How can I use Microsoft Certificate Authority Services to create a Microsoft Office/VBA Code Signing Digital Certificate

Microsoft Office/VBA Code Signing Digital Certificates

I have a Windows Server 2003 with certificate authority services up and running, and I have generated some SSL web certificates successfully.

Now, I would like to generate a code signing digital certificate for a Microsoft Office/VBA macro. I'm guessing that since we are still talking about a public/private key system, I would have to generate a certificate signing request (CSR), which I know how to do from IIS, but how can I generate a CSR from Excel/VBA?

What are the steps that I need to follow once I create the CSR?

camilorgp Asked:

TheCleaner Commented:
Oh, sure you can definitely use your internal CA if it is just internal users that already trust your Enterprise CA.

By default you would use a user based cert for this, the problem being that by default as well it will mean that someone can simply change the digital signature if they have write access to the file containing the macro.  So your best bet is to save the file with the macro as a template.

Request a digital certificate from a Windows Server 2003 Certificate Authority
Open the Microsoft Certificate Services Web page (request this information from your system administrator).
Click the Request a certificate link, and then click the advanced certificate request link.
Click the Create and submit a request to this CA link.
On the Advanced Certificate Request page, enter the requested information, making sure to specify the Key Usage value as Signature or Both.
Click Submit, and then click Install this certificate. If the certificate for the issuing certificate authority is not already in your Trusted Root Certification Authorities folder, click Yes when you are prompted to add the certificate authority to this folder.

So as an example:

Open IE and go to http://serverCA/Certsrv (where serverCA is your CA)
Then follow the steps above
 
0
 
Cláudio Rodrigues (Founder and CEO) Commented:
0
 
camilorgp (Author) Commented:
tsmvp,
These links talk about SelfCert, not what I need. As I pointed out in my question I need guidance in order to create the code signing certificate using Microsoft Certificate Authority Services.
But thanks anyway.

Anybody know anything about Microsoft CA?
0
TheCleaner Commented:
Oops...forgot to say that a MS CA won't be much good since nobody outside of your company will trust the certificate chain...that's why MS recommends using a self-signed cert.
0
 
camilorgp (Author) Commented:
Hey Cleaner, Thanks for your posting.
I believe I need to explain my situation a little bit more, maybe I'm wrong so in that way you will help me figure that out.

The certificate will be trusted because we have created certificates for other purposes and the users are only inside of the company, this isn't for anybody that is not an employee. We have used MS CA to create SSL certificates for websites used only by our employees, like our OWA service.

This time around our dev department created some macros, again for internal consumption (employees only), but since we have set the macro security setting in all our PCs to High, whenever they open the macros a warning pops up. So, we think that we can generate a certificate to sign these macros with MS CA, and since all of our employees already trust our internal CA, well, it will work.

The question is, can we create such a certificate to sign these macros using Microsoft Certificate Authority Services?
And if it is possible, how?

Cleaner, please tell me, am I right that this can be done, or am I just wrong about my assumption?

0
 
camilorgp (Author) Commented:
I'm currently on the step: "On the Advanced Certificate Request page, enter the requested information, making sure to specify the Key Usage value as Signature or Both"

On that page I have lots of options, so I will tell you what I think I should choose and then you tell me if I'm right or not.

Certificate Template:
Code Signing

Key Options:
Create new key set
CSP: Microsoft Enhanced Cryptographic Provider v1.0
Key Usage: Signature
Key Size: 1024
Automatic Key Container Name

Additional Options:
Request Format: CMC
Hash Algorithm: SHA-1

0
 
TheCleaner Commented:
That will work just fine.
0
 
camilorgp (Author) Commented:
Ok, I just created the code signing certificate, I can see it from the Certification Authority Snap-in.
Now how do I use it to sign the macros?
0
 
TheCleaner Commented:
The code snippet should get you there...


From Excel, click Macro on the Tools menu, and then click Visual Basic Editor.

From Excel's Visual Basic Editor, click Digital Signature on the Tools menu.

In the Digital Signature dialog box (Figure 2), click the Choose button.

[Figure 2. The Digital Signature dialog box in Excel]

Select the certificate you just created, as shown in Figure 3.

[Figure 3. The Select Certificate dialog box]

Press OK twice.

From Excel's Visual Basic Editor, on the File menu select Save MSFT.xls.

Exit the Visual Basic Editor and Excel.

0
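
A check to run on the signing workstation once the certificate is installed and before it is picked in the Digital Signature dialog, as an added example that is not part of the thread: it lists each certificate in the current user's store and reports whether it carries the Code Signing EKU, has its private key, chains to a trusted root, and how strong its key and signature hash are. The function name Test-CodeSigningCert and the 2048-bit / weak-hash thresholds are assumptions of this example; it needs Windows PowerShell 5.1 or later.

```powershell
# Added example, not code from the thread. Thresholds are assumptions of this example.
$MinRsaBits     = 2048                 # assumed minimum RSA key size
$WeakHashPrefix = '^(sha1|md5|md2)'    # signature hashes reported as weak
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'  # id-kp-codeSigning EKU

function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $findings = @()
    $now = Get-Date

    # The Code Signing template should have put this EKU on the certificate.
    $ekuOids = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekuOids -notcontains $CodeSigningOid) { $findings += 'EKU lacks Code Signing' }

    # Without the private key the certificate cannot be used to sign on this machine.
    if (-not $Cert.HasPrivateKey) { $findings += 'private key not present in this store' }

    # Key size comes from the request; the certificate's signature hash is set by the issuing CA.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) { $findings += "RSA key is $($rsa.KeySize) bits" }
    if ($Cert.SignatureAlgorithm.FriendlyName -match $WeakHashPrefix) {
        $findings += "signed with $($Cert.SignatureAlgorithm.FriendlyName)"
    }

    if ($Cert.NotAfter -lt $now -or $Cert.NotBefore -gt $now) { $findings += 'outside validity period' }

    # Does the chain end in a root this machine trusts (here, the internal CA)?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $findings += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-CodeSigningCert -Cert $_ } | Format-List
```

A chain finding of RevocationStatusUnknown usually means the CA's CRL distribution point could not be reached from the workstation.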
 
camilorgp (Author) Commented:
Thank you Cleaner, it works like a charm.
Of course the 500 points are yours.

I know this last question wasn't part of the original question but maybe you know the answer, if you don't just post a simple "I don't know" and the points are yours anyway.

How can I extend the expiration date of a certificate?
Is there a place in the Certificate Authority admin snap in where I can set the default amount of time that a new certificate should be valid for? (for instance 5 years).

0
 
TheCleaner Commented:
Oh sure...easy one there...

http://support.microsoft.com/kb/254632
0
Question has a verified solution.
