Solution ID : SO7492

Last Modified : 05/02/2018

Timestamp VBA Projects

Solution

By default, Office does not use a timestamping service when signing or validating code. Using a timestamping service usually takes more time than the default digital signing process. To use a timestamping service, Office needs to communicate with a certificate authority's timestamp server over the Internet to complete the action. You cannot timestamp a digital signature unless you are connected to the Internet.

There is no built-in Office user interface to use this option. To have Office use a timestamping service with all future digital signatures, you need to set these registry keys.
The values should be entered under ONE key. Please use the following instructions:

  1. Create a Security key at the VBA level:
    HKEY_CURRENT_USER\Software\Microsoft\VBA\Security
  2. Add a String value item to the Security key named TimeStampURL with the value set to the timestamp URL below.

    Important: Thawte recommends that customers use the SHA-256 timestamping service going forward, and not use a SHA-1 service unless a legacy platform constraint prevents the use of a SHA-2 service.

    Exception: The Microsoft tools VBA and MAGE do not currently support the RFC 3161 protocol, so the following legacy service can be used.

    The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
    (The timstamp.dll filename is spelled that way to conform to the old MS-DOS naming convention.)

    Note: Thawte does offer RFC 3161 timestamp services that can be used once RFC 3161 support becomes available in these tools (see INFO4231).

  3. Add a DWORD value item to the Security key named TimeStampRetryCount with the value data set to '3' (In my case I used 3 but you can pick a different number).
  4. Add a DWORD value item to the Security key named TimeStampRetryDelay with the value data set to '3' (In my case I used 3 but you can pick a different number).
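As an added example that is not part of the original article, the PowerShell below performs steps 1 to 4 under the current user's hive and then reads the values back, so a mistyped value name (which Office would silently ignore) is caught before you sign. It assumes Windows PowerShell on the machine where Office signs the project and uses the article's value of 3 for both retry settings.

```powershell
# Added example (not from the original article): configure the VBA timestamping
# registry values from steps 1-4 and verify them by reading them back.
# Assumption: run as the user whose Office installation will sign VBA projects.

$keyPath = 'HKCU:\Software\Microsoft\VBA\Security'

# Legacy (non-RFC 3161) Authenticode timestamp URL quoted in the article.
$timestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll'

# Step 1: create the Security key under the VBA key if it does not exist yet.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Step 2: REG_SZ value holding the timestamp service URL.
New-ItemProperty -Path $keyPath -Name 'TimeStampURL' -PropertyType String `
    -Value $timestampUrl -Force | Out-Null

# Steps 3 and 4: REG_DWORD retry count and retry delay (3 as in the article).
New-ItemProperty -Path $keyPath -Name 'TimeStampRetryCount' -PropertyType DWord `
    -Value 3 -Force | Out-Null
New-ItemProperty -Path $keyPath -Name 'TimeStampRetryDelay' -PropertyType DWord `
    -Value 3 -Force | Out-Null

# Verification: read every value back and compare it with what was intended.
# All three names must sit under this ONE key for Office to pick them up.
$settings = Get-ItemProperty -Path $keyPath
$expected = @{
    TimeStampURL        = $timestampUrl
    TimeStampRetryCount = 3
    TimeStampRetryDelay = 3
}
foreach ($name in $expected.Keys) {
    $actual = $settings.$name
    if ($actual -ne $expected[$name]) {
        Write-Error "$name is '$actual', expected '$($expected[$name])'"
    } else {
        Write-Host "$name = $actual"
    }
}
```

Office reads these values when it next signs a project, so close and reopen the VBA editor after running the script.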

To reduce the likelihood that a malicious user can derive a digital certificate's private key from its public key, a commercially obtained digital certificate expires after one year. Office will not allow you to use an expired certificate to sign macros, and will also warn the end user when a digital signature for a file has expired. The end user will see a warning in the usual Digital Signature security warning, which indicates that the certificate is no longer trustworthy. The user can determine if the certificate has expired by looking in the Details dialog box for the certificate.

To prevent you from having to re-sign your software and Visual Basic for Applications projects every time your certificate expires, some commercial certificate authorities provide a timestamping service. If you use a timestamping service when signing code, a hash of your code is sent to a server to record a timestamp for your code. When using a timestamping service, a user's software can distinguish between code signed with an expired certificate that should not be trusted, and code that was signed with a certificate that was valid at the time the code was signed, but which has subsequently expired.