Friday, October 27, 2017

Show trust by adding a digital signature

You can show that you believe a database is safe and that its content can be trusted by adding a digital signature to the database. This helps people who use the database decide whether to trust it and its content.

The process that you use to digitally sign a database depends on whether the database uses a newer file format, such as an .accdb file, or an earlier format, such as an .mdb file. However, both processes require that you use a security certificate.

You can use a commercial security certificate, or you can create your own. This topic explains how to create your own security certificate.

Before you begin

To add a digital signature, you must first obtain or create a security certificate. Think of a security certificate as a pen that you use to digitally sign things, or a wax seal that only you can apply.

If you don't have a security certificate, you can create one by using the SelfCert tool (included with Microsoft Office).

Create a self-signed certificate

  1. In Microsoft Windows, click the Start button, point to All Programs, point to Microsoft Office, point to Microsoft Office Tools, and then click Digital Certificate for VBA Projects.

    -or-

    Browse to the folder that contains your Microsoft Office 2010 program files. The default folder is Drive:\Program Files\Microsoft Office\Office14. In that folder, locate and double-click SelfCert.exe.

    The Create Digital Certificate dialog box appears.

  2. In the Your certificate's name box, type a name for the new test certificate.

  3. Click OK twice.

Note: If you don't see the Digital Certificate for VBA Projects command, or you can't find SelfCert.exe, you might need to install SelfCert.

Install SelfCert.exe

  1. Start your Microsoft Office 2010 Setup CD or other installation media.

  2. In Setup, click Add or Remove Features, and then click Continue.

    Note: If you work in an environment in which Microsoft Office 2010 is installed on individual computers by IT administrators rather than by CD, follow these steps:

    1. In Microsoft Windows, click the Start button, and then click Control Panel.

    2. Double-click Add or Remove Programs.

    3. Select Microsoft Office 2010, and then click Change.

      Setup starts.

    4. Click Add or remove features, and then click Continue.

    5. Continue with the following steps.

  3. Expand the Microsoft Office and Office Shared Features nodes by clicking the plus signs (+) next to them.

  4. Click Digital Certificate for VBA Projects.

  5. Click Run from My Computer.

  6. Click Continue to install the component.

You should only use SelfCert to create signatures for use within your own organization. If you want to digitally sign a database and then distribute that database commercially, you should obtain a commercial security certificate from a commercial certificate authority (CA). For more information, see the See Also section.

Package, sign, and distribute an Access 2010 database

Access 2010 makes it easy and fast to sign and distribute a database. When you create an .accdb file or .accde file, you can package the file, apply a digital signature to the package, and then distribute the signed package to other users. The Package and Sign tool places the database in an Access Deployment (.accdc) file, signs the file, and then places the signed package at a location that you determine. Users can then extract the database from the package and work directly in the database (not in the package file).

Remember these facts as you proceed:

  • Packaging a database and signing the package is a way to convey trust. When you package and sign a database, your digital signature confirms that the database has not been altered after you created the package.

  • After the database is extracted from the package, there is no longer a connection between the signed package and the extracted database.

  • You can use the Package and Sign tool only with databases saved in a newer file format (.accdb, .accde,...). Access 2010 also provides tools to sign and distribute databases that have an earlier file format. You must use the digital signature tool that is appropriate for the database file format that you are using.

  • You can add only one database to a package.

  • The process digitally signs a package that contains your entire database, not just macros or modules.

  • The process compresses the package file to help reduce download times.

  • You can extract databases from package files that are located on servers running Windows SharePoint Services 3.0 or later.

The steps in the following sections explain how to create a signed package file and how to extract and use the database from a signed package file.

Create a signed package

  1. Open the database that you want to package and sign.

  2. Click the Office Button, point to Saving, and then, under Advanced, click Package and Sign.

    The Select Certificate dialog box appears.

  3. Select a digital certificate and then click OK.

    The Create Microsoft Office Access Signed Package dialog box appears.

  4. In the Save in list, select a location for your signed database package.

  5. Enter a name for the signed package in the File name box, and then click Create.

    Access creates the .accdc file and places it in the location that you chose.

Extract and use a signed package

  1. Click the Office Button, point to Open, and then on the right, click Open. The Open dialog box appears.

  2. Select Microsoft Office Access Signed Packages (*.accdc) as the file type.

  3. Use the Look in list to locate the folder that contains your .accdc file, select the file, and then click Open.

  4. Do one of the following:

    • If you chose to trust the security certificate that was used to sign the deployment package, the Extract Database To dialog box appears. Go to the next step.

    • If you have not yet chosen to trust the security certificate, the following message appears.

      Advisory message

      If you trust the database, click Open. If you trust any certificate from that provider, click Trust all from publisher. The Extract Database To dialog box appears.

      Note: If you use a self-signed certificate to sign a database package and then click Trust all from publisher when you open that package, packages signed by using your self-signed certificates will always be trusted.

  5. Optionally, in the Save in list, select a location for the extracted database and then, in the File name box, enter a different name for the extracted database.

    Tip: If you extract the database to a trusted location, its contents will be automatically enabled whenever you open it. If you choose a non-trusted location, some database content may be disabled by default.

  6. Click OK.

If you are unsure of whether to trust a certificate, the article How to tell if a digital signature is trustworthy provides general information about checking the dates and other items in a certificate to help ensure that it is valid.
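A way to review which publishers a computer already trusts, as an added PowerShell example that is not part of the original article. It assumes that clicking Trust all from publisher records the signing certificate in the Windows Trusted Publishers certificate store; the helper name Get-PublisherFinding is hypothetical.

```powershell
# Added example, not from the original article.
# Assumption: publishers trusted through "Trust all from publisher" are kept
# in the Windows Trusted Publishers certificate store.
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage
$now = Get-Date

# Hypothetical helper: returns the reasons a trusted publisher deserves review.
function Get-PublisherFinding {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $findings = @()
    if ($Cert.Subject -eq $Cert.Issuer) { $findings += 'self-signed' }
    if ($Cert.NotAfter -lt $now)  { $findings += 'expired' }
    if ($Cert.NotBefore -gt $now) { $findings += 'not yet valid' }

    # A certificate with an EKU extension is limited to the listed purposes.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $codeSigningOid) {
        $findings += 'no code-signing EKU'
    }

    # Verify() performs chain validation with the basic validation policy.
    if (-not $Cert.Verify()) { $findings += 'chain does not verify' }
    return $findings
}

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            Findings   = (Get-PublisherFinding -Cert $_) -join ', '
        }
    }
}
$report | Sort-Object Findings -Descending | Format-List
```

Entries flagged as self-signed are the ones the note in step 4 describes: every package signed with that certificate opens without a prompt for as long as the entry stays in the store.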

Digitally sign an earlier version database

Important: The steps in this section do not apply to databases that use one of the new file formats.

For databases earlier than Access 2010, you can apply a digital signature to the components in the database. A digital signature confirms that any macros, code modules, and other executable components in the database originated with the signer and that no one has altered them since the database was signed.

To apply a signature to your database, you first need a digital certificate. If you create databases for commercial distribution, you must obtain a certificate from a commercial certificate authority (CA). Certificate authorities do background checks to verify that the people who create content (such as databases) are reputable.

To learn more about certification authorities that offer services for Microsoft products, refer to the See Also section.

If you want to use a database for personal or limited workgroup scenarios, Microsoft Office 2010 provides a tool for creating a self-signed certificate. The steps in the following sections explain how to install and use a tool called SelfCert.exe to create a self-signed certificate.

Code sign a database

Note: Remember that these steps apply only when you are using databases in Access 2010 that use one of the earlier database file formats, such as an .mdb file. To sign newer databases, see the section Package, sign, and distribute an Access 2010 database.

  1. Open the database that you want to sign.

  2. On the Database Tools tab, in the Macro group, click Visual Basic to start the Visual Basic Editor.

    Keyboard shortcut: Press ALT+F11.

  3. In the Project Explorer window, select the database or Visual Basic for Applications (VBA) project that you want to sign.

  4. On the Tools menu, click Digital Signature.

    The Digital Signature dialog box appears.

  5. Click Choose to select your test certificate.

    The Select Certificate dialog box appears.

  6. Select the certificate that you want to apply.

    If you followed the steps in the previous section, select the certificate that you created by using SelfCert.

  7. Click OK to close the Select Certificate dialog box, and click OK again to close the Digital Signature dialog box.

Tips for signing earlier version databases

  • If you want to prevent users of your solution from accidentally modifying your VBA project and invalidating your signature, lock the VBA project before signing it.

    Note: Locking your VBA project doesn't prevent another user from replacing the digital signature with another signature. Corporate administrators might re-sign templates and add-ins so that they can control exactly what users may run on their computers.

  • When you digitally sign a VBA project, consider obtaining a timestamp so that others can verify your signature even after the certificate used for the signature has expired. See Microsoft Office Online for more information about VBA security and timestamps.

2 comments:

  1. Thanks a lot for your explanation here. Your article is very helpful for me. You have a good writing inside there. Very nice to see your post. Good job! stiply.nl

  2. Never feed the trolls, most especially ones who can’t type without shouting. Data Entry Work
