Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Description of digital certificates
Article ID: 206637 - View products that this article applies to.
This article was previously published under Q206637
This article is a general overview of digital certificates and how they relate to digitally signed Office macros, signed programs, and ActiveX controls. This article answers the following questions:
What Is a Digital Certificate?Digital signatures and certificates of authenticity can be applied to executable programs, ActiveX controls, or Office Visual Basic for Applications macros. These signatures provide you with the assurance that what you are about to use comes from a realiable source and that it has not been tampered with. Digital certificates help to eliminate macro viruses from being introduced into your Office documents, your computer, and your local network.
A digital certificate is an ID that is carried with a file. To validate a signature, a certifying authority validates information about the software developers and then issues them digital certificates. The digital certificate contains information about the person to whom the certificate was issued, as well as information about the certifying authority that issued it. When a digital certificate is used to sign programs, ActiveX controls, and documents, this ID is stored with the signed item in a secure and verifiable form so that it can be displayed to a user to establish a trust relationship.
What Is a Signature? Why Do We Need Them?Office has introduced digital signatures to help users distinguish legitimate code from undesirable and potentially damaging code. If you open an Office document and see a macro security warning with digital signature information, you can feel reasonably confident that the person (or corporation) signing the macros also created them. You can choose to trust all macros signed by this person by clicking to select the Trust all macros from this source check box. From then on, Office will enable the macros without showing a security warning for any future documents containing macros signed by this trusted source.
A digital signature is the public certificate plus the value of the signed data encrypted by a private key. The value is a number generated by a cryptographic algorithm for any data that you want to sign. This algorithm makes it nearly impossible to change the data without changing the resulting value. So, by encrypting the value instead of the data, a digital signature allows the end user to verify the data was not changed.
What Happens with Each Security Level?To take advantage of the benefits of digital signatures for macros, Office introduces security levels. To set the security level, on the Tools menu, point to Macro and click Security. These security levels are outlined in the following table.
When opening a file with macros under medium security, a security warning offers the user a choice between enabling or disabling macros. The Office 2000 Medium Security Warning dialog box has digital signature information, if it is available for the file being opened. This security level allows existing Office 97 solutions, which are not yet signed, to be enabled. Once a user chooses to trust all macros from a source, Office on medium security will automatically enable signed macros from that trusted source.
Level Action --------------------------------------------- Low Turns off all macro security warnings in Office programs. Medium User prompted to enable or disable the macros on a file-by-file basis. High Only allows signed and trusted code to run.
Under high security, Office silently disables unsigned macros. This helps avoid accidental enabling of potentially dangerous macros. To help fight the larger number of Microsoft Word macro viruses spread through documents, Word 2000 is set to high security level by default. Under high security, a security warning is shown for digitally signed macros that have not been previously added to the Trusted Sources list. This allows you the opportunity to inspect the digital certificate, and if you choose to trust all macros from the source, click Enable Macros. The Enable Macros button is unavailable until you click to select the Always trust macros from this source check box.
Low security is useful if you have installed the latest version of a virus scanner and the most current virus signature files for that program and you feel confident this virus scanner will detect all viruses.
NOTE: Microsoft recommends using antivirus software that is certified by ICSA, Inc. ICSA is completely independent and shares vital security information with security product manufacturers, developers, security experts, academia, and corporations. For more information, see the following ICSA Certified Anti-Virus Pr
oducts Web site:
(http://www.icsalabs.com/technology-program/anti-virus)For additional information about security levels, click the article numbers below to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/215715/EN-US/ )XL2000: "The Macros in This Project Are Disabled" Error Running Macro
(http://support.microsoft.com/kb/192073/EN-US/ )WD2000: Error Message: The Macros in the Project Are Disabled
How Can I Obtain a Signature?To obtain a digitial signature, first, you must obtain a digital certificate. One option is to get a fully certified certificate from a certificate authority. Both individuals and commercial entities can obtain a commercially authenticated certificate for their code. To learn about the application process and requirements, see Introduction to Code Signing at the Microsoft Authenticode Web site. A list of Certificate Authorities is provided at the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms537361.aspxA Certificate Authority can issue you a digital certificate for code signing for a fee. The Certificate Authority will do an in-depth identification check before issuing a digital certificate for signing code. Be sure to get a digital certificate that can sign code with Microsoft Authenticode (Verisign calls this Class 2 or 3; Thawte calls this Developer Certificates), rather than one that can only sign e-mail. If you try to use a digital certificate that is not authorized to sign code, Office will warn that the digital certificate is not trustworthy.
You can create your own certificate for personal use or testing purposes with the SelfCert.exe tool provided in Office. This unauthenticated certificate will allow you to sign your own macros, and to trust this digital certificate so that all macros you sign will not generate a security warning. This type of certificate is not validated by a Certifying Authority, therefore, other users will see a warning not to trust it.
If you see the following security warning
This publisher has not been authenticated and therefore could be imitated. Do not trust these credentials.and this is not your certificate, you should assume this certificate was forged.
A malicious virus might be digitally signed by a digital certificate by the name of "Microsoft Corp." However, the security warning will warn you that this is not an authenticated certificate, and therefore the certificate cannot be from Microsoft.
To Install the SelfCert ToolIf you do not see a program icon for Digital Signature for VBA Projects in your Office folder, to install the tool, follow these steps:
To Create a Test CertificateTo create a test certificate for use with your Visual Basic for Applications projects in Office, follow these steps: