In this article, I'll discuss how to use SelfCert.exe to generate your
own digital certificates (or signatures) to sign your in-house VBA template
projects. Then I'll explain how to install these templates on other machines
which are set to High (or Medium) Macro Security. I'll also provide links
to useful Microsoft Knowledge Base articles. These instructions have been tested
on Word 2002 (XP) and probably work similarly with Word 2000.
Scenario
You're an in-house IT person, or perhaps a small developer. Your company (or
client) needs to have Macro Security set to High (or at least Medium) to provide
some sense of protection against macro viruses. You want to deploy some templates
in Word with custom macros. Because of the macro security feature, you need
to have your code signed with a digital certificate. You don't want to purchase
a digital certificate from a certificate authority just so you can deploy some
templates with macros. You know you can use SelfCert.exe to generate your own
certificate. It works fine on your development machine, but you've been having
trouble deploying the templates onto other machines on the network. This article
describes how to do it.
A few clarifications are in order. For one, even if you have an email antivirus
system installed, leaving Macro Security set to High, or at least
Medium, is a good idea. With it set to Medium, every time your user attempts
to load a template which hasn't been verified, she will get a dialog box asking
if she wants to Enable Macros. Inconvenient, to say the least. If Macro
Security is set to High and you haven't verified the certificate, your user
won't even be allowed to enable the macros.
One problem with certificates generated with SelfCert is that they can be forged.
However, the forger would need to have specific knowledge about your in-house
certificate. This means they would either have to have a big grudge against
your company or client, or be someone in-house with a degree of technical sophistication.
Under many circumstances, this is not a real risk. Where it is, however,
you may wish to consider purchasing a verified code-signing digital signature
from a Certificate Authority (CA). See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp
for Microsoft's list of Certificate Authorities.
Let's Do It
The basic procedure is:
- Create your template with custom macros or code
- Locate or install SelfCert.exe on your development machine.
- Generate your own digital certificate using SelfCert.exe.
- Sign your template with this new digital certificate
- Copy the template to its desired location
- Install the certificate on each machine
Let's now look at each step in detail.
Create your Template with Custom Macros or Code
I'll assume you know how to do this.
Locate or Install SelfCert.exe on Your Development Machine
SelfCert.exe is installed as part of Office XP; look in
C:\Program Files\Microsoft Office\Office10. In Office 2000, it's an optional
component you can install; use Control Panel/Add/Remove Programs/Microsoft
Office/Add or Remove Features/Update Features/Office Tools/Digital Signatures
for VBA Projects. See the To Install the SelfCert Tool section of Microsoft
Knowledge Base article Q206637 - OFF2000: Overview of Digital Certificates or
the Creating a Test Certificate section of Q217221 - OFF2000: Using SelfCert
to Create a Digital Certificate for VBA Projects for more info.
Generate Your Own Digital Certificate Using SelfCert.exe
To create your certificate, simply run SelfCert from wherever it is and
enter the name you want to give the certificate. That's it. The name can be
your company's name, or it can be something like "<Company Name> Internal",
or whatever seems appropriate to you. See the To Create a Test Certificate
section of Q206637 - OFF2000: Overview of Digital Certificates or the Creating
a Test Certificate section of Q217221 - OFF2000: Using SelfCert to Create a
Digital Certificate for VBA Projects for more info.
Sign Your Template with This New Digital Certificate
To sign your template, go into the Visual Basic Editor (Alt+F11
from Word), select the template project you wish to sign, select Tools/Digital
Signature, select Choose, choose the certificate from the list, and
click OK twice. Refer to the screen snapshots below. See the
Adding a Digital Signature to a Macro Project section of
Q307731 - HOW TO: Add a Digital Signature to a Custom Macro Project in an Office XP
Program for more info.

Figure 1: The Digital Signature dialog box showing the user clicking
the Choose button.
Figure 2: The Select Certificate dialog box showing the user selecting
the certificate and clicking the OK button.
Copy the Template to its Desired Location
In a network environment, this may be to the Workgroup templates location. In
Word, look in Tools/Options/File Locations. I'll leave this part up to
you.
Install the Certificate on Each Machine
This is the tough part that Dian
Chapman and I collaborated on. And they said it couldn't be done! I was
unable to find any documentation on this procedure on the Web. The procedure
is non-intuitive because you're trying to trust a non-authenticated digital
signature. You'll want to do this procedure yourself (rather than having users
do it) to make sure it's done right. As you'll see, it's not really hard to
do.
- Open a document based on the template in Word, using File/New/New from
Template/General Templates. You will get the Macro Security dialog
box.
- The dialog box will mention the name of the certificate. Click Details.
Figure 3: The Security Warning dialog box showing the user clicking
the Details button.
- Click on View Certificate.
- Click on Install Certificate.
Figure 4: The Certificate dialog box showing the user clicking the
Install Certificate button.
- A wizard will appear. Click Next twice and Finish.
- A dialog box may appear to ask if you are sure you want to Add the
certificate. Click Yes.
- Click OK twice to get back to the dialog box shown during
step 1.

- Check the Always trust macros from this publisher checkbox.
- Click Enable Macros.
That's it!
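Because a SelfCert certificate can be forged by anyone who knows its name, it is worth confirming after deployment that each machine holds the certificate you generated and not merely one with the same name. The following PowerShell check is an added example, not part of the original procedure; it compares thumbprints and searches every certificate store of the current user, since it does not assume which store the wizard chose. It assumes Windows PowerShell 3.0 or later, and the name and thumbprint are placeholders you replace with the values from your development machine.

```powershell
# Added example: find certificates that carry the in-house SelfCert name and
# compare each one's thumbprint with the certificate made on the dev machine.
# Both values below are placeholders (assumptions), not values from the article.
$ExpectedName       = 'Contoso Internal'                   # name typed into SelfCert
$ExpectedThumbprint = 'PASTE-THUMBPRINT-FROM-DEV-MACHINE'  # Details tab of the certificate

function Get-NormalizedThumbprint([string]$Value) {
    # The Details tab shows the thumbprint with spaces; the Cert: provider does not.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$expected = Get-NormalizedThumbprint $ExpectedThumbprint
if ($expected.Length -ne 40) {
    throw 'Set $ExpectedThumbprint to the 40-hex-digit SHA-1 thumbprint first.'
}

# Walk every store under CurrentUser and keep only certificate objects
# (the recursion also returns the store containers themselves).
$found = Get-ChildItem -Path Cert:\CurrentUser -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.Subject -like "*$ExpectedName*" }

$report = foreach ($cert in $found) {
    [pscustomobject]@{
        Store      = ($cert.PSParentPath -split '\\')[-1]   # e.g. Root, My
        Subject    = $cert.Subject
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Match      = ($cert.Thumbprint -eq $expected)
    }
}

$report | Format-Table -AutoSize

$mismatched = @($report | Where-Object { -not $_.Match })
if (-not $report) {
    Write-Warning "No certificate named '$ExpectedName' is installed for this user."
}
elseif ($mismatched.Count -gt 0) {
    # Same display name, different key: this is what a forged copy looks like.
    Write-Warning "$($mismatched.Count) certificate(s) use the expected name but a different thumbprint."
}
```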
Special thanks go to Dian
Chapman for her assistance with this article.
References
For a good overall description of most of the process:
5-Minute Security Advisor: Signing Office Objects
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/5min/5min-402.asp
For an overview of digital certificates, a description of the different
Macro Security levels, information about how to obtain a signature, and instructions
for using SelfCert:
Microsoft Knowledge Base Article - Q206637
OFF2000: Overview of Digital Certificates
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q206637
For a brief description of how to use SelfCert:
Microsoft Knowledge Base Article - Q217221
OFF2000: Using SelfCert to Create a Digital Certificate for VBA Projects
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q217221
For a brief description of how to sign your code:
Microsoft Knowledge Base Article - Q307731
HOW TO: Add a Digital Signature to a Custom Macro Project in an Office XP
Program
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307731
For Microsoft's list of Certificate Authorities:
Microsoft Root Certificate Program Members
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp