<div>
Did you follow the &quot;official&quot; steps: 
 
<a href="https://support.microsoft.com/en-us/topic/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01" rel="ugc">Digitally sign your macro project</a>? 
The &quot;Digitally sign a macro project in Excel, PowerPoint, Publisher, Visio, Outlook, or Word&quot; section. 
 
In this case, please post screenshots (no PII of the cert though).
</div>

<div>
Yes, I followed those official steps exactly.&nbsp;&nbsp;
</div>

<div>
Does your system has Comodo/Sectigo root CA cert installed? 
How did you test your cert? 
In which form was it delivered? Maybe you need to transform it to a different format first. 
 
Try the DigiCert clue: <a href="https://knowledge.digicert.com/solution/SO1451.html" rel="ugc">Select Include all certificates in the certificate path if possible</a>.
</div>

<div>
I agree this problem must be related to how the certificate is installed on my machine. &nbsp;My certificate was physically send by postal mail and is contained on a USB stick. &nbsp;This is my first time using a certificate so I don't understand your questions "Does your system has Comodo/Sectigo root CA cert installed? &nbsp;How did you test your cert? " &nbsp;Can you point me to any suggestions? I tried the DigiCert page you linked above, but the solution they suggest refer to Internet Explorer browser, which I believe is no longer available. &nbsp;Edge has no such menu options. &nbsp; Sorry but I have to be away from my computer for a while.&nbsp; But I will watch for your response.&nbsp; Thanks!
</div>

<div>
Each certificate has a certificate chain, which can be followed up until the root certificate authority. The OS follows up the certificate chain up to the root to check, if the certificate is valid. The most common certificate authorites are already present on your computer, all others can be resolved via your internet connection. It is not necessary (but recommended), that you computer has also the intermediate and root certificates installed, which belong to your code signing certificate. You can open your cert, look from which the cert is issued and then see, you you have exaclty this cert in you intermediate or root certificate store. Comodo/Sentigo ist a certificate authority which is even on the Microsoft reference list for hardware compatibility. So I do not think, that the cert is the problem. Certificates consist of a public key and a private key. If you want to sign projects, you must have the private key on the computer, where you want to sign the project. If this is not the computer, from which you requested the certificate, you may be missing the private key. So you ahve first to install the certificate on the computer, where you created the certificate request. From this computer you have to export the cer t(including private key) and import it on the machine, where you sign projects. You can check it if you open the cert in the cert management console (MMC). If you open your cert there, you see a line "You have a private key ..." as well as you can check the cert chain and all other information.&nbsp; &nbsp; &nbsp; Be aware, that a signed vba project is invalidated as far as you change anything. So I'm a bit wondering about you statement ... &nbsp; "after I sign the project &nbsp;and try to re-save it ".&nbsp;
</div>

<div>
There's a severe lack of online documentation for code-signing certs, and the cert companies don't have great tech support. Frequently, after the initial installation, I have to re-export the cert with the complete path to the root CA to get it to work. I still use pvkimprt.exe ind Internet Explorer. Here are my notes, hopefully you can modify them for whatever utility you are using: To export the keys as a .pfx file using pvkimprt.exe:&nbsp; c:\pvkimprt -pfx cert.spc key.pvk will bring up the export wizard. 1. In the first window tick 'Yes' to export the private key. 2. In the second window untick the option 'Enable strong protection..' and tick the option 'Include all certificates in the certification path if possible', then click next. 3. In the third window specify a private key password (do not forget it). 4. In the fourth window click &nbsp;'browse' and save the file to your desktop, click next and finish. 5. Once done go to your IE properties, click on Tools &gt; internet options &gt; content &gt; certificate &gt; remove, and remove the certificate from the Personal Certificate store. 6. Once completed import the backup file(.pfx) you created above into your IE browser. 7. Go to Tools &gt; internet options &gt; content &gt; certificates &gt; import, import the backup file(.pfx), during the import process mark the private key as exportable. Then reimport the pfx file and you should be able to sign code.
</div>

<div>
John &nbsp;brought another aspect into the play... Yes, before you import a certificate, make sure that there is no old one there... A certificate has a thumprint property, which is a unique hex number to identify the cert. Means, two certs with the same thumbprint are the same. &nbsp; But there can be several certs with the same name, but different thumprints. They are not equal!! &nbsp; So check the thumprint before you delete certificates... Where and how you import or export certificates doesn't really play a role. It has to be in the (correct) cert store and you need to have the private key. But in fact, the import sometimes has it own option how and where to store the cert. A code signing cert has to be in the personal cert store of the user. Be aware about that not all browsers use the microsoft cert store, Firefox has its own store. But should not play a role for office code signing. If you sign the project, make sure you select the correct certificate. Possibly you get more than one cert offered. 
</div>

<div>
Everything is on the same computer. &nbsp;I requested the cert on this computer, installed the cert on this computer, and am trying to sign on this computer. &nbsp;So transferring between computers is not the issue. I really am lost here! &nbsp;This is all new lingo to me, but I'm trying to figure it out. &nbsp;John, I have installed pvkimprt but I don't think I'm using it correctly. &nbsp;In your instructions, c:\pvkimprt -pfx cert.spc key.pvk is not literally what I type, is it? Don't I have to replace cert.spc with the full path to the certificate (have no idea where this lives) and I don't know what key.pvk is. &nbsp;Help? I tried the approach on the DigiCert help page Ste5an mentioned above. &nbsp;When I run IE, I can see my certificate in the personal CA. &nbsp; <a href="https://filedb.experts-exchange.com/incoming/2021/05_w19/1560115/codehelp1.PNG" rel="ugc"><img src="https://filedb.experts-exchange.com/incoming/2021/05_w19/1560115/codehelp1.PNG" class="fr-fic fr-dib"></a> When I try exporting it from the personal store, I get this message that private key cannot be exported.&nbsp;&nbsp;<img src="https://filedb.experts-exchange.com/incoming/2021/05_w19/1560116/codehelp2.PNG" class="fr-fic fr-dib"> So I proceed to the next screen. &nbsp;I choose PKCS and check the box for "Include all certifications in the certification path if possible." &nbsp;By the way, I tried all three formats with no success. <img src="https://filedb.experts-exchange.com/incoming/2021/05_w19/1560117/codehelp3.PNG" class="fr-fic fr-dib">At the end of the Wizard it says the export was successful. &nbsp;Then I go to the "Trusted Root Certificate Authorities" tab, and IMPORT the same file I just exported. &nbsp; I specify that is should place the certificate in the Trusted Root CA store, and it says it was successful, but I don't see my certificate on the list. &nbsp;Shouldn't I see it? &nbsp; <a href="https://filedb.experts-exchange.com/incoming/2021/05_w19/1560118/codehelp4.PNG" rel="ugc"><img src="https://filedb.experts-exchange.com/incoming/2021/05_w19/1560118/codehelp4.PNG" class="fr-fic fr-dib"></a> Sorry to sound so helpless, but I don't understand why this is so hard. &nbsp; Bembi, in response to your point about re-saving, I don't believe re-saving my VBA project after signing is considered a change. &nbsp;If I do not save, the signature is not saved, so there is no point in signing the code. What should I try next? 
</div>

codehelp3.PNG

codehelp4.PNG

codehelp2.PNG

codehelp1.PNG

<div>
Yea, looks complicate, is sometimes complicate, but as always, easy if you know the steps. First make sure that you have the private key. Just double click the code signing cert and see the comment at the end of the information box. There should be written "You have a private key..." or similar. Tipp: You should use a mmc console and add there the snapins for user and computer certificates. There you have a better overview over certs. Just type mmc, open mmc.exe and &nbsp;File - Add Snap in and search for certificate You have to add it twice, once for the computer, once for the user. Make sure the cert is in the Users/Personal folder and nowhere else... 1.) If you have a private key... Fine, go on. Otherwise you can stop as signing is not possible without a private key. Connected intermediate or root certificates should be in the correct folders. The signing process is quite easy, inside you vba project, Extras - Digital signature - Select the Code signing cert and OK. Waht happens now is, that the cert is added and Excel VBA tries to contact a timstamp service to timestamp the VBA Project too... 2.) Usually you get now a warning, that the time stamping failed. Yes, this is possibly the case if you never set it up. Or you use an invalid one, then you can get a lot of other errors. If it is just the warning, you may ignore it. But this has the effect, that the certificate gets invalid, if the cert expired. So, Excel starts complaining. But a code sign certificate can stay valid (until revoked) even if it is expired, if you have added a timestamp. There is no Office Tool, it happens automatically... And here I assume is the error. As trusted time servers can change, it is possible that you have a wrong setting in your registry or you are just missing them. Have a look at... HKEY_CURRENT_USER\Software\Microsoft\VBA\Security Here you should have... "TimeStampURL"=[TimeStampServerURL] "TimeStampRetryCount"=dword:00000003 "TimeStampRetryDelay"=dword:00000003 Check theTimestampURL... The correct value you ususally get from your issuer of the certificate. But at the end, it has to be any valid TimeStamp Server. So you can also use others, if the owner let you. They are offered by the cert authorities, but not all of them offer the service.&nbsp; It can be a root URL or a link to a page or script. If correctly set, you VBA project is not only signed, but also timestamped and the error or warning should disappear. Also the cert is valid for ever (if not revoked). NOTE: These are the settings for Microsft VBA Time Stamping. If you want to sign other objects, like a complete office file, you have to set similar settings inside the Office hive. So each application may have their own setting. If you want to sign EXE or DLL files, you usually use the command line tool "signtool" which is available by Visual Studio or Windows SDK. ANOTHER NOTE: You can export certs with private key, if you are on the device where you requested the cert, and the cert has the tag "Private Key is exportable". Usually this is part of the requesting process (you have to define inthe request, that it should be exportable). Nevertheless the cert authority may not want the key to be exported. Or, they offer several types of certs / downloads, some of them allow exporting, others not. &nbsp; 
</div>

<div>
Your current issues began when you imported the certificate. It's at that time that you would mark the private key as exportable. But since you didn't, you can't re-export it and can't use PFX format. Try deleting the cert and re-importing it, taking care to make the private key exportable this time. ​<a href="https://security.stackexchange.com/questions/233429/when-why-should-the-mark-this-key-as-exportable-option-be-selected-when-import" rel="ugc">When/why should the “mark this key as exportable” option be selected when importing a certificate?</a>​​​
</div>

<div>
Sure, as the key is not exportable from the vendor site... Either is was not set in the request, or your vendor didn't allow it by other reasons. But you may have a look at your vendors website, if you have an offer in different formats. But you have the private key, this is what you need.&nbsp; &nbsp; &nbsp;
</div>

<div>
You should contact Sectigo about an exportable private key. Re time stamping, the Security key does not exist until you create it. Here is <a href="https://sectigo.com/resource-library/time-stamping-server" rel="ugc">Sectigo's page</a> with the url of their time stamp server. Here is a page about setting up time stamping, though you shouldn't use the URL mentioned on it: <a href="https://knowledge.digicert.com/solution/SO7000.html" rel="ugc">Timestamp VBA Projects</a> Time stamping is important, because without it your projects will become unsigned when the cert expires in a year or two. I've had embarassing episodes with customers because of this. 
</div>

<div>
Hello Bryce, As long as you have the private key, the certificate should be fine. If you need to export the cert with key for any reason, you should go back to the sentigo website. As I said, sometimes they offer different formats to download. Not exactly sure why, but be able to export the private key is also a security risk. My ealier code signing certs were exportable as well, the last one not. The registry key for the time stamping is - as I said - optional, at least it is written in the documentation. But you always should be carefully with documentation. There changed a lot between 2018 and 2020. But just for validation, you may try to set them as they should. What works for me (Sentigo) is: (you can copy the text into a textfile and rename it to reg, then doubleclick.) Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\VBA\Security] "TimeStampURL"="http://timestamp.sectigo.com" "TimeStampRetryCount"=dword:00000003 "TimeStampRetryDelay"=dword:00000003 But Digicert "TimeStampURL"="http://timestamp.digicert.com" and GoDaddy "TimeStampURL"="http://tsa.starfieldtech.com" as well Additional notice: - Following the certificate you posted, Versatile is your company, right? Codesigning certs are issued to the company or name of the requester. - Microsoft changed a lot according certificates starting in 2018. This was due to the fact, that thex replaces their own infrastructure from SHA1 to SHA2 (sha256) certificates. So they have to make all OS SHA2 compliant. As newest vertificates are usually Version V3 certificates, which rely also on SHA2. Microsoft realized it by several "service stack" updates beginning in 2018.&nbsp; If your client as well as Office is up to date (fully patched), it not there issue. But make sure you got the service stack updates for your computer. You havn't posted any information about your OS version and MS Office version. This would be helpfull.
</div>

<div>
Oh, let me add another issue... There was a discussion in 2020 about the lifetime of certificates and their validity. Usually the validity is proved against a revocation list provided by the issuer of the cert. This procedure is not only a lot of maintenance, but also a potencial security lack.&nbsp; &nbsp; As they could not find a common agreement, Apple decided to change their browser behaviour what implemented a kind of new standard. This pushed all other instances to change their behaviour too. In the meanwhile, all actual browsers will deny web server certificates which are - issued after Sept 2020 - has a validity longer tha 13 month. This fact should not have an impact on issuing or using certificates, but may have an impact on the client side. Means, if you issue a web server certifate now, and the validity is longer than 13 month, all newer browser will not accept this cert as valid. You get a certificate warning. I'm not aware if this fact also influences code signing certificates. They behave a bit different. But I cannot explicitely exclude it. My code sign cert was issued before Sept 2020. therefore not affected. Nevertheless this issue should not affect the signing process as it.&nbsp;
</div>

<div>
Thanks again for your suggestions. &nbsp;I am using Windows 10, Office 365 Enterprise subscription (i.e., fully patched. ) Versatile Solutions LLC is my company name. &nbsp;My code signing certificate has an expiration of 36 months, so I hope it remains valid beyond a year. I have created in "VBA\Security" time stamp registry entries as explained by John. &nbsp; I have submitted another support ticket to Sectigo asking about private keys. Thanks.&nbsp;
</div>

<div>
Your certificate will stay valid, the question is, if it is trusted. So after the changes, what happens if you sign a project now? Sentico: The reason why they sometimes sound a bit helpless is, that the certificate authority has nothing to do with the private key. Either you create a request on your local machine. Then the private key in generated on your local machine. Or you create a private key by a tool, which is then installed on the local machine. The private key is a private to you. Only you have it and only you should have it. Nobody else and no cert authority will have something to do with it. Therefore it is completely obsolete to ask them about your private key. The only question is, why it is not exportable and if there is an option to download a cert with exportable key.&nbsp; The question is always, how to connect it back to your codesign certificate. Windows does it automatically as long as the request is created by windows, for other tools you have to follow the instructions of the tool. But as far as you see the remark, that you have a private key, everything should be fine. The usually only exception may be, that the permission on the private key are not as they should.&nbsp;
</div>

<div>
<div class="content wysiwyg-content fr-view">
I program in VBA for Microsoft Office (.dotm, .ppam, .xlam) add-ins and global templates. &nbsp;I have purchased an EV code signing certificate from Comodo/Sectigo. &nbsp;I am able to sign an .msi installer, but I also want to sign my VBA macro code inside the Office file types listed above. &nbsp;I am following the instructions provided at <a href="https://support.microsoft.com/en-us/topic/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01" rel="ugc">https://support.microsoft.com/en-us/topic/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01</a>&nbsp; &nbsp;However, after I sign the project &nbsp;and try to re-save it I get the following error message: &nbsp;"There was a problem with the Digital Certificate. The VBA Project could not be signed. The signature will be discarded." &nbsp;Sectigo customer support has not been helpful. &nbsp;How can I get this to work?
</div>
</div>


I program in VBA for Microsoft Office (.dotm, .ppam, .xlam) add-ins and global templates.  I have purchased an EV code signing certificate from Comodo/Sectigo.  I am able to sign an .msi installer, but I also want to sign my VBA macro code inside the Office file types listed above.  I am following the instructions provided at
https://support.microsoft.com/en-us/topic/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01
   However, after I sign the project  and try to re-save it I get the following error message:  "There was a problem with the Digital Certificate. The VBA Project could not be signed. The signature will be discarded."  Sectigo customer support has not been helpful.  How can I get this to work?

Code signing for VBA problems

Visual Basic for Applications (VBA) enables building user-defined functions (UDFs), automating processes and accessing Windows API and other low-level functionality through dynamic-link libraries (DLLs). VBA is closely related to Visual Basic and uses the Visual Basic Runtime Library, but it can normally only run code within a host application rather than as a standalone program. It can, however, be used to control one application from another via OLE Automation. VBA is built into most Microsoft Office applications.