Code Signing Microsoft Office Macros and Visual Basic for Applications
In today’s Ask the Admin, I’ll show you how to sign Microsoft Office VBA code and macros so they can be distributed securely to business partners.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Macros help save time and headaches by automating repetitive or complex tasks. Sometimes, macros prove such a productivity booster that you would like to share them with colleagues and business partners. The best way to do this securely and to keep your document being blocked as potential malware by antivirus software is to sign documents containing code with a certificate.
There are several ways to obtain a certificate. If your organization has its own Public Key Infrastructure (PKI), speak to your IT department about how to request a code-signing certificate. Certificates issued by your organization’s PKI may or may not be trusted automatically by external partners, so you need to make sure you understand who you want to share your document with and the scope of the certificate issued. If an internal PKI is not available, then obtaining a certificate from a public certification authority (CA) is the best option. Certificates issued by any of Microsoft’s certificate root program members will be trusted by Windows. There is a fee for certificates issued by public CAs and they can vary a lot in price. Make sure you shop around.
If you just want to test the code-signing process or some code internally, you can create a self-signed certificate. Self-signed certificates should not be used in production environments but can be useful for testing. You can create a self-signed certificate using the SELFCERT program included in Office 2016. You can find the executable in Program Files (x86) > Microsoft Office > root > Office16. Self-signed certificates are issued by the computer on which they are created and unless exported to another computer, they are only trusted by the device where the certificate was created.
Sign an Office Document
From within the Microsoft Office applications Excel, PowerPoint, Publisher, Outlook, Visio, and Word, make sure you have the Developer tab enabled in the ribbon. You can do this by following these steps:
- Click File, then Options in the column that appears on the right.
- Then click Customize Ribbon in the right-hand column.
- You will see on the right side of the window options for customization. Make sure that Developer is checked under Main Tabs and you are ready to go.
Create the macro or Visual Basic Application (VBA) that you want to distribute. In Word 2016, documents containing macros must be saved as the Word Macro-Enabled Document type. The same applies to other Office programs that support macros.
Next, you will need to have your code-signing certificate ready. If the certificate was created using the SELFCERT program, it will automatically be installed on the computer where it was run. Before you can sign a document in Office 2016, the code-signing certificate you want to use must be installed on the local PC in the user’s Personal certificate store. If you obtained your certificate from an internal PKI or public CA, you might need to manually import the certificate on your PC.
Open the file containing the VBA code that you wish to share and follow these steps:
- Click the Developer tab in the ribbon.
- Click on the Visual Basic icon on the right side of the Developer ribbon.
- A new window will open, Microsoft Visual Basic for Application.
- Click on the Tools menu and select Digital Signature.
- Here, click on Choose Signature under the Sign as section.
- Click on the signature you wish to use, and you are ready to go.
When the signed document is opened on a computer that does not trust the certificate, users might either receive a warning or be blocked from opening the document. For more information on Office macro security settings, see Managing Macro Security in Office 2016 on the Petri IT Knowledgebase.
In this article, I showed you how to digitally sign your Microsoft Office VBA code and macros for security and peace of mind.
Follow Russell on Twitter @smithrussell.