Signing a VBA Project
To digitally sign VBA projects in your solution, you must first obtain a digital certificate for software publishing. There are three ways of getting a digital certificate:
* Create a digital certificate for your own use. Such a certificate would only be used to sign macros for your own use or for sharing within a small workgroup.
* Obtain a digital certificate from your organization’s internal certification authority. Some organizations and corporations may choose to have a security administrator or group act as its own certification authority and produce or distribute digital certificates by using tools such as Microsoft Certificate Server. Microsoft Certificate Server can function as a stand-alone certificate authority or as part of an existing certificate authority hierarchy.
* Obtain a digital certificate from a commercial certification authority such as VeriSign, Inc.
Note Depending on how digital signing is administered in an organization, you may not be allowed to create your own digital certificate or sign your own documents. Typically in this scenario only solutions signed with approved certificates will be allowed to run. In this case, you need to submit your solution to an administrator to have it signed before it can be distributed.
Creating Your Own Digital Certificate
When the security level is set to High in your Office 2000 application, only signed macros from trusted sources can be run; the macros in all other documents are disabled. If you want to use the High security setting for macros you write yourself, you either need to obtain a certificate from a certification authority as described later in this section, or create a digital certificate for your own use. For information about setting the security level for your Office 2000 applications, see “Setting the Security Level” later in this chapter.
To create a digital certificate for your own use, you run the Create Digital Certificate utility (Selfcert.exe) and enter information about yourself that will be stored in the certificate. Because a digital certificate created in this fashion isn’t issued by a formal certification authority, a digital certificate created this way is called a self-signed certificate and VBA projects signed by using such a certificate are referred to as self-signed projects. Depending on how Office 2000 digital-signature features are being used in your organization, you may be prevented from using such a certificate, or other users may not be able to trust macros in self-signed projects.
Before you can create a self-signed certificate, you must install the Create Digital Certificate utility (Selfcert.exe), which isn’t installed if you select Typical during the Office 2000 installation.
To install the Create Digital Certificate utility
1. In the Control Panel, double-click Add/Remove Programs.
2. On the Install/Uninstall tab, click Microsoft Office 2000. and then click Add/Remove .
3. In the Microsoft Office 2000 Maintenance Mode dialog box, click the Add or Remove Features button.
4. Expand Office Tools and set Digital Signature for VBA Projects to Run from My Computer .
5. Click Update Now .
Selfcert.exe will be installed in the same folder as the Office 2000 applications, which by default is the C:\Program Files\Microsoft Office\Office folder.
To create a self-signed digital certificate
1. Run Selfcert.exe from My Computer or Windows Explorer.
2. In the Your name box, type your name and any other identifying information you want associated with this certificate, and then click OK .
Selfcert.exe will create and install a self-signed certificate that you can use to sign VBA projects on the current computer. To create a self-signed certificate to use on another computer, run Selfcert.exe again on that computer.
Important . In most cases, a self-signed certificate created with Selfcert.exe should be used only for personal use or for testing purposes. To use Microsoft Office macro-virus protection features in the most secure fashion possible, you and your organization should sign VBA projects only with certificates issued by a certification authority. If you sign a VBA project by using a self-signed certificate, if security is set to Medium or High, the first time you open the document containing the signed VBA project, the Security Warning dialog box is displayed, indicating that the certificate used to sign the VBA project hasn’t been issued by a certification authority and shouldn’t be trusted. Obviously, you can safely trust a VBA project you have signed yourself by using a self-signed certificate, and if you do so the Security Warning dialog box won’t be displayed the next time you open the document. However, as a general security policy an organization should either lock the trusted sources list to prevent users from trusting any certificates other than those provided by administrators or should strongly discourage users from trusting VBA projects signed with self-signed certificates.
Requesting a Digital Signature from Your Organization
Depending on how Office 2000 digital-signature features are being used in your organization, you may be able to obtain a digital certificate from your organization’s internal certification authority. Your organization’s publication process may not allow you to sign documents containing macros yourself. In this case, an administrator would sign a document that contains macros for you by using an approved certificate. For more information about your organization’s policy, contact your network administrator or IT department.
Obtaining a Digital Signature from a Commercial Certification Authority
To obtain a digital certificate from a
commercial certification authority, you or your organization must submit an application.
Depending on your status as a developer, you should apply for either a Class 2 or Class 3 digital certificate for software publishers:
- A Class 2 digital certificate is designed for people who publish software as individuals. This class of digital certificate provides assurance as to the identity of the individual publisher.
- A Class 3 digital certificate is designed for companies and other organizations that publish software. This class of digital certificate provides greater assurance about the identity of the publishing organization. Class 3 digital certificates are designed to represent the level of assurance provided today by retail channels for software. An applicant for a Class 3 digital certificate must also meet a minimum financial stability level based on ratings from Dun & Bradstreet Financial Services.
When you receive your digital certificate, you will be given instructions on how to install it on the computer you use to sign your Office solutions.
Backing Up or Transferring a Digital Certificate to Another Computer
If you have Microsoft Internet Explorer 5 installed, you can back up or transfer your digital certificate to another computer. To do this, you use the Certificate Manager to export or import your certificate.
To use the Certificate Manager to export or import a digital certificate
1. Right-click the Internet Explorer icon on your desktop, and then click Properties on the shortcut menu.
2. On the Content tab, click Certificates. This displays the Certificate Manager dialog box, which lists all the certificates installed on your computer. Your personal certificates are listed on the Personal tab.
3. Do one of the following:
- To export a certificate, select the certificate in the list, and then click Export. This starts the Certificate Manager Export Wizard. Follow the instructions in the wizard’s dialog boxes to save your certificate to a file.
Note: In order to use a personal digital certificate to sign VBA projects, your digital certificate must include a private key. When exporting a personal digital certificate, be sure to choose to include its private key.
- To import a certificate, click Import. This starts the Certificate Manager Import Wizard. Follow the instructions in the wizard’s dialog boxes to install a certificate that has been saved to a file.
Signing Your VBA Project
Once you have your digital certificate installed, you can sign the VBA projects associated with Word, Excel, and PowerPoint documents, templates, and add-ins. For Outlook, you can sign the VBA project that is associated with the installation of Outlook on a particular computer, or if user profiles are in use, for a particular user on that computer. You should do this only after your solution has been tested and is ready for deployment, because any time code in a signed VBA project is modified in any way, its digital signature is removed. However, modifying the contents of the document other than the VBA code won’t invalidate the signature on a VBA project contained within the document. This is because only the VBA project is signed, not the entire document. If you want to prevent users of your solution from accidentally modifying your VBA code and invalidating your signature, lock the VBA project before signing it. For information about how to lock a VBA project, see “Locking Your Solution’s VBA Project” earlier in this chapter.
Note : Locking your VBA project doesn’t prevent another user from replacing the digital signature with another signature. This is allowed so that a system administrator or end user can replace a current signature with an approved signature or re-sign a document after a previous signature expires.
Similarly, if you produce an add-in that adds code to a document’s VBA project, your code should determine if the project is digitally signed and notify the user of the consequences of modifying a signed project before continuing. For more information, see “Using Code and Objects in a Signed VBA Project from Automation” later in this chapter.
Important : You can’t sign VBA projects in Excel workbooks that contain Excel 4.0 macro sheets (XLM). If you try to sign a workbook that contains XLM macros, an error message is displayed. You must remove all XLM macros before you can sign the workbook.
To digitally sign a VBA project
1. Open the document or template that contains the VBA project you want to sign. For Outlook, open Outlook on the computer that contains the VBA project you want to sign. If user profiles are in use, log on as the user whose Outlook VBA project you want to sign.
2. Open the Visual Basic Editor.
3. In the Project Explorer, select the project you want to sign.
4. On the Tools menu, click Digital Signatures .
5. Do one of the following:
- If you haven’t previously selected a digital certificate, or want to use another one, click Choose. select the certificate, and click OK twice.
- Click OK to use the current certificate.
Note : If a VBA project has been signed previously, clicking Choose and selecting a new digital certificate replaces the previous signature. To remove a signature from a previously signed project, click Remove .