[AccessD] CAcert: Code signing certificates. Digital Certificates

MartyConnelly martyconnelly at shaw.ca
Sat Feb 12 15:14:53 CST 2005


Here are some of my notes from about 6 months ago when I putzed about with this.
What made me throw up my hands on certificates for signing code for now (note: not the same as digital signature certificate signing for electronic documents or email; this can be handled by a net admin install of server software or the signcode.exe wizard from the url below) is the deployment of certificates. It quickly becomes OS and network specific as to how to handle certificate stores across a domain. Maybe someone has come across an article as to how to do this from a bird's eye view. I have seen bits and pieces of code that can read certificate stores via VBA or VBS, but they require access to ADSI, LDAP or domains. Maybe SageKey has a generic handler.
It also seems each new OS has different methods of handling and building certificates, i.e. Win 2003 Server has an installable type of certificate server.
Also you may need new certificates in as little time as 12 months.
----------------------------
Assuming you are not going to spring $400 for a Veritas 2 year certificate, and 'Class 2' certificates for individual developers are unobtainable, as no CA (Certificate Authority) currently sells them.

I never got as far as network deployment. Selfcert won't work; you need makecert.
Don't know if you can get a makecert certificate into a list of trusted publishers.

This was done on WinXP home.

I got it working standalone with this makecert call.
Since I have a standalone version of Access 2003, I had to download makecert from here; the standalone version of 2003 doesn't have makecert installed.

http://support.microsoft.com/default.aspx?scid=kb;en-us;828407

I created certificates with these parameters in Start-->Run:

C:\Security\Makecert\codesigningx86\makecert -sk SelfSignedCerts -n "CN=MyCert" -b 01/01/2003 -e 01/01/2009 -ss My -r -eku 1.3.6.1.5.5.7.3.3

or: use makecert.exe with the "-pe" option to create and store the certificate with an exportable private key. This may be necessary for network deployment, but "-pe" is only available with makecert.exe version 5.131 or higher.

makecert -r -pe -n "CN=Your Name" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -ss My

Then you can export the certificate from the certificate store, 
including the private key.


After install of the certificate, see it listed on the Trusted Root Certification Authorities tab in the Certificates window (Control Panel --> Users --> Advanced).

Forgotten how to attach to the mdb, but it should be here in the url below.
To set the security level: it's under Tools --> Macro --> Security.

Here is a description of how to sign a VBA project with a certificate:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/odeopg/html/deovrsigningvbaproject.asp 

and
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/makecert.asp 


Two caveats:
You need the Jet 8 SP installed to stop squawking messages about unsafe SQL expressions.
Setting security to Low and then running the macro does not register the certificate in the trusted sources list.

Security must be set to Medium or High before any certificates are posted to the Trusted Publishers list. In cases where security is set to High on all computers, a Selfcert.exe-signed macro can be deployed, but it does not have a secure enough certificate level for use by other users who are running with the High security level. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.
Theoretically, you could tell your clients to use selfcert to create a certificate on each workstation, but even if they were willing to do this, your db security may prevent them from opening the VBA project to add a digital certificate.

If you are developing in-house applications, talk to your network administrator. Using Certificate Server on Windows 2000/2003 Server, an administrator can create a certificate that will be valid across the domain.
Also, to see if a personal certificate is installed properly, run certmgr.exe.

This is supposed to work, but I never got this far, since I couldn't find out how to network deploy a makecert certificate.
This assumes Jet SP8 is installed.

2. Before you create the MDE file, go to Modules, open one and in VB assign a digital certificate to it.
3. Make the MDE.
4. Open the app on the user's PC; when it asks if you want to block unsafe expressions, answer yes.
5. The next window should tell you that there is a Digital Certificate. Click on Advanced and install the certificate.
6. Open the database.
7. Close the database and reopen it. You should now have the option of checking the box to always trust apps with this digital certificate. Check that and open the database.
8. Close the database and reopen it. It should open without any prompts; at least mine do now.




--------------------------------------------------------------
A couple of other ways around this.

Getting your network guy to change the following registry setting should help you change the security level of the macro in Access 2003. He should be able to change this globally across the network for each client PC; there is even a way to do this from Access VBA code using WMI with proper network permissions.

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Access\Security\Level

If the value is 1, then the macro security of Access 2003 is set to low.
If the value is 2, then the macro security of Access 2003 is set to medium.
If the value is 3, then the macro security of Access 2003 is set to high.

WARNING: If you use Registry Editor incorrectly, you may cause serious 
problems that may require you to reinstall your operating system. 
Microsoft cannot guarantee that you can solve problems that result from 
using Registry Editor incorrectly. Use Registry Editor at your own risk.

Gustav Brock wrote:

>Hi Marty et all
>
>As a comment, I can recommend those interested in this topic to read up
>the links to Microsoft provided by 
>Marty.
>
>/gustav
>
>>>>martyconnelly at shaw.ca 11-02-2005 19:19:45 >>>
>Are you doing this just to get around macro security or do you really want to sign them?
>SageKey installs have a method of removing macro security.
>
>There are a lot of ifs, buts and ands to this.
>
>Cause you will have to get around locked down users getting the certificates into their own personal certificate store.
>Certificates expire, some in 12 months.
>
>for Medium and High Access 2003 security, if you add the author to the list of Trusted Publishers. It turns out though that you cannot add a self-signed certificate to the list of Trusted Publishers on any machine other than the one where it was created. So this is hardly an option for application deployment, after all.
>
>Does CAcert produce a level 2 or 3 certificate? I think Verisign only produces level 3?
>
>If the mdb file will be used within an organization, use Windows Certificate Services from the server?
>So you don't need a 3rd party certificate in the above case.
>
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/odeopg/html/deovrsigningvbaproject.asp
>
>http://office.microsoft.com/en-us/assistance/HA011225981033.aspx 
>http://office.microsoft.com/en-us/assistance/HP010397921033.aspx 
>
>What I have been doing is using a vbs script file in the opening shortcut to the mdb:
>
>Const cDatabaseToOpen = "C:\<FileToOpen>.mdb"
>
>On Error Resume Next
>Dim AcApp
>Set AcApp = CreateObject("Access.Application")
>If AcApp.Version >= 11 Then
>    AcApp.AutomationSecurity = 1 ' msoAutomationSecurityLow
>End If
>AcApp.Visible = True
>AcApp.OpenCurrentDatabase cDatabaseToOpen
>If AcApp.CurrentProject.FullName <> "" Then
>    AcApp.UserControl = True
>Else
>    AcApp.Quit
>    MsgBox "Failed to open '" & cDatabaseToOpen  & "'."
>End If
>
>
>
>Gustav Brock wrote:
>
>>Hi all
>>
>>I'm not that much into certificates, but will those from CAcert:
>>
>> https://www.cacert.org/ 
>> Code signing certificates
>>
>>do as Digital Certificates for Access 2003?
>>
>>/gustav
>>
>

-- 
Marty Connelly
Victoria, B.C.
Canada
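An added check, not part of the original thread, that audits the result of the makecert and registry steps discussed above from the defender's side: it reads the Access 2003 macro security level from the registry key Marty names, and inspects a certificate in the user's My store for the code-signing EKU 1.3.6.1.5.5.7.3.3, its validity window (the thread notes certificates can expire in 12 months), whether it has a private key, and whether it is present in Trusted Publishers. It assumes Windows PowerShell 5.1; the subject "CN=MyCert" is taken from the makecert call quoted above and is a placeholder to replace with your own.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, the OID passed to makecert -eku
$Subject        = 'CN=MyCert'           # assumption: subject used in the makecert call above

function Get-AccessMacroSecurityLevel {
    # Reads HKCU\Software\Microsoft\Office\11.0\Access\Security\Level (1=Low, 2=Medium, 3=High).
    $key  = 'HKCU:\Software\Microsoft\Office\11.0\Access\Security'
    $item = Get-ItemProperty -Path $key -Name Level -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (Access 2003 default applies)' }
    switch ([int]$item.Level) {
        1 { 'Low' } 2 { 'Medium' } 3 { 'High' }
        default { "unknown ($($item.Level))" }
    }
}

function Test-CodeSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Locate the Enhanced Key Usage extension and look for the code-signing OID.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = $false
    if ($eku) {
        $hasCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
    }
    $now = Get-Date
    $trusted = Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }
    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        HasCodeSigning   = $hasCodeSigning
        SelfSigned       = ($Cert.Subject -eq $Cert.Issuer)      # makecert -r produces a self-signed cert
        HasPrivateKey    = $Cert.HasPrivateKey                   # required to sign the VBA project
        ValidNow         = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        DaysLeft         = [int]($Cert.NotAfter - $now).TotalDays
        TrustedPublisher = [bool]$trusted                        # only here does Medium/High stop prompting
    }
}

"Access 2003 macro security level: $(Get-AccessMacroSecurityLevel)"
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject } |
    ForEach-Object { Test-CodeSigningCert $_ } |
    Format-List
```

A certificate that reports HasCodeSigning=False or TrustedPublisher=False explains the prompts described in the thread before any deployment work is attempted.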