OFF2000: Overview of Digital Certificates

ID: Q206637


The information in this article applies to:


SUMMARY

This article is a general overview of digital certificates and how they relate to digitally signed Office macros, signed programs, and ActiveX controls. This article answers the following questions:


MORE INFORMATION

What Is a Digital Certificate?

Digital signatures and certificates of authenticity can be applied to executable programs, ActiveX controls, or Office Visual Basic for Applications macros. These signatures provide you with the assurance that what you are about to use comes from a reliable source and that it has not been tampered with. Digital certificates help prevent macro viruses from being introduced into your Office documents, your computer, and your local network.

A digital certificate is an ID that is carried with a file. Before issuing a digital certificate, a certifying authority validates information about the software developer who requested it. The digital certificate contains information about the person to whom the certificate was issued, as well as information about the certifying authority that issued it. When a digital certificate is used to sign programs, ActiveX controls, and documents, this ID is stored with the signed item in a secure and verifiable form so that it can be displayed to a user to establish a trust relationship.

What Is a Signature? Why Do We Need Them?

Office has introduced digital signatures to help users distinguish legitimate code from undesirable and potentially damaging code. If you open an Office document and see a macro security warning with digital signature information, you can feel reasonably confident that the person (or corporation) signing the macros also created them. You can choose to trust all macros signed by this person by clicking to select the Trust all macros from this source check box. From then on, Office will enable the macros without showing a security warning for any future documents containing macros signed by this trusted source.

A digital signature is the public certificate plus the value of the signed data encrypted by a private key. The value is a hash: a number computed from the data you want to sign by a cryptographic hash algorithm. The algorithm makes it practically impossible to change the data without changing the resulting value. So, by encrypting the value instead of the data, a digital signature allows the end user to verify that the data was not changed.

What Happens with Each Security Level?

To take advantage of the benefits of digital signatures for macros, Office introduces security levels. To set the security level, on the Tools menu, point to Macro and click Security. These security levels are outlined in the following table:

Level       Action
------------------------------------------------------------
Low         Turns off all macro security warnings in Office
            programs.
Medium      User is prompted to enable or disable the macros
            on a file-by-file basis.
High        Only allows signed and trusted code to run.

When opening a file with macros under medium security, a security warning offers the user a choice between enabling or disabling macros. The Office 2000 Medium Security Warning dialog box has digital signature information, if it is available for the file being opened. This security level allows existing Office 97 solutions, which are not yet signed, to be enabled. Once a user chooses to trust all macros from a source, Office on medium security will automatically enable signed macros from that trusted source.

Under high security, Office silently disables unsigned macros. This helps avoid accidental enabling of potentially dangerous macros. To help fight the larger number of Microsoft Word macro viruses spread through documents, Word 2000 is set to high security level by default. Under high security, a security warning is shown for digitally signed macros that have not been previously added to the Trusted Sources list. This allows you the opportunity to inspect the digital certificate, and if you choose to trust all macros from the source, click Enable Macros. The Enable Macros button is unavailable until you click to select the Always trust macros from this source check box.

Low security is useful if you have installed the latest version of a virus scanner and the most current virus signature files for that program and you feel confident this virus scanner will detect all viruses.

NOTE: Microsoft recommends using anti-virus software that is certified by ICSA, Inc. ICSA is completely independent and shares vital security information with security product manufacturers, developers, security experts, academia, and corporations. For more information, refer to the ICSA Certified Anti-Virus Products Web site at:
http://www.icsa.net/services/consortia/anti-virus/certified_products.shtml
For more information about security levels, please see the following articles in the Microsoft Knowledge Base:
Q215715 XL2000: "The macros in this project are disabled." Error
Q192073 WD2000: Macros Disabled When Security Level Is Set to High

How Can I Get a Signature?

To obtain a digital signature, you first need to get a digital certificate. One option is to get a fully certified certificate from a certificate authority. Both individuals and commercial entities can obtain a commercially authenticated certificate for their code. To learn about the application process and requirements, see Introduction to Code Signing at the Microsoft Authenticode Web site. A list of Certificate Authorities is provided at:
http://officeupdate.microsoft.com/office/redirect/fromOffice9/cert.htm
A Certificate Authority can issue you a digital certificate for code signing for a fee. The Certificate Authority will do an in-depth identification check before issuing a digital certificate for signing code. Be sure to get a digital certificate that can sign code with Microsoft Authenticode (Verisign calls this Class 2 or 3; Thawte calls this Developer Certificates), rather than one that can only sign e-mail. If you try to use a digital certificate that is not authorized to sign code, Office will warn that the digital certificate is not trustworthy.

You can create your own certificate for personal use or testing purposes with the SelfCert.exe tool provided in Office. This unauthenticated certificate allows you to sign your own macros and to trust this digital certificate, so that the macros you sign will not generate a security warning on your own computer. Because this type of certificate is not validated by a Certifying Authority, other users will see a warning not to trust it.

If you see the security warning
This publisher has not been authenticated and therefore could be imitated. Do not trust these credentials.
and this is not your certificate, you should assume this certificate was forged.

A malicious virus might be digitally signed by a digital certificate by the name of "Microsoft Corp." However, the security warning will warn you that this is NOT an authenticated certificate, and therefore the certificate cannot be from Microsoft.
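The two checks described above, the hash "value" encrypted with the signer's private key and the refusal to trust a certificate that no certifying authority has authenticated, as a worked model. This is an added example, not Microsoft's code: it uses textbook RSA built from Mersenne primes purely as a toy, the names "Example CA" and "Example Developer" and the macro text are constructed, and a real Authenticode check also validates full certificate chains, validity dates and revocation, which this model omits.

```python
"""Toy model of a signed macro: the hash of the macro signed with the developer's
private key, plus a certificate that a trusted CA vouches for. Textbook RSA, no padding."""
import hashlib

_MERSENNE = [(127, 521), (107, 607), (89, 1279)]  # 2**k - 1 is prime for each k listed

def make_keypair(pair: int):
    p, q = (2 ** k - 1 for k in _MERSENNE[pair])   # toy primes: never use for real keys
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # the 'value' of the data

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data), d, n)           # encrypt the hash, not the data itself

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data)    # recompute the hash and compare

def issue_cert(subject: str, subject_pub, issuer: str, issuer_priv) -> dict:
    """Minimal certificate: subject, issuer, public key and the issuer's signature over them."""
    body = f"{subject}|{issuer}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"subject": subject, "issuer": issuer, "pub": subject_pub,
            "body": body, "sig": sign(issuer_priv, body)}

def check_signed_macro(macro: bytes, sig: int, cert: dict, trusted_cas: dict) -> str:
    """Verdict in the article's terms: 'tampered', 'unauthenticated' or 'trusted'."""
    if not verify(cert["pub"], macro, sig):
        return "tampered"          # macro changed after it was signed
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None or not verify(ca_pub, cert["body"], cert["sig"]):
        return "unauthenticated"   # unknown or self-signed issuer: the subject name proves nothing
    return "trusted"

def demo() -> dict:
    """Constructed scenario: a trusted CA, a developer it certified, a self-cert named 'Microsoft Corp.'."""
    ca_pub, ca_priv = make_keypair(0)
    dev_pub, dev_priv = make_keypair(1)
    fake_pub, fake_priv = make_keypair(2)
    trusted_cas = {"Example CA": ca_pub}                     # constructed trust store
    macro = b'Sub AutoOpen()\n  MsgBox "hello"\nEnd Sub\n'    # constructed macro text
    dev_cert = issue_cert("Example Developer", dev_pub, "Example CA", ca_priv)
    fake_cert = issue_cert("Microsoft Corp.", fake_pub, "Microsoft Corp.", fake_priv)
    dev_sig, fake_sig = sign(dev_priv, macro), sign(fake_priv, macro)
    return {"good": check_signed_macro(macro, dev_sig, dev_cert, trusted_cas),
            "tampered": check_signed_macro(macro.replace(b"hello", b"bye"), dev_sig, dev_cert, trusted_cas),
            "fake": check_signed_macro(macro, fake_sig, fake_cert, trusted_cas)}
```

The self-signed "Microsoft Corp." certificate carries a perfectly valid signature over the macro, yet ends up "unauthenticated" because no trusted authority vouches for it; this is exactly why the warning text, not the name shown in the certificate, is what to read.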

To Install the SelfCert Tool

If you do not see a program icon for Digital Signature for VBA Projects in your Office folder, follow these steps to install the tool:
  1. Quit all Office programs. Click the Start button, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click the Add/Remove Programs icon.
  3. On the Install/Uninstall tab, click to select <Office 2000 product>, where <Office 2000 product> is the version of Office you are using.
  4. If you are using a stand-alone version of one of the Office programs, click to select the appropriate product in the list. Click Add/Remove.
  5. In the Setup dialog box, click Add or Remove Features.
  6. In the Microsoft Office 2000: Update Features dialog box, click the plus sign (+) next to Office Tools to expand the features list. If the sign is already a minus sign (-), the features list is already expanded.
  7. Click the symbol next to Digital Signature for VBA projects, and then click Run from My Computer in the list that appears. Click Update Now.


To Create a Test Certificate

To create a test certificate for use with your Visual Basic for Applications projects in Office, follow these steps:
  1. Click Start, point to Programs, and then click Windows Explorer.
  2. In Windows Explorer, navigate to the <path>\Microsoft Office\Office folder, where <path> is the drive and folder location where you installed Office.
  3. Find the SelfCert.exe program and double-click it to start it.
  4. After SelfCert starts, type your name in the Your name box, and click OK.

This generates a digital certificate for the name you entered.

Version           : WINDOWS:2000
Platform          : WINDOWS
Issue type        : kbhowto

Last Reviewed: May 25, 1999