This article describes how you can digitally sign a macro project on Windows by using a certificate. If you don't already have a digital certificate, you'll need to get one.

Tip: To use or test macro projects on your own computer, you can create your own self-signing certificate by using the Selfcert.exe tool. You'll find more details on that below.

Get a digital certificate

You can obtain a digital certificate from a commercial certificate authority (CA), from your internal security administrator, or information technology (IT) professional.

To learn more about certificate authorities that offer services for Microsoft products, see the list of Microsoft root certificate program members.

Because a digital certificate that you create isn't issued by a formal trusted certificate authority, macro projects that are signed by using such a certificate are known as self-signed projects. Microsoft Office trusts a self-signed certificate only on a computer that has the self-signing certificate added to the Trusted Root Certification folder in the Certificates - Current User store. That makes it good for testing or using on your own machine or a very small number of machines you manage, but not very good for distributing macros projects to other people.

Create a self-signing certificate

View the certificate in the Personal Certificates store

  1. Open Microsoft Edge.

  2. Enter edge://settings/privacy in the address bar.

  3. Scroll down to the Security section and select Manage certificates.

Digitally sign a VBA macro project in Excel, PowerPoint, Publisher, Visio, Outlook, or Word

  1. Open the file that contains the macro project that you want to sign.

  2. On the Developer tab, in the Code group, click Visual Basic.

    Note: If the Developer tab is not available: Click the File tab. Click Options. Click Customize Ribbon. In the Customize the Ribbon list, click Developer, and then click OK.

  3. In Visual Basic, on the Tools menu, click Digital Signature.

  4. The Digital Signature dialog appears.

  5. Select a certificate and click OK.

    Note: If you haven't selected a digital certificate or want to use another, click Choose. Select a certificate and click OK.

Add a time stamp to your signature

When people run your VBA macro, Office will check the signature and the certificate it was signed with. Adding a time stamp to your signature means that your macro will still be treated as signed, even after your certificate has expired, as long as the certificate isn't revoked. This can reduce disruption to the users.

A certificate that is merely expired can still be used to validate code, it just can't be used to sign new code.

To add a time stamp you need to add three keys to your registry.

Caution:  Editing the registry incorrectly might severely damage your system. Before you make changes to the registry, we recommend that you back up any valued data on the computer.

Key

Type

Description

HKCU\Software\Microsoft\VBA\Security\TimeStampURL

REG_SZ 

The URL of your preferred time stamp server. (Required)

HKCU\Software\Microsoft\VBA\Security\TimeStampRetryCount

REG_DWORD

The number of times the Visual Basic Editor will attempt to connect to the time stamp server before failing. (Optional - If you don't set this the Visual Basic Editor will only attempt to contact the server once)

HKCU\Software\Microsoft\VBA\Security\TimeStampRetryDelay  

REG_DWORD

The number of seconds (in milliseconds) the Visual Basic Editor will wait between retrying to connect to the time stamp server. (Optional - If you don't set this there won't be any delay between any retries)

Once you've added a working TimeStampURL entry the Visual Basic Editor will automatically add a time stamp any time you digitally sign a macro.

Additional notes

  • It's recommended that you sign macros only after your solution has been tested and ready for distribution: when code in a signed macro project is changed in any way, its digital signature is removed. However, if you have the valid digital certificate that was previously used to sign the project on your computer, the macro project is automatically re-signed when you save it.

  • One way to prevent users from accidentally changing your macro project and invalidating your signature is to lock the macro project before applying the signature. Your digital signature ensures that the project has not been tampered with since you signed it, but it does not prove that you wrote the project. Even if you have locked your macro project, another user may still be able to replace your signature with another signature. Corporate administrators can also re-sign templates and add-ins to ensure that only approved content is run on company computers.

  • If you create an add-in that adds code to a macro project, your code should determine if the project is digitally signed and should notify the users of the consequences of changing a signed project before they continue.

  • Users who use commercial certificates may encounter blocks because of the limitation of supported hash algorithms in signing. You can add a DWORD registry key-value V1HashEnhanced to choose another hash algorithm, under HKCU\SOFTWARE\Microsoft\VBA\Security with value-algorithm rules (1 to SHA1, 2 to SHA256, 3 to SHA384, 4 to SHA512 and others to MD5). This setting is available in the latest versions of the CC channel.

Learn more

Enable or disable macros in Microsoft 365 files

Note: This article was created by a person with the assistance of an artificial intelligence (AI).

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.