digitally signing macros for Word 2003

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

Doug P - 27 May 2008 21:18 GMT

I am using a template in the office startup directory with some macros. This
works fine in Word 2002 but not in Word 2003 with high security. I have seen
several posts here asking about this and some instructions on how to
digitally sign the macros with a self-generated certificate. This also works
in Word 2002 but not in 2003. Word cannot verify the publisher and will still
not enable self signed macros under high security, even after the certificate
is installed on the computer. Is there a way to get self signed macros to
work in Word 2003 with high security? I don't want to have to spend several
hundred dollars for a certificate for macros used within my own network.

Reply to this Message

Doug Robbins - Word MVP - 27 May 2008 23:06 GMT

Even with the Macro security level set to Very High, macros in Trusted
Locations will be run. Such locations are the User and Workgroup Template
folders (and their subfolders) and the Word Startup folder (note it is the
Word Sartup folder, not the Office Startup folder). The Word Startup folder
is located at C:\Documents and Settings\[UserName]\Application
Data\Microsoft\Word\Startup

Signature

Hope this helps.

Please reply to the newsgroup unless you wish to avail yourself of my
services on a paid consulting basis.

Doug Robbins - Word MVP

>I am using a template in the office startup directory with some macros.
>This
[quoted text clipped - 11 lines]
> several
> hundred dollars for a certificate for macros used within my own network.

Reply to this Message

Doug P - 28 May 2008 14:16 GMT

Ah ha. I was using Office11\Startup directory. Is there any way to trust the
office11\startup directory so I only have to do it once per machine?

> Even with the Macro security level set to Very High, macros in Trusted
> Locations will be run. Such locations are the User and Workgroup Template
[quoted text clipped - 18 lines]
> > several
> > hundred dollars for a certificate for macros used within my own network.

Reply to this Message

Jay Freedman - 28 May 2008 14:48 GMT

Office 11 doesn't have a way to add trusted locations. That feature was
added in Office 12 (aka Office 2007).

One thing that may help in moving the templates: the environment variable
%appdata% points to C:\Documents and Settings\[UserName]\Application Data,
removing the need to discover the [UserName].

Signature

Regards,
Jay Freedman
Microsoft Word MVP FAQ: http://word.mvps.org
Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

> Ah ha. I was using Office11\Startup directory. Is there any way to
> trust the office11\startup directory so I only have to do it once per
[quoted text clipped - 31 lines]
>>> hundred dollars for a certificate for macros used within my own
>>> network.

Reply to this Message

Doug P - 28 May 2008 18:42 GMT

Thanks for you help, Doug and Jay.
Your information was helpful but I wanted to keep the .dot file in the
office startup because it adds a menu to the menu bar and from the office
startup directory applies to all users.
With help from Cindy below, I figured out how to get a proper internal code
signing certificate generated and installed into the .dot file.

Reply to this Message

Cindy M. - 28 May 2008 11:10 GMT

Hi =?Utf-8?B?RG91ZyBQ?=,

> I am using a template in the office startup directory with some macros. This
> works fine in Word 2002 but not in Word 2003 with high security. I have seen
[quoted text clipped - 5 lines]
> work in Word 2003 with high security? I don't want to have to spend several
> hundred dollars for a certificate for macros used within my own network.

Selfcert was really designed to only allow signed projects *on the PC and for
the user where the certificate was generated*. It was never meant to allow you
to trust and distribute macros on multiple machines or for multiple users. The
loopholes have been closed in each new version of Office.

Depending on what kind of network software you've licensed, you might have a CA
generator (Certification Authority) that will let you create a code-signing
certificate for your own company. (Windows 2003 Server has this, I believe)

Cindy Meister
INTER-Solutions, Switzerland
http://homepage.swissonline.ch/cindymeister (last update Jun 17 2005)
http://www.word.mvps.org

This reply is posted in the Newsgroup; please post any follow question or reply
in the newsgroup and not by e-mail :-)

Reply to this Message

Doug P - 28 May 2008 14:19 GMT

I have a Windows 2003 AD domain. If I install the CA, will it automatically
be a trusted publisher in my domain?

> Hi =?Utf-8?B?RG91ZyBQ?=,
>
[quoted text clipped - 24 lines]
> This reply is posted in the Newsgroup; please post any follow question or reply
> in the newsgroup and not by e-mail :-)

Reply to this Message

Doug P - 28 May 2008 16:03 GMT

I have installed the CA and generated some certificates for testing but they
are all "unsuitable for code signing". Is the CA capable of generating a
certificate for code signing?

> Hi =?Utf-8?B?RG91ZyBQ?=,
>
[quoted text clipped - 24 lines]
> This reply is posted in the Newsgroup; please post any follow question or reply
> in the newsgroup and not by e-mail :-)

Reply to this Message

Cindy M. - 28 May 2008 16:53 GMT

Hi =?Utf-8?B?RG91ZyBQ?=,

> I have installed the CA and generated some certificates for testing but they
> are all "unsuitable for code signing". Is the CA capable of generating a
> certificate for code signing?

I thought it was, but I'm not an expert in this area. (I actually bit the
bullet and bought a code-signing certificate. But not from Verisign; from a
company with reasonable prices: GlobalSign.) Try asking in a newsgroup for the
Server you're using.

Cindy Meister
INTER-Solutions, Switzerland
http://homepage.swissonline.ch/cindymeister (last update Jun 17 2005)
http://www.word.mvps.org

This reply is posted in the Newsgroup; please post any follow question or reply
in the newsgroup and not by e-mail :-)

Reply to this Message

Doug P - 28 May 2008 18:03 GMT

I found out how to enable the code signing template in the 2003 Certificate
Authority so I could generate a code signing certificate. When I try to use
it to sign the macro project, Word tells me "there is a problem with the
certificate" and it won't be used.
One step forward, two steps back...

> Hi =?Utf-8?B?RG91ZyBQ?=,
>
[quoted text clipped - 14 lines]
> This reply is posted in the Newsgroup; please post any follow question or reply
> in the newsgroup and not by e-mail :-)

Reply to this Message

Doug P - 28 May 2008 18:36 GMT

Never mind that last comment. I have now successfully signed a macro project
with an internally generated cert which allows me to put the .dot file in the
office startup directory. When Word starts up, it prompts once about the
macros and allows the user to check the box to always trust it. Yippie...

Thanks for you help.

> I found out how to enable the code signing template in the 2003 Certificate
> Authority so I could generate a code signing certificate. When I try to use
[quoted text clipped - 20 lines]
> > This reply is posted in the Newsgroup; please post any follow question or reply
> > in the newsgroup and not by e-mail :-)

Reply to this Message

Cindy M. - 29 May 2008 09:46 GMT

Hi Doug,

> Never mind that last comment. I have now successfully signed a macro project
> with an internally generated cert which allows me to put the .dot file in the
> office startup directory. When Word starts up, it prompts once about the
> macros and allows the user to check the box to always trust it. Yippie...

Super <g>! It's always encouraging to learn a theory applies to the real world.

Cindy Meister
INTER-Solutions, Switzerland
http://homepage.swissonline.ch/cindymeister (last update Jun 17 2005)
http://www.word.mvps.org

This reply is posted in the Newsgroup; please post any follow question or reply
in the newsgroup and not by e-mail :-)

Reply to this Message