Excel VBA macros digital certificate
Applications based on Office can be developed quickly and easily using VBA macros. Fortes has created several solutions for customers with VBA. For this reason, disabling macros completely is not an option for most companies.
However, malware programmers often misuse such macros. With the help of Group Policy Objects (GPOs), organizations can protect themselves against this risk.
Central policies for Office macros
In general, users can use Office’s Trust Center for this purpose. Here you can define rules for the execution of active content such as ActiveX controls, add-ins, and VBA code.
However, given the importance of protecting against malware, admins should not leave this task to the end users. A central solution based on group policies is preferable. Since Office 2016, Microsoft has offered additional settings for managing macros.
You can configure this setting separately for each application; it is also found under Security > Trust Center (“Block macros from running in Office files from the Internet”).
The Trust Center section also contains a setting for blocking macros from the internet.
This means you can still use digitally unsigned macros from internal sources whereas even digitally signed macros from the internet cannot run (after all, one could also digitally sign malware). However, the combination of both settings ensures that no macros from the internet and only digitally signed ones from other sources will run.
By default, Office programs show such documents in the protected view. If you click on “Enable Content,” one of the measures you’ve taken against the uncontrolled execution of macros will take effect in the next step. This can cause digitally unsigned macros or simply those that originate from the internet to be blocked.
What is a digital certificate?
Digital certificates and signatures help to assure you that the file that you are about to use comes from a reliable source. They help to assure you that the file has not been tampered with.
A digital certificate is an ID that a file carries with it. To validate a signature, a certifying authority validates information about the creator of the file and then issues the digital certificate. The digital certificate contains information about the person to whom the certificate was issued, as well as information about the certifying authority that issued it. When a digital certificate is used to sign a file, this ID is stored with the file in a verifiable form so that it can be displayed to a user.
Purpose of signing code
Excel uses digital signatures on the workbook contents to help ensure that the workbook has not been modified and saved since it was signed. Digital signatures can also help you distinguish workbooks and macros created by a reliable source from undesirable and potentially damaging workbooks or macro code (viruses).
A digital signature is a public certificate plus the value of the signed data as encrypted by a private key. The value is a number that a cryptographic algorithm generates for any data that you want to sign. This algorithm makes it nearly impossible to change the data without changing the resulting value. So, by encrypting the value instead of the data, a digital signature helps a user to verify the data was not changed.
How can I obtain a digital certificate from Fortes and upload it to the trusted store?
To export the digital certificate from a Fortes macro, follow these steps:
- Open the workbook that contains the macro;
- Press ALT+F11 to open the Visual Basic Editor;
- On the Tools menu, click Digital Signature;
- Click Detail and export the certificate in the format you wish;
- Upload the exported certificate to the trusted store.
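The last step can be scripted so that the exported file is checked before it is trusted. The following PowerShell is an added example, not code from Fortes; it assumes the "trusted store" is the current user's Trusted Publishers store, and the file path and expected thumbprint parameters are placeholders you supply (the thumbprint should be confirmed with the vendor through a separate channel).

```powershell
# Added example: parameter names and values are assumptions, not taken from the page.
param(
    [Parameter(Mandatory)] [string] $CertPath,            # exported file, e.g. C:\Temp\exported-macro-cert.cer
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # thumbprint confirmed with the vendor out of band
    [string] $Store = 'Cert:\CurrentUser\TrustedPublisher' # assumed meaning of "trusted store"
)

$fullPath = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# Refuse to trust a certificate that is not the one the vendor announced.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# A publisher certificate should carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$isCodeSigning = [bool]($eku -and
    (($eku.EnhancedKeyUsages | ForEach-Object Value) -contains '1.3.6.1.5.5.7.3.3'))
if (-not $isCodeSigning) {
    Write-Warning 'Certificate does not list the Code Signing usage; review before trusting it.'
}

# Report the validity window. Expiry is shown, not treated as a failure here.
[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Thumbprint  = $cert.Thumbprint
    NotBefore   = $cert.NotBefore
    NotAfter    = $cert.NotAfter
    ExpiredNow  = ((Get-Date) -gt $cert.NotAfter)
    CodeSigning = $isCodeSigning
} | Format-List

# Import only if the same certificate is not already in the store.
$already = Get-ChildItem -Path $Store | Where-Object Thumbprint -eq $cert.Thumbprint
if ($already) {
    Write-Output "Certificate is already present in $Store; nothing to import."
} else {
    Import-Certificate -FilePath $fullPath -CertStoreLocation $Store
}
```

Adding `-WhatIf` to the `Import-Certificate` call shows what would be imported without changing the store.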
The exported certificate is expired. Is this normal?
Yes. A digital signature helps a user to verify that the data was not changed. That means that the certificate should be valid at the moment the macros are signed. After this period, the certificate remains valid until the macros are changed again.
Do I need to do this step each time the macros are changed by Fortes?
A certificate is valid for one year.
When Fortes decides to change the VBA code, Fortes will do this with a (new) valid certificate.
- If the VBA change falls inside the validity period of the certificate, customers do not need to upload a new certificate to the trusted store.
- If the VBA change falls outside the validity period of the certificate, Fortes will buy a new valid certificate and then perform the change. In this case, customers will be informed that they need to upload the new certificate to the trusted store.