Digital / Self-signed certificates, what's the point?

**MagnusNovak** · 10-16-2020, 01:36 PM

Hi there,

I've built a spreadsheet that I share with people online. Someone asked if I could "digital sign my macros for those who are security conscious and block unsigned macros". Although open to the idea, I must admit I didn't know what he was referring to initially (and I'm still confused about it). I've looked online and it seems that there are two possibilities: a certificate provided by a commercial certificate authority or a self-signed certificate. The first option seems crazy expensive (hundreds of $ every year just to get a signature?) while I'm puzzled by the usefulness of the second. So here are my questions:
- What is the actual point of a digital certificate? How does it make my spreadsheet less risky for my users?
- Do people really spend hundreds of $ every year to get a certificate from a company?
- I've managed to self sign my excel file (VBA project) following an online tutorial but I still don't understand the purpose of it. What's the point of me signing it? Is it just to help users whose excel parameter is on "not execute VBA if unsigned"? Because they can easily go pass that and activate macros anyway, no?
- Is that what my initial user was most likely asking me to do?

Sorry for these basic questions, but reading articles online showed me how to self-sign (or get a certificate from an online provider) but it didn't make its purpose clearer to me.

Thanks

**6StringJazzer** · 10-16-2020, 03:39 PM

- What is the actual point of a digital certificate? How does it make my spreadsheet less risky for my users?

A digital certificate is a guarantee that you are who you say you are. If you receive a file with a cert from Six String Jazzer then you know it was really sent by Six String Jazzer. However, see next question.

- Do people really spend hundreds of $ every year to get a certificate from a company?

Yes. It is used more by companies than it is by individuals.

A Certificate Authority (CA) is a trusted third party who issues you a certificate after they do identity proofing to be absolutely certain you are who you say you are. I used to work for VeriSign. RSA was the first CA, and VeriSign bought them and went on to become the largest CA. Of course, if you receive a cert from someone, you have to also have trust in the CA.

Certs use the same encryption technology as public key encryption (PKA) but it's kind of inside out. I won't get into it here, but suffice it to say that it is reasonably secure. I am not a security expert but I think you would have to have the resources of a major government to break/fake a cert.

- I've managed to self sign my excel file (VBA project) following an online tutorial but I still don't understand the purpose of it. What's the point of me signing it? Is it just to help users whose excel parameter is on "not execute VBA if unsigned"? Because they can easily go pass that and activate macros anyway, no?

Typically a self-signed certificate is only for testing purposes. It is otherwise useless. It does not verify your identity. It's like you took an index card, wrote your name on it, then tried to use it as ID. IIRC Microsoft Office applications will not trust a self-signed certificate unless it was on the machine where it was generated, so it can be used for testing.

- Is that what my initial user was most likely asking me to do?

Possibly. If so, they don't understand certs. But that's OK because you are doing what they asked. However, as noted above, a self-signed cert may not work.

**MagnusNovak** · 10-23-2020, 02:09 PM

Thanks 6StringJazzer, I understand that process better now.

Another question I have is: if I go with a Certificate Authority and purchase a certificate, can I apply this certificate to multiple excel files? (I have different files that I share with users) Or is it one certificate per product / file? (if so, it becomes cost prohibitif)

I went online to check what's available but I'm not sure I'm using the right key words here. Everything I find is related to SLL certificates for webdomains mostly. And VeriSign's website is far from being intuitive...

Do you know any other providers of VBA / Excel certificates? Price wise, what would be the cheapest option?

Thanks again for your help!

**6StringJazzer** · 10-23-2020, 04:27 PM

A certificate is not just for one file. You can use the same one for all your files.

I am not an expert at the market for this. CAs sell certs for code signing, which is what I think you would need for VBA files, but I have never done it and I don't want to speculate. SLL for web sites is probably the most common.

VeriSign got out of the cert business; in 2010 they sold that unit to Symantec to focus on domain names, and then in 2017 Symantec sold it to someone else.

So I can't recommend a particular CA but if I have a little time I'll see if I can find any useful information for you.

**MagnusNovak** · 10-23-2020, 05:43 PM

Thanks 6StringJazzer, appreciate the help. Indeed it works better when searching "code signing certificate". Based on a quick google search, it appears that prices start at ~$70/year (the cheapest I found) from Comodo. I'll have to double check that it's indeed applicable to VBA / Excel but it's a good starting point.

Thanks again

Digital / Self-signed certificates, what's the point?

LinkBack

Thread Tools

Rate This Thread

Display

Digital / Self-signed certificates, what's the point?

Re: Digital / Self-signed certificates, what's the point?

Re: Digital / Self-signed certificates, what's the point?

Re: Digital / Self-signed certificates, what's the point?

Re: Digital / Self-signed certificates, what's the point?

Thread Information

Users Browsing this Thread

Similar Threads

Digital signatures and certificates

[SOLVED] Digital Certificates and workbook copies

Digital Signature Certificates

Digital Certificates and other users

[SOLVED] Digital Certificates

Removing Digital Certificates

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions