How to create a certificate signing request with GOST encryption for Minzifra?
Hello! I have a task of creating a certificate signing request for the Ministry of Digital Development of the Russian Federation (Minzifra) through Gosuslugi for a website certificate.
Task Context:
- Last year the process was simpler, and requests could be generated using RSA encryption
- This year, it seems everything has changed, and now GOST encryption is required
Problem:
I’m trying to figure out how to implement this:
- Previously, I successfully used standard OpenSSL
- Now, as I understand it, I need to use RedOS, which has gost-engine installed by default
- However, I’m unable to get this to work
- I’ve read online that I might need to build my own version for GOST encryption
Question:
Could someone please advise who has experience with this issue, how to properly create a certificate signing request with GOST encryption for Minzifra?
Creating a Certificate Signing Request with GOST Encryption for the Ministry of Digital Development through Gosuslugi
To create a certificate signing request with GOST encryption for the Ministry of Digital Development through Gosuslugi, you need to use RedOS with the built-in gost-engine, create a request in .csr format and sign it with a .sig file, then submit the application on the Gosuslugi portal. The process differs from previous RSA usage and requires specific tools and file formats.
Contents
- Preparing to Create the Request
- Creating a Certificate Request in RedOS
- Submitting an Application through Gosuslugi
- Installing the Ministry of Digital Development Root Certificate
- Solving Common Problems
Preparing to Create the Request
Before starting the process of creating a certificate request with GOST encryption, you need to ensure you have all the necessary components and tools.
System Requirements
- Operating System: RedOS or another OS with GOST encryption support
- Portal Access: Registered Gosuslugi account with verified identity
- Technical Tools: gost-engine and corresponding cryptographic libraries
Important: As of 2024, the Ministry of Digital Development has transitioned to mandatory use of GOST encryption for all certificates issued through Gosuslugi. Old certificates with RSA encryption are no longer supported.
Checking for gost-engine
Before creating the request, ensure that gost-engine is installed and working properly. To check, run the command:
openssl engine gost
If the command executes without errors, gost-engine is ready for use.
Creating a Certificate Request in RedOS
The process of creating a certificate request with GOST encryption requires performing several sequential steps.
Step 1: Generate Private Key
First, you need to create a private key in a format compatible with GOST encryption:
openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out private.key
This command will create a private key using GOST R 34.10-2012 with a 256-bit key length.
Step 2: Create Certificate Signing Request (CSR)
Use the generated key to create a request in .csr format:
openssl req -new -key private.key -out certificate.csr -engine gost -config openssl.cnf
When creating the request, you will need to provide the following information:
- Country: RU (Russian Federation)
- State/Province: Your region
- Locality: Your city
- Organization: Name of your organization
- Common Name: Full domain name of the site for which the certificate is being requested
Step 3: Create Signature (.sig file)
To verify the authenticity of the request, you need to create a signature:
openssl dgst -engine gost -md_gost12_256 -sign private.key -out certificate.sig certificate.csr
After these steps, you will have three files:
- private.key - private key (keep it secure!)
- certificate.csr - certificate signing request
- certificate.sig - digital signature of the request
Submitting an Application through Gosuslugi
After preparing all the necessary files, you can proceed to submitting the certificate issuance application through the Gosuslugi portal.
Application Submission Process
- Authorization on the Gosuslugi portal using a qualified electronic signature
- Navigate to “My Certificates” or “TLS Certificates” section
- Select “Request New Certificate” option
- Upload files:
- Certificate signing request (.csr)
- Signature (.sig)
- Provide contact information for communication
- Submit the application for review
Important: According to the UC GIS documentation, “certificates are obtained upon request, where it is necessary to specify the serial number of the requested certificate”. Ensure all provided data meets the requirements.
Application Review Stages
The application review process typically includes the following stages:
- Verification of correctness of submitted data
- Identity verification of the applicant
- Certificate issuance upon positive result
- Notification of the applicant about certificate readiness
Installing the Ministry of Digital Development Root Certificate
To work correctly with Ministry of Digital Development certificates, you need to install root certificates on all used devices and systems.
Obtaining Root Certificates
Root certificates can be downloaded from the official UC GIS portal.
Installation on Different Operating Systems
- Windows: Double-click the certificate file and follow the installer instructions
- Linux (RedOS): Use the commands:
sudo cp root.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
- macOS: Add the certificate to “Certificates” in “Keychain Access”
Note: As stated in the Federal Treasury instructions, “notified of the need to install the Ministry of Digital Development root certificate to ensure access to resources on the official website”.
Solving Common Problems
When working with GOST certificates, various difficulties may arise. Let’s consider the main problems and their solutions.
Problem: “OpenSSL does not support GOST”
Solution: Ensure you have the full version of OpenSSL with gost-engine support installed. In some cases, manual compilation may be required:
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
tar -xvzf openssl-1.1.1.tar.gz
cd openssl-1.1.1
./config --prefix=/usr/local/openssl-gost shared
make
sudo make install_sw
Problem: “Error creating request”
Solution: Check the correctness of all fields specified in the request. Ensure that the common name exactly matches the domain name of the site.
Problem: “Certificate not working after installation”
Solution: Check the installation of root certificates and the correctness of the web server configuration. Ensure the correct private key is being used.
Alternative Approaches
If you encounter difficulties with RedOS, consider the following options:
- Using ready-made solutions from SprintHost or other providers
- Contacting technical support of the Ministry of Digital Development for consultation
- Using specialized tools for working with cryptography
Sources
- How to order an SSL certificate through Gosuslugi | SprintHost Knowledge Base
- Obtaining a TLS certificate on the Gosuslugi portal | GKUK KK “CTIO”
- Repository | UC GIS
- Russian SSL (TLS) certificate of the Ministry of Digital Development through “Gosuslugi”
- Installing the root certificate of the “Ministry of Digital Development of Russia” | UC GIS
- How a private individual can order a free SSL certificate for a site on Gosuslugi
- How to order an SSL certificate through Gosuslugi | Reg.ru
- What are Ministry of Digital Development certificates, why install them, and how to do it
- Portal of State Services of the Russian Federation - TLS
- How to install the Ministry of Digital Development root certificate?
Conclusion
- Creating a certificate request with GOST encryption requires the use of specialized tools and OS with GOST support
- The main stages of the process include key generation, creating a request (.csr) and signature (.sig), and submitting an application through Gosuslugi
- Installing Ministry of Digital Development root certificates is a mandatory condition for proper operation
- When problems arise, it is recommended to refer to official documentation and technical support
- The process is constantly being improved, so follow updates on the Gosuslugi portal
To successfully solve your task, it is highly recommended to carefully study all stages of the process and, if necessary, consult with specialists from the Ministry of Digital Development or your technical experts.
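The three steps from the answer above wrapped into one script, with the engine check first and a verification of both the CSR self-signature and the detached .sig before anything is uploaded; this is an added example, not code from the original answer or from any of the cited sources. It assumes OpenSSL 1.1.x with gost-engine loadable under the name "gost", reuses the answer's own file names, and the subject values in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a GOST R 34.10-2012 key, a CSR and a detached
# signature, then verify them locally. Assumes gost-engine is loadable as "gost".
set -e

# 0 if the gost engine loads and its self-test passes, 1 otherwise.
gost_engine_available() {
    openssl engine -t gost >/dev/null 2>&1
}

# CN must be a bare FQDN: no scheme, path, port or upper case.
# Internationalised names (e.g. .рф) are expected in punycode (xn--) form.
valid_common_name() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]([a-z0-9-]*[a-z0-9])?$'
}

# Builds the -subj string from the fields the portal asks for.
# Usage: make_subject <country> <region> <city> <organization> <common-name>
make_subject() {
    valid_common_name "$5" || return 1
    printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s' "$1" "$2" "$3" "$4" "$5"
}

# Writes private.key, certificate.csr and certificate.sig, then verifies them.
# Usage: create_gost_csr <subject-string>
create_gost_csr() {
    subj="$1"
    gost_engine_available || { echo "gost-engine not available" >&2; return 2; }
    # GOST R 34.10-2012, 256-bit; the engine refuses to generate without a paramset.
    openssl genpkey -engine gost -algorithm gost2012_256 \
        -pkeyopt paramset:A -out private.key
    chmod 600 private.key
    # CSR signed with the GOST key (the engine supplies the Streebog-256 default).
    openssl req -new -engine gost -key private.key -subj "$subj" -out certificate.csr
    # Detached signature over the CSR file: the .sig the portal asks for.
    openssl dgst -engine gost -md_gost12_256 -sign private.key \
        -out certificate.sig certificate.csr
    # Pre-upload checks: CSR self-signature, then the detached signature.
    openssl req -engine gost -verify -noout -in certificate.csr
    openssl dgst -engine gost -md_gost12_256 -prverify private.key \
        -signature certificate.sig certificate.csr
}

# Constructed usage: sh gost_csr.sh create example.ru
case "${1:-}" in
    create) subj=$(make_subject RU Moscow Moscow 'Example LLC' "$2") || exit 1
            create_gost_csr "$subj" ;;
esac
```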