Skip to main content

    How to Sign a VBA Macro (Word, Excel & PowerPoint)

    Sign a VBA macro in Word, Excel, or PowerPoint: pick a code signing certificate in the VBA editor, add a timestamp, and set the publisher as trusted so it runs.

    MS
    My-SSL Security Team
    ·
    12 min read
    ·
    Published July 17, 2026
    ·
    Last updated July 17, 2026

    In short

    To sign a VBA macro, open the VBA editor (Alt+F11), go to Tools → Digital Signature, and choose a code signing certificate from your Windows certificate store. The signature is stored inside the file, so it travels with the workbook or document and proves who wrote the macros and that they haven't changed. One thing signing does not do: it won't clear the red "Microsoft has blocked macros" banner on files from the internet — that block keys off where the file came from, not whether it's signed.

    Signing an Office macro sounds like it should be one checkbox, and the signing part almost is. What turns it into an afternoon is everything around it: which certificate Office will actually accept, a timestamp setting with no button anywhere in the interface, a trusted-publisher step that decides whether anyone but you can run the macro without a prompt, and — since 2022 — a separate internet-macro block that a signature can't touch. This guide walks the whole path in order, so you know not just how to sign but why a correctly signed macro sometimes still refuses to run.

    What signing a VBA macro does

    Signing a VBA macro attaches an Authenticode signature to the VBA project — the code behind your document, not the document's visible content. Office hashes the project, signs that hash with your certificate's private key, and stores the signature inside the file itself. When someone opens the file, Office re-checks the signature against the code and asks two questions: does the hash still match (has the code changed?), and do I trust the publisher who signed it?

    What happens when you sign a VBA macro projectA four-step flow. Office hashes the VBA project's code, the certificate's private key signs that hash, and the resulting signature is stored inside the Office file itself rather than in a separate file. Office re-checks the signature against the code every time the file opens.What signing does to the VBA projectVBA projectyour macro codeHash of the codecontent fingerprintPrivate keysigns the hashcert from your storeSignature storedinside the filenot a separate fileThe signature covers the VBA project only — the macro code — not the cells, text, or slidesaround it. Change one line of code and the hash no longer matches, so the signature is void.
    Because the signature lives inside the document, an emailed or copied file carries its proof of authorship with it — but only for the macro code, not the content.

    This is the same Authenticode mechanism that signs Windows executables — the SignTool guide covers that side — applied to the macro code rather than a program file. One consequence catches people out: because the signature is a hash of the project, any change to the code voids it. Add a module, rename a variable, import a userform, and Office quietly treats the project as unsigned again. Sign last, once the code is frozen.

    Signing the macro is not signing the document

    A macro signature vouches for the code. It says nothing about the cells, paragraphs, or slides around it — those can be edited without disturbing it. If what you actually need is a provably authentic contract or report, that's a document signing certificate, a different tool for a different job. A file can carry both.

    What you need before you sign

    One thing: a certificate with the code signing purpose, visible to Windows with its private key. Which kind you need comes down to a single question — who has to run the macro without being warned? Your own machine, machines inside your organization, and machines out in the world each answer that differently.

    • Just your own machine: Office ships a tool for this. Run SelfCert.exe from the Office program folder — its Start-menu name is "Digital Certificate for VBA Projects" — and it creates a self-signed certificate in a couple of clicks. The macro then counts as signed, but only where you've manually added that certificate to Trusted Root Certification Authorities and Trusted Publishers. Perfect for a personal spreadsheet; a dead end for distribution.
    • Inside one organization: a code signing certificate from your internal CA (Active Directory Certificate Services, usually) verifies on every domain-joined machine automatically, because they already trust the internal root. This is the standard setup for IT teams that enforce signed macros through Group Policy.
    • Files that leave your organization: you need a certificate from a publicly trusted CA, issued to a validated identity. My-SSL carries Certum standard and EV code signing certificates that sign VBA projects the same way they sign an EXE; the validation paperwork is listed in the required documents guide.

    Publicly trusted keys live on hardware now

    Under CA/Browser Forum rules in force since June 1, 2023, publicly trusted code signing certificates ship with the private key on a certified USB token, smart card, or cloud HSM — not as a .pfx file you copy around. For VBA signing this changes little in practice: once the token's middleware is installed, the certificate shows up in the VBA editor's Digital Signature dialog like any other, and signing prompts for the token PIN instead of a password.

    Sign the project in the VBA editor

    All the signing happens in the VBA editor, and the steps are identical in Word, Excel, PowerPoint, and the rest. Freeze the code first — remember that a later edit voids the signature — then work through the dialog.

    Sign a VBA project, step by step
    1. Open the file, then press Alt+F11 to open the VBA editor.
    2. In the Project Explorer, click the project you want to sign
       (the entry named after your file, e.g. VBAProject (Report.xlsm)).
    3. Go to Tools -> Digital Signature.
    4. Click Choose..., pick your code signing certificate, click OK.
    5. Click OK again to apply the signature.
    6. Save the file. Macro-enabled formats only:
         Excel -> .xlsm    Word -> .docm    PowerPoint -> .pptm
       (Saving as plain .xlsx / .docx strips the macros and the signature.)

    If the certificate list in step 4 is empty, Windows can't see a certificate that has both the code signing purpose and an available private key — jump to troubleshooting below. And watch the save format in step 6: the single most common way people lose a freshly applied signature is saving back to a macro-free format, which discards the whole VBA project on the way out.

    Timestamp the signature (there's no button)

    A timestamp has a trusted authority record when you signed. Without one, every macro you've signed stops verifying the day your certificate expires; with one, the signature stays valid because it's judged against the certificate's validity at signing time, not today. The catch in Office is that the VBA editor has no timestamp option anywhere. You turn it on through the registry, and from then on the editor timestamps automatically.

    Registry values that enable VBA timestamping
    Key:  HKEY_CURRENT_USER\Software\Microsoft\VBA\Security
    
      TimeStampURL         REG_SZ     http://time.certum.pl
      TimeStampRetryCount  REG_DWORD  3
      TimeStampRetryDelay  REG_DWORD  3
    
    # After this, every signature the VBA editor applies is timestamped.
    # Existing signatures are not touched -- re-sign to add a timestamp.

    One important detail decides whether this works: the VBA signing path uses the older Authenticode timestamp protocol, not the RFC 3161 protocol that SignTool's /tr flag speaks. So the URL here must be a legacy Authenticode endpoint. Certum's http://time.certum.pl answers it; if you pick a URL that only supports RFC 3161, the editor signs the project but silently skips the timestamp. Our timestamping explainer covers the difference between the two protocols and why a timestamp keeps old signatures alive.

    Make it run for other people

    A signed macro doesn't run itself. Two things on the reader's machine decide what happens: the Trust Center macro setting, and whether your publisher is trusted. The setting that makes signing worthwhile is Disable all macros except digitally signed macros, found under File → Options → Trust Center → Trust Center Settings → Macro Settings. Under it, unsigned macros are blocked and macros from a trusted publisher run without a word.

    How each Trust Center macro setting treats signed and unsigned macrosA four-row comparison of the Trust Center macro settings for a file without a Mark of the Web. Disable all without notification blocks both signed and unsigned macros. Disable all with notification lets the user enable either. Disable all except digitally signed macros, highlighted in gold, blocks unsigned macros but runs macros from a trusted publisher. Enable all macros runs everything and is not recommended.What each macro setting does with your signatureTrust Center settingUnsigned macroTrusted-publisher macroDisable all without notificationblockedblockedDisable all with notificationuser may enableuser may enableDisable all except digitallysigned macrosblockedruns silentlythe setting to targetEnable all macros (not advised)runsrunsSigning only pays off under the gold row — the only setting that treats a signed macro differently from an unsigned one.
    Rolling out signed macros means moving users to the highlighted setting; under the others, your signature is either ignored or irrelevant.

    Becoming a "trusted publisher" is the second half. The first time someone opens your signed file, Office shows a security prompt naming you and offers to trust all macros from this publisher. Accepting it copies your certificate into that machine's Trusted Publishers store, and every file you sign afterward runs silently. For one or two colleagues that click is enough; across an organization, IT pushes your certificate to Trusted Publishers with Group Policy — Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Publishers — so no one is ever prompted.

    This is also where a publicly trusted certificate earns its keep. A self-signed one has to be installed as trusted on every machine by hand; a CA-issued certificate chains to a root the machine already trusts, so only the one-time publisher prompt stands between the reader and a silently running macro.

    Why a signed macro can still be blocked

    Here's the part that sends people hunting for a certificate when a certificate isn't the fix. Since 2022, Office blocks macros in files that came from the internet — by default, across Word, Excel, PowerPoint, Access, Visio, and Publisher on Windows. When it triggers, the user sees a red banner: "Microsoft has blocked macros from running because the source of this file is untrusted." There's no Enable Content button. And a valid signature from a publisher the machine trusts does nothing to lift it.

    The two separate checks a macro passes before it runsA decision tree with two gates. Gate one: did the file come from the internet, carrying a Mark of the Web? If yes, the macro is blocked with a red banner and no Enable Content button, regardless of any signature. If no, or the mark was removed, the file reaches gate two. Gate two, under the disable-all-except-signed setting: is the macro signed by a trusted publisher? If yes, it runs silently; if signed but the publisher is not yet trusted, the user is prompted to trust it; if unsigned, it is blocked.Two gates, and a signature only opens the second oneGate 1: from the internet?does the file carry a Mark of the Web?yes✕ red bannersignature ignoredno / mark removedGate 2: signed & trusted?"disable all except digitally signed"Unsignedblocked, no promptSigned, new publisher? asked once to trustpublisherTrusted publisher✓ runs silentlySigning is the work that gets you from "blocked" to "trusted publisher" at Gate 2. It does nothing at Gate 1.
    Most "my signed macro won't run" reports are Gate 1 problems — a file from the internet — being mistaken for signing problems at Gate 2.

    The reason is that this block keys off the file's origin, not its signature. Windows tags files that arrive from browsers, email, and messaging apps with a Mark of the Web, and the macro block reacts to that tag before it ever looks at who signed the code. Signing answers "who wrote this?"; the Mark of the Web is about "where did this come from?" — two separate questions, and only the second one draws the red banner.

    That means the fix is about provenance, not signing. To let a macro from the internet run, either remove the Mark of the Web — right-click the file, open Properties, and tick Unblock — or open the file from a Trusted Location, a folder Office treats as exempt from the check. Organizations often distribute macro-enabled files through a share configured as a Trusted Location for exactly this reason. Signing still matters once the file is past the block: it's what carries the macro from "the user has to enable it" to "it runs because they trust you."

    Common errors and fixes

    Almost every failed attempt is one of five things: no certificate to pick, a lost signature after saving, the red internet banner, a signed macro that still prompts, or a signature that "expired." Match your symptom.

    The Digital Signature dialog shows no certificate to choose

    Windows can't see a certificate that combines the code signing purpose with an accessible private key. Usual causes: the certificate was imported without its key, an SSL certificate is being pressed into service (wrong key usage — it won't appear), or the USB token is unplugged or its middleware isn't installed, so the key is invisible. Check the user's Personal store in certmgr.msc.

    The signature vanishes after I save

    You almost certainly saved to a macro-free format. A workbook saved as .xlsx (or a document as .docx) has its entire VBA project stripped out, signature included. Save as .xlsm, .docm, or .pptm. If the signature drops even in a macro-enabled format, you edited the code after signing — re-sign.

    "Microsoft has blocked macros from running…" (red banner)

    Not a signing problem — the file carries a Mark of the Web. No certificate clears this banner. Remove the mark (right-click → Properties → Unblock) or open the file from a Trusted Location. See the section above for why signing and the Mark of the Web are separate checks.

    The macro is signed but users still get a yellow prompt

    The signature verified, but your publisher isn't trusted on that machine yet. The user can pick "Trust all documents from this publisher" once to stop the prompts, or IT can push the certificate to Trusted Publishers by Group Policy. With a self-signed certificate you'll also need it in Trusted Root first, or the prompt calls the publisher unverified.

    The signature reads as invalid after the certificate expired

    It was signed without a timestamp, so Office judges it against today's date and sees an expired certificate. Set the registry values above, re-sign, and confirm the file now carries a timestamp. Timestamped signatures survive certificate expiry; un-timestamped ones don't.

    Frequently Asked Questions

    Get instant answers to common questions about SSL certificates and our services.

    Still Have Questions?

    Our SSL experts are available 24/7 to help with any questions about certificates, installation, or technical issues.

    The bottom line

    Sign the frozen project through Alt+F11 → Tools → Digital Signature, turn on timestamping in the registry so the signature outlives the certificate, and get your publisher into the reader's Trusted Publishers store so it runs without a prompt — all while remembering that the red internet banner is a separate problem signing can't solve. For macros that go beyond machines you control, a Certum code signing certificate gives them an identity Windows already trusts, and signs your EXEs and installers with the same key.