Certificate Authority setup
Forgive my noob status in this realm, and I hope I'm posting to the appropriate forum. I'm researching using certificates for our Office macros, and would like to enforce 'High' security on these. However, I don't know how to create an in-house certificate and properly push it out to our workstations. Everything I've read about makecert.exe says you shouldn't use it to create certificates for a production environment. I'm not finding much detailed guidance as to other alternatives for creating in-house code-signing certificates. I'm guessing this isn't that big of a deal, I just don't know where to start. Is it really that bad to use the makecert utility? Any help pointing me toward available resources would be greatly appreciated.
Thanks in advance,
jt
June 17th, 2008 11:23pm

You could set up an internal PKI to issue the certificates.
Check out the Certificate Services Best Practices whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
The Microsoft Press PKI Book:
(2003 version) http://www.microsoft.com/mspress/books/6745.aspx
(2008 version) http://www.microsoft.com/MSPress/books/9549.aspx
Code signing certificates are not hard to issue once you have the PKI established. There is an existing certificate template all ready to use.
Brian
June 18th, 2008 8:12am

Thanks Brian! Are there any step-by-step guides out there? I'm not sure where to begin wading through all that material...
June 18th, 2008 6:30pm

The books both have chapters on deploying the CA hierarchy and implementing code signing.
Brian
June 18th, 2008 7:19pm

Hello,
Makecert.exe is just for testing purposes. For digitally signing macros, you may use a tool called SelfCert.exe that is included in Office to easily create your own self-signed certificate. However, if you take an object signed by a SelfCert-generated certificate to another machine, Office's High security setting will refuse to load it, because the signer doesn't appear on the trusted sources list for that machine. Yes, to enforce "High" security, you may have to implement PKI in your environment as Brian said.
For your reference:
Certificate Creation Tool (Makecert.exe)
http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
Signing Office Objects
http://www.microsoft.com/technet/archive/community/columns/security/5min/5min-402.mspx
Description of digital signatures and code signing in Word 2002 and in later versions of Word
http://support.microsoft.com/kb/920627/en-us
Hope it helps.
June 19th, 2008 10:23am

Hi Guys,
Thanks for the info. I started reading that white paper, and it's just way too much general info. I don't have time to read a 200 page white paper. I guess there are the books, but I'm a cheapskate. :) I get the concepts, and how to choose a certificate to use to sign within Office. And I get how to enforce the security through group policy. All the references I see discuss SelfCert, and only mention that it's possible with an internal CA in passing. Forgive my laziness, but I'm guessing there must be some kind of resource online on how to create the cert and push it out. Also, we have 2003 Standard, which I've seen doesn't have some of the capabilities of Enterprise/Datacenter with v2 templates, etc. Not sure how that will affect trying to create a code-signing cert.
Thanks for your help, and any additional guidance!
jt
June 19th, 2008 4:39pm

Hi All,
I think I figured out what I'm looking for, in case anyone else is looking for similar information. I AM FAR FROM AN EXPERT, USE THIS INFO AT YOUR OWN DISCRETION.
In order to get signed macros working for Office files, I took several steps:
1. Install CA.
2. Request a new (user) code-signing cert from the client workstation using the Certificates snap-in.
3. On the same client workstation, sign your Office files that contain macros with the code-signing cert.
4. Export the certificate via the Certificates snap-in and copy it to the CA server.
5. Create a new group policy (I did it all under Computer, although some of it seems it could be done under User):
   - Computer > Admin Templates > MS Office 2003 (you may have to download) > change Macro security level to High for the desired apps (Word, Excel, Access).
   - Computer > Windows Settings > Security Settings > Software Restriction Policies (you may have to add via Action > Add Software Restriction Policies) > Trusted Publishers > Here, if you wish, you can set trusted publishers to only be added by Enterprise Administrators.
   - Same location, right-click Additional Rules > New Certificate Rule > change to Unrestricted > browse to the saved cert and apply. (This adds the certificate to the Trusted Publishers on clients.)
6. Wait for group policy to apply or run gpupdate /force on the client.
Now a regular user should be able to open files with macros signed by this cert without receiving any warnings. However, they won't be able to run any macros that aren't specified in group policy for the Trusted Publishers, nor will they be able to add the publisher to their Trusted Publishers list themselves.
Hope this is of some use to someone attempting something similar.
jt
June 24th, 2008 10:32pm

Hi,
if you are signing macros, I would also recommend time-stamping the macros when signing. Otherwise, you have to re-sign macros when the code signing certificate has expired. Due to security reasons there is no way to automate re-signing of macros (...build a worm that signs itself...). When macros are signed, Office checks if the signature of the code signing certificate has been valid at the time of signing, irrespective of whether it has expired or has been revoked in the meantime. If you do not need to sign macros extremely often I would use the time stamping service provided by a vendor, e.g. Verisign. (There is no time stamping service built into the Windows PKI.) You configure the "code signing workstation" for time stamping by simply adding the URL of the time stamp server to the Office registry, see this Office white paper:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7E3EAB1F-B313-44F4-8900-3399ABB2001D&displaylang=EN
Best regards,
Elke
June 28th, 2008 11:40am
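Added example (PowerShell, written for this page and not posted by anyone in the thread): once jt's certificate rule has pushed the signing cert into the clients' Trusted Publishers store, this script audits that store, checking that each trusted publisher actually carries the Code Signing EKU, that its chain still builds with revocation checking, and how many days remain before it expires, which is the moment Elke's re-signing problem bites if the macros were not time-stamped. It assumes PowerShell 3.0 or later, the standard 'TrustedPublisher' store name, and a 60-day warning threshold chosen here for illustration.

```powershell
# Audit the Trusted Publishers store that the GPO certificate rule populates.
# Constructed example; adjust $StoreLocation and $WarnDays for your environment.
param(
    [string]$StoreLocation = 'LocalMachine',   # or 'CurrentUser'
    [int]$WarnDays = 60                        # assumed threshold, not from the thread
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'          # id-kp-codeSigning (RFC 5280)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', $StoreLocation)
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        # Collect the Enhanced Key Usage OIDs present on the certificate.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        $hasCodeSigning = $ekus -contains $codeSigningOid

        # Build the chain the way a client would, with online revocation checking
        # for every certificate in the chain, not just the leaf.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $warning = ''
        if (-not $hasCodeSigning) { $warning = 'no Code Signing EKU: should not be a trusted publisher' }
        elseif (-not $chainOk)    { $warning = "chain failed: $chainStatus" }
        elseif ($daysLeft -lt $WarnDays) { $warning = "expires in $daysLeft days; re-sign macros or time-stamp new signatures" }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            DaysLeft       = $daysLeft
            CodeSigningEKU = $hasCodeSigning
            ChainValid     = $chainOk
            Warning        = $warning
        }
    }
}
finally { $store.Close() }
```

Run it on a client after gpupdate /force and compare the listed thumbprints against the cert you exported; anything you do not recognise in that store deserves a look, since every entry is a publisher whose macros will run without a prompt.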
