I recently had the fun task of trying to deploy our own SSL certificate to all users so that they trusted documents that had been signed with this certificate, so that users did not see the “Do you want to enable macros” prompt every time they opened a document with VBA code in it. We also needed several users to be able to sign their own documents with this certificate. I found several guides on the internet on how to do both of these things, but none of them seemed to be a complete guide for the entire process and all of them missed out several key points, so now that we have got our implementation up and running I figured it might be a good idea to write a guide for other people to follow. I’m not claiming that this is the best way to do it, just that this is what we have done and I know it works.
Let’s get what seem to be the most common misconceptions out of the way first: no, you do not need to buy an SSL certificate; no, you do not need your own certificate server; and no, you cannot use Selfcert.exe to create your certificate.
I will update this post with further details and a full step by step guide shortly but here is a basic outline of what we did:
- Created a certificate using MakeCert.exe and specified that the private key should be exportable
- Deployed the certificate to end users via group policy – placing the certificate in the Trusted Root Authorities store
- Added the certificate to users’ Trusted Publishers store by creating a Software Restriction rule in group policy, specifying that the rule type is “Certificate Rule”, selecting our certificate, then setting the rule to Unrestricted.
- If users need to be able to sign documents themselves, we export the private key from the certificate and then import it on the user’s machine via the Certificates MMC snap-in. If you do not do this and just import the certificate (.cer file) rather than the private key (.pfx file), then when users try to sign a document with the certificate and save it they will see an error like “There was a problem with the digital signature”.
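The outline above as a PowerShell script, added here as an example and not the post’s own commands. The subject name, output folder and password prompt are assumptions, makecert.exe is assumed to be on the PATH, and the check function at the end shows the condition behind the signing error in the last step: the certificate is present but has no private key.

```powershell
# Added example, not from the original post. Creates the exportable signing
# certificate with MakeCert.exe, exports the .cer (for the GPO Trusted Root
# deployment and the SRP certificate rule) and the .pfx (only for users who
# must sign), then checks a user's stores. Names/paths below are placeholders.
$Subject = "CN=Contoso VBA Signing"            # placeholder subject
$OutDir  = "C:\VbaSigning"                     # placeholder folder
$PfxPass = Read-Host -AsSecureString "PFX export password"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# -r self-signed, -pe private key exportable, EKU 1.3.6.1.5.5.7.3.3 = Code Signing.
# The certificate (with its private key) lands in CurrentUser\My; the public
# part is written to vba-signing.cer. Dates are mm/dd/yyyy.
& makecert.exe -r -pe -n $Subject -a sha256 -len 2048 `
    -eku 1.3.6.1.5.5.7.3.3 -ss My -sr CurrentUser `
    -b 01/01/2024 -e 01/01/2034 "$OutDir\vba-signing.cer"
if ($LASTEXITCODE -ne 0) { throw "makecert.exe failed" }

$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1

# Private key included: hand this only to users who need to sign documents.
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\vba-signing.pfx" `
    -Password $PfxPass | Out-Null
Write-Host "Thumbprint to verify on user machines: $($cert.Thumbprint)"

# On a signer's machine, import the .pfx into the user's Personal store
# (the scripted equivalent of the Certificates MMC import in the post):
#   Import-PfxCertificate -FilePath vba-signing.pfx `
#       -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPass

# Run on a user's machine after the GPO has applied. CanSign is $false when
# only the .cer was imported, which is exactly the case that produces
# "There was a problem with the digital signature" on save.
function Test-VbaSigningCert([string]$Thumbprint) {
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"
    $inPub  = (Test-Path "Cert:\LocalMachine\TrustedPublisher\$Thumbprint") -or
              (Test-Path "Cert:\CurrentUser\TrustedPublisher\$Thumbprint")
    $mine   = Get-Item "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TrustedRoot      = $inRoot                                   # every user
        TrustedPublisher = $inPub                                    # suppresses the prompt
        CanSign          = [bool]($mine -and $mine.HasPrivateKey)    # signers only
    }
}
Test-VbaSigningCert -Thumbprint $cert.Thumbprint
```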
Hope that helps someone out in the future.