How to install a certificate in a Windows 10 virtual machine for use in Access

  • Question

  • Hi Folks,

    I recently purchased a code signing certificate from a certificate authority (Comodo, i.e. Sectigo) having been assured by sales people that “The certificate can be issued to you under your organization's name or if you're an individual developer, your own name. This allows you to sign different applications as well as export the certificate to different machines as necessary, all for the same business/person.” Certificate delivery required Internet Explorer, on the same machine as the certificate was ordered from. The recommended procedure was to then export the certificate from Internet Explorer as a .pfx file, with the private key, for installation on other machines.

    So I installed the certificate in Internet Explorer on my desktop computer (XPS desktop), no problem. The certificate shows up as a code signing option in Access 2013, and signs code. Oddly, however (to me), when I look for the certificate in MMC on XPS desktop, and do a search for it in "all certificate stores", it cannot be found.

    Next I exported the .pfx file to a Dropbox location shared with the virtual machines (VMs) that are also installed on my desktop computer, and imported the certificate to a VM using the Internet Explorer Certificate Import Wizard, storing it to the local machine. The certificate this time is visible in MMC on the VM, under Certificates > Personal > Certificates. And, of course, a search for it in MMC in "all certificate stores" finds it. However, when I try to sign code in Access 2010 on the VM, the certificate is not visible. I get the same result when I import the certificate into another VM that has Access 2013, so the Access version does not appear to be the issue.

    I’m thinking that the certificate location has something to do with it. So my question is: where should the certificate be put, to be visible as a signing option in Access? Sectigo referred me to Microsoft, as their tech support did not know the answer.

    I tried to get the certificate re-delivered in the VM, but it can apparently only be delivered once.

    Rob

    Saturday, August 1, 2020 4:20 PM
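
Added example, not part of the original post: since the question turns on which store the imported certificate landed in, this PowerShell snippet lists every certificate carrying the code-signing EKU in the current user's and the local machine's Personal stores and reports whether its private key came across with the .pfx import. It only reports what is present and makes no claim about which store Access reads.

```powershell
# Added example: where are the code-signing certificates, and do they have a key?
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

function Test-CodeSigningEku($cert) {
    # Read the Enhanced Key Usage extension directly from the certificate
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
}

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { Test-CodeSigningEku $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt (Get-Date))
            }
        }
}

if (-not $report) {
    Write-Warning 'No code-signing certificate found in either Personal store.'
} else {
    $report | Sort-Object Store | Format-Table -AutoSize
    # A certificate imported without its private key is visible but cannot sign
    $report | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
        Write-Warning "$($_.Thumbprint) in $($_.Store) has no private key."
    }
}
```

Run it as the same Windows user who opens Access, once on the desktop and once in the VM, and compare the Store and HasPrivateKey columns.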


All replies

  • I also have purchased code signing certificates from Sectigo/Comodo for the past 7 years. 
    It sounds like you followed the steps correctly to install it.

    However you may have misunderstood its purpose.
    You cannot attach a code signing certificate to an Access file, though that isn't clear from Access help.
    It is intended for use when distributing files as .exe or .msi using professional installer applications.
    For example I package new apps & updated versions as .exe files which are then distributed from my website.
    When a customer/client downloads the files, the .exe file will be designated as trusted by Windows Smart Screen.
    Without such a certificate, a warning message is shown indicating that the file may not be trustworthy.

    You may find this article worth reading: Signing VBA Code in Access .accdb databases - A (bad) joke?


    Thursday, August 6, 2020 10:22 PM
  • Thanks, isladogs52. My purpose is to give the user who downloads an .accdc file from my website some confidence to know that it comes from a legitimate company. I do the “Package and Sign” thing with my .accde file, and it works fine on the computer that I used to order and install the Comodo certificate. That is, when the .accdc file is downloaded from the website to another computer it shows the digital signature as valid on the Security Notice when it is opened. Disconcertingly, however, when the delivered .accde file itself is opened the Security Notice is again shown, and reverts to the warning that the file may not be trustworthy! Your link (thanks again) explains why: the file itself is not signed, which does somewhat defeat the purpose of the certificate. It does, however, establish that a trustworthy company packaged it, which is something.

    I’m hoping that I do not need to use a professional installer, mostly because the .accde file in the .accdc file is itself an installer that I have just expended effort to construct. I also built an updater (incorporated into my main application) and a joiner (both .accde files), and they all kind of work together. I’m wondering whether, in your set-up using a professional installer (to deliver .accde files?), the Security Notice still runs with the warning when the .accde file runs, or is the installation location made trustworthy by the installer? My installer downloads a zipped folder from the website, unpacks it, installs the files to a user-defined location, sets the location as trusted in Access (which bypasses the Security Notice when the main application runs), and puts a shortcut on the desktop. Would a professional installer provide an additional benefit?

    The original question, in any case, still remains. I can make an .accdc file on my desktop computer, but not in the VMs on that computer, even though I imported the certificate into them, apparently successfully. I can (duh!) open any 32-bit .accde files made in the VMs in Access on the desktop computer and sign them, so I do not have to have the certificate in those VMs. However, I can’t do that with the 64-bit .accde files made in the VMs with 64-bit Office. I expect that if I order (& pay for) another certificate on one of the 64-bit Office VMs, then I could use that for any 64-bit .accde that I could open in that VM. Or, would I be better off cutting my losses and spending the money on a professional installer?

    Friday, August 7, 2020 2:16 PM
  • I never use ACCDC files as I feel they offer no real purpose when distributing files.

    The .exe files that I distribute mainly via my website include code that makes the included ACCDE or ACCDB files trusted before they are opened for the first time by end users. This is done by script in the installation package that edits the registry to add the install location as trusted. As a result, end users NEVER see the ACCDE security warning that you describe.

    Code signing certificates can only be used on the workstation where they were first 'created'.

    However you can prepare any necessary files such as 64-bit ACCDEs on other workstations then package them with the signed certificate on the 'host' workstation. I do this for all my apps.

    Installer programs include many other benefits as well. There are several available both commercial & free.

    I use a commercial app called SamLogic Visual Installer Professional. A cheaper Standard version also exists but is less fully featured and in my opinion is a false economy.

    There are several other installer programs available including SSE Setup which many developers rate highly.

    There is a free installer called Inno which also works well but it is entirely script based.

    • Marked as answer by RobH18 Saturday, August 8, 2020 6:34 PM
    Friday, August 7, 2020 10:33 PM
  • Thanks, isladogs52, that’s helpful. Are you saying that the promise from Comodo that “This allows you to sign different applications as well as export the certificate to different machines as necessary, all for the same business/person” is not in fact true, because “Code signing certificates can only be used on the workstation where they were first 'created'”? That would explain why I can’t get it to work on my VMs.

    I’m concluding that going the installer route will be the best solution, if I want to avoid the Security Notice.

    Saturday, August 8, 2020 6:33 PM
  • Hmm. I've not seen or possibly have forgotten that promise from Comodo.

    You can certainly sign an unlimited number of applications within the time period the certificate is valid.

    It is my understanding that the certificate has to be used on the same machine that was used to download it.

    However, I haven't tried to use it on other machines and would be pleased to know if I am wrong about that.

    My main 'certificated PC' runs 32-bit Office on 32-bit Windows and I use that to create all 32-bit ACCDEs.

    I also create 64-bit ACCDE files for distribution on a different PC then copy them back to the main PC when I am creating a 64-bit installation EXE package.

    Incidentally, I usually distribute files containing both 32-bit & 64-bit versions of the ACCDE files.

    When the installer runs, the script checks the Office bitness and only installs the correct version for that PC.


    • Edited by isladogs52 Saturday, August 8, 2020 9:08 PM
    Saturday, August 8, 2020 9:07 PM
  • The “promise” from Comodo was just in an email from the sales people before I bought the certificate. I wanted to know specifically if I could use the same certificate to sign code in all my VMs. I took the answer to be “yes”, based on this comment: “The certificate can be issued to you under your organization's name or if you're an individual developer, your own name. This allows you to sign different applications as well as export the certificate to different machines as necessary, all for the same business/person.” Anyway, no harm done, since if I go the installer route I will only need one certificate.
    Sunday, August 9, 2020 3:04 AM
  • I agree that using an installer will make things easier. No need for ACCDC packaging and you can easily include other related files as part of the EXE file you create and distribute.

    For me, one of the most useful features is the ability to have a script run before or after installation. Amongst other things, I use that to set the install folder as trusted in the registry so the end user never sees the yellow enable content security bar. 

    You will still need to use your security certificate with the EXE to handle the smart screen warnings. Out of interest, did you purchase the basic OV certificate or the more expensive EV one? Code signing certificates

    It may be worth you contacting Sectigo to see whether the certificate can be used on more than one computer...or transferred to another PC. 

    Sunday, August 9, 2020 8:03 AM
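
Added example, not part of the thread: the installer step described above works by writing the install folder under Access's per-user Trusted Locations registry key, so it is worth auditing what ends up trusted. This PowerShell snippet lists every Access trusted location for the current user (user-set and policy-set) and flags entries that trust more than a single install folder; the flag heuristics are assumptions of this example, not Microsoft guidance.

```powershell
# Added example: audit Access trusted locations for the current user.
$roots = 'HKCU:\Software\Microsoft\Office',
         'HKCU:\Software\Policies\Microsoft\Office'

$findings = foreach ($root in $roots) {
    # One subkey per Office version (14.0 = 2010, 15.0 = 2013, 16.0 = 2016 and later)
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $version = $_.PSChildName
        $tl = "$($_.PSPath)\Access\Security\Trusted Locations"
        if (-not (Test-Path -Path $tl)) { return }

        Get-ChildItem -Path $tl | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if (-not $p.Path) { return }
            $path = [Environment]::ExpandEnvironmentVariables($p.Path)

            # Heuristic flags (assumptions of this example)
            $flags = @()
            if ($path -match '^\\\\')          { $flags += 'network path' }
            if ($path -match '^[A-Za-z]:\\?$') { $flags += 'whole drive' }
            if ($p.AllowSubfolders -eq 1)      { $flags += 'subfolders trusted' }
            if ($path -match '\\(Downloads|Temp|Desktop)(\\|$)') {
                $flags += 'common drop folder'
            }

            [pscustomobject]@{
                Office   = $version
                Source   = if ($root -like '*Policies*') { 'policy' } else { 'user' }
                Key      = $_.PSChildName
                Path     = $path
                Flags    = ($flags -join ', ')
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Office, Key | Format-Table -AutoSize -Wrap
} else {
    'No Access trusted locations are defined for this user.'
}
```

Any database placed in a listed folder opens with its VBA enabled and no Security Notice, so a flagged entry deserves a look at who can write to that path.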
  • I purchased the Standard Certificate, not the EV. I’m wondering now if that was the best choice, since my app does not yet have any reputation (just getting started). But when I download my .accde (or .accdc) installer from my website and use it to install the app on another computer I do not get the SmartScreen message, so I thought the extra money was not worth it.

    But now I’m also wondering: if I go the installer route, and package as .exe file, is that going to land me back at square one, if it triggers the SmartScreen, unless I buy the EV? My installer already does everything I would want the professional installer to do, except that I get the pesky Security Notice twice: once when running the .accdc, with the certificate that hopefully reassures the user, and once when running the .accde unpacked from the .accdc, which does not refer to the certificate, and may unsettle the user. I guess I could provide some sort of explanation on my website to reassure the user that the .accdc also legitimizes the .accde, but that’s a bit ugly. Do you use an EV? Does it work OK with your installer? (I read EVs can create problems for installers) The extra $195/yr for an EV is a bit steep. I would want to be sure there was a guaranteed benefit.

    I already have gone round in circles with Comodo. They referred me to Sectigo tech support, who could not help, and referred me to Microsoft, which is why I posted this.
    Monday, August 10, 2020 2:56 PM
  • PS: Ameliorating factor: I found that if the user selects “Trust All From Publisher” option on the first Security Notice when .accdc is run, then the second Security Notice does not run when the .accde is opened. Duh!

    Monday, August 10, 2020 4:32 PM
  • Sorry about the delay replying. Problems with my computer and website. Hopefully now fixed.

    I only have the OV certificate. My circumstances do not justify purchasing the costly EV version. I registered with Dun & Bradstreet so my company credentials could be verified as part of the certification process.

    As previously stated I don't use ACCDC files. An installer program will provide more power and flexibility so doing that will be superfluous.

    All my commercial apps and some of my free apps are distributed from my website as EXE files.

    Suggest you try one of my free apps to try out the end user experience.

    For example the free Currency Exchange Rate Tracker app. It will be installed to a set location and that will be marked as trusted in the registry. It will also create a desktop icon and Start menu items. You can easily uninstall it from Add/Remove Programs when done.

    You may see a Smart Screen warning but no other security alerts.

    NOTE: If you decide to use the app to download the latest exchange rate data in JSON format, you would need to purchase an API key from the data provider (not me!)

    Hope that helps


    • Edited by isladogs52 Tuesday, August 11, 2020 11:18 AM
    Tuesday, August 11, 2020 11:18 AM
  • Thanks isladogs52. I downloaded your app and was impressed by the smooth experience, and did not get the SmartScreen warning. Is that because you have had enough downloads without complaint? How many downloads did it take before the SmartScreen stopped showing? About how many is enough?

    I also went the Dun & Bradstreet route.

    FYI, on selecting USD as the base currency I got a download error message "Your subscription plan does not support HTTPS Encryption". Because I had no API key, I suppose.

    Rob

    Thursday, August 13, 2020 1:00 AM
  • The error message was indeed because you had no API key. It used to be completely free but the exchange rate data provider changed the rules

    Sorry but I've no idea how many downloads are needed to overcome smart screen issues.

    However, it may be relevant that I first obtained a code signing certificate back in 2014.

    If you wish you could try downloading some of the other free apps from my website just for getting an idea for likely UX if you follow the same route. Whilst many of the free apps are zip files, several are .EXE. For example:

    JSON Analyse & Transform for Access (pre-release version)

    Countdown Timer (ACCDR version)

    Exam Timer (evaluation version)

    Just to be clear, I'm not trying to sell you anything and hope I'm not breaking forum rules with these links. 

    The first two are completely free. The last is a time limited evaluation version.



    • Edited by isladogs52 Thursday, August 13, 2020 5:02 PM
    Thursday, August 13, 2020 5:00 PM