
Digital Certificates and Trusted Sources for running Excel Macros under High Macro Security

Microsoft Root Certificate Program Members  - A list from Microsoft of 3rd party Certificate Authorities.

MakeCert.exe info:  (**** excellent post)
SOLUTION:
Searching around on the internet led me to Christian d'Heureuse's
article on creating exportable Certificates
(http://www.source-code.biz/snippets/vbasic/3.htm).  This article
basically describes how to create a certificate using makecert.exe
instead of selfcert.exe.  I think the more important part to this is
that it allows you to create a PKCS #12 certificate, which allows
backups and private key exporting.
 
How to create a self-signed certificate that can be used to sign MS-Office VBA projects (Excel-Word macros) on multiple computers
(another good file on MakeCert.   Lacks instructions for how to import into other computers or network libraries).
 
How to use selfcert in a network environment:
http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=194  (***** excellent post)
 
A shorter method works on our home network.  
Create a selfcert.   Digitally sign the VBA projects.  Save the workbook.
On another computer, set Macro Security to High.   Open the signed workbook.
You get a Dialog: Security Warning:
contains macros by:   (Name on selfcert Certificate)
"This publisher has not been authenticated and therefore could be imitated.
Do not trust these credentials."
At home, I am able to check the "Always trust macros from this publisher".   (Maybe because I have administrator or Power User access.) 
Then I click Enable Macros.  My workbook opens.   The next time I open the workbook I do not get the Security Warning dialog and the macros work.

I signed a workbook with a selfcert from my computer, then emailed the workbook to a client at another corporation who tried to open the workbook. That client was unable to check the box "Always trust macros...". However, by following the extra steps outlined in the linked referenced LPMArticle, that client was able to successfully install the certification, which then enabled the check box "Always trust macros". That client was listed as an administrator on that computer, so there is reason to doubt this technique works for every user.
 
Nevertheless, it proves under some circumstances you can open a selfcert.exe signed Excel workbook on a computer on a different domain than the signing computer. - Stephen Rasey
 
From the Excel Help: Troubleshoot security and protection:
I can't add a macro developer to the list of trusted sources.
The list of trusted sources might be locked
    Your system administrator might have locked your list of trusted sources so that you cannot add new macro developers to it.
The certificate for the source may not be authenticated.
    You can only add certificates to your list of trusted sources if they have been authenticated. Note that certificates created with the Selfcert.exe tool are considered to be unauthenticated and can only be added to the list of trusted sources on the computer on which they were created.
[This is not true. I was able to open a selfcert signed workbook on a second computer under the same userid and domain. I have administrator privilege on both computers. It might take administrative privileges, but you can open a workbook on a computer on a different domain.]
 
How to use selfcert.exe
Implement digital signatures with macros for identity authentication  (Vanover July 2004)

[selfcert.exe] is not installed by default; you need to add it manually
(Add/Remove Programs -> Office -> Change Installation -> Digital
Sig. for VBA), something like that. [Nick - 8/27/2004]

Tom Ogilvy 21-Jul-2004 excel.programming   "How certify my xls file"   A list of related links to Microsoft documents.

Developer's Corner Digitally Signing Office VBA Projects - The Naked PC Newsletter (#3.23)  - a good step by step.

Microsoft Pages:
Macro Security Levels in Office 2003  (MS Office Online)   Mostly says that selfcert cannot be used in distribution.
Microsoft Office Developer Forum - Microsoft Office Digital Certificates   (Office 2000)
MS Office 2000 Macro Security  - very long paper from MS Technet.
 
What's the difference between using MAKECERT and purchasing a key from CA such as Verisign   (from MCSE message board)
Having a certificate issued by a commercial trusted CA enables your applications to have some transparency (in terms of trust checking) and tells your customers that you care enough to at a minimum go through the subject verification process (credit check, employment history etc.) that CAs use.  - Michel Gallant   MVP Security

[how to import the key into the CA ROOT Store]
If you have a local .cer (binary or b64) file, double click it and select the "Install Certificate .." button. Select "Place all certificates in the following store" checkbox and select the "Trusted Root Certification Authorities" store (i.e. the ROOT store).
You will get a warning box telling you that this is an important security decision. So THINK about what it means to do this!
Cheers, - Mitch Gallant, MVP Security
 
 
Google Search Newsgroup: Digital Signature for WORD macros  30-Oct-2003 -
Google Search Newsgroups: Digital Signature for WORD macros msg#10
I think buying a Verisign VBA certificate is well worth $400 per year to avoid all the trouble you are facing. How much have all your troubles cost so far? How much will the maintenance cost be in the future with creating your own certificate? How much time will you spend before all computers have your root certificate installed? Each time someone gets a new computer, or gets a new hard disk, your root certificate has to be installed on that machine again. If you calculate the total costs of using your own issued certificates, I think buying a Verisign certificate will be well worth the money. After all, using digital certificates is all about security and there are no shortcuts. - Lars-Eric Gisslén (microsoft.public.word.vba.general 03-Nov-2003)
 
Creating Certifications for Macros
Self-certs are for use on one computer only.  See Help on Certificates.
If you make it a "trusted certificate" through MMC and export the *.cer file
to the other computer, you will be able to use it.
Gord Dibben Excel MVP   [.excel.programming 8/26/2004]

How To use MMC: http://searchsupport.verisign.com/content/kb/vs4224.html
Microsoft main topic: Code Signing Office XP Visual Basic for Applications Macro Projects

 
 

For questions or comments concerning content on this website: Stephen Rasey
Design of this site by Cheryl D. Wise
Copyright © 2000-2004 by WiserWays. All rights reserved.
Revised: 2005-07-10 01:09.