Digitally Signed Certificates and Macro Security

MrKowz

Colleagues,

I am running into an issue surrounding a self-signed digital cert and macro security for a client of mine. I have a series of workbooks programmed that the client would like to have set up so the end user does not have to "enable" macros manually. No problem, right? Created a certificate, signed all documents, had the client put my certificate into the "Trusted Publishers" on their domain, and push out group policy to set everyone's security level to "Disable all macros except digitally signed macros". This worked fantastic back with Excel 2003, but in Excel 2010 it still prompts the user. I have confirmed that my certificate is, in fact, showing up under the trusted publishers list and that the files I am testing with are signed with the same certificate. The only ways I've found to prevent the user from being prompted are to Enable all macros (client can't have this), and trusting an entire directory/subfolders (not desirable, but a last-ditch effort).

Excel tells me the certificate is invalid, which I understand.... I did not pay (and want to avoid) the $150 to purchase a 1-year Code-Signing certificate. Anyone know if there is anything I can do to get this working again?

Thanks in advance!

~Keith Mayfield
 

I have used them extensively in the past, but do not have Excel 2010 yet (still using 2007).
However, all the Google searches I have done seem to suggest that it should still work in 2010 (see: How to Create a Self-Signed Digital Certificate in Microsoft Office 2010).

The first thing I would check is make sure the self-cert you created is not expired (they expire after x number of years, meaning you will need to create a new one, and re-sign your projects that you still want to use).

The only other thing I can think of is maybe projects signed with a Self Cert created in an earlier version of Excel will not work in 2010, and maybe you need to create a new Self-Cert and sign with that. I don't know, that's just a shot in the dark.

Let me know if you figure this out! I am very interested, as we will be upgrading ourselves at some point in the near future.
 
That's the crazy thing, I just created the self-cert a month ago, and it doesn't expire until 2020. All of the work has been done in a single version of Excel. I've actually done all of the developing on the client's terminal server (including creating this self-cert)!

I'm still going to be researching, so I'll definitely follow up if I find anything, or hopefully someone else here can help narrow down the cause.

Thanks!
 
I'm curious as well.

I didn't know you could do that at all -- I thought a locally-generated certificate was good only on the machine on which it was created, behavior by design because there was no way to validate the certificate through a code-signing authority. I always thought of it as a convenient (safer) alternative to having trusted directories.
 
Yes, the Self-Cert asks the other users if they trust the signature (after the usual "Warning"). If they say yes and install the Self-Cert, then they won't get those warnings and any project signed with that Self-Cert will open on the computer, with those Macros enabled.

It worked quite well and was very handy. Nowadays, our IT staff likes to set up Trusted Locations instead on our users' computers. Probably not as safe as signed projects, but they don't expire.
 
Does the customer have the CA role installed in their AD forest?
The easiest thing to do would be to request a code signing cert from their AD CA Server.

It sounds to me like the cert you are using is not being stored in a proper, trusted certificate store.
 
Yes, the Self-Cert asks the other users if they trust the signature (after the usual "Warning"). If they say yes and install the Self-Cert, then they won't get those warnings and any project signed with that Self-Cert will open on the computer, with those Macros enabled.
I knew you could do that for a given workbook, I didn't know that you have the option of always trusting that signature as you do for verifiable certificates.
 
I knew you could do that for a given workbook, I didn't know that you have the option of always trusting that signature as you do for verifiable certificates.
Yep, that's the beauty of it! And it is free, too!
 
Does the customer have the CA role installed in their AD forest?
The easiest thing to do would be to request a code signing cert from their AD CA Server.

It sounds to me like the cert you are using is not being stored in a proper, trusted certificate store.

To my knowledge, it is being stored in the proper location, as it is showing up in the "Trusted Publishers" dialogue in Excel. I'll look into seeing if their AD CA server can create a new code signing cert. Wouldn't be much of a problem to re-sign all the workbooks. :)

Thanks for the advice!
 
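The checks raised in this thread (expiry, and whether the certificate sits in a trusted store), written out as an added PowerShell example that is not part of any post. The `-Thumbprint` value is a placeholder for the signing certificate's thumbprint, and the choice of stores and the chain test are assumptions about what is worth inspecting, not a confirmed fix.

```powershell
# Added diagnostic example; not code from the thread. Run on an affected workstation.
# -Thumbprint is a placeholder: pass the thumbprint of the certificate used to sign the VBA projects.
param(
    [Parameter(Mandatory)] [string] $Thumbprint
)

$Thumbprint     = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

# Publisher trust and root trust are separate stores; check both, per user and per machine.
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher',
          'Cert:\CurrentUser\Root',             'Cert:\LocalMachine\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        ForEach-Object { [pscustomobject]@{ Store = $store; Cert = $_ } }
}
if (-not $found) {
    Write-Warning "Certificate $Thumbprint is in none of the checked stores."
    return
}
$found | ForEach-Object { "Present in $($_.Store)" }

$cert = @($found)[0].Cert
$now  = Get-Date
"Subject:          $($cert.Subject)"
"Self-signed:      $($cert.Subject -eq $cert.Issuer)"
"Validity period:  $($cert.NotBefore) to $($cert.NotAfter)"
"Currently valid:  $($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)"

# List the enhanced key usages carried by the certificate, if it has that extension.
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    Select-Object -ExpandProperty Value
"Code Signing EKU: $($ekus -contains $codeSigningOid)"

# Build the chain the way Windows does; revocation is skipped because a
# self-signed certificate publishes no revocation list.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
"Chains to a trusted root: $($chain.Build($cert))"
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
```

A chain status of `UntrustedRoot` means the certificate's root (for a self-signed certificate, the certificate itself) is not in a Trusted Root Certification Authorities store on that machine, which is independent of it being listed under Trusted Publishers.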
