Office 2007 not recognizing code signing certificate from Server 2012

  • Question

  • Hello,

    My goal is to sign Excel 2007 macros intended for intraoffice use only, by a team of five people. I have tried the Office Tools selfsign.exe certificate, but my coworkers get warnings. So I'm trying to use a Code Signing certificate issued by our local Windows Server 2012. I have found and followed the instructions for doing so (briefly, I have added the local CA to my Trusted Root Certification Authorities, have enabled Code Signing template on the server and allowed enrollment, and then I have requested, received, and installed a Code Signing certificate using the https://servername/certsrv method), and everything appears to have worked. The local CA appears in my Trusted Root Certification Authorities, and the Code Signing certificate appears in my Personal certificates tab, along with the aforementioned Office Tools certificate.

    The trouble is that when I try to sign my code in Excel Visual Basic (Tools/Digital Signature), the certificate does not appear to choose from. My only option is the self-signed certificate. If I delete the self certificate, I get a message - part of a message, really - that there are "no certificates that meet the application..." (if there's a way to expand that and see the end of that sentence, I can't find it.)

    Is there something wrong with a certificate based on the built-in Code Signing template? Is there a step I've missed to get Excel to recognize it? With so little information, I really don't know where to go from here.

    Tuesday, April 8, 2014 4:02 PM

Answers

  • Are you using SHA256 at your CA?

    (Just check Signature hash algorithm of any issued certificate)

    There was a bug in Office 2010 (see fix here) that prevented SHA256 signed certificates from showing up.

    In order to test if this is the root cause you could temporarily deny all users except a test user the right to Request Certificates at the CA (certsrv.msc, Properties, Security), change the hash algorithm to SHA1, issue another Code Signing certificate and check if you can select that, and change the algorithm and permissions back after the test.

    You can configure the hash algorithm in this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA>\CSP

    Change CNGHashAlgorithm to SHA1 and restart the CA service.

    Elke

    Wednesday, July 2, 2014 7:03 PM
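The check and the temporary SHA-1 round trip from the answer above, as an added PowerShell example that is not part of the original thread. The CA-side functions run in an elevated PowerShell on the AD CS server; the enrollment step runs as the test user on a Windows 8 / Server 2012 or later machine with the PKI module (Get-Certificate). The CA name and the template name are placeholders you must replace with your own.

```powershell
# Added example, not code from the thread. Placeholders are marked ASSUMPTION.
$CaName   = 'CONTOSO-CA'     # ASSUMPTION: your CA's common name (see: certutil -cainfo name)
$Template = 'CodeSigning'    # ASSUMPTION: template *name* (not display name) you enabled on the CA
$CspKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"

# Step 0 (on any client): which hash signed the code-signing certs already in the user's
# Personal store? "sha256RSA" is the condition the answer asks about; Office 2007 only
# lists the "sha1RSA" ones, which is why only the selfsign.exe certificate shows up.
function Get-CodeSigningCertHash {
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Select-Object Subject, NotAfter, Thumbprint,
            @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

# Step 1 (on the CA): read / set the CNG hash algorithm, i.e. the registry value named in
# the answer. The CA only picks the new value up after CertSvc is restarted.
function Get-CaHashAlgorithm {
    (Get-ItemProperty -Path $CspKey -Name CNGHashAlgorithm).CNGHashAlgorithm
}

function Set-CaHashAlgorithm {
    param([Parameter(Mandatory)][ValidateSet('SHA1', 'SHA256', 'SHA384', 'SHA512')][string]$Algorithm)
    Set-ItemProperty -Path $CspKey -Name CNGHashAlgorithm -Value $Algorithm
    Restart-Service -Name CertSvc
}

# Step 2 (on the CA, then as the test user): the temporary SHA-1 window. Between the switch
# and the restore, every certificate *and every CRL* the CA signs is SHA-1, so first restrict
# "Request Certificates" to the test user in certsrv.msc (CA Properties > Security), as the
# answer says, and put the permissions back afterwards.
function Invoke-Sha1CodeSigningEnrollment {
    $original = Get-CaHashAlgorithm
    try {
        Set-CaHashAlgorithm -Algorithm 'SHA1'
        # Run this part as the test user; the certificate lands in that user's Personal store.
        $result = Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
        if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
        $result.Certificate | Select-Object Thumbprint,
            @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
    }
    finally {
        # Restore the production hash even if enrollment failed.
        Set-CaHashAlgorithm -Algorithm $original
    }
}

Get-CodeSigningCertHash
Get-CaHashAlgorithm
# Invoke-Sha1CodeSigningEnrollment   # only after restricting Request Certificates rights
```

After the restore, confirm with Get-CaHashAlgorithm that the CA is back on SHA-256 and re-publish a CRL (certutil -crl) so the next CRL is signed with the production hash; the SHA-1 code-signing certificate stays valid because only its own signature, not the CA's, uses SHA-1.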

All replies

  • Hi Dave,

    Have you checked permissions on the code signing template on the CA?

    If not, please make sure that Read and Enroll permissions for users and computers are presented on the template. In addition, please have a look at this KB article:

    An installed certificate does not appear in the "Select the certificate you want to use" list in Live Communications Server 2003

    http://support.microsoft.com/kb/834474

    Best Regards,

    Amy Wang

    Thursday, April 10, 2014 1:50 AM
    Moderator
  • Hi Amy,

    Thank you for the suggestions.

    I verified that read and enroll permissions for the Code Signing template are checked for the user in question (me). But computer does not appear in the permissions for that template. Are we sure the computer needs permission too, for a certificate that is intended to verify my own identity, not my machine's identity? And as I said, I had no problem requesting, receiving, or installing the certificate. Seems if there was a permission problem, that would have failed.

    I took a look at the article, and I see that the symptom is very similar. However, I don't think the cause or resolution apply to a code signing certificate. According to the article, Live Communications Server 2003 requires a computer account certificate, not a personal certificate, so if the certificate is stored in the personal store, it won't be available. However, a code signing certificate is a personal certificate, and should be installed in the local user certificate store as a personal certificate. That was where it automatically installed, and also, that's where the self-sign certificate is stored, and it DOES appear as a choice. Or rather, as THE choice.

    Tuesday, April 15, 2014 2:57 PM
  • Hi there,

    I'm also having this same problem with a certificate issued from Windows Server 2008 R2.  Office 2007 doesn't recognize it on Vista or Windows 7.  It does recognize it under Windows XP.

    The only certificate I can get Vista/Windows 7 to recognize is the self-signed certificate from Office Tools.

    Does anyone have an answer for this thread?

    Thanks!

    Also_Dave

    Wednesday, July 2, 2014 6:07 PM
  • I have just replied to the other Dave - see my answer and links below. It could be related to an issue Office has with SHA256 signed certificates ... unfortunately only fixed in Office 2010 as far as I can tell from the KB article.

    Are you using SHA256?

    Elke

    Wednesday, July 2, 2014 7:05 PM
  • Thanks Elke!

    This fixed my problem.  I changed the registry key; restarted the Active Directory Certificate Services and re-issued the code signing certificate and it's now visible to Office 2007 under Vista / Windows 7.  You were right, we were using SHA256 keys.

    Now that I have a valid and visible code signing certificate, I assume it's okay to change it back to SHA256 for all other requested certificates right?

    I know Office 2007 is getting along in years, but since it's still supported, I hope Microsoft issues their fix for 2007 soon.

    Thanks so much for your help!  This was driving me nuts!

    Also_Dave

    Wednesday, July 2, 2014 7:48 PM
  • Yes - exactly: You can switch back to SHA256 after you have issued the Code Signing certificate and then modify security settings again.

    Elke

    Thursday, July 3, 2014 5:30 AM
  • I'm having a problem that sounds very similar to this.  We distribute add-ins for Office and use a code signing certificate from GoDaddy.  Everything was fine until we renewed the certificate when it expired.  After renewing, the certificate works in Office 2010 and Office 2013, but not in Office 2007. Office 2007 gives me an error saying "Warning: the digital signature on this application add-in is invalid and cannot be trusted. Application add-in is disabled".

    The old certificate that worked was sha1, the new one is sha256.

    Is this the same problem?  Do I need to get an sha1 certificate to fix? 
    Thursday, January 22, 2015 3:13 PM
  • You need to ask GoDaddy if they still offer SHA1 certificates - but finally the decision is up to the CAs and SHA1 is now gradually being phased out.
    Sunday, January 25, 2015 6:42 PM
  • Thanks for the reply Elke.  GoDaddy told me SHA1 certificates are no longer available.

    At least I know what the problem is now

    Jim

    Tuesday, January 27, 2015 11:44 PM
  • We have the same problem as jimbr32! (with Thawte)
    Wednesday, February 4, 2015 1:13 PM
  • @Franz96

    Did Thawte issue you with an SHA1 certificate?

    Thursday, February 12, 2015 11:17 AM
  • The other solution here is to add the location of your signed add-in file (.dll, .xlsm, etc.) to the "Trusted Locations" in Office 2007 applications.  This allows you to maintain the macro security settings in Office, while enabling the use of the SHA256 certs for Office 2010+ (and not compromising security).  We successfully used this method to enable an add-in from SAP to work in Excel 2007, and it had a SHA256 cert in its certificate chain.
    Friday, April 15, 2016 8:47 PM
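The Trusted Locations workaround from the post above, as an added PowerShell example that is not part of the original thread. It writes the per-user Trusted Location entry Excel 2007 (Office major version 12.0) reads from the registry, then checks the folder's ACL, because Excel runs anything in a trusted location with no signature check at all. The folder path, description and location index are placeholders.

```powershell
# Added example, not code from the thread. Placeholders are marked ASSUMPTION.
$Folder = 'C:\AddIns\Signed'   # ASSUMPTION: folder that holds the signed add-in (.xlsm/.xlam/.dll)
$Base   = 'HKCU:\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations'

# Register $Path as an Excel 2007 Trusted Location for the current user and return the key.
function Add-ExcelTrustedLocation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Signed add-ins',   # ASSUMPTION: free-text label shown in Trust Center
        [switch]$AllowSubfolders
    )
    if (-not (Test-Path $Base)) { New-Item -Path $Base -Force | Out-Null }
    # Excel reads keys named Location0, Location1, ...; pick the next free index so an
    # existing entry (e.g. the default XLSTART locations) is not overwritten.
    $used = Get-ChildItem -Path $Base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^Location(\d+)$' } |
        ForEach-Object { [int]$Matches[1] }
    $next = if ($used) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 0 }
    $key  = Join-Path -Path $Base -ChildPath "Location$next"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Path -Value ($Path.TrimEnd('\') + '\') -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name AllowSubfolders -Value ([int]$AllowSubfolders.IsPresent) -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name Date -Value (Get-Date -Format 'MM/dd/yyyy HH:mm') -PropertyType String -Force | Out-Null
    return $key
}

# List what Excel 2007 currently trusts for this user.
function Get-ExcelTrustedLocations {
    Get-ChildItem -Path $Base -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Select-Object Path, AllowSubfolders, Description
}

# Anyone who can write into a trusted location gets macro execution in Excel without any
# signature check, so the folder must not be writable by broad groups. Returns offending ACEs.
function Test-TrustedFolderAcl {
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl')
    }
}

$bad = Test-TrustedFolderAcl -Path $Folder
if ($bad) { $bad; throw "$Folder is writable by a broad group; fix the ACL before trusting it." }
Add-ExcelTrustedLocation -Path $Folder
Get-ExcelTrustedLocations
```

Keep the trusted folder to exactly the signed add-ins, owned by an admin and read-only for users; a trusted location replaces the signature check with a filesystem-ACL check, so the protection is only as good as that ACL. For a network share you additionally have to set AllowNetworkLocations to 1 under the Trusted Locations key, and if the setting is pushed by Group Policy the same values live under HKCU\Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations instead.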