Using SelfCert to Create Digital Certificates in a Network Environment

by David Horowitz

In this article, I’ll discuss how to use SelfCert.exe to generate your own digital certificates (or signatures) to sign your in-house VBA template projects. Then I’ll explain how to install these templates on other machines which are set to High (or Medium) Macro Security. I’ll also provide links to useful Microsoft Knowledge Base articles. These instructions have been tested on Word 2002 (XP) and probably work similarly with Word 2000.

Scenario

You’re an in-house IT person, or perhaps a small developer. Your company (or client) needs to have Macro Security set to High (or at least Medium) to provide some sense of protection against macro viruses. You want to deploy some templates in Word with custom macros. Because of the macro security feature, you need to have your code signed with a digital certificate. You don’t want to purchase a digital certificate from a certificate authority just so you can deploy some templates with macros. You know you can use SelfCert.exe to generate your own certificate. It works fine on your development machine, but you’ve been having trouble deploying the templates onto other machines on the network. This article describes how to do it.

A few clarifications are in order. For one, even if you have an email antivirus system installed, leaving Macro Security set to High, or at least Medium, is a good idea. With it set to Medium, every time your user attempts to load a template which hasn’t been verified, she will get a dialog box asking if she wants to Enable Macros. Inconvenient, to say the least. With it set to High, your user won’t even be allowed to enable the macros if you haven’t verified the certificate.

One problem with certificates generated with SelfCert is that they can be forged. However, the forger would need to have specific knowledge about your in-house certificate. This would mean they would either have to have a big grudge against your company or client, or be someone in-house with a degree of technical sophistication. Under many circumstances, this is not a real risk. Where it is a real risk, however, you may wish to consider purchasing a verified code-signing digital signature from a Certificate Authority (CA). See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp for Microsoft’s list of Certificate Authorities.

Let’s Do It

The basic procedure is:

  • Create your template with custom macros or code
  • Locate or install SelfCert.exe on your development machine
  • Generate your own digital certificate using SelfCert.exe.
  • Sign your template with this new digital certificate
  • Copy the template to its desired location
  • Install the certificate on each machine

Let’s now look at each step in detail.

Create your Template with Custom Macros or Code

I’ll assume you know how to do this.

Locate or Install SelfCert.exe on Your Development Machine

SelfCert.exe is installed as part of Office XP—look in C:\Program Files\Microsoft Office\Office10. In Office 2000, it’s an optional component you can install—use Control Panel/Add/Remove Programs/Microsoft Office/Add or Remove Features/Update Features/Office Tools/Digital Signatures for VBA Projects. See the "To Install the SelfCert Tool" section of Microsoft Knowledge Base article Q206637 – OFF2000: Overview of Digital Certificates or the "Creating a Test Certificate" section of Q217221 – OFF2000: Using SelfCert to Create a Digital Certificate for VBA Projects for more info.

Generate Your Own Digital Certificate Using SelfCert.exe

To create your certificate, simply run SelfCert from wherever it is and enter the name you want to give the certificate. That’s it. The name can be your company’s name, or it can be something like "<Company Name> Internal", or whatever seems appropriate to you. See the "To Create a Test Certificate" section of Q206637 – OFF2000: Overview of Digital Certificates or the "Creating a Test Certificate" section of Q217221 – OFF2000: Using SelfCert to Create a Digital Certificate for VBA Projects for more info.

Sign Your Template with This New Digital Certificate

To sign your template, go into the Visual Basic Editor (Alt+F11 from Word), select the template project you wish to sign, select Tools/Digital Signature, select Choose, choose the certificate from the list, and click OK twice. Refer to the screen snapshots below. See the "Adding a Digital Signature to a Macro Project" section of Q307731 – HOW TO: Add a Digital Signature to a Custom Macro Project in an Office XP Program for more info.
 
Figure 1—The Digital Signature dialog box showing the user clicking the Choose button.

Figure 2—The Select Certificate dialog box showing the user selecting the certificate and clicking the OK button.

Copy the Template to its Desired Location

In a network environment, this may be to the Workgroup templates location. In Word, look in Tools/Options/File Locations. I’ll leave this part up to you.

Install the Certificate on Each Machine

This is the tough part that Dian Chapman and I collaborated on. And they said it couldn’t be done! I was unable to find any documentation on this procedure on the Web. The procedure is non-intuitive because you’re trying to trust a non-authenticated digital signature. You’ll want to do this procedure yourself (rather than having users do it) to make sure it’s done right. As you’ll see, it’s not really hard to do.

  1. Open a document based on the template in Word, using File/New/New from Template/General Templates. You will get the Macro Security dialog box.
  2. The dialog box will mention the name of the certificate. Click Details.

    Figure 3—The Security Warning dialog box showing the user clicking the Details button.
  3. Click on View Certificate.
  4. Click on Install Certificate.

    Figure 4—The Certificate dialog box showing the user clicking the Install Certificate button.
  5. A wizard will appear. Click Next twice and Finish.
  6. A dialog box may appear to ask if you are sure you want to Add the certificate. Click Yes.
  7. Click OK twice to get back to the dialog box shown during step 1.
  8. Check the Always trust macros from this publisher checkbox.
  9. Click Enable Macros.

That’s it!
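
A check that can follow the installation steps above, and that addresses the forgery caveat from the Scenario section, added here as an example that is not part of the original article: it lists every certificate carrying your in-house name in the current user’s stores and compares each thumbprint with the one from your development machine. It assumes a machine with PowerShell and that the steps above place the certificate in the current user’s Root or TrustedPublisher store; the certificate name and thumbprint are placeholders.

```powershell
# Added example: audit certificates that carry the in-house name on this machine.
# $CertName and $ExpectedThumbprint are placeholders. Read the real thumbprint
# from the certificate on the development machine (Details tab, Thumbprint field).
param(
    [string]$CertName           = 'Example Company Internal',
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-DEV-MACHINE>'
)

# Thumbprints copied from the dialog often contain spaces; strip them first.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

# Assumption: the certificate was installed into one of these current-user stores.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\TrustedPublisher'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        # Match on the display name only: a name is all a look-alike needs to copy.
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CertName } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Expires    = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                MatchesDev = ($_.Thumbprint -eq $expected)
            }
        }
}

if (-not $findings) {
    Write-Warning "No certificate named '$CertName' is installed for this user."
    exit 2
}

$findings | Format-Table -AutoSize

# Any same-named certificate with a different thumbprint was not generated by you.
$unexpected = @($findings | Where-Object { -not $_.MatchesDev })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) same-named certificate(s) do not match the expected thumbprint."
    exit 1
}
```

The exit code is 0 only when every certificate with that name matches the expected thumbprint, so the script can be run on each machine after the manual steps.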

Special thanks go to Dian Chapman for her assistance with this article.


References

For a good overall description of most of the process:
5-Minute Security Advisor—Signing Office Objects
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/5min/5min-402.asp

For an overview of digital certificates, a description of the different Macro Security levels, information about how to obtain a signature, and instructions for using SelfCert:
Microsoft Knowledge Base Article – Q206637
OFF2000: Overview of Digital Certificates
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q206637

For a brief description of how to use SelfCert:
Microsoft Knowledge Base Article – Q217221
OFF2000: Using SelfCert to Create a Digital Certificate for VBA Projects
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q217221

For a brief description of how to sign your code:
Microsoft Knowledge Base Article – Q307731
HOW TO: Add a Digital Signature to a Custom Macro Project in an Office XP Program
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307731

For Microsoft’s list of Certificate Authorities:
Microsoft Root Certificate Program Members
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp

