This article is a general overview of digital certificates
and how they relate to digitally signed Office macros, signed programs, and
ActiveX controls. This article answers the following questions:
- What is a digital certificate?
- What is a signature? Why do we need them?
- What happens with each security level?
- How can I get a signature?
What Is a Digital Certificate?
Digital signatures and certificates of authenticity can be
applied to executable programs, ActiveX controls, or Office Visual Basic for
Applications macros. These signatures provide you with the assurance that what
you are about to use comes from a realiable source and that it has not been
tampered with. Digital certificates help to eliminate macro viruses from being
introduced into your Office documents, your computer, and your local network.
A digital certificate is an ID that is carried with a file. To
validate a signature, a certifying authority validates information about the
software developers and then issues them digital certificates. The digital
certificate contains information about the person to whom the certificate was
issued, as well as information about the certifying authority that issued it.
When a digital certificate is used to sign programs, ActiveX controls, and
documents, this ID is stored with the signed item in a secure and verifiable
form so that it can be displayed to a user to establish a trust relationship.
What Is a Signature? Why Do We Need Them?
Office has introduced digital signatures to help users
distinguish legitimate code from undesirable and potentially damaging code. If
you open an Office document and see a macro security warning with digital
signature information, you can feel reasonably confident that the person (or
corporation) signing the macros also created them. You can choose to trust all
macros signed by this person by clicking to select the Trust all macros
from this source
check box. From then on, Office will enable the
macros without showing a security warning for any future documents containing
macros signed by this trusted source.
A digital signature is the
public certificate plus the value of the signed data encrypted by a private
key. The value is a number generated by a cryptographic algorithm for any data
that you want to sign. This algorithm makes it nearly impossible to change the
data without changing the resulting value. So, by encrypting the value instead
of the data, a digital signature allows the end user to verify the data was not
What Happens with Each Security Level?
To take advantage of the benefits of digital signatures for
macros, Office introduces security levels. To set the security level, on the Tools
menu, point to Macro
and click Security
. These security levels are outlined in the following table.
Low Turns off all macro security
warnings in Office programs.
Medium User prompted to enable or disable
the macros on a file-by-file basis.
High Only allows signed and trusted
code to run.
When opening a file with macros under medium
security, a security warning offers the user a choice between enabling or
disabling macros. The Office 2000 Medium Security Warning dialog box has
digital signature information, if it is available for the file being opened.
This security level allows existing Office 97 solutions, which are not yet
signed, to be enabled. Once a user chooses to trust all macros from a source,
Office on medium security will automatically enable signed macros from that
Under high security, Office silently disables
unsigned macros. This helps avoid accidental enabling of potentially dangerous
macros. To help fight the larger number of Microsoft Word macro viruses spread
through documents, Word 2000 is set to high security level by default. Under
high security, a security warning is shown for digitally signed macros that
have not been previously added to the Trusted Sources list. This allows you the
opportunity to inspect the digital certificate, and if you choose to trust all
macros from the source, click Enable Macros
. The Enable Macros button is unavailable until you click to
select the Always trust macros from this source
Low security is useful if you have installed the latest version of a
virus scanner and the most current virus signature files for that program and
you feel confident this virus scanner will detect all viruses. NOTE
: Microsoft recommends using antivirus software that is certified
by ICSA, Inc. ICSA is completely independent and shares vital security
information with security product manufacturers, developers, security experts,
academia, and corporations. For more information, see the following ICSA
Certified Anti-Virus Pr
oducts Web site: http://www.icsalabs.com/technology-program/anti-virus
For additional information about security levels, click the
article numbers below to view the articles in the Microsoft Knowledge Base:
XL2000: "The Macros in This Project Are Disabled" Error Running Macro
WD2000: Error Message: The Macros in the Project Are Disabled
How Can I Obtain a Signature?
To obtain a digitial signature, first, you must obtain a digital
certificate. One option is to get a fully certified certificate from a
certificate authority. Both individuals and commercial entities can obtain a
commercially authenticated certificate for their code. To learn about the
application process and requirements, see Introduction to Code Signing at the
Microsoft Authenticode Web site. A list of Certificate Authorities is provided
at the following Microsoft Web site:
A Certificate Authority can issue you a digital certificate for
code signing for a fee. The Certificate Authority will do an in-depth
identification check before issuing a digital certificate for signing code. Be
sure to get a digital certificate that can sign code with Microsoft
Authenticode (Verisign calls this Class 2 or 3; Thawte calls this Developer
Certificates), rather than one that can only sign e-mail. If you try to use a
digital certificate that is not authorized to sign code, Office will warn that
the digital certificate is not trustworthy.
You can create your own
certificate for personal use or testing purposes with the SelfCert.exe tool
provided in Office. This unauthenticated certificate will allow you to sign
your own macros, and to trust this digital certificate so that all macros you
sign will not generate a security warning. This type of certificate is not
validated by a Certifying Authority, therefore, other users will see a warning
not to trust it.
If you see the following security warning
This publisher has not been authenticated and therefore could be imitated. Do not trust these credentials.
and this is not your certificate, you should assume this
certificate was forged.
A malicious virus might be digitally signed
by a digital certificate by the name of "Microsoft Corp." However, the security
warning will warn you that this is not
an authenticated certificate, and therefore the certificate
cannot be from Microsoft.
To Install the SelfCert Tool
If you do not see a program icon for Digital Signature for VBA
Projects in your Office folder, to install the tool, follow these steps:
- Quit all Office programs. Click Start, point to Settings, and then click Control Panel.
- In Control Panel, double-click Add/Remove Programs.
- On the Install/Uninstall tab, click to select Office 2000 product, where Office 2000 product is the
version of Office you are using.
If you are using a stand-alone
version of one of the Office programs, click to select the appropriate product
in the list. Click Add/Remove.
- In the Setup dialog box, click Add or Remove Features.
- In the Microsoft Office 2000: Update Features dialog box, click the plus sign (+) to expand the features list
next to Office Tools. If the sign is already a minus sign (-), the features list is
- Click the symbol next to Digital Signature for VBA projects, and then click Run from My Computer in the list that appears. Click Update Now.
To Create a Test Certificate
To create a test certificate for use with your Visual Basic for
Applications projects in Office, follow these steps:
- Click Start, point to Programs, and then click Windows Explorer.
- In Windows Explorer, navigate to the
path\Microsoft Office\Office folder, where
path is the drive and folder location where you
- Find the SelfCert.exe program, and then double-click it to start it.
- After SelfCert starts, type your name in the Your name box, and then click OK.
This generates a digital certificate for the name you typed.