Solved

How can I use Microsoft Certificate Authority Services to create a Microsoft Office/VBA Code Signing Digital Certificate

Posted on 2007-12-04
12
6,936 Views
Last Modified: 2013-11-27
Microsoft Office/VBA Code Signing Digital Certificates

I have a Windows Server 2003 with certificate authority services up and running, and I have generated some SSL web certificates successfully.

Now, I would like to generate a code signing digital certificate for a Microsoft Office/VBA Macro. Im guessing that since we are still talking about public/private keys system I would have to generate a certificate signing request (CSR) which I know how to do from IIS, but how can I generate a CSR from Excel/VBA?

What are the steps that I need to follow once I create the CSR?

0
Comment
Question by:camilorgp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20406576
0
 

Author Comment

by:camilorgp
ID: 20407043
tsmvp,
These links talk about SelfCert, not what I need. As I pointed out in my question I need guidance in order to create the code signing certificate using Microsoft Certificate Authority Services.
But thanks anyway.

Anybody know anything about Microsoft CA?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 20424101
0
Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

 
LVL 23

Expert Comment

by:TheCleaner
ID: 20424115
Oops...forgot to say that a MS CA won't be much good since nobody outside of your company will trust the certificate chain...that's why MS recommends using a self-signed cert.
0
 

Author Comment

by:camilorgp
ID: 20424192
Hey Cleaner, Thanks for your posting.
I believe I need to explain my situation a little bit more, maybe I'm wrong so in that way you will help me figure that out.

The certificate will be trusted because we have created certificates for other purposes and the users are only inside of the company, this isn't for anybody that is not an employee. We have used MS CA to create SSL certificates for websites used only by our employees, like our OWA service.

This time around our dev department created some macros, again for internal consumption (employees only) but since we have set the macro security setting in all our PCs to High whenever they open the macros a warning pops up. So, we think that we can generate a certificate to sign this macros with MS CA, and since all of our employees already trust our internal CA, well it will work.

The question is, can we create such a certificate to sign these macros using Microsoft Certificate Authority Services?
And if it is possible, how?

Cleaner, please tell me I'm I right that this can be done, or I'm just wrong about my assumption?

0
 
LVL 23

Accepted Solution

by:
TheCleaner earned 500 total points
ID: 20424788
Oh, sure you can definitely use your internal CA if it is just internal users that already trust your Enterprise CA.

By default you would use a user based cert for this, the problem being that by default as well it will mean that someone can simply change the digital signature if they have write access to the file containing the macro.  So your best bet is to save the file with the macro as a template.

Request a digital certificate from a Windows Server 2003 Certificate Authority
Open the Microsoft Certificate Services Web page (request this information from your system administrator).
Click the Request a certificate link, and then click the advanced certificate request link.
Click the Create and submit a request to this CA link.
On the Advanced Certificate Request page, enter the requested information, making sure to specify the Key Usage value as Signature or Both.
Click Submit, and then click Install this certificate. If the certificate for the issuing certificate authority is not already in your Trusted Root Certification Authorities folder, click Yes when you are prompted to add the certificate authority to this folder.

So as an example:

Open IE and got to http://serverCA/Certsrv  (where serverCA is your CA)
Then follow the steps above
 
0
 

Author Comment

by:camilorgp
ID: 20428885
I'm currently on the step: "On the Advanced Certificate Request page, enter the requested information, making sure to specify the Key Usage value as Signature or Both"

On that page I have lots of options, so I will tell you what I think I should choose and then you tell me if I'm right or not.

Certificate Template:
Code Signing

Key Options:
Create new key set
CSP: Microsoft Enhanced Cryptographic Provider v1.0
Key Usage: Signature
Key Size: 1024
Automatic Key Container Name

Additional Optinos:
Request Format: CMC
Hash Algorithm: SHA-1

0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 20429090
That will work just fine.
0
 

Author Comment

by:camilorgp
ID: 20429265
Ok, I just created the code signing certificate, I can see it from the Certification Authority Snap-in.
Now how do I use it to sign the macros?
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 20429547
The code snippet should get you there...


From Excel, click Macro on the Tools menu, and then click Visual Basic Editor.
 
From Excel's Visual Basic Editor, click Digital Signature on the Tools menu.
 
In the Digital Signature dialog box (Figure 2), click the Choose button. 
 
 
Figure 2. The Digital Signature dialog box in Excel
 
 
 
 
 
Select the certificate you just created, as shown in Figure 3. 
 
 
Figure 3. The Select Certificate dialog box
 
 
 
 
 
Press OK twice.
 
From Excel's Visual Basic Editor, on the File menu select Save MSFT.xls.
 
Exit the Visual Basic Editor and Excel.

Open in new window

0
 

Author Comment

by:camilorgp
ID: 20430756
Thank you Cleaner, it works like a charm.
Of course the 500 points are yours.

I know this last question wasn't part of the original question but maybe you know the answer, if you don't just post a simple "I don't know" and the points are yours anyway.

How can I extend the expiration date of a certificate?
Is there a place in the Certificate Authority admin snap in where I can set the default amount of time that a new certificate should be valid for? (for instance 5 years).

0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 20434496
Oh sure...easy one there...

http://support.microsoft.com/kb/254632
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Database maintenance 36 100
Error Sorting a calculated table field control 2 22
Item not found in this collection 5 31
SQL Server Compression Decision 5 39
You need to know the location of the Office templates folder, so that when you create new templates, they are saved to that location, and thus are available for selection when creating new documents.  The steps to find the Templates folder path are …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
What’s inside an Access Desktop Database. Will look at the basic interface, Navigation Pane (Database Container), Tables, Queries, Forms, Report, Macro’s, and VBA code.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question