Configuring trust for certificates of the Russian Ministry of Digital Development for working with Bank 131 services
To ensure your system can connect to Bank 131 services over a secure TLS channel, it needs to trust the Russian certificate authorities that issue our certificates.
If the required root certificates are missing from your operating system or application software's trusted certificate store, the certificate chain validation will fail, and the connection cannot be established.
Install the Russian Trusted CA certificates in advance—this will reduce the risk of disruptions when working with our services and ensure stable integration.
Main steps
- Get the current certificates from the National Certification Center of the Russian Ministry of Digital Development (Russian Trusted CA).
- Install the root and intermediate Russian Trusted CA certificates into the trusted certificate store of your operating system or software platform.
- Verify that the integration is working properly.
Getting the certificates
Current certificates and official instructions are available on the Gosuslugi portal:
https://www.gosuslugi.ru/crt.
Install two certificates:
- Russian Trusted Root CA — root certificate
- Russian Trusted Sub CA — intermediate certificate
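An added example, not part of the Bank 131 instructions: a check to run on the two downloaded files before installing them, confirming that they form a valid root and intermediate pair. `verify_ca_pair` and `fail` are hypothetical helper names, the file names in the usage comment are the ones used in the Linux commands on this page, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the Bank 131 page. verify_ca_pair and fail are
# hypothetical helpers; requires the openssl command-line tool.
# Usage: sh check_ca.sh russian_trusted_root_ca.pem russian_trusted_sub_ca.pem

fail() { echo "FAIL: $1" >&2; return 1; }

verify_ca_pair() {
    root=$1; sub=$2

    for f in "$root" "$sub"; do
        # Each file must parse as X.509, be unexpired, and be marked as a CA.
        openssl x509 -in "$f" -noout 2>/dev/null || { fail "$f: not a readable certificate"; return 1; }
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || { fail "$f: expired"; return 1; }
        openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || { fail "$f: not a CA certificate"; return 1; }
    done

    # A trust anchor is self-issued: its issuer name equals its own subject name.
    root_name=$(openssl x509 -in "$root" -noout -subject_hash)
    [ "$root_name" = "$(openssl x509 -in "$root" -noout -issuer_hash)" ] ||
        { fail "$root: not self-issued, so not a root"; return 1; }

    # The intermediate must name that root as its issuer ...
    [ "$root_name" = "$(openssl x509 -in "$sub" -noout -issuer_hash)" ] ||
        { fail "$sub: issuer is not $root"; return 1; }

    # ... and its signature must verify under the root's public key.
    openssl verify -CAfile "$root" "$sub" >/dev/null 2>&1 ||
        { fail "$sub: signature does not chain to $root"; return 1; }

    # Print subject and SHA-256 fingerprint of each file for the change record.
    for f in "$root" "$sub"; do
        openssl x509 -in "$f" -noout -subject -fingerprint -sha256
    done
}

# Run the check only when both file names are given on the command line.
if [ "$#" -eq 2 ]; then
    verify_ca_pair "$1" "$2"
fi
```

The script exits non-zero on the first failed check; on success it prints each certificate's subject and SHA-256 fingerprint so they can be recorded alongside the change.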
Installing the certificates
For Windows
- Download the Russian Trusted CA certificates.
- Double-click the certificate file to open it.
- Select Install Certificate.
- Launch the Certificate Import Wizard.
- Place the certificate in the Trusted Root Certification Authorities store.
- Complete the import and confirm the installation.
- Restart the applications and browsers you are using.
For Linux
For Debian/Ubuntu-based systems, run the following commands:
sudo cp russian_trusted_root_ca.pem /usr/local/share/ca-certificates/russian_trusted_root_ca.crt
sudo cp russian_trusted_sub_ca.pem /usr/local/share/ca-certificates/russian_trusted_sub_ca.crt
sudo update-ca-certificates
For RHEL/CentOS-based systems:
sudo cp russian_trusted_*.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
After updating the certificate store, restart your application services.
For Java
If your integration runs on Java, you may need to additionally import the certificates into the JVM truststore:
# Create a separate truststore and import both certificates
keytool -importcert -alias russian_trusted_root \
-file russian_trusted_root_ca.pem \
-keystore russian_truststore.jks \
-storepass <password> -noprompt
keytool -importcert -alias russian_trusted_sub \
-file russian_trusted_sub_ca.pem \
-keystore russian_truststore.jks \
-storepass <password> -noprompt
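Specify the truststore when launching the application. Note that javax.net.ssl.trustStore replaces the JVM's default truststore rather than extending it, so the application will trust only the certificates in this file: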
java -Djavax.net.ssl.trustStore=/path/to/russian_truststore.jks \
-Djavax.net.ssl.trustStorePassword=<password> \
-jar app.jar
Verifying the installation
To verify that the trusted certificate chain is available:
- send a test request to the Bank 131 API
- ensure there are no SSL/TLS errors
- check that the application logs do not contain any entries about an untrusted certificate or certificate chain validation errors
Possible errors when the required root or intermediate certificates are missing from the trusted store:
- certificate verify failed
- unable to get local issuer certificate
- certificate chain validation error
- SSL handshake failed