Timestamp VBA Projects

Solution ID : SO7000
Last Modified : 10/28/2023
Warning! 

The steps for updating the registry have been provided by Microsoft and are for timestamping your Microsoft Office and VBA files ONLY. Any other changes you make to your registry can affect the operation of your computer.

By default, Office does not use a timestamping service when signing or validating code. Using a timestamping service usually takes more time than the default digital signing process. To use a timestamping service, Office needs to communicate with a certificate authority's timestamp server over the Internet to complete the action. You cannot timestamp a digital signature unless you are connected to the Internet.

There is no built-in Office user interface to use this option. To have Office use a timestamping service with all future digital signatures, you need to set these registry keys.
The values should be entered under ONE key.

Please use the following instructions:

  1. Create a Security key at the VBA level:
    HKEY_CURRENT_USER\Software\Microsoft\VBA\Security
  2. Add a String value Item to the Security key named TimeStampURL with the value set to the time stamp URL below.

    Important: The Microsoft tools VBA and MAGE do not currently support the RFC 3161 protocol.

    The SHA-1 timestamping URL is http://timestamp.digicert.com

    Note: DigiCert does offer RFC 3161 Timestamp services that can be used when support becomes available for RFC 3161. (RFC3161 compliant Time Stamp Authority (TSA) server)

  3. Add a DWORD value item to the Security key named TimeStampRetryCount with the value data set to '3' (In my case I used 3 but you can pick a different number).
     
  4. Add a DWORD value item to the Security key named TimeStampRetryDelay with the value data set to '3' (In my case I used 3 but you can pick a different number).
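
The four steps above, scripted in PowerShell as an added example (not DigiCert's or Microsoft's own script). It uses the key path, value names and data given in the steps, and the read-back at the end confirms that each value was stored with the expected type.

```powershell
# Added example: applies steps 1-4 for the current user (HKEY_CURRENT_USER).
# Key path, value names and data are taken from the steps above; the retry
# count and delay can be changed to a different number.
$keyPath  = 'HKCU:\Software\Microsoft\VBA\Security'
$settings = @(
    @{ Name = 'TimeStampURL';        Type = 'String'; Value = 'http://timestamp.digicert.com' },
    @{ Name = 'TimeStampRetryCount'; Type = 'DWord';  Value = 3 },
    @{ Name = 'TimeStampRetryDelay'; Type = 'DWord';  Value = 3 }
)

# Step 1: create the Security key only when it is missing, so that any values
# already stored under it are left alone. -Force also creates missing parents.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Steps 2-4: create or overwrite each value with the required registry type.
# All three values go under the ONE Security key.
foreach ($s in $settings) {
    New-ItemProperty -Path $keyPath -Name $s.Name -PropertyType $s.Type `
        -Value $s.Value -Force | Out-Null
}

# Read back: a value written with the wrong type (for example a retry count
# stored as a string) is reported instead of being silently accepted.
$key = Get-Item -Path $keyPath
foreach ($s in $settings) {
    $data = $key.GetValue($s.Name)
    $kind = $key.GetValueKind($s.Name)
    if ($data -ne $s.Value -or "$kind" -ne $s.Type) {
        Write-Error "$($s.Name): expected $($s.Type) '$($s.Value)', found $kind '$data'"
    } else {
        Write-Output "$($s.Name) = $data ($kind)"
    }
}
```

Office applications that were already running need to be restarted before signing so that they read the new values.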

To reduce the likelihood that a malicious user can derive a digital certificate's private key from its public key, a commercially obtained digital certificate expires after one year. Office will not allow you to use an expired certificate to sign macros, and will also warn the end-user when a digital signature for a file has expired. The end user will see a warning in the usual Digital Signature security warning, which indicates that the certificate is no longer trustworthy. The user can determine if the certificate has expired by looking in the Details dialog box for the certificate.

To prevent you from having to re-sign your software and Visual Basic for Applications projects every time your certificate expires, some commercial certificate authorities provide a timestamping service. If you use a timestamping service when signing code, a hash of your code is sent to a server to record a timestamp for your code. When using a timestamping service, a user's software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a certificate that was valid at the time the code was signed, but which has subsequently expired.