Using your own SSL certificate for digital signatures

April 28, 2010 — 2 Comments

I recently had the fun task of trying to deploy our own SSL certificate to all users, so that they trusted documents that had been signed with it and did not see the “Do you want to enable macros” prompt every time they opened a document containing VBA code. We also needed several users to be able to sign their own documents with this certificate. I found several guides on the internet for each of these things, but none of them covered the entire process and all of them missed several key points, so now that our implementation is up and running I figured it would be worth writing a guide for other people to follow. I’m not claiming that this is the best way to do it, just that this is what we have done and I know it works.

Let’s get what seem to be the most common misconceptions out of the way first: no, you do not need to buy an SSL certificate; no, you do not need your own certificate server; and no, you cannot use Selfcert.exe to create your certificate.

I will update this post with further details and a full step-by-step guide shortly, but here is a basic outline of what we did:

  • Created a certificate using MakeCert.exe, specifying that the private key should be exportable.
  • Deployed the certificate to end users via group policy, placing it in the Trusted Root Certification Authorities store.
  • Added the certificate to users’ Trusted Publishers store by creating a Software Restriction rule in group policy: set the rule type to “Certificate Rule”, select our certificate, then set the rule to Unrestricted.
  • If users need to be able to sign documents themselves, we export the private key from the certificate and import it on the user’s machine via the Certificates MMC snap-in. If you skip this and only import the certificate (.cer file) rather than the private key (.pfx file), users will get an error like “There was a problem with the digital signature” when they try to save a document they have signed with the certificate.
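As an added example (my own script, not the author’s), here are the steps above in PowerShell with MakeCert: creating the certificate with an exportable key, exporting the .cer for the group policy and the .pfx for signers, and a client-side check that detects the missing-private-key condition behind the error in the last step. It assumes makecert.exe from the Windows SDK, the PKI cmdlets (Windows 8.1 / Server 2012 R2 or later), and that policy-delivered certificates are visible in the Cert: drive; the subject name, paths and expiry date are placeholders.

```powershell
# Added example, not from the original post. Creates the macro-signing
# certificate, exports the .cer for the GPO and the .pfx for signers, and
# checks a client. Subject, paths and the expiry date are assumptions.
$Subject = "CN=Example Corp Macro Signing"   # assumed name
$OutDir  = "C:\CertDeploy"                   # assumed path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the certificate with makecert.exe (Windows SDK). -r = self-signed,
#    -pe = exportable private key (the step the post stresses),
#    -eku 1.3.6.1.5.5.7.3.3 = Code Signing. It lands in CurrentUser\My.
& makecert.exe -r -pe -n $Subject -ss My -sr CurrentUser `
    -eku 1.3.6.1.5.5.7.3.3 -sky signature -len 2048 -a sha256 -e 01/01/2030
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

# 2. Public part only (.cer): what the GPO pushes into Trusted Root and what
#    the Software Restriction "Certificate Rule" selects. Safe to share.
Export-Certificate -Cert $cert -FilePath "$OutDir\macro-signing.cer" | Out-Null

# 3. Private key (.pfx): only for the users who must sign documents. Anyone
#    holding this file can sign macros that every client will run without a
#    prompt, so hand it over directly and never leave it on a share.
$pw = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\macro-signing.pfx" `
    -Password $pw | Out-Null
"Thumbprint to check on clients: $($cert.Thumbprint)"

# 4. Client check, run on a workstation after the GPO has applied (and after
#    the .pfx import for signers). CanSign=$false with the cert present is the
#    state behind "There was a problem with the digital signature": the .cer
#    was imported instead of the .pfx, so there is no private key to sign with.
function Test-MacroSigningDeployment {
    param([Parameter(Mandatory)][string]$Thumbprint, [switch]$Signer)
    $inRoot = (Test-Path "Cert:\LocalMachine\Root\$Thumbprint") -or
              (Test-Path "Cert:\CurrentUser\Root\$Thumbprint")
    $inPub  = (Test-Path "Cert:\LocalMachine\TrustedPublisher\$Thumbprint") -or
              (Test-Path "Cert:\CurrentUser\TrustedPublisher\$Thumbprint")
    $mine   = Get-Item "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    $canSign = [bool]($mine -and $mine.HasPrivateKey)
    [pscustomobject]@{
        TrustedRoot      = $inRoot
        TrustedPublisher = $inPub
        CanSign          = $canSign
        Ok               = $inRoot -and $inPub -and ((-not $Signer) -or $canSign)
    }
}
Test-MacroSigningDeployment -Thumbprint $cert.Thumbprint -Signer
```

On a client, call Test-MacroSigningDeployment with the thumbprint printed by the admin-side run; omit -Signer for users who only need to open signed documents.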

Hope that helps someone out in the future.

2 responses to Using your own SSL certificate for digital signatures

  1. I am in the process of distributing an Outlook macro (yes, it should be an add-in, but I don’t have time to reprogram it) to all of our users. I’ve worked out the details of the distribution but am having difficulty with the digital certificate. I will look forward to the step-by-step.

    • How far have you got? If you can tell me which bit in particular you are struggling with, I might be able to help before I get round to putting the full guide up.
