19.2. Signing Your Macro Projects With Digital Signatures

VBA provides a security mechanism for securing macro projects with digital signatures. The digital signatures provide a means of establishing the provenance of the projects, which should help you decide whether to trust the code. If you trust the source of the code to produce benevolent code, you can open the project and run the code. If you suspect the source or the information of being malignant, you can either avoid opening the project or open the project with the code disabled.

The same goes for other people: if others are concerned about macros, you may need to sign your projects so that other people know where they come from and who created them. Once you've signed the projects, the code is available to any application that has specified you as a trusted source for macro projects. (This assumes users have chosen one of the Disable options in the Macro Settings dialog box. You'll see how to set the security level later in the section "Specifying a Suitable Security Setting.")

This section discusses what digital certificates are, what they mean in practical terms, how you obtain them, and how you use them to create digital signatures.

Trusting a Publisher Is Global for VBA-Enabled Applications

VBA's security mechanism, and the list of certificates, is shared across the range of VBA-enabled applications on your computer. So if you designate a trusted publisher in one application, all the other applications that support VBA security will trust that source as well. For example, if you open a document that contains code in Word and choose to trust the source of the code, Excel and Outlook also gain that trust and open projects from that source without prompting you.


19.2.1. What Is a Digital Certificate?

A digital certificate is a piece of code that uniquely identifies its holder. You use your digital certificate to create a digital signature for a project. This project can be a document project, a template project, or an add-in. The project doesn't have to contain macros, procedures, user forms, classes, or VBA code for you to sign it, although these contents are the usual reason for signing a project.

A digital signature applies to a whole macro project — typically, a document project or a template project. You can't apply a digital signature to just part of a project — say, just to one module of code or to one user form. Each macro project item in that macro project — each module, user form, class, and reference — is covered by the digital certificate.

19.2.2. Getting a Digital Certificate

There are several types of digital certificates: those you create yourself as described earlier, those you get from your company or organization, and those you get from a commercial certification authority, or certificate authority (CA).

A digital certificate you create yourself is of little use to people beyond you and those who trust you, whereas a certificate from a commercial certification authority should be good enough for general use in the world. A certificate issued by your company falls in the middle: in many cases, the company will have obtained the certificate from a commercial certification authority, which means the certification authority has established to its satisfaction that the company is trustworthy. Whom the company then chooses to trust with the certificate is another matter, and it adds another link, and another question of trust, to the chain of trust. However, server software such as Windows Server 2003 includes its own certification-authority services that do not require a certificate from a commercial certification authority, so you should be careful which certificates you trust. See the section "Whose Certificate Is It, and What Does It Mean?" later in this chapter for a discussion of how to discern a certificate's provenance and meaning.

19.2.2.1. Creating a Digital Certificate of Your Own

The quickest and easiest way of getting a digital certificate is to create one yourself. This kind of certification only works on the computer on which the certificate was created.

To understand how digital certificates work, you'll probably want to create several of your own and practice with them on sample files. By designating some of your digital certificates as trusted publishers and leaving others untrusted, you can get a clear idea of how digital certificates work without having to use suspect code on your system.

To open the Create Digital Certificate dialog box (see Figure 19.1), choose Start ▸ All Programs ▸ Microsoft Office ▸ Microsoft Office Tools ▸ Digital Certificate for VBA Projects. Figure 19.1 shows the dialog box in which you create the certificate you'll use to "sign" projects.

Type the name for the certificate in the text box, and then click the OK button. The SelfCert application creates the certificate and installs it automatically.

19.2.2.2. Getting a Digital Certificate from Your Company

Your second option is to get a digital certificate from a digital certificate server operated by your company. The details of this procedure vary from company to company. The certificates the company provides via its digital certificate server are generated in the same fashion as the digital certificates distributed by the commercial certification authorities discussed in the next section. However, a company either distributes the certificates from a pool that it has already been allocated, without needing to apply to the certification authority for each certificate as it's needed, or creates the certificates of its own accord without getting them from a certification authority at all.

19.2.2.3. Getting a Digital Certificate from a Commercial Certification Authority

Your third choice is to get a digital certificate from a commercial certification authority, such as VeriSign (http://www.verisign.com), Thawte, Inc. (http://www.thawte.com, a VeriSign company), GeoTrust (http://www.geotrust.com, another VeriSign company), or Comodo (http://www.comodo.com).

Figure 19.1. You can self-sign a certificate, but Office only permits such certification to be trusted within the computer where the certificate was created.

Several types of certificate are available, depending on what you want to do. If you're creating and distributing software, you'll probably want to consider one of the certificates targeted at developers.

The procedure for proving your identity varies depending on the CA and the type of certificate you want. Generally speaking, the greater the degree of trust that the certificate is intended to inspire, the more proof you'll need to supply. For example, you can get a basic certificate on the strength of nothing more than a verifiable e-mail address, but this type of certificate is unlikely to make people trust you. Other certificate types require you to appear in person before a registration authority with full documentation (such as a passport, driver's license, or other identity documents). Such certificates carry more trust.

19.2.2.4. Installing a Digital Certificate

Once you have a digital certificate, you need to install it so that Windows and the applications that will use it know where it's located.

Self-Certifications Are Automatically Registered

The Office SelfCert program automatically registers the certificates it creates on the computer on which it creates them. If you created a digital certificate for yourself, you shouldn't need to install it on the same computer. If you want to practice installing it, you'll need to use a different computer.


To install a digital certificate, follow these steps (you must be logged on as an Administrator to view the Certificates dialog box):

  1. Click the Start button. A Start Search field opens just above the Start button.

  2. In the Start Search field, type certmgr.msc.

  3. When certmgr.msc appears in the Programs list, click it. You'll likely be asked if you want to give yourself permission to take this step. Go ahead and grant the permission by clicking the Continue button.

    You now see the Certificates dialog box shown in Figure 19.2.

    Figure 19.2. Windows provides the Certificates dialog box to manage digital certificates.

    As you can see in Figure 19.2, I, Richard, granted code signing certification to myself, also Richard, as described earlier in this chapter in the section "Creating a Digital Certificate of Your Own."

  4. Click the Trusted Publishers folder in the left pane of the Certificates dialog box.

  5. Choose Action ▸ All Tasks ▸ Import from the Certificates dialog box menu. The Certificate Import Wizard opens, as shown in Figure 19.3.

    Figure 19.3. Vista includes the Certificate Import Wizard to manage digital certificates.

  6. Click the Next button in the wizard to locate the file you want to import.

  7. Click Next to display the Certificate Store page of the wizard, shown in Figure 19.4.

    Figure 19.4. On the Certificate Store page of the Certificate Import Wizard, choose the certificate store in which to store the certificate you're importing.

  8. Choose how to store the certificate:

    • To have Windows store each certificate automatically in the default certificate store for the certificate's type, select the Automatically Select the Certificate Store Based on the Type of Certificate option button.

    • To control where Windows stores the certificates, select the Place All Certificates in the Following Store option button. To specify the store, click the Browse button to display the Select Certificate Store dialog box, shown in Figure 19.5. Choose the certificate store (for example, Personal) and click the OK button. To specify a particular location within a certificate store, select the Show Physical Stores check box, and then click the plus (+) sign next to the store in question to display its subfolders. Select the folder you want, and then click the OK button.

  9. Click the Next button to finish setting up the import procedure. The Completing the Certificate Import Wizard dialog box is displayed to confirm the choices you've made.

  10. Review your choices, and then click the Finish button. The Certificate Import Wizard imports the certificate and then confirms that the operation was successful.

If you decide to import the certificate into the root certificate store rather than one of the other stores, Windows displays a Security Warning dialog box (see Figure 19.6) to make sure you understand that placing the certificate in the root store will make Windows automatically trust any certificate issued by the CA. Double-check the certificate, as it probably belongs in another store.

Figure 19.5. Use the Select Certificate Store dialog box to specify the certificate store in which you want to store the certificate. The screen on the left shows the categories of stores; the screen on the right shows the physical stores.

Figure 19.6. Windows displays a Security Warning dialog box when you're about to import a certificate into the root certificate store.

Now that you've imported the certificate, it appears in the Certificates dialog box on the appropriate page.

19.2.2.5. Exporting a Digital Certificate

You may need to export a certificate for backup (so that you can keep it safely on removable media away from your computer) or so that you can install it on another computer. For security, don't leave the exported certificate file on your hard drive after you've installed it: an exported copy that includes the private key lets anyone who obtains it sign projects in your name.

To export a certificate, select it in the Certificates dialog box and click the Export button. Windows starts the Certificate Export Wizard, which walks you through the process of exporting the certificate. If you choose to export the private key with the certificate, be sure to protect it with a password.

19.2.2.6. Removing a Digital Certificate

To remove a digital certificate from Windows' digital certificate store, follow these steps:

  1. Display the Certificates dialog box (follow steps 1–3 in the section earlier in this chapter on installing a certificate).

  2. Click the folder in the left pane that contains the digital certificate in question, and then select the certificate you want to remove.

  3. Click the red X icon, or choose Action ▸ Delete. Windows displays a dialog box warning you of the consequences of deleting the digital certificate and asking you to confirm the deletion. Figure 19.7 shows the warning you get when removing a certification authority (above) or a personal certificate (below). Click the Yes button to delete the certificate.

Figure 19.7. Two of the warnings the Certificate Manager displays when you're about to remove a digital certificate

19.2.2.7. Signing a Macro Project with a Digital Signature

Once you've completed a macro project and have it ready for distribution, you sign it with a digital signature so that applications that use a high level of security can use it.

To sign a macro project digitally, follow these steps:

  1. In the Visual Basic Editor, navigate to the document or template project that contains the macro project.

  2. Select the project in the Project Explorer.

  3. Choose Tools ▸ Digital Signature to display the Digital Signature dialog box (see Figure 19.8).

    If the Digital Signature dialog box lists the certificate you want in the Sign As area, simply click the OK button to use that certificate.

    Figure 19.8. Use the Digital Signature dialog box to specify the digital signature for a macro project.

    Figure 19.9. Use the Select Certificate dialog box to specify the certificate with which to sign the macro project.

  4. Click the Choose button to display the Select Certificate dialog box (see Figure 19.9).

  5. Click the certificate you want to use for the macro project.

  6. Click the OK button to apply the selected certificate and close the Select Certificate dialog box.

  7. Click the OK button to close the Digital Signature dialog box.

  8. Click the Save button on the Standard toolbar, press Ctrl+S, or choose File ▸ Save to save the document or template project with the digital signature applied to it.

19.2.2.8. Removing a Digital Signature from a Macro Project

To remove a digital signature from a macro project, follow these steps:

  1. In the Visual Basic Editor, navigate to the document or template project that contains the macro project.

  2. Select the project in the Project Explorer.

  3. Choose Tools ▸ Digital Signature to display the Digital Signature dialog box.

  4. Click the Remove button. Both the Certificate Name readout in the area labeled The VBA Project Is Currently Signed As and the Certificate Name readout in the Sign As area of the Digital Signature dialog box display [No Certificate], indicating that the project currently has no digital certificate assigned to it.

  5. Click the OK button to close the Digital Signature dialog box.

You can always reapply the digital signature to the project whenever you wish, as described earlier in this chapter.

19.2.2.9. Whose Certificate Is It, and What Does It Mean?

When you receive a digitally signed project, you'll want to find out who has signed it and what type of digital certificate they used. To view the details of a digital certificate, follow these steps:

  1. In the Visual Basic Editor, navigate to the document or template project that contains the macro project.

  2. Select the project in the Project Explorer.

  3. Choose Tools ▸ Digital Signature to display the Digital Signature dialog box.

  4. Click the Details button to display the Certificate dialog box (see Figure 19.10).

    Figure 19.10. Use the Certificate dialog box to examine the properties of a certificate.

If you want to view the details of one of your own certificates, click the Choose button in the Digital Signature dialog box, choose the certificate in the Select Certificate dialog box, and then click the View Certificate button to display the Certificate dialog box.

You can also view a certificate by double-clicking its entry in the Certificates dialog box.

The Certificate dialog box has three pages:

  • The General page displays basic information about the certificate: for what purpose the certificate is intended, to whom the certificate is issued, by whom it's issued, and the period for which it's valid.

  • The Details page of the Certificate dialog box, shown in Figure 19.11, contains specifics on the certificate. Click one of the fields in the list box to display its value in the text box below.

    Figure 19.11. The Details page of the Certificate dialog box contains a host of details about the certificate.

  • The Certification Path page of the Certificate dialog box shows the path by which the certificate has been issued from the issuing authority to the current holder. To check one of the links in the chain, select it in the Certification Path list box and click the View Certificate button (if it's available). You'll then see the Certificate dialog box for the certificate in question. You can then pursue the certification path for that certificate if you choose, or click the OK button to dismiss the second (or subsequent) Certificate dialog box and return to the previous one.

When you finish exploring the certificate, click the OK button to close the Certificate dialog box.
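The same questions the Certificate dialog box answers one certificate at a time (intended purpose, issuer, validity, and where the certification path ends) can be asked of every entry in the Trusted Publishers store at once. The following PowerShell script is an added example, not code from the book; it assumes the store path Cert:\CurrentUser\TrustedPublisher that the installation steps earlier in this chapter populate, and it treats a certificate as self-signed when its subject and issuer are identical, as SelfCert's certificates are.

```powershell
# Added example (not from the book): audit the current user's Trusted Publishers store.
# For each certificate, report what the Certificate dialog's General and Certification
# Path pages show, and flag entries worth a second look before trusting their macros.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing extended key usage

function Get-TrustedPublisherReport {
    param([string] $StorePath = 'Cert:\CurrentUser\TrustedPublisher')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Intended purposes, as listed on the General page. A certificate with no
        # Enhanced Key Usage extension reports CodeSigning = $false here even though
        # Windows treats it as valid for all purposes, so it is flagged for review.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $purposes = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

        # Build the chain the Certification Path page displays. Revocation checking is
        # skipped so the report runs offline; use 'Online' for a production check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainTrusted = $chain.Build($cert)            # $true only if it ends at a root Windows trusts
        $chainLength  = $chain.ChainElements.Count
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        $chain.Reset()

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            Expired      = $cert.NotAfter -lt (Get-Date)
            CodeSigning  = $purposes -contains $CodeSigningOid
            SelfSigned   = $cert.Subject -eq $cert.Issuer   # SelfCert-style certificate
            ChainLength  = $chainLength
            ChainTrusted = $chainTrusted
            ChainStatus  = $status
        }
    }
}

# Show only the publishers a reviewer should question: self-signed, expired,
# not explicitly issued for code signing, or not chaining to a trusted root.
Get-TrustedPublisherReport |
    Where-Object { $_.SelfSigned -or $_.Expired -or -not $_.CodeSigning -or -not $_.ChainTrusted } |
    Format-Table Subject, Issuer, NotAfter, CodeSigning, SelfSigned, ChainStatus -AutoSize
```

Run it with no filter (`Get-TrustedPublisherReport | Format-List`) to see the full record for every publisher, including the thumbprint you can compare against the Details page of the Certificate dialog box.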
