In short
To sign a VBA macro, open the VBA editor (Alt+F11), go to Tools → Digital Signature, and choose a code signing certificate from your Windows certificate store. The signature is stored inside the file, so it travels with the workbook or document and proves who wrote the macros and that they haven't changed. One thing signing does not do: it won't clear the red "Microsoft has blocked macros" banner on files from the internet — that block keys off where the file came from, not whether it's signed.
Signing an Office macro sounds like it should be one checkbox, and the signing part almost is. What turns it into an afternoon is everything around it: which certificate Office will actually accept, a timestamp setting with no button anywhere in the interface, a trusted-publisher step that decides whether anyone but you can run the macro without a prompt, and — since 2022 — a separate internet-macro block that a signature can't touch. This guide walks the whole path in order, so you know not just how to sign but why a correctly signed macro sometimes still refuses to run.
What signing a VBA macro does
Signing a VBA macro attaches an Authenticode signature to the VBA project — the code behind your document, not the document's visible content. Office hashes the project, signs that hash with your certificate's private key, and stores the signature inside the file itself. When someone opens the file, Office re-checks the signature against the code and asks two questions: does the hash still match (has the code changed?), and do I trust the publisher who signed it?
This is the same Authenticode mechanism that signs Windows executables — the SignTool guide covers that side — applied to the macro code rather than a program file. One consequence catches people out: because the signature is a hash of the project, any change to the code voids it. Add a module, rename a variable, import a userform, and Office quietly treats the project as unsigned again. Sign last, once the code is frozen.
Signing the macro is not signing the document
A macro signature vouches for the code. It says nothing about the cells, paragraphs, or slides around it — those can be edited without disturbing it. If what you actually need is a provably authentic contract or report, that's a document signing certificate, a different tool for a different job. A file can carry both.
What you need before you sign
One thing: a certificate with the code signing purpose, visible to Windows with its private key. Which kind you need comes down to a single question — who has to run the macro without being warned? Your own machine, machines inside your organization, and machines out in the world each answer that differently.
- Just your own machine: Office ships a tool for this. Run
SelfCert.exefrom the Office program folder — its Start-menu name is "Digital Certificate for VBA Projects" — and it creates a self-signed certificate in a couple of clicks. The macro then counts as signed, but only where you've manually added that certificate to Trusted Root Certification Authorities and Trusted Publishers. Perfect for a personal spreadsheet; a dead end for distribution. - Inside one organization: a code signing certificate from your internal CA (Active Directory Certificate Services, usually) verifies on every domain-joined machine automatically, because they already trust the internal root. This is the standard setup for IT teams that enforce signed macros through Group Policy.
- Files that leave your organization: you need a certificate from a publicly trusted CA, issued to a validated identity. My-SSL carries Certum standard and EV code signing certificates that sign VBA projects the same way they sign an EXE; the validation paperwork is listed in the required documents guide.
Publicly trusted keys live on hardware now
Under CA/Browser Forum rules in force since June 1, 2023, publicly trusted code signing certificates ship with the private key on a certified USB token, smart card, or cloud HSM — not as a .pfx file you copy around. For VBA signing this changes little in practice: once the token's middleware is installed, the certificate shows up in the VBA editor's Digital Signature dialog like any other, and signing prompts for the token PIN instead of a password.
Sign the project in the VBA editor
All the signing happens in the VBA editor, and the steps are identical in Word, Excel, PowerPoint, and the rest. Freeze the code first — remember that a later edit voids the signature — then work through the dialog.
1. Open the file, then press Alt+F11 to open the VBA editor.
2. In the Project Explorer, click the project you want to sign
(the entry named after your file, e.g. VBAProject (Report.xlsm)).
3. Go to Tools -> Digital Signature.
4. Click Choose..., pick your code signing certificate, click OK.
5. Click OK again to apply the signature.
6. Save the file. Macro-enabled formats only:
Excel -> .xlsm Word -> .docm PowerPoint -> .pptm
(Saving as plain .xlsx / .docx strips the macros and the signature.)If the certificate list in step 4 is empty, Windows can't see a certificate that has both the code signing purpose and an available private key — jump to troubleshooting below. And watch the save format in step 6: the single most common way people lose a freshly applied signature is saving back to a macro-free format, which discards the whole VBA project on the way out.
Timestamp the signature (there's no button)
A timestamp has a trusted authority record when you signed. Without one, every macro you've signed stops verifying the day your certificate expires; with one, the signature stays valid because it's judged against the certificate's validity at signing time, not today. The catch in Office is that the VBA editor has no timestamp option anywhere. You turn it on through the registry, and from then on the editor timestamps automatically.
Key: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security
TimeStampURL REG_SZ http://time.certum.pl
TimeStampRetryCount REG_DWORD 3
TimeStampRetryDelay REG_DWORD 3
# After this, every signature the VBA editor applies is timestamped.
# Existing signatures are not touched -- re-sign to add a timestamp.One important detail decides whether this works: the VBA signing path uses the older Authenticode timestamp protocol, not the RFC 3161 protocol that SignTool's /tr flag speaks. So the URL here must be a legacy Authenticode endpoint. Certum's http://time.certum.pl answers it; if you pick a URL that only supports RFC 3161, the editor signs the project but silently skips the timestamp. Our timestamping explainer covers the difference between the two protocols and why a timestamp keeps old signatures alive.
Make it run for other people
A signed macro doesn't run itself. Two things on the reader's machine decide what happens: the Trust Center macro setting, and whether your publisher is trusted. The setting that makes signing worthwhile is Disable all macros except digitally signed macros, found under File → Options → Trust Center → Trust Center Settings → Macro Settings. Under it, unsigned macros are blocked and macros from a trusted publisher run without a word.
Becoming a "trusted publisher" is the second half. The first time someone opens your signed file, Office shows a security prompt naming you and offers to trust all macros from this publisher. Accepting it copies your certificate into that machine's Trusted Publishers store, and every file you sign afterward runs silently. For one or two colleagues that click is enough; across an organization, IT pushes your certificate to Trusted Publishers with Group Policy — Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Publishers — so no one is ever prompted.
This is also where a publicly trusted certificate earns its keep. A self-signed one has to be installed as trusted on every machine by hand; a CA-issued certificate chains to a root the machine already trusts, so only the one-time publisher prompt stands between the reader and a silently running macro.
Why a signed macro can still be blocked
Here's the part that sends people hunting for a certificate when a certificate isn't the fix. Since 2022, Office blocks macros in files that came from the internet — by default, across Word, Excel, PowerPoint, Access, Visio, and Publisher on Windows. When it triggers, the user sees a red banner: "Microsoft has blocked macros from running because the source of this file is untrusted." There's no Enable Content button. And a valid signature from a publisher the machine trusts does nothing to lift it.
The reason is that this block keys off the file's origin, not its signature. Windows tags files that arrive from browsers, email, and messaging apps with a Mark of the Web, and the macro block reacts to that tag before it ever looks at who signed the code. Signing answers "who wrote this?"; the Mark of the Web is about "where did this come from?" — two separate questions, and only the second one draws the red banner.
That means the fix is about provenance, not signing. To let a macro from the internet run, either remove the Mark of the Web — right-click the file, open Properties, and tick Unblock — or open the file from a Trusted Location, a folder Office treats as exempt from the check. Organizations often distribute macro-enabled files through a share configured as a Trusted Location for exactly this reason. Signing still matters once the file is past the block: it's what carries the macro from "the user has to enable it" to "it runs because they trust you."
Common errors and fixes
Almost every failed attempt is one of five things: no certificate to pick, a lost signature after saving, the red internet banner, a signed macro that still prompts, or a signature that "expired." Match your symptom.
The Digital Signature dialog shows no certificate to choose
Windows can't see a certificate that combines the code signing purpose with an accessible private key. Usual causes: the certificate was imported without its key, an SSL certificate is being pressed into service (wrong key usage — it won't appear), or the USB token is unplugged or its middleware isn't installed, so the key is invisible. Check the user's Personal store in certmgr.msc.
The signature vanishes after I save
You almost certainly saved to a macro-free format. A workbook saved as .xlsx (or a document as .docx) has its entire VBA project stripped out, signature included. Save as .xlsm, .docm, or .pptm. If the signature drops even in a macro-enabled format, you edited the code after signing — re-sign.
"Microsoft has blocked macros from running…" (red banner)
Not a signing problem — the file carries a Mark of the Web. No certificate clears this banner. Remove the mark (right-click → Properties → Unblock) or open the file from a Trusted Location. See the section above for why signing and the Mark of the Web are separate checks.
The macro is signed but users still get a yellow prompt
The signature verified, but your publisher isn't trusted on that machine yet. The user can pick "Trust all documents from this publisher" once to stop the prompts, or IT can push the certificate to Trusted Publishers by Group Policy. With a self-signed certificate you'll also need it in Trusted Root first, or the prompt calls the publisher unverified.
The signature reads as invalid after the certificate expired
It was signed without a timestamp, so Office judges it against today's date and sees an expired certificate. Set the registry values above, re-sign, and confirm the file now carries a timestamp. Timestamped signatures survive certificate expiry; un-timestamped ones don't.
The bottom line
Sign the frozen project through Alt+F11 → Tools → Digital Signature, turn on timestamping in the registry so the signature outlives the certificate, and get your publisher into the reader's Trusted Publishers store so it runs without a prompt — all while remembering that the red internet banner is a separate problem signing can't solve. For macros that go beyond machines you control, a Certum code signing certificate gives them an identity Windows already trusts, and signs your EXEs and installers with the same key.