
How to tell if a digital certificate is trustworthy in Office XP
 

Applies to
Microsoft Office XP

A digital certificate is like a driver's license or passport. In Microsoft Office XP, digital certificates can be used to sign files — such as documents, presentations, and workbooks — and macro projects. When you work with a signed file or macro project, a digital signature can provide another level of authenticity to the file or project. If the entire file is signed, the certificate can help ensure that the file has not been modified since it was signed. Similarly, if the file contains signed macros, the certificate used to sign the macros ensures that they have not been tampered with since they were signed. With signed macros you can also add a macro developer to a list of "trusted sources" so that you can open macros from that source without receiving a warning message.

Reviewing a certificate

When you review a signed file or when you receive a file that contains a signed macro project, it's a good idea to look at the attached certificate to see whether it's valid. You should do this before you decide to trust the document's contents, add a macro developer to your list of trusted sources, or enable macros.

A certificate contains a lot of information. While some of the information may seem overwhelmingly complex, there are a few relatively simple things that you can (and should) check to ensure that the certificate is valid. For example, reviewing the certificate allows you to check for things such as whether the certificate was issued by a reputable organization, whether you know or trust the person to whom the certificate was issued, and whether the certificate was used while it was valid.

Viewing certificates for a file

  1. On the Tools menu, click Options.
  2. Click the Security tab.
  3. Click Digital Signatures.
  4. To view details about a particular certificate, select the name of the signer, and then click View Certificate.

Viewing certificates for a macro project

If your Macro Security setting is set to Medium or High, you will receive a warning before you open files that contain macros signed with suspicious certificates. The warning dialog box allows you to click Details to view the properties of the certificate.

To view certificates for a file that you already have open:

  1. On the Tools menu, point to Macro, and then click Visual Basic Editor.
  2. Use the Project Explorer to select the desired macro project.
  3. In the Visual Basic Editor, click Digital Signature on the Tools menu.
  4. In the Digital Signature dialog box, click Detail to view the details of the certificate.

Note  The Detail button appears only if a digital certificate is attached to the project.

Checking for the red X

A valid certificate has the image of an unblemished certificate in its upper-left corner.

[Image: Digital certificate details]

A certificate with problems shows the image with a red X.

[Image: Digital certificate with a red X]

Certificates are marked with a red X for several reasons, including:

  • The signed file or macro has been tampered with.
  • The certificate was not issued by a trusted certification authority (CA).
  • The certificate was issued without verification (for example, it was offered by a CA as a free, trial download).
  • The certificate was not valid when it was used to sign the file or macros.

Issued by

Certificates can be issued by certification authorities such as VeriSign or E-lock. They can also be issued by organizations, or they can be created by individuals. You should look in the Issued by field to see whether you trust the CA (or the organization or individual) who issued the certificate.

Some CAs issue free, non-validated certificates. This lack of validation is noted in the comments section of the certificate, and is similar to the following:

VeriSign Class 1 CA Individual Subscriber-Persona Not Validated

Certificates created by individuals using the Selfcert.exe tool that ships with Office XP contain comments similar to the following:

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.

As a rule, certificates with comments such as demo, test, or sample in them should not be trusted.

Issued to

Just as you should have a certain degree of trust for the CA who issued the certificate, you should also be aware of the person or organization to whom the certificate was issued.

Validity period

A file or macro project should be signed while a digital certificate is valid. The way to verify the signed date differs depending on whether you're checking a file or whether you're checking a macro.

Verifying the date on which a file was signed

Compare the certificate's validity period to the current date or to the date that you received the file. If the certificate is not valid for either of those times, you may not want to trust the validity of the signature.

Verifying the date on which a macro project was signed

If your Macro Security setting is set to Medium or High, you will receive a warning before you open files that contain macros signed with suspicious certificates. The warning dialog box allows you to click Details to view the properties of the certificate.

  1. Click the Details button.
  2. Look on the General tab of the Digital Signatures Details dialog box.
  3. Under Signer information, review the date listed in the Signing time box.

By clicking View Certificate, you can verify that the certificate was still valid when the file or macro was signed. To do this, click the General tab of the certificate and look at the dates next to Valid from. Compare the date that the file or macro was signed with the Valid from dates in the certificate.

[Image: Digital Certificate Valid From Dates]
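
The review steps above (issuer, comments, and signing time against the validity period), written out as a small Python function. This is an added example and not part of the original article; the CertInfo structure, the function names and the sample values are hypothetical, and the fields are assumed to be copied by hand from the certificate dialog.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Comment phrases the article treats as signs of an unvalidated certificate.
MARKERS = re.compile(r"\b(?:not validated|not trusted|demo|test|sample)\b", re.I)


@dataclass
class CertInfo:
    """Fields copied from the certificate dialog (hypothetical structure)."""
    issued_to: str
    issued_by: str
    comment: str
    valid_from: datetime  # timezone-aware
    valid_to: datetime    # timezone-aware


def review_certificate(cert, signing_time, trusted_issuers):
    """Return reasons to distrust the signature; an empty list means none found."""
    findings = []
    if cert.issued_by not in trusted_issuers:
        findings.append("issuer is not a trusted CA")
    if cert.issued_by == cert.issued_to:
        findings.append("certificate is self-issued")
    hits = sorted({h.lower() for h in MARKERS.findall(cert.comment)})
    if hits:
        findings.append("comment contains: " + ", ".join(hits))
    # The certificate must have been valid when the signature was made,
    # which is a different question from whether it is valid today.
    if not cert.valid_from <= signing_time <= cert.valid_to:
        findings.append("signed outside the validity period")
    return findings


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data; the names and dates are illustrative only.
TRUSTED = {"Example Trusted CA"}
CA_ISSUED = CertInfo("Contoso Ltd", "Example Trusted CA", "",
                     utc(2002, 1, 1), utc(2003, 1, 1))
SELF_MADE = CertInfo("Jane Developer", "Jane Developer",
                     "This CA Root certificate is not trusted.",
                     utc(2002, 1, 1), utc(2008, 1, 1))

if __name__ == "__main__":
    print(review_certificate(CA_ISSUED, utc(2002, 6, 15), TRUSTED))  # in period
    print(review_certificate(CA_ISSUED, utc(2003, 6, 1), TRUSTED))   # signed late
    print(review_certificate(SELF_MADE, utc(2002, 3, 1), TRUSTED))
```

An empty result only means that none of these checks failed; whether you know and trust the person named in Issued to remains a judgment the function cannot make.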
