Microsoft Office 2000/Visual Basic Programmer's Guide
To digitally sign VBA projects in your solution, you must first obtain a digital certificate for software publishing. There are three ways of getting a digital certificate:
Note: Depending on how digital signing is administered in an organization, you may not be allowed to create your own digital certificate or sign your own documents. Typically, in this scenario, only solutions signed with approved certificates are allowed to run. In this case, you need to submit your solution to an administrator to have it signed before it can be distributed.
When the security level is set to High in your Office 2000 application, only signed macros from trusted sources can be run; the macros in all other documents are disabled. If you want to use the High security setting for macros you write yourself, you either need to obtain a certificate from a certification authority as described later in this section, or create a digital certificate for your own use. For information about setting the security level for your Office 2000 applications, see "Setting the Security Level" later in this chapter.
To create a digital certificate for your own use, you run the Create Digital Certificate utility (Selfcert.exe) and enter information about yourself that will be stored in the certificate. Because a digital certificate created this way isn't issued by a formal certification authority, it is called a self-signed certificate, and VBA projects signed by using such a certificate are referred to as self-signed projects. Depending on how Office 2000 digital-signature features are being used in your organization, you may be prevented from using such a certificate, or other users may not be able to trust macros in self-signed projects.
Before you can create a self-signed certificate, you must install the Create Digital Certificate utility (Selfcert.exe), which isn't installed if you select Typical during the Office 2000 installation.
To install the Create Digital Certificate utility
Selfcert.exe will be installed in the same folder as the Office 2000 applications, which by default is the C:\Program Files\Microsoft Office\Office folder.
To create a self-signed digital certificate
Selfcert.exe will create and install a self-signed certificate that you can use to sign VBA projects on the current computer. To create a self-signed certificate to use on another computer, run Selfcert.exe again on that computer.
Important: In most cases, a self-signed certificate created with Selfcert.exe should be used only for personal use or for testing purposes. To use Microsoft Office macro-virus protection features in the most secure fashion possible, you and your organization should sign VBA projects only with certificates issued by a certification authority. If you sign a VBA project by using a self-signed certificate and security is set to Medium or High, the first time you open the document containing the signed VBA project, the Security Warning dialog box is displayed, indicating that the certificate used to sign the VBA project wasn't issued by a certification authority and shouldn't be trusted. You can safely trust a VBA project you have signed yourself by using a self-signed certificate, and if you do so, the Security Warning dialog box won't be displayed the next time you open the document. However, as a general security policy, an organization should either lock the trusted sources list to prevent users from trusting any certificates other than those provided by administrators, or strongly discourage users from trusting VBA projects signed with self-signed certificates.
Depending on how Office 2000 digital-signature features are being used in your organization, you may be able to obtain a digital certificate from your organization's internal certification authority. Your organization's publication process may not allow you to sign documents containing macros yourself. In this case, an administrator would sign a document that contains macros for you by using an approved certificate. For more information about your organization's policy, contact your network administrator or IT department.
To obtain a digital certificate from a commercial certification authority, you or your organization must submit an application.
Depending on your status as a developer, you should apply for either a Class 2 or Class 3 digital certificate for software publishers:
When you receive your digital certificate, you will be given instructions on how to install it on the computer you use to sign your Office solutions.
If you have Microsoft Internet Explorer 5 installed, you can back up or transfer your digital certificate to another computer. To do this, you use the Certificate Manager to export or import your certificate.
To use the Certificate Manager to export or import a digital certificate
Note: In order to use a personal digital certificate to sign VBA projects, your digital certificate must include a private key. When exporting a personal digital certificate, be sure to choose to include its private key.
Once you have your digital certificate installed, you can sign the VBA projects associated with Word, Excel, and PowerPoint documents, templates, and add-ins. For Outlook, you can sign the VBA project that is associated with the installation of Outlook on a particular computer, or if user profiles are in use, for a particular user on that computer. You should do this only after your solution has been tested and is ready for deployment, because any time code in a signed VBA project is modified in any way, its digital signature is removed. However, modifying the contents of the document other than the VBA code won't invalidate the signature on a VBA project contained within the document. This is because only the VBA project is signed, not the entire document. If you want to prevent users of your solution from accidentally modifying your VBA code and invalidating your signature, lock the VBA project before signing it. For information about how to lock a VBA project, see "Locking Your Solution's VBA Project" earlier in this chapter.
Note: Locking your VBA project doesn't prevent another user from replacing the digital signature with another signature. This is allowed so that a system administrator or end user can replace a current signature with an approved signature or re-sign a document after a previous signature expires.
Similarly, if you produce an add-in that adds code to a document's VBA project, your code should determine if the project is digitally signed and notify the user of the consequences of modifying a signed project before continuing. For more information, see "Using Code and Objects in a Signed VBA Project from Automation" later in this chapter.
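The check described above, as an added example that is not part of the original guide: a helper an add-in can call before writing code into a host document's VBA project. It assumes the host object is a Word Document, Excel Workbook, or PowerPoint Presentation, each of which exposes a read-only VBASigned property; the function name OkToModifyProject and the message wording are illustrative.

```vba
Option Explicit

' Added example (not from the original guide).
' Returns True if it is acceptable to modify the VBA project of objHost.
' Assumption: objHost is a Word Document, Excel Workbook, or PowerPoint
' Presentation. OkToModifyProject is a hypothetical helper name.
Public Function OkToModifyProject(ByVal objHost As Object) As Boolean
    Dim blnSigned As Boolean
    Dim strPrompt As String

    Select Case TypeName(objHost)
        Case "Document", "Workbook", "Presentation"
            ' PowerPoint returns an MsoTriState (msoTrue = -1); CBool
            ' normalizes it to the Boolean that Word and Excel return.
            blnSigned = CBool(objHost.VBASigned)
        Case Else
            ' Unknown host type: refuse rather than guess.
            OkToModifyProject = False
            Exit Function
    End Select

    ' Unsigned project: there is no signature to lose.
    If Not blnSigned Then
        OkToModifyProject = True
        Exit Function
    End If

    strPrompt = "The VBA project in '" & objHost.Name & "' is digitally " & _
        "signed. Changing its code removes the signature, and its macros " & _
        "may be disabled until the project is signed again." & vbCrLf & _
        vbCrLf & "Do you want to continue?"

    ' Default to No so that pressing ENTER leaves the signature intact.
    OkToModifyProject = (MsgBox(strPrompt, vbYesNo + vbExclamation + _
        vbDefaultButton2, "Signed VBA Project") = vbYes)
End Function
```

An add-in would call `OkToModifyProject(ActiveDocument)` (or the equivalent workbook or presentation object) and skip its code insertion when the function returns False.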
Important: You can't sign VBA projects in Excel workbooks that contain Excel 4.0 macro sheets (XLM). If you try to sign a workbook that contains XLM macros, an error message is displayed. You must remove all XLM macros before you can sign the workbook.
To digitally sign a VBA project
Note: If a VBA project has been signed previously, clicking Choose and selecting a new digital certificate replaces the previous signature. To remove a signature from a previously signed project, click Remove.