ViPNet CSP Purpose on page 15) which calls cryptographic functions from various Microsoft programs and other programs using the Microsoft CryptoAPI 2.0 interface.
With ViPNet CSP, you can:
• Create signature keys (see Digital signature on page 178) in accordance with the GOST R 34.10-2001 and the GOST R 34.10-2012 algorithms.
• Calculate and verify a digital signature in accordance with the GOST R 34.10-2001 and the GOST R 34.10-2012 algorithms.
• Hash data in accordance with the GOST R 34.11-94 and the GOST R 34.10-2012 algorithms.
• Encrypt
136. tion data
Figure 15. Saving registration data
4. Click Next. The registration data is saved in a text file named after the serial number of the program (<serial number>.txt).
Figure 16. Registration data have been saved
Click Finish. Send the file containing your registration data to your system administrator. When you receive your registration code from your system administrator, register your ViPNet CSP (see Registering ViPNet CSP on page 47).

Registering ViPNet CSP
Upon receiving the registration code from Infotecs, you can register your ViPNet CSP. To do this:
1. Launch the Registration of ViPNet CSP (see Starting the R
137. to is selected and the container is not found or is unavailable, then in the ViPNet CSP Key Container Initialization window specify the key container location:
   o a folder on a disk (see Installing Container from a Folder on page 61)
   o a device; you will need to specify its parameters and a PIN (see Installing Container from an External Device on page 64)
Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices on page 175.
Then click OK.
8. In the Do you want to store both the certificate and the private key in the same container message window, click Yes to store the certificate in the key container or No to keep the certificate as a separate file.
Tip: It is convenient to store a certificate in a key container if you are going to export and install the container onto another computer.
9. If the Choose container with your private key check box is selected and the container is available, in the ViPNet CSP Key Container Password window, in the Password box, type the password to access the container and click OK.
Note: The ViPNet CSP Key Container Password window is not displayed if you have previously saved the password and selected the Do not show this window again check box.
10. On the Compl
138. ViPNet CSP Scope
With ViPNet CSP, you can perform the following operations:
• encrypt Microsoft Outlook, Microsoft Outlook Express, Microsoft Windows Mail and Microsoft Windows Live Mail messages and their attachments (see Email Encryption on page 121)
• generate and verify a digital signature in Microsoft Office programs (see Digital Signature in Microsoft Office Documents on page 91)
• sign Microsoft Outlook, Microsoft Outlook Express, Microsoft Windows Mail and Microsoft Windows Live Mail messages (see Digital Signature and Encryption in Microsoft Mail Programs on page 105)
• sign Microsoft Office InfoPath forms (see Digital Signature in Microsoft Office InfoPath on page 128)
• sign macros in Microsoft Word, Excel, Outlook, PowerPoint, Access, Publisher and Visio programs (see Macro Digital Signature on page 139)
• establish protected TLS/SSL web connections by using an IIS server and the Microsoft Internet Explorer browser (see Organizing a Protected Connection via TLS SSL on page 144)
• perform cryptographic functions in the DocVision electronic document workflow
• authenticate in Windows with the Kerberos protocol
• perform cryptographic operations required for Active Directory Certificate Services

Quick Start
If you need to secure electronic documents by means of cryptography and to digitally sign documents, ensuring their authenticity and integrity, you should install a special
139. will not be added. To sign an email message with a certificate, create a request for a new certificate, specify the correct email address, and send your request to your certification authority administrator.
8. To save the settings, double click OK.

Windows Live Mail
To add a digital signature to all messages:
1. In the main Windows Live Mail window, on the Tools menu, select Safety Options.
2. In the Safety Options window, click the Security tab.
3. Under Secure Mail, select the Digitally sign all outgoing messages check box.
Figure 54. Adding a digital signature to all outgoing messages
4. Click Advanced. The Advanced Security Settings window will be displayed
140. will be displayed.
10. Type your password and click OK.
You can't change the form or fields after signing.

Viewing an InfoPath Form Signature
To view a digital signature in a Microsoft InfoPath 2003 form:
1. Depending on the Microsoft InfoPath software version, do one of the following:
   o In Microsoft InfoPath 2003 or Microsoft InfoPath 2007, on the Tools menu, select Digital signatures, or on the toolbar click Digital Signatures.
   o In Microsoft InfoPath Filler 2010, click the File tab, and in the Info section click Digital Signatures.
   o In Microsoft InfoPath Filler 2013, click the File tab, and in the Info section click View signatures.
The Digital Signatures window will be displayed.
2. If you use Microsoft InfoPath 2003, choose a certificate from the list and click View Certificate. If the certificate is untrusted, then in the Certificate window, on the General tab (see figure on page 96), a message informing you about the problem will be displayed. An untrusted certificate is marked with a red X.
3. In Microsoft InfoPath 2007, Microsoft InfoPath Filler 2010 or Microsoft InfoPath Filler 2013, choose a digital signature from the list and click View Signature. The Signature Details window (see figure on page 98) will be displayed.
   o The Signature Details window contains brief information about the signature and the certificate. If any certificate validation errors occur, the correspond
141. with a Digital Signature 129
Microsoft Office InfoPath 2003 129
Microsoft Office InfoPath 2007 129
Microsoft Office InfoPath 2010 131
Signing an InfoPath Form 133
Microsoft Office InfoPath 2003 133
Microsoft Office InfoPath 2007, 2010 and 2013 134
Viewing an InfoPath Form Signature 136
Unsigning an InfoPath Form 137
Digital Signature for Macros and Databases 138
Macro Digital Signature 139
Digitally Signing a Macro 139
Verifying a Macro's Digital Signature 140
Unsigning a Macro 141
Signing Microsoft Access 2007 and 2010 Databases 142
Organizing a Protected Connection via TLS/SSL 144
Checklist Organizing Access to a Protected We
142. y certificates, binding public keys with respective user identities by means of a certification authority. See also: Certification authority (CA) on page 177, Public key on page 179, Public key certificate on page 179.

Private key
The secret part of a key pair used in asymmetric encryption. A private key is intended to generate a digital signature that can be verified by the corresponding public key, and to decrypt a received message encrypted by using the corresponding public key. A digital signature key is a private key. See also: Digital signature on page 178, Public key on page 179.

Public key
An asymmetric encryption key, one of an asymmetric key pair. It need not be kept secret and can be distributed freely and published in a network-accessible directory. A public key is used to verify a digital signature. In ViPNet CSP, it is used for encryption. See also: Digital signature on page 178.

Public key certificate
An electronic document of a previously specified format that uses a digital signature to bind a public key with identity information, such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. A certificate contains information about the key owner, the public key, about its purpose and usage, about the certification authority that has issued the certificate, the certificate validity period and some other para
143. y the ViPNet software. For each external device, the table contains description, conditions, operation specifics and information on PKCS #11 standard support.
Note: PKCS #11 (also known as Cryptoki) is one of the PKCS standards (Public Key Cryptography Standards, cryptographic standards of public keys) developed by the RSA Laboratories company. The standard defines the API interface independent of the platform and intended for the work with cryptographic devices of identification and data storage.
Table 5. Supported external devices
Device name in Device name and type ViPNet CSP eToken eToken PRO Java Aladdin eToken PRO personal electronic keys eToken PRO Java eToken PRO smart cards by Aladdin Company iButton iButton Dallas Aladdin electronic keys of the DS1993 DS1994 DS1995 and DS1996 types Smartcard Smartcards with Athena memory of the I2C ASE M4 type synchro cards with a 2 3 bus and protected memory meeting the requirements of the 1SO7816 3 ASE MP42 standard Requirements The PKI Client software of the 5 1 version or later should be installed on the computer Note You can use eToken PRO SmartCard with any standard PC SC compatible USB card reader A reader device must be connected to the computer The 1 Wire Drivers software version 3 20 or 4 0 3 which ensures data exchange with iButton should be installed on the computer The ASEDrive HI PRO S reader by Athena company