COM Addin not loading because the certificate is no longer valid

  • Question

  • A customer of ours is reporting that our COM Add-In is not loading in Office 2010 because they have applied policy by GPO which apparently rejects digital signatures where the associated certificate has expired.

    In our case the certificate has expired (we typically use certs with a 12 month validity and the customer is using a fairly old version), but the DLL's signature was timestamped so technically the digital signature is still perfectly valid.

    I don't know exactly which policy is in play, though I have found that there is an Office 2010 policy called "Do not allow expired certificates when validating signatures". This policy appears to apply to digitally signed documents (rather than Add-Ins). Can anyone confirm whether in fact the use of this policy will also affect the validation of signatures of Add-Ins loaded by Office even when they are timestamped? I can see that this policy would be useful to validate signatures that haven't been timestamped, but a timestamped signature should be considered valid in perpetuity unless the certificate has been expressly revoked, rather than just expiring. In other words, why is this policy such a blunt instrument? Shouldn't it be "Do not allow expired certificates when validating signatures that are not timestamped"?

    Tuesday, February 26, 2013 4:07 PM

All replies

  • Hi Sconnolly,

    Thank you for posting in the MSDN Forum.

    I'll consult your issue with my colleague. You'll be informed if there's any update.

    Thank you for your patience and understanding.

    Best regards,

    Quist Zhang [MSFT]

    Thursday, February 28, 2013 9:54 AM
  • Hi Sconnolly,

    The "Do not allow expired certificates when validating signatures" should not apply to the add-ins.  The Office 2010 Administrative Templates do include some Add-in specific settings, but as you mentioned, timestamped signatures should be valid unless the certificate has been revoked.

    Sharon M, Microsoft Online Community Support

    Saturday, March 9, 2013 2:28 AM
  • Thanks Sharon.

    Could you be more confident than 'should'? Can you confirm that this policy absolutely "does not" affect plugins, only documents? Unfortunately the name of the policy doesn't mention documents explicitly.

    If you can confirm that the policy does not apply to plugins, it would be helpful to understand whether there are any other Office or Windows GPO policies that could affect the validation of a signed+timestamped plugin after its certificate has expired. I have seen at least two reports of customer issues in this area where they have got some kind of GPO set up that is causing problems loading our add-in. Unfortunately the cases were closed or resolved before I was able to get the details of what policy(s) might be responsible. Any help you can provide would be most welcome.


    Tuesday, March 12, 2013 9:18 AM
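
Added example (not part of the thread, and not code from any poster or from Microsoft): a PowerShell check, run on the affected machine, that reports whether an add-in DLL's Authenticode signature is timestamped and whether its signing certificate has since expired. The function name `Get-AddinSignatureReport` and the DLL path in the usage comment are hypothetical.

```powershell
# Added example: inspect the Authenticode signature of one or more add-in DLLs.
# Uses only Get-AuthenticodeSignature and X509Certificate2 properties.
function Get-AddinSignatureReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path   # path(s) to the signed add-in DLL (supplied by the caller)
    )

    $now = Get-Date
    foreach ($p in $Path) {
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = $sig.SignerCertificate       # $null when the file is unsigned
        $tsa    = $sig.TimeStamperCertificate  # $null when there is no timestamp

        $expired     = if ($signer) { $signer.NotAfter -lt $now } else { $null }
        $timestamped = [bool]$tsa

        # Summarise the combination the thread is asking about.
        $assessment =
            if (-not $signer) {
                'Unsigned'
            } elseif ($sig.Status -eq 'Valid' -and $expired -and $timestamped) {
                'Valid via timestamp (signing certificate has expired)'
            } elseif ($expired -and -not $timestamped) {
                'Signing certificate expired and signature is not timestamped'
            } else {
                "Status: $($sig.Status)"
            }

        [pscustomobject]@{
            Path           = $sig.Path
            Status         = $sig.Status
            StatusMessage  = $sig.StatusMessage
            Signer         = if ($signer) { $signer.Subject } else { $null }
            SignerNotAfter = if ($signer) { $signer.NotAfter } else { $null }
            SignerExpired  = $expired
            Timestamped    = $timestamped
            TimeStamper    = if ($tsa) { $tsa.Subject } else { $null }
            Assessment     = $assessment
        }
    }
}

# Usage (placeholder path, replace with the real add-in DLL):
# Get-AddinSignatureReport -Path 'C:\Path\To\YourAddin.dll' | Format-List
```

The report shows how Windows itself evaluates the signature on that machine, independently of any Office policy setting, which helps separate a signature problem from a policy problem.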