[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


How to digitally sign a VBA project

Posted on 2008-06-12
Medium Priority
Last Modified: 2010-11-08
I am trying to add a digital signature to a  VBA project that is to be used by internal users.  I am using the signature to prevent the security warning, without having to lower the security settings.  I setup CA on our Windows 2003 server, imported it on my machine withing IE.  I open a test vba project and attempt to add th digital signature.  At this point the only warning I see is when I look at the details of the certificate from within the VBA project is 'All the intended purposes of this certificate could not be verified.'  At this point I try to save the project and get an error:
'There was a problem with the digital certificate.  VBA project in the file ... could not be signed.  The signature will be disgarded.
Is this a problem with the certificate itself.  Do I need to generate a specific type?  If so, how?
Question by:rkanter
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 81

Accepted Solution

byundt earned 2000 total points
ID: 21774790
Hello rkanter,
I am not familiar with the process of setting yourself up as a certificate authority. But perhaps the procedure below (for a personal digital certificate) may alert you to a missing step.

If you want to purchase a digital certificate from a certificate authority, it involves considerable expense ($400/year on up), and you need to submit documentation of who you are to a third-party firm who then issues the certificate. VeriSign describes their process here: http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/how-it-works.html

If you don't have very many people using your macros, you may want to look into using an unofficial digital certificate instead. It takes a little effort to implement, but you can't beat the price--free!

The following discussion was originally posted by zorvek, with a few tweaks by me. An unofficial digital certificate can be added to an Excel workbook so that, after a one time interaction with the user where the user either allows or disallows that digitial certificate, the user can then repeatedly open the workbook and run macros without any warnings at all, even if their security setting is high. An extended description of how to create and use digital certificates can be found at http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=194. A brief tutorial is included below.

To create a free unsecure code-signing digital certificate locate and run SelfCert.exe. It is an optional utility installed as part of the Office installation found in the Office installation directory. If not found, open the Add/Remove Programs control panel, run the Office Installer, and install Digital Signature for VBA projects under Office Tools. When run SelfCert asks for a name - enter any meaningful name or description. The text entered is displayed to the user whenever they are asked to accept or decline the digital certificate. For more information see http://support.microsoft.com/default.aspx?scid=kb;en-us;Q217221.

Once the digital certificate has been created on the development system, open the workbook and press ALT+F11 to open the VBE. Select the menu command Tools->Digital Signature. Click Choose and select the desired digital certificate (they are listed by name.) Click OK. Click OK again. The workbook now contains a digital signature. Since the development system already has the digital signature installed, the workbook will now open on that system without any macro warning prompt.

To allow the workbook to run without the macro security warning on another system the digital certificate has to be installed on those systems as well. Microsoft doesn't salute this possibility at all, but if you are willing to go to each machine for a one-time set-up, it is possible to use the personal digital certificate for this purpose. Far from ideal, I know, but avoiding it means purchasing a commercial digital certificate costing $400/year or more.

You'll need to do this next step on each computer. Copy the workbook to a target system and open it. Excel will present the Security Warning dialog. Click Details to show the Digital Signature Details dialog. Click View Certificate to show the Certificate dialog. Click Install Certificate. Click Next twice and then Finish. Click Yes when the prompt is displayed asking if the certificate should be installed. Click OK on the completion dialog. Click OK twice more to close the widows. Click Enable Macros on the Security Warning to open the workbook. In the future any workbook with that digital certificate installed will open without a macro security warning.

If you have the ability to install settings on user's computers using group policy, then it is not necessary to go to each computer.
1) Create a local certificate using selfcert.exe as described above
2) Open AD users and Computers Edit the group policy that applies to the group you want to trust the macro
3) Expand >computer configuration > security settings > public key policy > Enterprise Trust
4) Right click new > certificate trust list
5) Check "code signing"
Finally you will see the cert you made earlier.

Since it is relatively easy for someone to forge an unsecure digital certificate and place it in a malicious workbook, this method of avoiding macro security warnings may not be an acceptable solution. In the event that a decision is made to abandon this technique the installed digital certificates can be easily removed by opening the Internet Options dialog from either Internet Explorer or from the control panels and navigating to the Content tab. Click on Certificates. Find the certificates to be deleted (they should be in either the Trusted Root Certification Authorities or Other People section,) selecting them, and click the Remove command button. Click Done when finished.

If true security is required then a secure digital certificate can be purchased from any of the many Certificate Authorities. See Microsoft's list of Certificate Authorities at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp.

For more information on macro security settings in Office, see http://office.microsoft.com/en-us/assistance/HA011362661033.aspx.



Author Comment

ID: 21779344
First thanks for all the info.  We have about 200 users.  I was really hoping to create our own CA.  I'll review the information and see if it helps.
Thanks again for all the details.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes how to use a set of graphical playing cards to create a Draw Poker game in Excel or VB6.
If you need to forecast numbers -- typically for finance -- the Windows and Mac versions of Excel 2016 have a basket of tools to get the job done.
The viewer will learn how to create a normally distributed random variable in Excel, use a normal distribution to simulate the return on an investment over a period of years, Create a Monte Carlo simulation using a normal random variable, and calcul…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question