I have been working in VBA for Microsoft Office 2007 lately. And if you haven’t used it yet, I can tell you there have been significant changes in macro / VBA security versus Office 2003.
Basically, getting a VBA macro / module that hasn’t been digitally signed to run in Word 2007, Excel 2007 or Access 2007 requires the end user to go through a fairly complicated process — if his network’s group policies even allow unsigned macros to run — with many scary warnings against running unsigned code thrown in for good measure.
Tucows will sell a Comodo certificate for $75 per year, or $195 for three years — which, while not cheap, is less than half the cost some certificate authorities charge for a one-year cert, and a significant discount over Comodo’s published prices.
There’s not a lot on the Web about the experience and process of getting a certificate from Comodo, so I thought I would share some advice.
There’s No Privacy In Code Signing
It’s important to note that you can get a code-signing certificate from Comodo, issued in your name, if you aren’t incorporated or want a code-signing certificate for personal use. Many other sites state that Comodo will not issue code-signing certificates to individuals; that once was the case, but I got my cert as a private individual.
If you apply for a Comodo code-signing certificate as an individual, your name will appear as the publisher, you cannot use an alias or dba name. For example, if your name is Bob Smith, and you do business as The Software Place, your cert will bear the name Bob Smith; it cannot bear the name The Software Place. If you want to use The Software Place as the publisher name, you need to incorporate The Software Place and apply under that corporate name.
That said, if you are a conspiracy theorist, or simply don’t like sharing personal details with others, you won’t like Comodo’s vetting process one bit. This isn’t one of those $30 SSL certificates you can get for your Web site with a smile.
Which serves as a useful segue. A code-signing certificate can’t be used as an SSL certificate; it’s a single-purpose document. The Extended Key Usage extension in the certificate marks it for code signing only, so a Web server presenting it for TLS will be rejected, and an SSL certificate likewise cannot sign code.
Required: A Domain Name Under Your Name
However, in order to get a code-signing cert from Comodo as an individual, you need a domain name that lists you as the contact. The contact records should show the address that will appear on all your vetting documents — more on those shortly — and a real phone number for which you can produce a bill.
You’ll also need an e-mail address within that domain, to communicate with Comodo.
You will want to have the domain name, and its associated e-mail address, ready before you purchase your cert through Tucows.
You can, in theory, use a domain with private registration. Domains By Proxy, for example, will charge you $15 to create an “authorization letter” that will inform Comodo that you are associated with the domain name.
I didn’t go that route, because I have some experience in registrar issues and vetting processes, and know that the key to swift going is to remove as many potential obstacles as possible; an authorization letter is just begging for trouble.
I chose, instead, to cancel my private registration for my domain; create a special e-mail address for Comodo’s correspondence; temporarily correct my contact info, and change my contact records to alternate addresses / delete the e-mail address after I received my certificate.
The Documents You’ll Need
Before you attempt to get a code-signing certificate as an individual, you need to round up some documents. These documents must all bear the same address, and that address must be the same as the address on your domain. This is critical.
The first document you need is identification: either a driver’s license or a passport. You will be asked, via an e-mail from Comodo, for a copy of one shortly after you apply (in my case, about 20 minutes after purchase). You can e-mail a scan of your license to Comodo, or send it via fax.
Note that when Comodo first contacts you for this document, they do so from an unmonitored address; you’ll need to direct your reply to a different e-mail address. This is all described in the message they send to you.
After Comodo gets the copy of your ID, they will later (in my case, the next day) ask, again by e-mail, for three more documents:
- A utility bill, such as a water / gas / electric / tax bill, which bears your name and address. I sent an income tax statement. More on that momentarily.
- A bank statement or check that bears the name and address that will appear on your certificate. I sent a voided check.
- A telephone bill that shows your name and phone number. The phone number needs to be the same as the number on your domain name’s contact record. I sent a Vonage invoice.
I love talking to people I know well on the phone, but I hate speaking to strangers on the phone, and it shows.
My feeling: It’s less rude to make strangers leave a message, and get back to them when I am prepared, than it is to put either of us through my terse on-demand stranger chat, which often comes off as disinterest or annoyance but is actually my having little or nothing to say.
Update, 29 November 2015: I now use MagicJack as my throwaway number. It costs less than $40 per year. I would not recommend it for everyday use: sometimes the phone doesn’t ring when there’s a call; calls are often dropped; quality can be spotty; and it’s a real bandwidth hog. But for taking voicemail messages or a rare call, it works fine.
It took about a day for Comodo to respond to these items; I believe that’s because I sent the income tax notice, rather than a property tax bill, which is what they really meant by “tax bill.” Or, it might be that I was applying for the code-signing cert under the name “Doug Vanderweide,” but some of the documents I supplied use my full name.
Again, the fewer bumps you place in this road, the smoother the ride is going to be.
On Day 3, Comodo sent me an e-mail indicating they would call me. I received that phone call on Day 4, from a woman who asked for me, identified herself and said she would be issuing the certificate within 15 minutes, which she did.
Important Technical Notes
Which brings me to some important technical notes, namely the inevitable “big mistake” that all such ventures must, by their nature, cause me to make.
I would strongly recommend that before you purchase your certificate through Tucows, you visit Comodo’s support site and register for an account, using the e-mail address you will supply to them for your cert.
You can’t send e-mail to Comodo unless you have a support account — even if you are replying to their message — and you can use the support Web site to communicate with Comodo, including the ability to upload your documents through their Web site. (I sent my license to them via e-mail and the remaining documents, I uploaded through the support site.)
Also, you really, really, really want to use Internet Explorer when you purchase your cert and fill out Comodo’s form. Authenticode, Microsoft’s name for its code-signing technology, and the Office VBA signing dialog both look for your code-signing cert in the Windows certificate store (the Personal store that Internet Explorer’s Certificates dialog shows). Firefox keeps its own, separate certificate store, so a cert enrolled through Firefox ends up where Windows tools cannot see it.
I made the mistake of using Firefox, and I’ll explain how to recover from that shortly.
One more really important note: If you intend to create drivers for Vista 64-bit, or create other code that works directly with the kernel, you can’t use a Comodo cert; they aren’t authorized to sell kernel certs. You can find a list of providers who are here.
Purchasing The Certificate
You’ve got your domain name, e-mail address, phone number, phone bill and other identifying documents together; you’ve ensured that they all bear the same address and phone number; you’ve created user accounts at Tucows and Comodo Support.
Now, fire up IE, log in at Tucows, click the Code Signing Certificates link, select the term you want under the Comodo side, and click Next.
You’ll be directed to a payment page. Once your transaction is approved, you’ll be taken to the form that provides Comodo with your registration information. You shouldn’t have to worry about any of the settings there; just provide the minimum information requested, but make sure the information you supply matches your documentation.
Once you’ve completed the form, which is two pages, you’ll get a message from Tucows telling you to await first contact from Comodo — which, again, will be an e-mail requesting your ID.
Installing Your Certificate: Browsers Matter
When you’ve been approved, you’ll receive an e-mail containing a link and retrieval code to get your cert. You must use the same computer used to request the certificate, in order to retrieve it, and you should use the same Web browser.
For example, if you filled out the order form in Internet Explorer and try to retrieve the certificate with Firefox, you may not be able to install the certificate at all. (At least, that’s what Comodo claims; I did not face this issue because I used Firefox for the whole process.)
You simply provide your retrieval key in the form at the link — if the code isn’t filled in for you — and a couple of dialog-box clicks later, you should see the certificate listed under the Personal tab of Start –> Control Panel –> Internet Options –> Content –> Certificates.
You want to back this key up immediately: export the certificate together with its private key as a password-protected .pfx file and keep that file somewhere other than the machine you sign on, because a reinstall or a lost profile takes the key with it. Tech Pro explains how to do so here.
If you’re a dummy like me, and you use Firefox for the ordering process, your certificate will not be installed in the same store used by Internet Explorer; it will go into Firefox’s certificate store.
You should then use the certificate backup (export) feature in Firefox to not only back up your certificate, but to allow you to import the certificate into the Windows store IE uses. Firefox writes the export as a .p12 file; that’s OK, because .p12 is PKCS#12, the same format Windows calls .pfx, and IE can import it just fine. Make sure the export includes the private key; a certificate exported without it can be installed but cannot sign anything.
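The import-and-back-up step above, scripted, as an added example that is not part of the original post. It is PowerShell, run as the user who will sign; the two file paths are placeholders, and the password prompt expects whatever you typed when Firefox exported the .p12. The script imports the file into the Current User Personal store, refuses anything that is not a code-signing certificate or that arrived without a private key, writes a .pfx backup, and then lists what the Windows store now holds.

```powershell
# Added example (not from the original post): move a Firefox-exported
# code-signing certificate into the Windows certificate store that
# Authenticode, signtool and Office VBA signing use, check it, back it up.
# Assumptions: the Firefox export is at $p12Path and the backup goes to
# $backupPath; both paths are placeholders.

$p12Path        = 'C:\certs\comodo-export.p12'   # assumed: Firefox export
$backupPath     = 'C:\certs\codesign-backup.pfx' # assumed: backup location
$codeSigningOid = '1.3.6.1.5.5.7.3.3'            # EKU: Code Signing

$pw = Read-Host -AsSecureString 'Password used when exporting from Firefox'

# Keep the private key on disk (PersistKeySet) and allow it to be exported
# again later (Exportable), otherwise the backup step below would fail.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $p12Path, $pw, ($flags::PersistKeySet -bor $flags::Exportable -bor $flags::UserKeySet)

# A cert is only usable for signing if its Extended Key Usage lists Code
# Signing; an SSL certificate will not, and the tools will ignore it.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekuOids -notcontains $codeSigningOid) {
    throw "Not a code-signing certificate: EKU = $($ekuOids -join ', ')"
}
if (-not $cert.HasPrivateKey) {
    throw 'The .p12 does not contain the private key; re-export from Firefox.'
}

# Current User > Personal is the "Personal" tab in IE's Certificates dialog.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Back up immediately as PKCS#12 (.pfx and .p12 are the same format).
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pw)
[System.IO.File]::WriteAllBytes($backupPath, $pfxBytes)

# Check: list the code-signing certs the Windows store now holds, which is
# what signtool /a and the Office VBA signing dialog will offer you.
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $codeSigningOid
} | Format-List Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```

If the final listing is empty even though the import reported no error, the usual cause is that the export was done without the private key, or that you imported into a different user account than the one Office runs under.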
VBA Signing: You Need To Add Registry Keys
One of the problems with code signing is that once your certificate expires, so does the signature you placed on your code, unless the signature carries proof that it was made while the certificate was still valid. Buy a one-year cert today and sign a program; 366 days later, your cert expires and your code throws the same sort of scary messages about expired certificates you sometimes see on the Web.
That is, unless you timestamp your signatures. When you timestamp, a timestamp server run by the CA countersigns your signature with the current time, so whatever later verifies the code can see that the signature was made while your certificate was valid and keep trusting it after the certificate itself expires. Comodo runs such a server, so in effect Comodo continues to testify to your program’s legitimacy.
Timestamping is a single option in Visual Studio’s and the Windows SDK’s code-signing tool (signtool). It is not exposed anywhere in Microsoft Office 2007’s signing dialog, though; if you want your macros and modules to keep working after your certificate expires, you have to configure VBA timestamping by hand in the registry.
Instructions on how to sign your Office 2007 VBA code can be found at GlobalSign, another certificate authority.
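The registry side of that, scripted, as an added example that is neither the post’s own text nor GlobalSign’s instructions. The value names (TimeStampURL, TimeStampRetryCount, TimeStampRetryDelay under HKCU\Software\Microsoft\VBA\Security) are the ones Microsoft documents for VBA signature timestamping; the timestamp server URL and the executable path are assumptions, so substitute your CA’s published TSA address. Run it as the user who signs in the VBA editor, since the key is per-user.

```powershell
# Added example (not from the original post or GlobalSign): enable
# timestamping for Office VBA project signatures by setting the per-user
# registry values the VBA signing code reads, then read them back, and
# show the equivalent signtool switches for a normal executable.
# Assumptions: $tsaUrl is the CA's Authenticode timestamp server (Comodo's
# address at the time is used here), and $exe is a placeholder path.

$key    = 'HKCU:\Software\Microsoft\VBA\Security'
$tsaUrl = 'http://timestamp.comodoca.com/authenticode'   # assumed TSA URL
$exe    = 'C:\build\MyAddin.exe'                         # assumed path

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# TimeStampURL (REG_SZ): where VBA sends the signature to be countersigned.
New-ItemProperty -Path $key -Name 'TimeStampURL' -Value $tsaUrl `
    -PropertyType String -Force | Out-Null
# Retry count and delay (seconds) if the timestamp server is slow; these
# values are sensible defaults, not mandated ones.
New-ItemProperty -Path $key -Name 'TimeStampRetryCount' -Value 3 `
    -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $key -Name 'TimeStampRetryDelay' -Value 5 `
    -PropertyType DWord -Force | Out-Null

# Check the settings took. The VBA editor reads them the next time you
# sign a project (Tools > Digital Signature); re-sign anything signed before.
Get-ItemProperty -Path $key |
    Select-Object TimeStampURL, TimeStampRetryCount, TimeStampRetryDelay

# For comparison, signtool takes the same server on the command line:
# /t for an Authenticode timestamp, /a to pick the best code-signing cert
# from the Current User store. verify /pa /v reports the timestamp when set.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    & signtool.exe sign /a /t $tsaUrl $exe
    & signtool.exe verify /pa /v $exe
}
```

A signature made before these values were set has no timestamp and will still expire with the certificate, so the check worth doing after a re-sign is to open the project’s signature details and confirm a countersignature with a timestamp is present.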