
I created 2 self signed certificates:

  1. A root certificate: MyRootCA self-signed
  2. A code signing certificate: MyCodeSign signed by MyRootCA

Now I add MyRootCA to the Trusted Publishers in Excel's Trust Center and sign my VBA code with MyCodeSign (which is not added to the Trust Center).

Now I believe that, because I trusted MyRootCA, which signed MyCodeSign, Excel should also trust all MyCodeSign-signed code (chain of trust). But it doesn't. Only if I add MyCodeSign to the Trust Center is my code trusted.

Does anyone have an idea where I'm thinking wrong? Or does Excel just not trust child-signed code if its parent certificate is trusted?

So below you see A is MyRootCA and B is MyCodeSign issued by A:

[screenshot: certificate chain, A = MyRootCA, B = MyCodeSign issued by A]

Now I think that when I trust A in the Trust Center, all code signed with B should be trusted too. But Excel still asks for trusting/enabling macros.

So perhaps someone can confirm that issue (so I know it's not my fault) or disprove it?
I'm working on the latest version of Office 2016 x64 Edition, if that matters.


(Sorry for the German screenshots)

Pᴇʜ
    Go to the Digital Signature settings and click "Detail..." Check your Certification Path Tab. It should show the relationship between the certificate and the root. – HackSlash Mar 06 '18 at 18:38
  • @HackSlash Thanks for your input, the certification path looks ok. I added some screenshots which should make it more clear. – Pᴇʜ Mar 07 '18 at 07:58

2 Answers


So obviously Excel is driving me nuts and changed the option from

  • disable all macros except digitally signed macros

back to the default (probably that happened during an update or something):

  • disable all macros with notification

    With this option even digitally signed VBA code gets a security warning, and it asks you to activate macros.

And of course, with "disable all macros except digitally signed macros", the chain of trust is valid and I don't need to trust every single certificate. Trusting the root CA is enough, as I expected.

  • Pro side: Excel enables macros and doesn't ask anymore on digitally signed macros.
  • Con side: Excel disables macros and doesn't ask anymore on un-signed macros.

Nevertheless, I miss a mix of both options, like "disable all macros with notification except digitally signed macros", which would perfectly meet my wishes.
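An added example (not part of the answer above and not Office's own tooling) that checks from PowerShell the two things this thread turns on: which macro setting Excel currently has (the VBAWarnings registry value behind the Trust Center radio buttons) and which certificate of a signing chain is actually present in the Windows TrustedPublisher store that backs the Trust Center's "Trusted Publishers" list. It assumes Office 2016 (registry key version 16.0), the current-user hive, and a leaf certificate in the current user's personal store; the function names are my own.

```powershell
# Known VBAWarnings values (Trust Center > Macro Settings). Assumption: Office 2016, HKCU.
$VbaWarningNames = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

# Reports the current macro setting per Office application, so a silent reset
# to the default (as described in the answer above) is easy to spot.
function Get-OfficeMacroSetting {
    param([string[]]$Apps = @('Excel', 'Word', 'PowerPoint'), [string]$Version = '16.0')
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            App        = $app
            Value      = $value
            Setting    = if ($null -eq $value) { 'Not set (application default applies)' } else { $VbaWarningNames[[int]$value] }
            SignedOnly = ($value -eq 3)
        }
    }
}

# Builds the chain for a code-signing certificate (by thumbprint, from Cert:\CurrentUser\My)
# and shows, for every element, whether that element sits in the TrustedPublisher store.
function Test-SigningChainTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $leaf = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a lab root CA publishes no CRL
    $chainValid = $chain.Build($leaf)

    $trustedPublishers = (Get-ChildItem Cert:\CurrentUser\TrustedPublisher).Thumbprint
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            Thumbprint         = $c.Thumbprint
            ChainValid         = $chainValid
            InTrustedPublisher = ($trustedPublishers -contains $c.Thumbprint)
        }
    }
}

Get-OfficeMacroSetting | Format-Table -AutoSize
# Then, for your MyCodeSign certificate:
# Test-SigningChainTrust -Thumbprint '<thumbprint of MyCodeSign>' | Format-Table -AutoSize
```

A ChainValid of True with only the root listed as InTrustedPublisher reproduces the situation in the question; whether Excel then still prompts depends on the SignedOnly column, which is the point of the answer above.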

Pᴇʜ

Looks like you have to trust the publisher even if you have a valid certificate:

https://www.groovypost.com/howto/howto/office-2010-outlook-self-signed-digital-certificate/

Take a look at these three tabs:

Trusted CA | Trusted Publishers | Untrusted Publishers


HackSlash
    Of course I trusted the publisher. Not the one that signed the code (B) but the root one (A) that signed the certificate which signed the code (B). So the chain of trust should be valid, but somehow Excel doesn't follow the certification path. – Pᴇʜ Mar 07 '18 at 08:00
    Having the root makes your certificate valid. You would get an invalid certificate warning otherwise. I am saying that you also have to trust each publisher even if they have a valid signature. – HackSlash Mar 07 '18 at 16:22
  • Is that documented anywhere? If that's true, that would be against the whole concept of the chain of trust. If that is true, then there is no advantage in having a certificate from a trusted CA over a self-signed certificate. The advantage of trusting the root certificate should be that you do NOT have to trust every single child certificate. – Pᴇʜ Mar 08 '18 at 06:59
  • @Pᴇʜ Having a valid cert is different than trusting a publisher. Should we trust software written by anyone who can buy a valid cert? No, we should not. You do have a valid argument for using self-signed certificates for code signing. Unless you want to distribute the software, then you need to make sure that nobody can pretend to be you. This is why you buy a trusted cert. So they are two different problems. – HackSlash Apr 16 '21 at 19:31