Score:1

How do I fix "No usable signing certificates are available" in VBA?


We have a VBA script in Outlook that generates a popup when sending external emails. Apparently the script's signature expired over the weekend. The person who signed it is no longer here. I see the certificate in the CA on our DC but no option to renew.

I've generated a code signing cert and imported it into my computer, but the VBA editor keeps saying "No usable signing certificates are available". I see the cert in my cert store. The template says "Code Signing" instead of the original cert's "%ORG% Code Signing", if that matters.

I really have no idea what I'm doing and have spent hours digging online and researching to get this far. I'm at a dead end and could use some help getting this signed again. If there is a better more modern alternative to get a user prompt for external recipients let me know.

joeqwerty:
TBH, why do you need to do this? What's the business need?
naps1saps:
We don't want to accidentally send internal emails to clients; it could be a big deal with our type of clients. We also don't want to have users fall for spoofing emails, since any breach is a huge, huge deal that could have financial consequences due to regulation, etc. We do have the banner but it's pretty ignorable TBH. In our field user prompts are pretty standard procedure.
Massimo:
VBA in 2021? *Really*?!?
naps1saps:
@Massimo we ended up ditching the VBA script early this year after I found it would need to be modified and re-signed to use in x64 Office. I didn't feel it was worth it and the higher ups agreed.
Score:1

I was able to fix this by importing the certificate via the Internet Options / Content / Certificates interface, into the following three stores: Personal, Trusted Publishers, Trusted Root Certification Authorities.

Previously, I'd imported the certificate into all three locations via "Manage computer certificates", for machine-level, and "Manage user certificates", for user-level, but although the certificate showed up in all six locations (three locations machine, three locations user), Excel didn't recognize it.

However, going through the Internet Options UI did the trick.

Score:1

Sorry, I'm not a big expert here, but will still try to add my 5 cents...

First of all, have you tried a self-signed certificate? It is easier to debug and will help you test locally. https://social.technet.microsoft.com/Forums/lync/en-US/6b06b276-4266-4f29-ae22-2a3c86c4238f/certificate-for-digital-signature?forum=outlook

Next, are you sure you have imported the private key as well with the certificate? Most probably you will need it, as far as I understand the signing mechanism (sorry if I mislead you; if you are buying the idea of the private key, kindly check how to install it there: https://security.stackexchange.com/questions/25996/how-to-import-a-private-key-in-windows - you'll need PFX instead of CER, otherwise no private key is imported).

Last, in which container in your certificate store have you imported your certificate? It might also impact the outcome. https://answers.microsoft.com/en-us/msoffice/forum/all/vba-i-installed-digital-signing-certificate-but/231529b1-8099-4c7b-9bb6-2c36aeba00a4

Steps to get certificate for signing

  1. On the signing computer, open Manage User Certificates
  2. Right click Personal > All Tasks > Request New Certificate
  3. Select Active Directory Enrollment Policy > Next
  4. Choose a Code Signing template and click Enroll

VBA editor should now see the certificate and allow you to sign the script.

naps1saps:
I have it in personal and trusted root and trusted publisher. Looking at that last link I'm fairly convinced I need to export a PFX and not a CER. I think I did have a PFX imported at first that didn't work but it wasn't a code signing cert specifically. I'll take another look so thanks for pointing me in a direction.
Alex:
As I understand, the major difference is that private key should be present. You should be able to check it using this guide: https://knowledge.digicert.com/quovadis/ssl-certificates/ssl-general-topics/how-do-i-know-if-my-certificate-has-the-private-key-attached-within-windows.html
naps1saps:
I'm not able to export the private key from the server so maybe I need to go back to step 1 and create a new cert that allows PFX export? I used the method of going to HTTPS://%ServerFQDN/certsvr and requested a new cert > advanced > code signing > add BASE64 request string I can't remember where I got it from > download but no PFX option or export from root CA MMC.
Alex:
Disclaimer: I'm not a pro here. Having said that, I'm still convinced you need the private key. And be aware that the CA server usually will *not* store the private key; that's how cryptography works. You *create* a pair (private key + public key) on your developer machine, then you sign the software with your *private* key, and then you distribute your *public* key across your audience so that they can verify the software. Hence, there's no need for the CA server to store the private key - it doesn't require it, end of story. Does MMC on the CA show that the certificate contains a private key?
naps1saps:
If I go to the local machine and request a certificate I checked show all templates and code signing shows up but is unavailable. I think I need to go through this like you're saying and skip the server so I'll focus on getting through that. I might need to sign in with my elevated credentials to get this to work. Thanks again.
Alex:
Dear @naps1saps, kindly note that I'm not an expert, just a blind guesser here unfortunately :( I am very sorry if my proposals will actually just divert you from your goal, but that is quite possible, please keep that in mind and assess my assumptions from your side as well. Best luck in your quest, please publish an answer here once you get a solution)
naps1saps:
I got it now. I didn't notice there was a specific certificate MMC for both user and computer. I was able to get the certificate added with the user MMC. Thanks again for pointing me in that direction. Edited your answer to give you credit.
naps1saps:
Well I'm closer but now I'm having problems getting VBA to save the signed state to the project file. Very frustrating.
Alex:
Glad to hear you were able to make it!) For the next issue, it might be good to create a separate question.
naps1saps:
I got it now. You have to compile the project before it will save the signed state. I love how Microsoft's own documentation does not say this is needed but instead at the end recommends it.
Alex:
Congratulations! Thanks for sharing, it might help someone one day)
Alex:
And just to add here: see, signing something is actually freezing it in its current state, completely. Even if you change one bit, the signature is void. That's probably the reason why you have to compile first, and then only sign - to avoid any errors or modifications afterwards.
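
A read-only check of the conditions raised in the answers and comments above (current-user Personal store, private key present, Code Signing usage, still within its validity period), added here as an example and not code from any poster. The `Candidate` column and the variable names are this example's own; it only reads the two Personal stores and changes nothing.

```powershell
# Added example (not from the thread): report, per certificate, the properties
# the answers above point at when the VBA editor finds nothing to sign with.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # OID of the Code Signing enhanced key usage
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
$now = Get-Date

$report = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Collect the EKU OIDs from the certificate's EKU extension, if it has one.
        $ekuOids = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        $inUserStore    = $store -like 'Cert:\CurrentUser\*'
        $hasCodeSigning = $ekuOids -contains $codeSigningOid
        $inValidity     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Store          = $store
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            CodeSigningEku = $hasCodeSigning
            # Assumption of this example: all four conditions from the thread hold.
            Candidate      = $inUserStore -and $cert.HasPrivateKey -and
                             $hasCodeSigning -and $inValidity
        }
    }
}

# Certificates meeting every condition sort to the top.
$report | Sort-Object Candidate -Descending | Format-Table -AutoSize
```

A certificate imported from a .cer file shows `HasPrivateKey` as `False`, which is the PFX-versus-CER point made in the comments.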