Solved

How can I use Microsoft Certificate Authority Services to create a Microsoft Office/VBA Code Signing Digital Certificate

Posted on 2007-12-04
12
6,570 Views
Last Modified: 2013-11-27
Microsoft Office/VBA Code Signing Digital Certificates

I have a Windows Server 2003 with certificate authority services up and running, and I have generated some SSL web certificates successfully.

Now, I would like to generate a code signing digital certificate for a Microsoft Office/VBA Macro. Im guessing that since we are still talking about public/private keys system I would have to generate a certificate signing request (CSR) which I know how to do from IIS, but how can I generate a CSR from Excel/VBA?

What are the steps that I need to follow once I create the CSR?

0
Comment
Question by:camilorgp
  • 6
  • 5
12 Comments
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
Comment Utility
0
 

Author Comment

by:camilorgp
Comment Utility
tsmvp,
These links talk about SelfCert, not what I need. As I pointed out in my question I need guidance in order to create the code signing certificate using Microsoft Certificate Authority Services.
But thanks anyway.

Anybody know anything about Microsoft CA?
0
 
LVL 23

Expert Comment

by:TheCleaner
Comment Utility
0
 
LVL 23

Expert Comment

by:TheCleaner
Comment Utility
Oops...forgot to say that a MS CA won't be much good since nobody outside of your company will trust the certificate chain...that's why MS recommends using a self-signed cert.
0
 

Author Comment

by:camilorgp
Comment Utility
Hey Cleaner, Thanks for your posting.
I believe I need to explain my situation a little bit more, maybe I'm wrong so in that way you will help me figure that out.

The certificate will be trusted because we have created certificates for other purposes and the users are only inside of the company, this isn't for anybody that is not an employee. We have used MS CA to create SSL certificates for websites used only by our employees, like our OWA service.

This time around our dev department created some macros, again for internal consumption (employees only) but since we have set the macro security setting in all our PCs to High whenever they open the macros a warning pops up. So, we think that we can generate a certificate to sign this macros with MS CA, and since all of our employees already trust our internal CA, well it will work.

The question is, can we create such a certificate to sign these macros using Microsoft Certificate Authority Services?
And if it is possible, how?

Cleaner, please tell me I'm I right that this can be done, or I'm just wrong about my assumption?

0
 
LVL 23

Accepted Solution

by:
TheCleaner earned 500 total points
Comment Utility
Oh, sure you can definitely use your internal CA if it is just internal users that already trust your Enterprise CA.

By default you would use a user based cert for this, the problem being that by default as well it will mean that someone can simply change the digital signature if they have write access to the file containing the macro.  So your best bet is to save the file with the macro as a template.

Request a digital certificate from a Windows Server 2003 Certificate Authority
Open the Microsoft Certificate Services Web page (request this information from your system administrator).
Click the Request a certificate link, and then click the advanced certificate request link.
Click the Create and submit a request to this CA link.
On the Advanced Certificate Request page, enter the requested information, making sure to specify the Key Usage value as Signature or Both.
Click Submit, and then click Install this certificate. If the certificate for the issuing certificate authority is not already in your Trusted Root Certification Authorities folder, click Yes when you are prompted to add the certificate authority to this folder.

So as an example:

Open IE and got to http://serverCA/Certsrv  (where serverCA is your CA)
Then follow the steps above
 
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:camilorgp
Comment Utility
I'm currently on the step: "On the Advanced Certificate Request page, enter the requested information, making sure to specify the Key Usage value as Signature or Both"

On that page I have lots of options, so I will tell you what I think I should choose and then you tell me if I'm right or not.

Certificate Template:
Code Signing

Key Options:
Create new key set
CSP: Microsoft Enhanced Cryptographic Provider v1.0
Key Usage: Signature
Key Size: 1024
Automatic Key Container Name

Additional Optinos:
Request Format: CMC
Hash Algorithm: SHA-1

0
 
LVL 23

Expert Comment

by:TheCleaner
Comment Utility
That will work just fine.
0
 

Author Comment

by:camilorgp
Comment Utility
Ok, I just created the code signing certificate, I can see it from the Certification Authority Snap-in.
Now how do I use it to sign the macros?
0
 
LVL 23

Expert Comment

by:TheCleaner
Comment Utility
The code snippet should get you there...


From Excel, click Macro on the Tools menu, and then click Visual Basic Editor.
 

From Excel's Visual Basic Editor, click Digital Signature on the Tools menu.
 

In the Digital Signature dialog box (Figure 2), click the Choose button. 
 
 

Figure 2. The Digital Signature dialog box in Excel
 
 
 
 

 

Select the certificate you just created, as shown in Figure 3. 
 
 

Figure 3. The Select Certificate dialog box
 
 
 
 

 

Press OK twice.
 

From Excel's Visual Basic Editor, on the File menu select Save MSFT.xls.
 

Exit the Visual Basic Editor and Excel.

Open in new window

0
 

Author Comment

by:camilorgp
Comment Utility
Thank you Cleaner, it works like a charm.
Of course the 500 points are yours.

I know this last question wasn't part of the original question but maybe you know the answer, if you don't just post a simple "I don't know" and the points are yours anyway.

How can I extend the expiration date of a certificate?
Is there a place in the Certificate Authority admin snap in where I can set the default amount of time that a new certificate should be valid for? (for instance 5 years).

0
 
LVL 23

Expert Comment

by:TheCleaner
Comment Utility
Oh sure...easy one there...

http://support.microsoft.com/kb/254632
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Experts-Exchange is a great place to come for help with solutions for your database issues, and many problems are resolved within minutes of being posted.  Others take a little more time and effort and often providing a sample database is very helpf…
Using Microsoft Access, learn some simple rules for how to construct tables in a relational database. Split up all multi-value fields into single values: Split up fields that belong to other things into separate tables: Make sure that all record…
In Microsoft Access, when working with VBA, learn some techniques for writing readable and easily maintained code.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now