Signing Excel macro-enabled files is important for your security, integrity, and trust. With DigiCert’s KeyLocker and Microsoft SignTool, you can securely use the cloud for signing Excel macro projects, utilising your own private key through the Key Storage Provider (KSP).

This will bypass the need for local storage of sensitive keys while maintaining enterprise-class security.

Prerequisites

You must have the following components installed and configured before signing your Excel macro projects:

• Windows operating system
• Microsoft Office SIPs (32-bit version required)
• Visual C++ 2010
• DigiCert KeyLocker client tools
• Configured KeyLocker credentials
• Installed SignTool (Windows SDK)
• Valid certificate file
• Keypair alias from DigiCert KeyLocker

Setting Up Macro Signing

Prior to signing macro projects within Excel, new environments must be configured so that the Windows OS can recognise the files to allow the signing process to take place.

This includes both the installation of all tools necessary to find the proper files for registration and to launch the appropriate Command Prompt (CMD) in Administrator mode.

The Microsoft Office SIP installation provides you with two important DLL files for registering these files with your Windows OS:

• msosip.dll
• msosipx.dll

Both of these DLLs must be present for Windows to support the signing of an Excel macro file.

To register the Office SIPs DLL, run the following command using the complete path of each:

regsvr32.exe <complete path to msosip.dll>regsvr32.exe <complete path to msosipx.dll>

After successful registration, you will receive the following confirmation:

DllRegisterServer in <complete file path> succeeded.

Now that you have registered each DLL, you are ready to sign Excel macro project files using SignTool.

Signing the Excel Macro File

Once you have configured your office and registered your DLL’s, you are ready to use SignTool with the KSP library to sign your newly created macro-enabled file.

You need to use the 32-bit version of SignTool, and this will usually be found at the following location:

C:\Program Files (x86)\Windows Kits\10\bin\<version>\x86

Using the 64-bit version may result in a failure to sign.

To sign your Excel macro file, please use this command:

<Path_to_32_bit_signtool.exe> sign /csp "DigiCert Signing Manager KSP" /kc "<keypair alias>" /f certname.crt /v /debug /fd SHA256 macroname.xlsm

Explanation of Parameters:

• /csp “DigiCert Signing Manager KSP”: Specifies the Key Storage Provider. This value must remain exactly as shown.
• /kc “<keypair alias>”: Replace with your actual keypair alias from DigiCert KeyLocker.
• /f certname.crt: Path to your certificate file.
• /fd SHA256: Defines the hashing algorithm used for signing.
• macroname.xlsm: The Excel macro-enabled file you want to sign.

If you execute this command successfully, then your Excel macro file will be digitally signed and can be verified.

You can verify your file after signing by using:

<Path_to_signtool.exe> verify /pa macroname.xlsm

This will confirm that your file has been signed and is trusted.

Conclusion

DigiCert KeyLocker is a means of securing your private keys while keeping you in compliance with DigiCert’s key signing requirements. In addition to this, the rigorous requirements for establishing the appropriate policies and procedures will lead you toward an efficient and

Cloud Code Signing

Seamless Automated Code Signing Tasks without Need of Physical HSM or Token using Cloud Code Signing Certificate.

Code Signing as a Service