Transition to Russian root TLS certificates

15 January 2024 17:52

This page collects links to the main root certificates of the Russian Federation and gives instructions for installing them.

What are Russian root TLS certificates?

TLS is a protocol that protects data from being read or modified when connecting to web sites over HTTPS (HTTPS uses port 443, unlike port 80 for HTTP). The server authenticates itself with the site's certificate and the connection is encrypted; on the client side the certificate is verified and the connection is decrypted. If the certificate is not trusted, the browser shows a warning about the security of the connection; if it is trusted, the address bar shows that the connection is protected. In theory the certificates of Russian sites should be issued by Russian certification authorities. This is how technological sovereignty is implemented - Russian sites should not depend on foreign certification authorities issuing TLS certificates.

To create a PKI independent of the Western world, two root certificates have been created for web sites:
  • Russian Trusted Root CA
  • Russian Trusted Sub CA

They can be downloaded from the page https://gosuslugi.ru/crt.

How to install Russian certificates in Linux?

  1. For the utilities wget, curl and apt, install them into the operating system.
  2. To view web sites, install them in the browsers Mozilla Firefox and Chrome/Chromium.

When installing certificates in the OS, where is the CA configuration file?

Certificate configuration files of the operating system (used by the utilities curl and wget):

/usr/lib/ssl/openssl.cnf
/etc/ca-certificates.conf

How to install root certificates (CA) in the operating system?

Practice has shown that configuring the OS certificate store in Linux does not affect opening web sites in a browser; it only affects the behaviour of the console utilities wget and curl over HTTPS.
Note: web browsers use certificates differently - the certificates are stored in the browser settings. For them, see the section "How to install root certificates (CA) in web browsers".

To install certificates in Linux you need to:
0) download the root certificates (CA) with the .crt extension;
1) copy the root certificates *.crt into a subdirectory of /usr/share/ca-certificates, for example /usr/share/ca-certificates/russian_trusted, and add lines to the configuration file /etc/ca-certificates.conf;
2) run the command sudo dpkg-reconfigure ca-certificates and confirm adding the new certificates;
3) check.

0) Download the certificates from the public services page https://gosuslugi.ru/crt - the files under "Alternative method - installing the root certificate" - certificates for Linux.

(Screenshot: downloading the root and issuing certificates from the public services web site)

1) Copying the certificates (~/Загрузки is the Downloads folder of a Russian-locale desktop):

sudo mkdir /usr/share/ca-certificates/russian_trusted
sudo cp ~/Загрузки/russian_trusted*.crt /usr/share/ca-certificates/russian_trusted
cd /usr/share/ca-certificates/russian_trusted
ls -l

There should be 2 files. If there are 4 (duplicate downloads), delete the extra copies:
sudo rm "russian_trusted_root_ca_pem(1).crt"
sudo rm "russian_trusted_sub_ca_pem(1).crt"

2) Installing the root certificates in Linux:

2.1) Edit the file /etc/ca-certificates.conf - add our 2 certificates.

The paths to certificates are relative to /usr/share/ca-certificates. We created the folder /usr/share/ca-certificates/russian_trusted earlier, so the path in the configuration file is russian_trusted/<certificate file name>.

sudo nano /etc/ca-certificates.conf

Add the lines:

russian_trusted/russian_trusted_root_ca_pem.crt
russian_trusted/russian_trusted_sub_ca_pem.crt

Save and exit: Ctrl+O and Ctrl+X.

2.2) Run:

sudo dpkg-reconfigure ca-certificates

A dialog opens; press OK.

"Trust new certificates from certification centers?" - answer Yes.

"This package installs certificates of certification centers (CA) ..." - press OK.

In the window with the list of certificates, scroll to the end and find our 2 certificates - they are marked with asterisks. Press OK.

The program has finished adding the Russian certificates to the system.

3) Check:
Let's check the opening of the Rosreestr website on the HTTPS protocol from the command line.

cd ~
wget https://rosreestr.ru
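
The procedure above (copy, register in /etc/ca-certificates.conf, rebuild the bundle) as one non-interactive script. This is an added example, not code from the article; it assumes the Debian/Ubuntu layout the article uses and that the downloaded files are in ~/Downloads. Entries are appended only when missing, and an entry previously disabled with "!" is re-enabled instead of duplicated.

```shell
#!/bin/sh
# Added example, not code from the original article: register (or exclude)
# CA files in /etc/ca-certificates.conf without duplicating lines, then
# rebuild the bundle. Assumes the Debian/Ubuntu layout the article uses.
set -eu

# Rewrite one conf entry: mode "enable" drops a leading "!", mode "disable"
# adds one; an entry missing entirely is appended in the requested state.
# Usage: set_entry <conf-file> <enable|disable> <subdir/file.crt>
set_entry() {
    conf=$1 mode=$2 entry=$3
    if [ "$mode" = enable ]; then want=$entry; else want="!$entry"; fi
    if grep -qxF -e "$entry" -e "!$entry" "$conf"; then
        awk -v e="$entry" -v w="$want" \
            '$0 == e || $0 == ("!" e) { print w; next } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$want" >> "$conf"
    fi
}

# Register every *.crt under <ca-root>/<subdir> (the article's
# russian_trusted directory) as an enabled entry.
# Usage: register_dir <conf-file> <ca-root> <subdir>
register_dir() {
    for path in "$2/$3"/*.crt; do
        [ -f "$path" ] || continue
        set_entry "$1" enable "$3/$(basename "$path")"
    done
}

# Number of enabled entries for <subdir>, for checking the result.
count_enabled() { grep -c "^$2/" "$1" || true; }

# The article's steps 1-2 without the debconf dialog. Assumption: the
# downloaded files are in ~/Downloads. Must run as root.
install_russian_trusted() {
    mkdir -p /usr/share/ca-certificates/russian_trusted
    cp ~/Downloads/russian_trusted*.crt /usr/share/ca-certificates/russian_trusted/
    # print SHA-256 fingerprints so they can be compared with the published ones
    for f in /usr/share/ca-certificates/russian_trusted/*.crt; do
        openssl x509 -in "$f" -noout -fingerprint -sha256
    done
    register_dir /etc/ca-certificates.conf /usr/share/ca-certificates russian_trusted
    update-ca-certificates   # what dpkg-reconfigure ca-certificates runs after its dialog
}
```

Source the file and call install_russian_trusted as root; set_entry with "disable" is the scripted form of putting "!" in front of a line, which the section on deleting certificates below does by hand.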

How to install root certificates (CA) in web browsers

1) Installing CA certificate in Mozilla Firefox

Firefox → go to "Settings" → type "Certificate" in the search box → choose "View Certificates…".

Press the "Import…" button.
Select the file russian_trusted_root_ca_pem.crt in the "Downloads" folder and press the "Open" button in the file manager.

Tick "Trust when identifying web sites".

Repeat the import for the second file russian_trusted_sub_ca_pem.crt ("Import…", then "Open").

Close the form with "OK".

2) Installing CA certificates in Chromium

In Chromium the installation is done the same way: Settings - search for the keyword "Certificate".
In the "Security" section, scroll down to "Configure certificates".
In the window choose the "Certification Centers" tab.
Press "Import".
In the window tick "Trust this certificate when identifying sites".
If the certificate has not been installed before, it will be added to the browser.

Check - open the site https://rosreestr.ru or https://rosreestr.gov.ru/.


Useful information

Where else can root certificates be located in Linux?

Firefox, when installed, adds its certificates to the folder:
/usr/share/ca-certificates/mozilla

When the firefox package is installed, the file /etc/ca-certificates.conf is modified.
In that file, # marks a comment and ! at the start of a line disables (excludes) that certificate.

How to view the contents of a certificate in Linux?

1) Graphical user interface: double-click the file in the file manager, or run the gcr-viewer utility:

gcr-viewer /usr/local/share/ca-certificates/russian_trusted/russian_trusted_sub_ca_pem.crt

2) Command line (in the folder containing the certificate), for example:

  • Using the openssl x509 command:

Reading one certificate from the file certificate.pem with the openssl x509 command, filtering on the CN field (the certificate name):

openssl x509 -in certificate.pem -noout -subject | grep -iF "CN ="


Reading one certificate with the keytool utility:

keytool -printcert -file certificate.pem

For example, in Green Linux the command prints information about the certificate to the console:

keytool -printcert -file /usr/local/share/ca-certificates/russian_trusted/russian_trusted_root_ca_pem.crt | less

Reading all certificates from the bundle file ca-certificates.crt in a loop:

while openssl x509 -noout -text; do :; done < /etc/ssl/certs/ca-certificates.crt

Reading the CN (Common Name) fields in a loop:

while openssl x509 -noout -text; do :; done < /etc/ssl/certs/ca-certificates.crt | grep "CN ="

For example:
Subject: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

Reading the names (CN) of the certificates whose subject mentions GlobalSign from the file containing several certificates:

while openssl x509 -noout -text; do :; done < /etc/ssl/certs/ca-certificates.crt | grep "CN =" | grep -iF globalsign

Reference:

man openssl-x509

Creating a backup copy of the root CA bundle (not strictly necessary, because the file is regenerated every time dpkg-reconfigure ca-certificates runs):

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak

How to delete a root certificate from Linux

This action does not delete the certificate from the browser - see the information on Mozilla Firefox and Chromium below.

You need to edit the file /etc/ca-certificates.conf:

sudo cp /etc/ca-certificates.conf /etc/ca-certificates.conf.bak
sudo nano /etc/ca-certificates.conf

For example, to disable all certificates, put an exclamation mark (!) at the beginning of every line.

To exclude root certificates en masse, you can use the sed command-line utility:

sudo sed -i 's/^mozilla/!mozilla/g' /etc/ca-certificates.conf

To re-enable the Mozilla root certificates en masse:

sudo sed -i 's/^!mozilla/mozilla/g' /etc/ca-certificates.conf

Then execute:

sudo dpkg-reconfigure ca-certificates

How to delete a root certificate in Linux from the Mozilla Firefox or Chromium browser

Settings - search for the word "Certificate" - then "Root Certificates" - select and delete.

How to reinstall the Linux OS certificates with the default settings?

sudo apt install --reinstall ca-certificates

This command removes extraneous certificates from the folder /etc/ssl/certs/ and restores the symbolic links and the "default" certificate database.

How to create a new Mozilla Firefox profile for experiments?

firefox -P

Each Firefox profile can have its own set of site certificates. For example, if the Russian certificate is missing from the profile named "temp", there will be an error when opening rosreestr.ru.
And in another copy of Firefox with a different profile in which the certificates are installed, there is no error.

Official TLS certificate portal for Russian sites

All information on installation and configuration:
https://www.gosuslugi.ru/crt

Which web sites of the Russian Federation have switched to Russian root certificates (CA)?

The bank "Sber" (formerly "Sberbank") warns customers about the transition to Russian certificates:
https://www.sberbank.com/ru/certificates

The bank VTB offers customers to switch to Russian certificates:
https://www.vtb.ru/product/otvety/certificates/

The Rosreestr web site displays a warning when its home page is opened.

The largest web sites of Runet that have switched to Russian cryptography:

  1. Sberbank www.sberbank.ru - certificate Russian Trusted Sub CA
  2. Treasury of the Russian Federation www.roskazna.ru - certificate Russian Trusted Sub CA
  3. Rosreestr rosreestr.gov.ru - certificate Russian Trusted Sub CA

Public services www.gosuslugi.ru at the beginning of 2024 use a GlobalSign certificate.

What root certificates do the web sites of the Russian Federation use?

Root certificates recommended for installation by the public services site (gosuslugi.ru/crt):

No.  Certificate name          Certificate file               Valid until
1.   Russian Trusted Root CA   russian_trusted_root_ca.cer    27.02.2032
2.   Russian Trusted Sub CA    russian_trusted_sub_ca.cer     06.03.2027

Root certificates recommended for installation by the site of the Federal Treasury (Instructions):

No.  Certificate name                                                                                                                     Certificate file                    Valid until
3.   Certificate of the Ministry of Communications of Russia (head certification center), key identifier 8B 98 3B 89 18 51 EF 9C 02 78 B8 EA C8 D4 20 B2 55 C9 5D   E-Trust                             17.07.2027
4.   Certificate of the Ministry of Communications of Russia (head certification center), GOST R 34.10-2012                               GUTS_2012.cer                       01.07.2036
5.   Certificate of the Ministry of Communications of Russia (head certification center), 2022                                            Kornevoy-sertifikat-GUTS-2022.CER   08.01.2040

Description:
1) Russian Trusted Root CA - the main certificate of the Russian Federation, from which Russian Trusted Sub CA was issued. It is used in the trust chain of most sites.
2) Russian Trusted Sub CA - the certificate by which the sites of Sber, Roskazna and Rosreestr are "signed". The most common one on web sites of the Russian Internet. The official portal offers no certificates other than these two; apparently they are enough to work with the "public services" sites and the banks.
3) Certificate of the Ministry of Communications of Russia (head certification center) with ID 8B 98 3B 89 18 51 EF 9C 02 78 EA C8 D4 20 B2 55 C9 5D - a trusted root certification authority. The main root certificate for all certification authorities (CAs); the certificates of the other CAs are intermediate.
4) GUTS_2012 - certificate of the head certification center of the Ministry of Communications of Russia. It is used by the Roskazna sites and the SUFD web application (budget financing).
5) GUTS_2022 - certificate of the head certification center of the Ministry of Communications of Russia. It is used by the Roskazna web site and the SUFD web application (budget financing). Information about the GUTS certificates is available on the Roskazna web site in PDF.

How to install root certificates (CA) in Windows?

In Windows, "click" on the downloaded certificates, as described in the article on the site www.gosuslugi.ru/crt.

Or use a CMD file that installs all certificates from the current directory:

@echo off
rem Install every .cer file from the current directory into the Root store
for %%G in (*.cer) do call :s_subroutine "%%G"
goto :EOF
:s_subroutine
CertMgr.exe /c /add %1 /s root
echo:
goto :EOF

See the description of the CertMgr command-line switches on the Microsoft web site.

The file certmgr.exe is part of the Windows SDK, which is available on the Microsoft web site. Links to the universal Windows SDK installer for Windows 7, 8.1, 10, 11 are given in the next article.

How to download all of a web site's certificates over HTTPS?

Download the certificates of the site rosreestr.ru into a file:

echo -n | openssl s_client -showcerts -connect rosreestr.ru:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > rosreestr_bundle.crt

View the certificates from the file:

while openssl x509 -noout -text; do :; done < rosreestr_bundle.crt | grep "CN ="

The same for the public services site:

echo -n | openssl s_client -showcerts -connect gosuslugi.ru:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gu_bundle.crt

while openssl x509 -noout -text; do :; done < gu_bundle.crt | grep "CN ="
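
An added example (not the article's code) that replaces the `while openssl x509 ...` loop used here and in the section on viewing certificates with an awk splitter, so each certificate in a bundle such as rosreestr_bundle.crt can be inspected on its own. The only assumption is that openssl is installed for list_chain and fetch_chain.

```shell
#!/bin/sh
# Added example, not code from the original article. The article's
# "while openssl x509 ...; done < bundle" loop is replaced by an awk splitter,
# so each certificate of a bundle can be inspected on its own.
set -eu

# Count the certificate blocks in a PEM bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# Print only the Nth certificate block (1-based) of a PEM bundle.
# Usage: nth_cert <bundle> <n>
nth_cert() {
    awk -v want="$2" '
        /BEGIN CERTIFICATE/ { n++ }
        n == want           { print }
        /END CERTIFICATE/ && n == want { exit }
    ' "$1"
}

# One line per certificate: subject, issuer, expiry (needs openssl).
# In a chain fetched from a server the leaf comes first; the root CA itself
# is normally NOT sent by the server, it must already be in the local store
# (which is why the Russian root is downloaded from gosuslugi.ru instead).
list_chain() {
    total=$(count_certs "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        nth_cert "$1" "$i" | openssl x509 -noout -subject -issuer -enddate | tr '\n' ' '
        echo
        i=$((i + 1))
    done
}

# Fetch the chain a server presents, as the article does for rosreestr.ru,
# with SNI (-servername) so a virtual host returns the right certificate.
# Usage: fetch_chain <host> <out-file>
fetch_chain() {
    echo | openssl s_client -showcerts -servername "$1" -connect "$1:443" 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
    list_chain "$2"
}
```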

Does the "lock" in the address bar guarantee the authenticity of the site?

It should be noted that certificates only protect the SSL/TLS connection. The presence of the "lock" icon does not guarantee the authenticity of the site (that is determined by DNS and the name registries - for example nic.ru or reg.ru and other registrars). I recommend always looking at the certificate behind the "lock" and carefully checking the domain name in the certificate against the domain shown in the address bar, to avoid "man in the middle" (MitM) attacks. Note that "Kaspersky Anti-Virus" on Windows, when enabled, replaces the site's certificate on port 443: it decrypts the traffic, inspects it and then re-encrypts it with its own certificate. This behaviour of Kaspersky Anti-Virus is normal.
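
The comparison the paragraph recommends doing by eye, as an added shell example that is not part of the original article: does the host name in the address bar match one of the certificate's DNS names? name_matches implements the exact and single-label wildcard rules, and cert_dns_sans (assumes OpenSSL 1.1.1 or newer for -ext) pulls the names out of a certificate file such as the first block saved from the s_client output above.

```shell
#!/bin/sh
# Added example, not code from the original article: check that the host name
# in the address bar is covered by the certificate's Subject Alternative Names.
set -eu

# Does host name $1 match DNS name $2 taken from the certificate?
# Exact match (case-insensitive), or a single leftmost wildcard label:
# "*.rosreestr.ru" covers "www.rosreestr.ru" but neither "rosreestr.ru"
# nor "a.b.rosreestr.ru".
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$host" = "$san" ] && return 0
    case "$san" in
        '*.'*)
            suffix=${san#\*.}
            case "$host" in
                *."$suffix")
                    prefix=${host%."$suffix"}
                    case "$prefix" in
                        ''|*.*) return 1 ;;   # empty, or more than one label
                        *)      return 0 ;;
                    esac ;;
            esac ;;
    esac
    return 1
}

# Is host name $1 covered by any name in the space-separated list $2?
host_covered() {
    for n in $2; do
        name_matches "$1" "$n" && return 0
    done
    return 1
}

# DNS SANs of a PEM certificate file as a space-separated list
# (needs OpenSSL 1.1.1 or newer for the -ext option).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}

# Example: host_covered www.rosreestr.ru "$(cert_dns_sans leaf.crt)" && echo covered
```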

Addition of 17.01.2024: installing Yandex Browser to work with Russian web sites

Instead of installing root certificates in the Firefox and Chromium browsers, you can install Yandex Browser, which already contains all the necessary certificates.

1) Create a file for the Yandex Browser repository in the folder /etc/apt/sources.list.d:

cd /etc/apt/sources.list.d
sudo nano yandex-browser.list

Add the following line to the repository list file yandex-browser.list:

deb [arch=amd64] https://repo.yandex.ru/yandex-browser/deb stable main

Save with Ctrl+O, Ctrl+X.

2) Import the signing key of the Yandex Browser repository:

curl -fsSL https://repo.yandex.ru/yandex-browser/YANDEX-BROWSER-KEY.GPG | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/yandex-browser.gpg > /dev/null

Check:

file /etc/apt/trusted.gpg.d/yandex-browser.gpg

Output: /etc/apt/trusted.gpg.d/yandex-browser.gpg: OpenPGP Public Key Version 4, Created Tue May 16 16:15:58 2023, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate

3) Check free space:

df -h

Free space of about 1 GB is required (300 MB for cache, 200 MB for downloading and 300 MB for installing software and 200 MB for the profile).

Update the apt cache and install the yandex-browser-stable package:

sudo apt-get update
sudo apt install yandex-browser-stable

Yandex Browser will appear in the Start menu - Internet - Yandex Browser.

Source for installing Yandex Browser: https://browser.yandex.ru/help/about/install.html#browser-install.


