We are using a Sectigo Code Signing certificate (OV only, Organization Validation, not EV) to sign our .exe app. There have been no problems in recent years.
Now we are trying to sign VBA in Word/Excel with the same certificate, but without success. When I open the VBA editor -> Tools -> Digital Signature -> select the Sectigo cert -> OK -> close VBA and save the Excel file,
I then receive this error:
There is a problem with the digital certificate. The VBA project could not be signed. The signature will be canceled
I was not able to work this out. A self-signed certificate works just fine...
Any ideas? Thank you.
CodePudding user response:
The code signing certificate needs to include all certificates in the certificate path.
Try to export the original certificate in certmgr
(including the private key!) with the option
- "Include all certificates in the certificate path if possible"
enabled, and then import it again into your Personal certificates.
Adding the timestamp
As you already showed in your link, it can be done in Excel by setting the following registry keys before signing the file:
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampURL" /f /d "http://timestamp.sectigo.com"
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryCount" /f /t REG_DWORD /d 2
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryDelay" /f /t REG_DWORD /d 1
Run the commands in the Windows command line.
Checking the timestamp
The only workaround I know of to check the timestamp manually is:
1. Ensure that the certificate with which the macro is signed is NOT located in the "Trusted Publishers" store on the computer (check both the User and Machine stores).
2. In Excel's Trust Center, set Macro Settings to "Disable all macros with notification".
3. Restart Excel.
4. Open the signed file. You should see a yellow warning panel saying "Macros have been disabled." Don't click on it.
5. Go to "File" › "Info"; at the top of that page you should see a "Security Warning" block. Click "Enable Content" › "Advanced Options".
6. You'll get a new window saying that the signature is valid but the publisher is not trusted. Click the "Show Signature Details" link.
7. Now we get the same window that shows digital signatures on executables when you view their properties in Windows Explorer. In the "Countersignatures" section we see our timestamp.
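The following PowerShell script is an added example, not part of the answer above and not a Sectigo or Microsoft tool. It checks the two things the answer points at before you sign: that the code-signing certificate in the current user's Personal store carries a private key and the Code Signing EKU, and that a full chain (leaf, Sectigo intermediates, root) can be built from what is installed locally, listing which store each element was found in so a missing intermediate is visible; it then sets the same three VBA timestamp values as the reg add lines and reads them back. The thumbprint is a placeholder you must replace; the registry path and values are the ones from the answer.

```powershell
# Added example (not from the original answer). Assumes the Sectigo OV
# code-signing certificate is already imported into Cert:\CurrentUser\My.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder, not a real value

# 1. Locate the certificate and confirm a private key is attached to it.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the .pfx with the key" }

# 2. Confirm the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) is present.
$codeSigningEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' }
if (-not $codeSigningEku) { throw "Certificate lacks the Code Signing EKU" }

# 3. Build the chain and show every element with the store it lives in.
#    An intermediate that is missing locally shows up as a chain status
#    error here instead of Office's generic "could not be signed" message.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)
$chain.ChainElements | ForEach-Object {
    $tp = $_.Certificate.Thumbprint
    [pscustomobject]@{
        Subject   = $_.Certificate.Subject
        Issuer    = $_.Certificate.Issuer
        NotAfter  = $_.Certificate.NotAfter
        InMy      = Test-Path "Cert:\CurrentUser\My\$tp"
        InCA      = (Test-Path "Cert:\CurrentUser\CA\$tp") -or (Test-Path "Cert:\LocalMachine\CA\$tp")
        InRoot    = (Test-Path "Cert:\CurrentUser\Root\$tp") -or (Test-Path "Cert:\LocalMachine\Root\$tp")
    }
} | Format-Table -AutoSize
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}

# 4. Set the VBA timestamp values from the answer (same as the reg add lines)
#    and read them back so a typo in the key path is caught immediately.
$vbaKey = 'HKCU:\Software\Microsoft\VBA\Security'
New-Item -Path $vbaKey -Force | Out-Null
Set-ItemProperty -Path $vbaKey -Name TimeStampURL        -Value 'http://timestamp.sectigo.com' -Type String
Set-ItemProperty -Path $vbaKey -Name TimeStampRetryCount -Value 2 -Type DWord
Set-ItemProperty -Path $vbaKey -Name TimeStampRetryDelay -Value 1 -Type DWord
Get-ItemProperty -Path $vbaKey | Select-Object TimeStampURL, TimeStampRetryCount, TimeStampRetryDelay
```

Run it in a normal (non-elevated) PowerShell session, since both the certificate store and the registry key are per-user. If the chain table shows an intermediate with InCA false, that is the case the answer's export/import with "include all certificates in the path" fixes; the script only reports it and does not install anything.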