
Short: Is there any way to trust a certificate or publisher, so that the trust remains even after the certificate has expired?

Much longer: We develop (among other things) Excel documents for a number of customers. The documents contain VBA macros. Before delivering the documents to our customers, we sign the documents with our code signing certificate. The default macro settings in Excel (which all our customers stick to) will prompt the user with a security warning, even if the document is digitally signed. This is a good thing, security-wise, but some of our customers' end users complained. Although they could click "Enable content" to make the code run, they thought it was a bit tiresome to do this many times a day.

About a year ago, we thus started to instruct these customers to configure their computers to trust our certificate (i.e. add the certificate to "Trusted Publishers" on their PCs). I don't know exactly how this was done, but GPOs were involved. This has the effect that "our" documents are now opened and VBA code run without warning. Users are happy.

However, our code signing certificate just expired after two years, so we "renewed" it. (This is from DigiCert, if it matters.) To test the certificate, I just signed a new Excel document with the renewed certificate, uploaded it to one of our customers and tested it. The security warning again appeared. Apparently, this new certificate isn't trusted. It turns out that the "renewed" certificate is actually a brand new certificate, with (as far as I understand) no connection to the previous certificate, the one that has been trusted. So, we now have to tell our customers to again configure their PCs to trust this certificate. And every two years (it could have been three if we had bought the maximum length) this process has to be repeated.

DigiCert claims this is by nature - there is really no way to get around this. "Renewing" a certificate is actually just another word for "Getting a brand new certificate". It has the same textual name of our company as publisher, but that's it. Is this true? Is there no other way around it, like extending the validity period of an expiring certificate? Or can you trust the certificate somehow differently, so that new certificates from the same "publisher" are all trusted?

Hope I made myself understood...

  • Seems like expected behavior to me. – Greg Askew Feb 15 '21 at 19:32
  • Yes, in our case, this is probably expected behavior. Still, it is annoying (and our customers will be annoyed) to have to repeat the process of configuring Trusted Publishers every second/third year. I don't know much about certificates, CAs etc., but are there ways to avoid this, but still have the same level of security? – Fredrik Gunne Feb 16 '21 at 08:33
  • Perhaps using certificates issued by a CA that has broader trust, so you don't need to install an end entity certificate in the Trusted Publishers store. – Greg Askew Feb 16 '21 at 11:36

1 Answer


You need to use a timestamp when you sign the macros. That way, as long as you signed them when the certificate was valid, they will still be able to run after the certificate expires. (Unless the certificate gets revoked, but that's a separate issue!)

There are some instructions here: https://stackoverflow.com/questions/55481835/do-i-need-to-re-code-sign-excel-macros-after-renewing-the-certificate Basically, you need to edit the registry for the user profile that does the signing.

NB: It's too late to do anything about the documents that are already out there. So, you will need to re-issue all of them after you've configured timestamps. However, once you get this process in place, it will help you in the future.

  • Thanks for your response, John. The timestamp is not our issue here (we are aware of how it works, registry etc.). The problem is that when our certificate expires (timestamped or not) we have to replace it with a renewed (new) certificate to sign new or modified Excel documents. And, although it is called "renew the certificate", it is actually a brand new certificate. This has the consequence that this new certificate has to be trusted in order to avoid the security warning. – Fredrik Gunne Feb 22 '21 at 09:49
  • That's correct - the new certificate is different to the old one. Internally, you could re-deploy it via GPO, so it should only be once per organisation rather than once per person. – John C. Kirk Feb 22 '21 at 11:56
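The three administrative steps discussed in the answer and its comments, as an added PowerShell example that is not part of the original post: the registry values that make the VBA signing profile request a timestamp, a listing that shows the "renewed" certificate is a distinct certificate (different thumbprint, different validity window), and the per-machine import into Trusted Publishers that a GPO does at scale. The timestamp server URL and the `.cer` file path are assumptions.

```powershell
# Added example, not from the question or answer.
# 1) Signing workstation: ask for an RFC 3161 timestamp when signing VBA projects.
#    Registry location and value names are Microsoft's VBA timestamp settings.
#    A timestamp keeps EXISTING signatures valid after the certificate expires;
#    it does not make signatures made with a NEW certificate trusted.
$vbaSecurity  = 'HKCU:\Software\Microsoft\VBA\Security'
$timestampUrl = 'http://timestamp.digicert.com'   # assumption: your CA's RFC 3161 server

if (-not (Test-Path $vbaSecurity)) {
    New-Item -Path $vbaSecurity -Force | Out-Null
}
New-ItemProperty -Path $vbaSecurity -Name 'TimeStampURL'        -Value $timestampUrl -PropertyType String -Force | Out-Null
New-ItemProperty -Path $vbaSecurity -Name 'TimeStampRetryCount' -Value 3             -PropertyType DWord  -Force | Out-Null
New-ItemProperty -Path $vbaSecurity -Name 'TimeStampRetryDelay' -Value 5             -PropertyType DWord  -Force | Out-Null

# 2) Signing workstation: list code-signing certificates in the personal store.
#    The old and the "renewed" certificate carry the same Subject but different
#    thumbprints, which is why a Trusted Publishers entry keyed on the old one
#    does not cover the new one.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 3) End-user machine (run elevated): trust the new publisher certificate.
#    This is the per-machine equivalent of the GPO deployment in the comments;
#    export only the public certificate (.cer), never the private key (.pfx).
$newCert = 'C:\Deploy\new-codesign.cer'   # assumption: exported public cert
Import-Certificate -FilePath $newCert -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# Confirm what is now trusted, including the expired entry that can be removed.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Subject, Thumbprint, NotAfter, @{n='Expired';e={$_.NotAfter -lt (Get-Date)}} |
    Format-Table -AutoSize
```

Step 1 only takes effect for documents signed after the values are set, which matches the answer's note that already-issued documents need re-signing.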