Q & A: Can a digital signature remain valid even after the certificate expires?


Q: Is it possible to have a signature valid even after the certificate expires? I sign Excel 2007 Macros (and other Office documents) and would like to obtain a timestamp so that the digital signature remains valid even after the certificate expires.

A: Yes. A certificate simply states that the code was signed when the signature was valid, and therefore, the signature remains valid as long as you still trust the original signer. It allows you to avoid having to redistribute a whole solution just because the signature expired. There is no requirement for the certificate to be purchased again. For more information, see Signing Macros Digitally to Verify the Source.

– Andrea Weiss

Comments (3)

  1. You’re right – I should have noted that the signature needs to be timestamped in order to be considered valid after the cert expires. Thank you for adding the information on how to set up timestamping!

    I appreciate this feedback, because it may inspire a new article for the Office Resource Kit. 🙂

    Thanks!

    Andrea

  2. David Wood says:

    I believe Andrea’s answer is likely to be wrong. Usually a digital signature on a piece of code (including VBA and Macros) is only regarded as valid after the certificate has expired if there’s a countersignature from a trusted timestamping authority.

    Even in Office 2007, there’s no user interface to set up timestamping – but it is possible to do. Cut and paste the following into a .reg file, then double click it to import it into your Registry – it sets up timestamping with VeriSign.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\VBA\Security]
    "TimeStampURL"="http://timestamp.verisign.com/scripts/timstamp.dll"
    "TimeStampRetryCount"=dword:00000003
    "TimeStampRetryDelay"=dword:00000005
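To make the distinction drawn in the comment above concrete, here is an added example (not part of the original post, and not Office's own code) that models how a verifier decides whether a code signature is still valid once its certificate has expired: without a countersignature it can only compare the certificate against the current clock, while with a trusted timestamp it compares against the asserted signing time. The Certificate and Signature classes, the revocation check and the sample dates are constructed assumptions, not the real Authenticode implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed model of the rule in the comment above; it is not the real
# Authenticode / WinVerifyTrust implementation.

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # None means never revoked

@dataclass
class Signature:
    signer: Certificate
    # Time asserted by a trusted timestamping authority's countersignature,
    # or None when the signature was never timestamped.
    timestamp: Optional[datetime] = None

def signature_valid(sig: Signature, at: datetime) -> Tuple[bool, str]:
    """Evaluate a signature at verification time `at`; returns (valid, reason)."""
    cert = sig.signer
    # Without a timestamp the verifier only has its own clock to compare
    # against, so the certificate must be valid right now.
    effective = sig.timestamp if sig.timestamp is not None else at
    if effective < cert.not_before:
        return False, "signing time precedes certificate validity"
    if effective > cert.not_after:
        if sig.timestamp is None:
            return False, "certificate expired and no trusted timestamp"
        return False, "timestamp lies after certificate expiry"
    if cert.revoked_at is not None and effective >= cert.revoked_at:
        return False, "certificate already revoked at signing time"
    if sig.timestamp is None:
        return True, "certificate currently valid"
    return True, "timestamp proves signing during validity; later expiry is fine"

# Constructed sample data: a one-year certificate, and one revoked mid-term.
CERT = Certificate("Example Publisher (constructed)", utc(2007, 1, 1), utc(2008, 1, 1))
REVOKED = Certificate("Leaked key (constructed)", utc(2007, 1, 1), utc(2008, 1, 1),
                      revoked_at=utc(2007, 3, 1))
```

Checking the same signature in 2009 shows the difference: the untimestamped one fails once the certificate expires, the timestamped one stays valid, and a timestamp that falls after expiry or after revocation does not help.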