How do I create a certificate signing request with GOST encryption for the Ministry of Digital Development?
Hello! I have a task of creating a certificate signing request for the Ministry of Digital Development through the Gosuslugi portal for a website. Last year the process was simpler and used RSA encryption, but this year the requirements have changed and now it’s necessary to use GOST encryption.
I’m trying to achieve this using:
- Standard OpenSSL (which worked before but no longer supports GOST)
- Red OS with pre-installed gost-engine (attempts were unsuccessful)
I’ve found information online about the need to build from source for GOST encryption.
Has anyone encountered a similar task? Please share your experience in solving the problem of creating a CSR with GOST encryption for the Ministry of Digital Development.
Creating a Certificate Signing Request with GOST Encryption for MinCifra through Gosuslugi
To create a certificate signing request with GOST encryption for MinCifra through Gosuslugi, you need to use specialized tools that support Russian cryptographic standards. The main difficulty is that standard OpenSSL doesn’t fully support GOST algorithms, so specialized solutions are required.
Table of Contents
- Requirements for MinCifra Certificates
- Tools for Creating CSR with GOST
- Step-by-Step Instructions for Creating a Request
- Common Problems and Solutions
- Verifying the Request
Requirements for MinCifra Certificates
To obtain a certificate through Gosuslugi, the following requirements must be met:
- Certificate Type: SSL/TLS certificate with support for GOST R 34.10-2012 and GOST R 34.11-2012
- Key Pair: 256-bit key on the GOST R 34.10-2012 elliptic curve (curve named “id-GostR3410-2001-CryptoPro-A-Param” or “id-GostR3410-2012-256-A-Param”)
- Signature Algorithm: ECDSA with GOST R 34.10-2012
- Extensions: Must include extensions for server authentication and use in web services
It’s important to note that since 2024, MinCifra has tightened requirements for cryptographic algorithms, abandoning RSA in favor of domestic standards.
Tools for Creating CSR with GOST
1. GostEngine for OpenSSL
GostEngine is an extension for OpenSSL that adds support for Russian cryptographic algorithms:
# Install GostEngine
sudo apt-get install libgost-engine
2. CryptoPro CSP
Professional solution from CryptoPro:
# Example using CryptoPro CSP
certmgr -inst -cont "My" -newkey -len 256 -alg GOST_2012_256
3. LibreSSL with GOST support
Some LibreSSL builds include GOST support:
# Check GOST support in LibreSSL
openssl list -digest-commands | grep gost
openssl list -public-key-algorithms | grep gost
4. Specialized utilities
- gost12: Utility for working with GOST certificates
- crypto-pro: Command-line utility from CryptoPro
- certutil: Part of NSS toolkit with GOST support
Step-by-Step Instructions for Creating a Request
Step 1: Prepare the environment
For Red OS with gost-engine:
# Check installed gost-engine
openssl engine gost
# If not installed, compile from source
git clone https://github.com/gost-engine/engine.git
cd engine
# gost-engine is built with CMake (the repository has no ./config script);
# the OpenSSL development headers must be installed first
mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=Release ..
make
sudo make install
Step 2: Create the key pair
Using GostEngine:
# Create GOST private key (gost2012_256 requires an explicit parameter set;
# -engine gost loads the engine even if openssl.cnf does not)
openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out private_key.pem
# Create CSR (Certificate Signing Request) from that key
openssl req -engine gost -new -key private_key.pem -out request.csr -config openssl.cnf
Step 3: Configure the configuration file
Create a file named openssl.cnf with the following content:
[req]
default_bits = 256
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = RU
ST = Moscow
L = Moscow
O = Your Organization
OU = IT Department
CN = your-domain.ru
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
Step 4: Alternative method with CryptoPro
If using CryptoPro CSP:
# Create key
certmgr -create -cont "My" -newkey -len 256 -alg GOST_2012_256 -pwd "your_password"
# Create CSR
certmgr -create -cont "My" -new -dn "CN=your-domain.ru,C=RU,ST=Moscow,L=Moscow,O=Your Organization" -r -cont "My" -store uTrusted -pwd "your_password" -out request.csr
Step 5: Upload the request to Gosuslugi
- Log in to your Gosuslugi personal account
- Go to “Services” → “MinCifra” → “Certification”
- Select “Get Certificate”
- Upload the created request.csr file
- Fill in the remaining required fields
- Sign the request with an electronic signature
Common Problems and Solutions
Problem 1: “OpenSSL doesn’t support GOST”
Solution: Install GostEngine or use CryptoPro CSP:
# For Ubuntu/Debian
sudo apt-get install libgost-engine
# For CentOS/RHEL
sudo yum install openssl-gost
Problem 2: “Incorrect key format”
Solution: Ensure you’re using the correct algorithm:
# Check key format
openssl pkey -in private_key.pem -text -noout
# The algorithm gost2012_256 should be visible
Problem 3: “Request rejection in Gosuslugi”
Solution: Check for required extensions:
# Verify CSR
openssl req -in request.csr -text -noout -verify
Problem 4: “GOST version conflict”
Solution: Explicitly specify the GOST version in the configuration:
# Add to the top of openssl.cnf, before the [req] section, so the engine
# is loaded automatically. The section named by openssl_conf must list the
# configuration modules ("engines") directly, not point to another section.
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
# dynamic_path = <path to gost.so>  (only if the engine is not found by id)
default_algorithms = ALL
Verifying the Request
After creating the request, you need to verify it meets the requirements:
# Check CSR structure
openssl req -in request.csr -text -noout
# Check signature algorithm
openssl req -in request.csr -noout -text | grep "Signature Algorithm"
# Should show: gost2012_256WithGostR3411_2012_256
# Check extensions (the value is printed on the line after the header,
# so show one line of trailing context)
openssl req -in request.csr -noout -text | grep -A1 "X509v3 Extended Key Usage"
# Should show: TLS Web Server Authentication
For successful verification, the output should show:
- Signature Algorithm: gost2012_256WithGostR3411_2012_256
- Extension: TLS Web Server Authentication
- Organization and domain data are correct
Conclusion
Creating a GOST certificate request for MinCifra requires the use of specialized cryptographic tools. The main conclusions are:
- Use specialized tools: Standard OpenSSL doesn’t fully support GOST, so GostEngine or CryptoPro CSP is necessary
- Monitor GOST versions: Requirements are constantly updated, ensure you’re using GOST R 34.10-2012
- Verify requests before submission: Use openssl to validate structure and algorithms
- Keep private keys secure: Never share private keys with third parties
- Update software: Regularly update cryptographic libraries to meet current requirements
If you encounter difficulties, it’s recommended to contact MinCifra technical support or use services from accredited certification centers.
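The verification step above relies on an OpenSSL build that already has the gost engine loaded; without it, openssl cannot even parse the GOST public key and the checks fail for the wrong reason. The script below is an added example (not code from the answer above or from the gost-engine project) that walks the PKCS#10 DER structure directly and reports the signature OID, the public-key OID and the requested extended key usages, so a request can be screened on any machine before upload. The OIDs are the standard registered values (1.2.643.7.1.1.3.2 for GOST R 34.10-2012 256-bit signature with GOST R 34.11-2012, 1.2.643.7.1.1.1.1 for the 2012-256 key, 1.3.6.1.5.5.7.3.1 for serverAuth) and are not taken from the page; `build_sample_csr()` constructs a dummy request with zeroed key and signature bytes purely to exercise the parser.

```python
"""Structural check of a PKCS#10 CSR for the GOST signature algorithm and the
serverAuth extended key usage, using a minimal DER walker so it does not depend
on the gost engine being loaded into OpenSSL.  Added example, not the answer's
own code.  OIDs are the standard registered values; the sample CSR built by
build_sample_csr() is constructed here with a dummy key and dummy signature."""
import base64
import sys

OID_SIGN_GOST_2012_256 = "1.2.643.7.1.1.3.2"   # id-tc26-signwithdigest-gost3410-2012-256
OID_PK_GOST_2012_256 = "1.2.643.7.1.1.1.1"     # id-tc26-gost3410-2012-256
OID_CRYPTOPRO_A = "1.2.643.2.2.35.1"           # id-GostR3410-2001-CryptoPro-A-ParamSet
OID_EXT_REQ = "1.2.840.113549.1.9.14"          # PKCS#9 extensionRequest attribute
OID_EKU = "2.5.29.37"                          # extKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth
OID_CN = "2.5.4.3"


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(body):
    """Split a constructed DER body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _decode_oid(val):
    parts, acc = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _tlv(tag, body):
    """Encode one DER element (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_csr(sig_oid, eku_oids):
    """Constructed PKCS#10 CSR (PEM) with the given signature OID and EKU list.
    Key and signature bytes are zeros: usable for parser tests only."""
    seq = lambda *p: _tlv(0x30, b"".join(p))
    set_ = lambda *p: _tlv(0x31, b"".join(p))
    subject = seq(set_(seq(_encode_oid(OID_CN), _tlv(0x0C, b"your-domain.ru"))))
    spki = seq(seq(_encode_oid(OID_PK_GOST_2012_256), seq(_encode_oid(OID_CRYPTOPRO_A))),
               _tlv(0x03, b"\x00" + _tlv(0x04, bytes(64))))      # dummy public key
    eku_ext = seq(_encode_oid(OID_EKU), _tlv(0x04, seq(*[_encode_oid(o) for o in eku_oids])))
    ext_req = seq(_encode_oid(OID_EXT_REQ), set_(seq(eku_ext)))
    info = seq(_tlv(0x02, b"\x00"), subject, spki, _tlv(0xA0, ext_req))
    der = seq(info, seq(_encode_oid(sig_oid)), _tlv(0x03, b"\x00" + bytes(64)))  # dummy signature
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + body + "-----END CERTIFICATE REQUEST-----\n"


def inspect_csr(pem):
    """Return the signature OID, public-key OID and EKU OIDs found in a PEM CSR."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, body, _ = _read_tlv(base64.b64decode(b64), 0)
    info, sig_alg, _sig = _children(body)
    _version, _subject, spki, *rest = _children(info[1])
    pk_oid = _decode_oid(_children(_children(spki[1])[0][1])[0][1])
    eku = []
    for _tag, attr in (_children(rest[0][1]) if rest else []):   # attributes [0]
        attr_oid, values = _children(attr)
        if _decode_oid(attr_oid[1]) != OID_EXT_REQ:
            continue
        for _t, ext in _children(_children(values[1])[0][1]):     # SET { SEQUENCE OF Extension }
            parts = _children(ext)
            if _decode_oid(parts[0][1]) == OID_EKU:               # parts[1] may be the critical flag
                eku = [_decode_oid(v) for _t2, v in _children(_read_tlv(parts[-1][1], 0)[1])]
    return {"signature_oid": _decode_oid(_children(sig_alg[1])[0][1]),
            "public_key_oid": pk_oid, "eku": eku}


def meets_gost_requirements(pem):
    """True when the CSR is signed with GOST R 34.10-2012 (256 bit) over a
    GOST 2012-256 key and requests the serverAuth extended key usage."""
    r = inspect_csr(pem)
    return (r["signature_oid"] == OID_SIGN_GOST_2012_256
            and r["public_key_oid"] == OID_PK_GOST_2012_256
            and OID_SERVER_AUTH in r["eku"])


if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else \
        build_sample_csr(OID_SIGN_GOST_2012_256, [OID_SERVER_AUTH])
    print(inspect_csr(pem), "OK" if meets_gost_requirements(pem) else "NOT OK")
```

Run it as `python3 check_csr.py request.csr` against a real request; with no argument it checks its own constructed sample. The script only inspects the structure, so it cannot verify the signature or confirm the key really belongs to you; it is a pre-flight check for the two things most often wrong in a rejected request (an RSA signature OID left over from last year's procedure, or a missing serverAuth EKU), not a replacement for `openssl req -verify` on a machine with the engine loaded.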