PHP
oculos, 2021-03-06 09:23:40

How to sign a request to ESIA using a certificate from CryptoPro?

Hello.
I'm trying to generate a request for an authorization code.
Maybe someone can suggest what I'm doing wrong.

The customer, using CryptoPro CSP, uploaded the ES certificate file to me in .pfx format.
I threw it onto Ubuntu and loaded it with the command:

certmgr -install -store uMy -file "<file_name>.pfx" -pfx -silent -keep_exportable -pin <password>


I wrote the string to be signed (`$params['scope'].$params['timestamp'].$params['client_id'].$params['state']`) to the file /tmp/message and signed the file with this command:

cryptcp -signf -der -dir /tmp -strict -cert --hashAlg 1.2.643.7.1.1.2.2 -detached -thumbprint <thumbprint> /tmp/message


As a result, I got the file tmp/message.sgn

I read this file and encode it as URL-safe base64:

$signature = file_get_contents("tmp/message.sgn");

$encoded = base64_encode($signature);
$encoded = str_replace(array('+','/','='),array('-','_',''),$encoded);
$encoded = str_replace(PHP_EOL, "", $encoded);


I substitute the resulting string as the client_secret GET parameter in the request.

As a result, I get the error
ESIA-007005 "The client system does not have the right to request an access token using this method"

The error text hints that we need to somehow request more rights; however, on several forums I saw messages saying it was possible to overcome this error by correcting the signature generation mechanism.
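
A pre-flight check for the step where the .sgn file is read and encoded, as an added example that is not part of the original post: it confirms the bytes are one complete DER CMS SignedData structure before producing the URL-safe base64 value. The function names and the sample bytes are assumptions made for illustration.

```php
<?php
// Added example; function names and sample values are assumptions, not from the post.

/** URL-safe base64 without padding (same substitution as in the post). */
function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/**
 * True if $der is exactly one definite-length DER SEQUENCE that starts with the
 * CMS signedData OID 1.2.840.113549.1.7.2. Rejects PEM/base64 text, truncated
 * files and trailing bytes.
 */
function looks_like_der_signed_data(string $der): bool
{
    if (strlen($der) < 2 || $der[0] !== "\x30") {      // outer SEQUENCE tag
        return false;
    }
    $len = ord($der[1]);
    $pos = 2;
    if ($len >= 0x80) {                                 // long-form length
        $n = $len & 0x7f;
        if ($n === 0 || $n > 4 || strlen($der) < 2 + $n) {
            return false;                               // indefinite or oversized
        }
        for ($len = 0, $i = 0; $i < $n; $i++) {
            $len = ($len << 8) | ord($der[$pos++]);
        }
    }
    if ($pos + $len !== strlen($der)) {                 // truncated or trailing data
        return false;
    }
    $oid = "\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02";
    return substr($der, $pos, strlen($oid)) === $oid;
}

// Constructed sample: a minimal SEQUENCE holding only the signedData OID.
$sample = "\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02";
var_dump(looks_like_der_signed_data($sample));                  // raw DER bytes
var_dump(looks_like_der_signed_data(base64_encode($sample)));   // base64 text instead of DER
var_dump(looks_like_der_signed_data($sample . "\n"));           // one trailing byte
echo base64url_encode($sample), "\n";

// With the real file: read the .sgn produced by cryptcp, run the check, then encode.
```

The check only inspects the outer structure; it does not verify the signature or the hash algorithm used.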
