Re: Digital signature/certificate

[Dan G.]

"Unexperienced user" <anon...@discussions.microsoft.com> wrote in message news:<20b9601c4593b$7fee9060$a001...@phx.gbl>...
> When trying to sign a macro project (with a valid
> certificate), I receive the following error message:
> "There was a problem with the digital certificate. The
> VBA project could not be signed. The signature will be
> discarded."
>
> I have created several other certificates using SelfCert
> but the problem persist.
>
> Any help?
>
> Thanks for you help!

Sorry for the cross-posts, but this question seems to come up all
over.
Also, all my pictures got removed in the post, and the attachment is
gone, but keep searching and you'll find the files (try Christian's
page first) email me if you can't find them

Here is the solution to the problem I was having:

Problem: I had created a Digital Signature Certificate using the
selfcert.exe utility provided with Office XP, and used it for several
months. Then all of a sudden (the only thing I can imagine changed is
I changed my Network password) I started getting a message that my
Code could not be signed due to an error in the signature.

msg: "There was a problem with the digital certificate. VBA project
in the file 'XXX.doc' could not be signed. The signature will be
discarded."

After determining that reinstalling the Certificate wouldn't solve the
problem, I tried to create a new certificate with selfcert.exe, which
got me this error:

"An error occurred during certificate creation. Selfcert was unable
to create your certificate."

Note: the solution below seems to solve the problem, even if you
don't get this last message.

SOLUTION:

Searching around on the internet lead me to Christian d'Heureuse's
article on creating exportable Certificates
(http://www.source-code.biz/snippets/vbasic/3.htm). This article
basically describes how to create a certificate using makecert.exe
instead of selfcert.exe. I think the more important part to this is
that it allows you to create a PKCS #12 certificate, which allows
backups and private key exporting.

I've attached a zip file with the three programs you will need
(makecert.exe, cert2spc.exe, pvkimprt.exe)

All of the programs and commands are ‘in DOS'. So open a DOS window
and go to the directory where you saved the makecert, cert2spc and
pvkimprt files to.

First create an X.509 certificate using makecert.exe, this will create
a certificate with a default 35 year life span

Makecert –r –n "CN=Your Name" –sv CertFileName.pvk
CertFileName.cer

Where:
-r specifies a self issued certificate
-n Defines the Certs display name
-sv Defines the private key output file name (don't use spaces)

Do make note of the password used here, because you will need it again
in the last step.

Next create an PKCS #7 certificate from the *.cer file created above
using cert2spc

Cert2spc CertFileName.cer CertFileName.spc

Last, create a PKCS #12 certificate from the *.spc file created above
using pvkimprt. Though this program normally triggers the certificate
import wizard, the –pfx option forces the export wizard instead. This
export wizard uses the *.spc to create a *.pfx file that can be moved
to any computer to become the signing certificate.

Pvkimprt –pfx CertFileName.spc CertFileName.pvk

Note: Export the file to CertFileName.pfx. Also, here is where you
will need the password used to create the *.cer file. The password
will be needed again when you import the certificate into the
certificate store.

Be sure to check the box to ‘export the private key' otherwise you
will not get the *.pfx file output we are after, and you won't be able
to sign code.

Now that the certificate has been created, import the certificate into
the certificate store on the computer that will do the signing.
IMPORTANT: this PKCS #12 cert must be installed to the ‘Personal'
store. This was the only location that would allow the cert to show
up in the list on the module ‘Digital-Signature' selection window.
And the only place it can be to actually perform ‘Signing'

Click ‘Import…'

Enter your password from the first step, also, check the box to ‘Mark
this key as exportable.' This will allow you to move this certificate
to another computer, though since we have already created the export
*.pfx file, it's not really necessary (as long as this file is
backed-up and handy.)

Click ‘Next >'

Make sure to select 'Place all certificates in the following store'
and browse to 'Personal'

Click ‘Next >'

Click ‘Finish'

As an additional note, as if you have control of this, the user needs
to accept the default install location when they go to install the
certificate when they open the file. This default location is the
‘Root' store, and if they install it to another location, they will
continue to be asked to accept the certificate. This part applies to
you as well, when you open the file for the first time.

Further information can be found on each of the three files used here,
at the Microsoft MSDN page, though their file versions available are
old (unless you dig really deep). The file versions you will need (or
newer) are:

MakeCert 5.131.3617.0
Cert2spc 5.131.1863.1
Pvkimprt 5.131.2014.1

Dan Guzman - Database Coordinator

[willer....@gmail.com]

Still cant get it to work.. and (Yr Zip file isnt attached) .. :-/

[Michael Cole]

on 1/07/2013, willer....@gmail.com supposed :

> On Friday, 9 July 2004 00:17:56 UTC+1, Dan G. wrote:

[SNIP]

>>
>> Dan Guzman - Database Coordinator
>
> Still cant get it to work.. and (Yr Zip file isnt attached) .. :-/

You do realise that you are replying to a nine-year old message, don't
you?

--
Michael Cole