Transition to Russian TLS root certificates

15 January 2024 17:52

This page contains links to all the main root certificates of the Russian Federation and provides instructions for installing them.

What are Russian TLS root certificates?

TLS is the protocol that protects data against reading and modification when connecting to websites over HTTPS (HTTPS uses port 443, as opposed to port 80 for HTTP). The server presents a site certificate signed by a certification authority, and the connection is encrypted; on the client side the certificate is verified and the connection is decrypted. If the certificate is not trusted, the browser displays an error about the security of the connection; if it is trusted, an icon appears in the address bar indicating that the connection is secure. Certificates of Russian sites, in theory, should be issued by Russian certification authorities. This is how technological sovereignty is realized: Russian websites should not depend on foreign certification authorities that issue TLS certificates.

To create a PKI for website certificates that is independent of the Western world, two root certificates have been created:

  • Russian Trusted Root CA
  • Russian Trusted Sub CA

They can be downloaded from the page https://gosuslugi.ru/crt.

How to install Russian certificates on Linux?

  1. For the wget, curl and apt utilities, install them into the operating system's certificate store.
  2. To view websites, install them in the Mozilla Firefox and Chrome/Chromium browsers.

When installing certificates in the OS, where is the CA configuration file located?

Certificate configuration files for the operating system (for curl and wget utilities):

/usr/lib/ssl/openssl.cnf
/etc/ca-certificates.conf

How to install root certificates (CA) in the operating system?

Practice has shown that installing root certificates in the Linux OS store does not affect how browsers open websites; it only affects the console utilities wget and curl when they work over HTTPS.

Note: web browsers handle certificates differently - they are registered in the browser settings. For these, see the section "How to install root certificates (CA) in web browsers".

To install certificates on Linux you need to:
0) download the CA root certificate files with the .crt extension;
1) copy the root certificate files *.crt to a subfolder of /usr/share/ca-certificates, for example /usr/share/ca-certificates/russian_trusted, and add lines for them to the configuration file /etc/ca-certificates.conf;
2) execute the command sudo dpkg-reconfigure ca-certificates and confirm adding the new certificates;
3) verify.

0) Downloading the certificates from the State Services page https://gosuslugi.ru/crt - the files in the section "Alternative method - installing a root certificate", Certificates for Linux.

Screenshot: downloading the root and issuing certificates from the State Services website.
1) copying certificates

sudo mkdir /usr/share/ca-certificates/russian_trusted

sudo cp ~/Загрузки/russian_trusted*.crt /usr/share/ca-certificates/russian_trusted

(~/Загрузки is the Downloads folder on a Russian-locale desktop; on an English-locale system use ~/Downloads.)

cd /usr/share/ca-certificates/russian_trusted

ls -l

There should be 2 files. If there are 4 (duplicate downloads), delete the extra copies:
sudo rm "russian_trusted_root_ca_pem(1).crt"
sudo rm "russian_trusted_sub_ca_pem(1).crt"

2) installing root certificates in Linux:

2.1) Edit the file /etc/ca-certificates.conf - add our 2 certificates.

The path to a certificate is relative to /usr/share/ca-certificates. Since we created the folder /usr/share/ca-certificates/russian_trusted, the path in the configuration file will be russian_trusted/certificate_name.

sudo nano /etc/ca-certificates.conf

Add the lines:

russian_trusted/russian_trusted_root_ca_pem.crt
russian_trusted/russian_trusted_sub_ca_pem.crt


Save and exit: Ctrl+O and Ctrl+X.

2.2) Execute

sudo dpkg-reconfigure ca-certificates

A dialog appears. Clicked OK.

"Trust new certificates from certification authorities?" - Yes.

"This package installs certificate authority (CA) certificates..." - Clicked OK.

In the window with the list of certificates, scrolled all the way down and found our 2 certificates - they are highlighted with asterisks. Clicked OK.

The program completed the addition of the Russian certificates to the system.

3) Check:
Let's check that the Rosreestr website opens over HTTPS from the command line:

cd ~
wget https://rosreestr.ru

How to install root certificates (CA) in web browsers

1) Installing a CA certificate in Mozilla Firefox

Firefox → go to "Settings" → in the search enter "Certificate" → select "View certificates..."

Pressed the button "Import...".
Selected the file russian_trusted_root_ca_pem.crt from "Downloads" and clicked the Open button in the file dialog.

Checked "Trust this CA to identify websites".

Repeated the import for the second file russian_trusted_sub_ca_pem.crt: "Import...", select the file, "Open".

Closed the form with "OK".

2) Installing a CA certificate in Chromium

In Chromium, installation is done in the same way: Settings - keyword search "Certificate".
In the Security section, scroll the window down to the section "Configure certificates".
Selected the tab "Certification Authorities" in the window.
Clicked Import, selected the file, and checked the box "Trust this certificate to identify sites".
If the certificate has not been installed previously, it will be added to the browser.

Check - go to the site https://rosreestr.ru or https://rosreestr.gov.ru/.

Useful information

Where else can root certificates be located in Linux?

Firefox adds its certificates to this folder during installation:
/usr/share/ca-certificates/mozilla

When the firefox package is installed, the /etc/ca-certificates.conf file is modified. In this file, # starts a comment and ! at the beginning of a line disables that certificate.

How to view the contents of a certificate in Linux?

1) Graphical user interface: double-click the file in the file manager, or run the gcr-viewer utility:

gcr-viewer /usr/local/share/ca-certificates/russian_trusted/russian_trusted_sub_ca_pem.crt

2) Command line (in the folder where the certificate is located), for example:

  • using the openssl x509 command:

    Reading a single certificate from the file certificate.pem with openssl x509, filtering for the CN field (the certificate name):

    sudo openssl x509 -in certificate.pem -noout -subject | grep -iF "CN="

  • using the keytool utility:

    keytool -printcert -file certificate.pem

For example, on Green Linux the command prints the certificate information to the console:

keytool -printcert -file /usr/local/share/ca-certificates/russian_trusted/russian_trusted_root_ca_pem.crt | less

Reading all certificates from the bundle file ca-certificates.crt in a loop (each openssl x509 call consumes one PEM block from the shared standard input, and the loop stops when no block is left):

while openssl x509 -noout -text; do :; done < /etc/ssl/certs/ca-certificates.crt

Reading the certificate names (CN, Common Name) in a loop:

while openssl x509 -noout -text; do :; done < /etc/ssl/certs/ca-certificates.crt | grep "CN =" 

For example:
Subject: C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

Reading, from the bundle file, the names of the certificates whose CN contains "GlobalSign":

while openssl x509 -noout -text; do :; done < /etc/ssl/certs/ca-certificates.crt | grep "CN =" | grep -iF globalsign

Help:

man openssl-x509

Creating a backup copy of the root CA bundle file (not strictly necessary, since the file is regenerated every time dpkg-reconfigure ca-certificates is executed):

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak

How to Remove Root Certificate from Linux

This action does not remove the certificate from the browsers - see the Mozilla Firefox and Chromium information below.

You need to edit the file /etc/ca-certificates.conf:

sudo cp /etc/ca-certificates.conf /etc/ca-certificates.conf.bak
sudo nano /etc/ca-certificates.conf

For example, if we want to disable all certificates, we put exclamation marks (!) at the beginning of all lines.

To mass disable the Mozilla root certificates, you can use the sed command-line utility:

sudo sed -i 's/^mozilla/!mozilla/g' /etc/ca-certificates.conf

To bulk enable Mozilla root certificates:

sudo sed -i 's/^!mozilla/mozilla/g' /etc/ca-certificates.conf

Then do:

sudo dpkg-reconfigure ca-certificates
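As an added example (not from the original article), a small POSIX shell helper for the /etc/ca-certificates.conf edits in step 2.1 of the installation and in the removal section above: it enables an entry only once, re-enables a line that was disabled with "!", and disables a line the way the sed commands do, so repeated runs never duplicate entries. The function names and the file contents used are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent editing of
# /etc/ca-certificates.conf in the format the article describes
# (paths relative to /usr/share/ca-certificates):
#   russian_trusted/russian_trusted_root_ca_pem.crt   enabled
#   !russian_trusted/russian_trusted_root_ca_pem.crt  disabled
#   # comment

# enable_ca_entry CONF ENTRY
# Makes sure ENTRY is present and enabled in CONF:
#  - an already enabled line is left alone (no duplicates)
#  - a disabled "!ENTRY" line is re-enabled in place
#  - otherwise ENTRY is appended
# Returns 0 if CONF was changed, 1 if it was already correct.
enable_ca_entry() {
    conf=$1; entry=$2
    grep -qxF "$entry" "$conf" && return 1
    if grep -qxF "!$entry" "$conf"; then
        rewrite_line "$conf" "!$entry" "$entry"
    else
        printf '%s\n' "$entry" >> "$conf"
    fi
}

# disable_ca_entry CONF ENTRY : prefix an enabled ENTRY line with "!"
# (what the article's sed command does for all mozilla/ lines).
# Returns 1 if ENTRY was not enabled.
disable_ca_entry() {
    grep -qxF "$2" "$1" || return 1
    rewrite_line "$1" "$2" "!$2"
}

# is_enabled CONF ENTRY : 0 if ENTRY is present and not disabled
is_enabled() { grep -qxF "$2" "$1"; }

# rewrite_line CONF OLD NEW : replace lines exactly equal to OLD with NEW,
# writing back into the same inode so owner/mode of CONF are kept.
rewrite_line() {
    tmp=$(mktemp) || return 2
    awk -v o="$2" -v n="$3" '$0 == o { print n; next } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Typical use on a Debian/Ubuntu host (needs root), after copying the
# files to /usr/share/ca-certificates/russian_trusted as in the article:
#   for f in russian_trusted_root_ca_pem.crt russian_trusted_sub_ca_pem.crt; do
#       enable_ca_entry /etc/ca-certificates.conf "russian_trusted/$f"
#   done; update-ca-certificates
```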

How to remove root certificate in Linux from Mozilla FireFox or Chromium browser

Settings - search for the word "Certificate" - then "Root certificates" - select and delete.

How to reinstall the Linux OS root certificate package with default settings?

sudo apt install --reinstall ca-certificates

This command removes from the folder /etc/ssl/certs/ the certificates that do not belong to the package and restores the symbolic links and the default certificate database.

How to create a new profile for experiments in Mozilla FireFox?

firefox -P

In each Firefox profile you can configure its own set of site certificates. For example, if the Russian certificate is not present in the profile named "temp", opening the Rosreestr site gives a certificate error; but in another Firefox instance with a profile in which the certificates are installed there is no error.

The official portal of TLS certificates for Russian sites

All installation and configuration information:

https://www.gosuslugi.ru/crt

Which Russian websites have switched to Russian root certificates (CA)

Bank "Sber" (formerly "Sberbank") warns clients about the transition to Russian certificates:
https://www.sberbank.com/ru/certificates

VTB Bank invites clients to switch to Russian certificates:
https://www.vtb.ru/product/otvety/certificates/

The Rosreestr website displays a warning when opening the home web page.

The largest RuNet websites that have switched to Russian cryptography:

  1. Sberbank www.sberbank.ru - Russian Trusted Sub CA certificate
  2. Treasury of the Russian Federation www.roskazna.ru - Russian Trusted Sub CA certificate
  3. Rosreestr rosreestr.gov.ru/ - Russian Trusted Sub CA certificate

The State Services portal www.gosuslugi.ru, as of the beginning of 2024, uses a GlobalSign certificate.

What are the main certificates used by Russian Federation websites?

Root certificates recommended for installation by the State Services website (gosuslugi.ru/crt):

| No. | Certificate name | CER file | Valid until |
|---|---|---|---|
| 1 | Russian Trusted Root CA | russian_trusted_root_ca.cer | 02/27/2032 |
| 2 | Russian Trusted Sub CA | russian_trusted_sub_ca.cer | 03/06/2027 |

Root certificates recommended for installation by the Federal Treasury website (instructions):

| No. | Certificate name | CER file | Valid until |
|---|---|---|---|
| 3 | Certificate of the Ministry of Telecom and Mass Communications of Russia (Head Certification Center), key ID: 8b 98 3b 89 18 51 e8 ef 9c 02 78 b8 ea c8 d4 20 b2 55 c9 5d | e-trust | 07/17/2027 |
| 4 | Certificate of the Ministry of Telecom and Mass Communications of Russia (Head Certification Center), GOST R 34.10-2012 | guts_2012.cer | 07/01/2036 |
| 5 | Certificate of the Ministry of Telecom and Mass Communications of Russia (Head Certification Center), 2022 | Kornevoy-certifikat-GUTS-2022.CER | 01/08/2040 |

Description:
1) Russian Trusted Root CA - the main certificate of the Russian Federation, from which the Russian Trusted Sub CA was issued. Used in the chain of trust of most sites.
2) Russian Trusted Sub CA - the issuing certificate with which the sites are "signed": Sberbank, Roskazna and Rosreestr. The most common one on websites of the Russian Internet. The official portal does not list certificates other than these two; apparently they are enough to work with the websites of State Services and the banks.
3) Certificate of the Ministry of Telecom and Mass Communications of Russia (Head Certification Center) with key ID 8b 98 3b 89 18 51 e8 ef 9c 02 78 b8 ea c8 d4 20 b2 55 c9 5d - the trusted root certification authority. The main root certificate for all certification authorities (CA); the certificates of the other CAs are intermediate.
4) Guts2012 - certificate of the Head Certification Center of the Ministry of Telecom and Mass Communications of Russia. Used by the Roskazna websites and the SUFD (budget financing) web application.
5) Guts2022 - certificate of the Head Certification Center of the Ministry of Telecom and Mass Communications of Russia. Used by the Roskazna website and the SUFD (budget financing) web application. Information about the GUTS certificates is available on the Roskazna website in PDF.

How to install root certificates (CA) on Windows?

On Windows, "click" the downloaded certificates as described in the article on the website www.gosuslugi.ru/crt.

Or use a CMD file that will install all certificates from the current directory:

@echo off
rem Install every .cer file from the current directory into the
rem current user's Trusted Root Certification Authorities store.
rem (plain "for" iterates files; "for /d" would only match directories)
for %%G in (*.cer) DO call :s_subroutine "%%G"
goto :EOF
:s_subroutine
CertMgr.exe /c /add %1 /s root
echo:
goto :EOF

See the description of the CertMgr command-line switches on the Microsoft website.

The certmgr.exe file is part of the Windows SDK, which is available on the Microsoft website. Links to the Windows SDK installer for Windows 7, 8.1, 10 and 11 are provided in the next article.

How to download all website certificates via HTTPS?

Saving the certificates served by the website rosreestr.ru to a file:

echo -n | openssl s_client -showcerts -connect rosreestr.ru:443 2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > rosreestr_bundle.crt

View certificate headers from a file:

while openssl x509 -noout -text; do :; done < ~/rosreestr_bundle.crt | grep "CN =" 

The same for the State Services website:

echo -n | openssl s_client -showcerts -connect gosuslugi.ru:443 2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gu_bundle.crt

while openssl x509 -noout -text; do :; done < ~/gu_bundle.crt | grep "CN ="

Does a padlock in the address bar guarantee the authenticity of the site?

It should be noted that certificates only protect the SSL/TLS connection. The presence of the "lock" icon does not guarantee the authenticity of the site (that is determined by DNS and the name registrars - for example, nic.ru, reg.ru or other registrars). I recommend always looking at the certificate behind the "lock" and carefully checking the domain name in the certificate against the domain shown in the address bar, in order to avoid man-in-the-middle (MitM) attacks. Note that Kaspersky Anti-Virus on Windows, when enabled, replaces the site certificate on port 443, because it decrypts the traffic, inspects it, and then re-encrypts it with its own certificate. This behavior of Kaspersky Anti-Virus is normal.

Addition from 01/17/2024: installation of Yandex browser for working with Russian websites

Instead of installing root certificates in the Firefox and Chromium browsers, you can install the Yandex web browser, which ships with all the necessary certificates.

1) Create a file for the Yandex Browser repository in the /etc/apt/sources.list.d folder:

cd /etc/apt/sources.list.d
sudo nano yandex-browser.list

Add the following line to the repository list file yandex-browser.list:

deb [arch=amd64] https://repo.yandex.ru/yandex-browser/deb stable main

Save with Ctrl+O, Ctrl+X.

2) Import the Yandex Browser repository signing key:

curl -fsSL https://repo.yandex.ru/yandex-browser/YANDEX-BROWSER-KEY.GPG | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/yandex-browser.gpg > /dev/null

Check:

file /etc/apt/trusted.gpg.d/yandex-browser.gpg

Answer: /etc/apt/trusted.gpg.d/yandex-browser.gpg: OpenPGP Public Key Version 4, Created Tue May 16 16:15:58 2023, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate

3) Checking free space:

df -h

About 1 GB of free space is required (300 MB for cache, 200 MB for downloading and 300 MB for software installation and 200 MB for profile).

Update apt cache and install package yandex-browser-stable:

sudo apt-get update
sudo apt install yandex-browser-stable

Yandex Browser will appear in the Start menu under Internet - Yandex Browser.

Source for installing Yandex Browser: https://browser.yandex.ru/help/about/install.html#browser-install.
