SSL certificate maximum validity is being reduced to 200 days from March 2026. Read more →

SSL Certificates

Cheap SSL DV SSL Wildcard SSL Multi-Domain (SAN) OV & EV SSL

Specialty Certificates

Code Signing Document Signing Email / S/MIME VMC / BIMI
In effect now Certificate Lifetime

Automation

Overview Auto DNS FairSSL vs Let's Encrypt

Platforms

Windows Setup Linux & Kubernetes Appliances ACME Clients

Tools

SSL Scanner Certificate Decoder CAA Generator

Guides

Windows Server Linux & Open Source All guides

Company

About Us Contact Installation Service
News

Language

Dansk Svenska English

Currency

Login Create Account

Code Signing certificate for Office macros

Sign VBA macros in Excel, Word and PowerPoint with a Code Signing certificate. Remove security warnings when users open macro-enabled documents. Distribute signed macros across your organisation via Group Policy.

Both OV and EV Code Signing certificates work for Office macro signing. OV is the obvious choice, since EV provides no additional benefit for VBA signing.

See products ↓ Compare all key storage options →

What is Office macro signing?

VBA code signing applies an Authenticode signature to VBA projects in Office documents. When a macro is signed with a certificate that is trusted via Trusted Publishers, Office runs the macro without warnings or prompts.

Signed macros can be trusted via Group Policy without lowering macro security settings. IT administrators add the certificate to the Trusted Publishers store via GPO, and all machines in the domain then trust macros signed with that certificate.

Since June 2023, all Code Signing certificates (OV and EV) require HSM-backed key storage. You can use a USB token, Azure Key Vault, Google Cloud KMS, or AWS CloudHSM.

Supported file types

.xlsm (Excel).docm (Word).pptm (PowerPoint).xlam (Excel add-in).dotm (Word template).potm (PowerPoint template).accdb (Access)

All macro-enabled Office file types support VBA code signing via Authenticode.

32-bit requirement

Office VBA signing requires 32-bit signing tools. Even on 64-bit Windows, the VBA host uses 32-bit components. Use the correct architecture for your signing tool.

  • AzureSignTool: Install the x86 .NET runtime. Use the 32-bit version of AzureSignTool.
  • signtool.exe: Use the x86 version from the Windows SDK (typically C:\Program Files (x86)\Windows Kits\10\bin\...\x86\signtool.exe).
  • Jsign: Java-based and cross-platform. Works on any architecture without 32-bit requirements.

Self-signed vs CA-issued certificate

Self-signed certificate

  • Free to create
  • No identity validation
  • Must be manually distributed to each machine
  • Not trusted by default
  • Fine for personal use and internal testing

CA-issued certificate (FairSSL)

  • Trusted by Windows out of the box
  • Company name in the signature
  • Deploy once via Group Policy
  • Works across organisations
  • Required for distribution to external parties

Distribution via Group Policy

IT administrators can add the Code Signing certificate to the Trusted Publishers store via GPO. All machines in the domain then trust macros signed with that certificate, without lowering the macro security level.

1

Sign your VBA macros

Use signtool.exe (x86), AzureSignTool, or Jsign to sign the VBA project.

2

Export the public certificate

Export the certificate without the private key (.cer file).

3

Create GPO

Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Trusted Publishers.

4

Import the certificate

Import the .cer file into Trusted Publishers via GPO. All domain computers now trust signed macros.

Step-by-step guide to signing Office macros

We have a complete guide with commands and screenshots for signing VBA macros with signtool.exe, AzureSignTool, and Jsign.

Read the guide →

Related pages: USB Token | Azure Key Vault | Google Cloud KMS | AWS KMS | Office Macros | Compare all →

Code Signing certificates for Office macros

OV Code Signing

DigiCert

DigiCert CodeSign OV

OV

DigiCert OV Code Signing. Works for Office VBA signing.

from €475 /year See details →
GlobalSign

GlobalSign CodeSign

OV

GlobalSign OV Code Signing. Works for Office VBA signing.

from €375 /year See details →

EV Code Signing

DigiCert

DigiCert CodeSign EV

EV

DigiCert EV Code Signing. Office macros + kernel drivers.

from €740 /year See details →
GlobalSign

GlobalSign CodeSign EV

EV

GlobalSign EV Code Signing. Office macros + instant SmartScreen trust.

from €428 /year See details →
See all products with prices →

Frequently asked questions about Office macro signing

Find answers to the most common questions about SSL certificates and FairSSL.

Yes. Both OV and EV work. EV provides no additional benefit specifically for Office macros. OV is the obvious choice.
Yes, all Code Signing certificates require hardware-backed key storage. You can use a USB token, Azure Key Vault, or Google Cloud KMS.
No. VBA code signing with Authenticode is only supported in Office for Windows. Office for Mac ignores Authenticode signatures.
Timestamped signatures remain valid after expiry. Always use an RFC 3161 timestamp server when signing, and your signatures will remain valid indefinitely.
Yes. A Code Signing certificate can sign both Authenticode (EXE, DLL, MSI) and VBA macros. You do not need separate certificates.

Ready to sign your Office macros?

Create a free account and issue your first certificate in under 10 minutes.

Create free account Compare certificates