Knowledge Base

Due to the new industry Private Key Storage requirements, Code signing certificate private keys must be stored on a compliant HSM. One option available is the DigiCert provided hardware token by SafeNet. This compliant hardware token, in conjunction with the SafeNet drivers, allows for signing code on the local machine but does change the process required to sign Visual Basic for Applications (VBA) macros. When storing the private key in the machine’s keystore directly, VBA signing can take place. However, when storing it on the SafeNet hardware token, signing attempts will return an error until a few extra steps are taken.

Error:

“There is a problem with the digital certificate. The VBA project could not be signed. The signature will be canceled.”

Reason:

VBA macro signing uses the outdated and distrusted Microsoft MD5 hashing algorithm. SafeNet, like many others, has disabled the use of that algorithm by default because of speed issues as well as its vulnerability to collision and preimage attacks. The certificate cannot be exported from the hardware token.

Fix:

The solution is to allow older hashing algorithms like SHA1 and MD5 in the SafeNet Driver. This can be done in registry:

Hive: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto
Key: Disable-Crypto
Value: None

After setting this value the signing of VBA macros works as expected:

Open VBA editor -> Tools -> Digital Signature -> Select DigiCert Certificate -> Ok -> Close VBA and Save

Alternate Fix:

If you are unable or unsure about editing the SafeNet driver registry you can also download the old SafeNet drivers here.

The older drivers have not disabled the older hashing algorithms and may allow them to be used for signing without editing the driver registry.