How to Digitally Sign VBA Macros using eSigner CKA

eSigner CKA (Cloud Key Adapter) is a Windows application leveraging the CNG interface (KSP Key Service Provider), enabling tools like certutil.exe and signtool.exe to access the eSigner Cloud Signature Consortium (CSC) API for enterprise code signing. Functioning as a virtual USB token, it loads code signing certificates into the Windows certificate store.

Requirements

1. Purchase an SSL.com Code Signing Certificate or Extended Validation (EV) Code Signing Certificate 
2. Enroll your code signing certificate in eSigner
3. Download and install eSigner CKA

Download and install Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects using this link: https://www.microsoft.com/en-us/download/details.aspx?id=56617 Note: Some users may encounter a failure in signing because VBA offers a SHA1 hash of the code to send to eSigner but eSigner requires SHA256 or greater. To resolve this. Microsoft recommends the following: You can add a DWORD registry key-value V1HashEnhanced to choose another hash algorithm, under HKCU\SOFTWARE\Microsoft\VBA\Security with value-algorithm rules (1 to SHA1, 2 to SHA256, 3 to SHA384, 4 to SHA512).

Steps to Sign

Once installed, perform the following steps:

1. Open an administrator command prompt and type the following, the path will be where you just installed the files:
   regsvr32.exe <complete path to example.dll>
   regsvr32.exe <complete path to example.dll>
   For more information on how to register OLE controls, visit Microsoft’s website.
   If successful, you will see a message: “DIIRegister Server in <complete file path> succeeded.”
2. Install the following: download.microsoft.com/download/C/6/D/C6D0FD4E-9E53-4897-9B91-836EBA2AACD3/vcredist_x86.exe
3. Install eSigner CKA
4. Run SignTool command to sign macros based on this guide: https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/#components-of-the-command-line