Download contains expired security certificates—and that's ok

In February, we posted a download that contains a Systems Management Server (SMS) package definition (.sms) file for Office 2007, along with security certificate (.cer) files used for publishing to users’ Trusted Publishers so Office 2007 will automatically trust Microsoft add-ins. We’ve received a TON of negative feedback about the security certificates because they are expired, so I decided to clear things up a bit here.

In a Nutshell

It’s OK that the certificates are expired. In fact, that’s part of the normal process for certs, and you still need the certs to validate the add-ins that were signed with them.

What Happens

Microsoft uses a certificate authority (also called a certification authority, or CA) to sign code, such as the code in various Microsoft Office add-ins. The CA issues a certificate to accompany the code, and that cert is used to validate the code and ensure that it’s safe to use. That’s the whole idea behind using Trusted Publishers in Office 2007. If you change your Add-ins setting to “Require Application Add-ins to be signed by Trusted Publisher,” you can install certificates to your Trusted Publishers so that you don’t get error messages from add-ins from Microsoft or from other companies whose certificates you have installed to Trusted Publishers.

As with any certificate authority (CA), certs from the Microsoft code-signing CA expire from time to time, and the CA uses new certs to sign new code. However, code that was signed with an expired cert remains signed by that expired cert, and that expired cert is still required to validate the signed code. If you only have the most recent certificate from Microsoft installed in your Trusted Publishers, Office 2007 won’t accept it as the cert for add-ins signed with a previous certificate that is now expired—it can’t, because the new cert wasn’t the one used to sign the code.

That’s about as far as I want to go into describing certs and CAs for now (I’m still a little bruised from the last time I set up a PKI). If you really want to delve into the world of certificates and public key infrastructures (PKIs), you can start here.

When You Should Care

By default, installed and registered add-ins are allowed to run without notification, so you probably don't need to read this post. However, if your organization has (or wants to have) higher security standards, read on.

In a higher security context, you have Add-ins set to “Require Application Add-ins to be signed by Trusted Publisher.” (See View or change the add-in security settings for how to do this.)

If the certificate that signed an add-in is not installed to Trusted Publishers, the add-in generates a Security Warning at program start-up:

[Screenshot: Message Bar security warning]

If your users see this warning, they can choose whether to trust the add-ins, as shown in What should I do when a security warning asks if I want to enable or disable an add-in or application extension?.

Best Practice

To avoid generating the above error at all, you can push certificates to the Trusted Publishers locations on client computers. That is what the download in question was designed to help you to do.

The best thing to do, however, is to determine which certs you need and create and install them yourself, instead of just installing the certs that are in the download. This way, you catch all the certs from all add-ins, including those from companies other than Microsoft and those published by Microsoft after 2007.

1. Start at your test machine or at a client computer that has a typical configuration for your organization, including any add-ins that your users need. In the Trust Center, set Add-ins to Require Application Add-ins to be signed by Trusted Publisher (if it hasn’t already been set). To do this, click the Office Button, Word Options, Trust Center, Trust Center Settings, Add-ins, Require Application Add-ins to be signed by Trusted Publisher.

2. Exit and re-start Word. You will see a Security Warning bar saying Application add-ins have been disabled.

3. Disable SmartTags: Click Office Button, Word Options, OK. The Security Warning bar now says Some active content has been disabled. Click Options on this bar. (If you do not disable SmartTags with this step, you will get a different window from which you won’t be able to install certificates.)

4. Install certificates: A window appears saying Security Alerts – Multiple Issues. For each add-in that shows a valid digital signature, select Show Signature Details. In the Digital Signature Details window, select View Certificate. In the Certificate window, select Install Certificate. In the Certificate Import Wizard, click Next. Select Place all certificates in the following store. Click Browse, then select Trusted Publishers and click OK. Click Next, then click Finish. This installs the certificate to Trusted Publishers.

5. Create certificate files to distribute: In Trusted Publishers (click Office Button, Word Options, Trust Center, Trust Center Settings, Trusted Publishers), you can view the certificates you just installed. Do this for each certificate: Double-click the certificate. In the Certificate window, select the Details tab. Click Copy to File…. In the Certificate Export Wizard, click Next. Click Next again to accept the default file format, type in a filename and select a location to store the file, and click Finish.

6. Use the resulting files to configure Trusted Publishers settings (see next heading).
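If you would rather script steps 4 and 5 than click through the wizards, here is an added example (my own illustration, not part of the download) that reads the signer certificate off each add-in file, reports whether it has expired and whether it is already in the current user's Trusted Publishers store, and exports it as a DER-encoded .cer file. It assumes $AddInFiles holds the paths of your add-in binaries (the path shown is a placeholder) and $OutDir is the folder you will distribute from.

```powershell
# Added example: export the signer certificates of add-in binaries to .cer files.
# $AddInFiles is a hypothetical list; replace it with the add-ins on your reference machine.
$AddInFiles = @(
    'C:\Program Files\Microsoft Office\Office12\ADDINS\example-addin.dll'   # placeholder path
)
$OutDir = 'C:\TrustedPublisherCerts'   # assumed output folder
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Thumbprints already present in this user's Trusted Publishers store
$alreadyTrusted = Get-ChildItem Cert:\CurrentUser\TrustedPublisher | ForEach-Object { $_.Thumbprint }

foreach ($file in $AddInFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.SignerCertificate -eq $null) {
        Write-Warning "$file : no signer certificate (status $($sig.Status)); nothing to export"
        continue
    }
    $cert = $sig.SignerCertificate

    # An expired signer cert is normal (see the post): the file stays signed by it,
    # and this is still the cert you must distribute to Trusted Publishers.
    $expired = $cert.NotAfter -lt (Get-Date)
    $trustState = if ($alreadyTrusted -contains $cert.Thumbprint) { 'already in Trusted Publishers' }
                  else { 'NOT in Trusted Publishers' }
    "{0}`n  Status : {1}`n  Signer : {2}`n  Expires: {3} (expired: {4})`n  {5}" -f `
        $file, $sig.Status, $cert.Subject, $cert.NotAfter, $expired, $trustState

    # Export as DER-encoded binary X.509, the same format the Certificate Export Wizard uses by default.
    $outFile = Join-Path $OutDir ("{0}.cer" -f $cert.Thumbprint)
    if (-not (Test-Path $outFile)) {
        $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [IO.File]::WriteAllBytes($outFile, $bytes)
        "  Exported to $outFile"
    }
}
```

The exported files carry only the public certificate (a .cer has no private key), so they are safe to place on a share for distribution.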

Configure trusted publishers settings with the OCT

Follow this procedure to use the Office Customization Tool (OCT) to add trusted publishers to the trusted publishers list. You cannot use the Office 2007 Administrative Templates to add trusted publishers to the trusted publishers list. To add a trusted publisher to the trusted publishers list, you must have the digital certificate (.cer file) that the publisher used to sign their ActiveX control, add-in, or macro. For more information about how you can obtain a publisher's digital certificate, see Plan trusted locations and trusted publishers settings for the 2007 Office system.

  1. In the left pane of the OCT, click Office security settings.

  2. In the details pane, under Add the following digital certificates to the Trusted Publishers list, click Add.

  3. In the Add Digital Certificates dialog box, click the digital certificate that you want to add and click Add.
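If you push the .cer files with a logon script instead of the OCT, the following added example (my own illustration, not Microsoft's tooling) imports every .cer file from a share into the Trusted Publishers store and skips certificates that are already there. It assumes $CertShare is a hypothetical UNC path holding the exported files; 'CurrentUser' matches what the Certificate Import Wizard in the post does, while 'LocalMachine' needs an elevated session.

```powershell
# Added example: import .cer files into the Trusted Publishers certificate store.
$CertShare     = '\\fileserver\deploy\TrustedPublisherCerts'   # placeholder path
$StoreLocation = 'CurrentUser'                                  # or 'LocalMachine' (requires elevation)

$store = New-Object Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', $StoreLocation)
$store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    foreach ($cerFile in Get-ChildItem -Path $CertShare -Filter *.cer) {
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($cerFile.FullName)

        # Match on thumbprint so the same publisher cert is never added twice.
        $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($present.Count -gt 0) {
            "{0}: already trusted ({1})" -f $cerFile.Name, $cert.Subject
            continue
        }

        # Expired certs are added on purpose: add-ins signed with them still need them (see the post).
        $store.Add($cert)
        "{0}: added {1}, valid until {2}" -f $cerFile.Name, $cert.Subject, $cert.NotAfter
    }
}
finally {
    $store.Close()
}
```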

- Andrea Weiss