Why do I get the error "Signing failed with error 800B0106" when signing an Office file including VBA project with a self-signed certificate?

Tamas Meszaros 0 Reputation points
2024-09-30T06:01:06.1166667+00:00

Hi,

I have created a self-signed certificate in Azure Key Vault (4k key, default settings).

I can use it to sign exe files, but I get the error "Signing failed with error 800B0106" when trying to sign an Excel XLSM file including VBA scripts. The error code belongs to error "A certificate is being used for a purpose other than that for which it is permitted".

(I'm using azuresigntool, and the required Office SIP tool is installed).

Is this because the certificate is self-signed? Will this work with one having a trusted parent?

(~ I'm trying to test all scenarios before purchasing the code signing certificate).

Thank you,

Tamas Meszaros

Azure Key Vault

1 answer

  1. Vinodh247 22,696 Reputation points
    2024-10-02T12:56:11.7333333+00:00

    Hi Tamas Meszaros,

    Thanks for reaching out to Microsoft Q&A.

    Yes, the fact that the certificate is self-signed is likely the cause of this issue. Office applications, especially when dealing with VBA scripts, enforce stricter certificate validation rules, and self-signed certificates often lack the required trust chain and key usage for such purposes. Using a certificate with a trusted parent (from a CA) and proper key usage for code signing might resolve your issue.

    1. Check Certificate Extensions:
      • Ensure that your self-signed certificate has the correct key usage for code signing. This can usually be viewed under the certificate properties (e.g., "Code Signing" or similar attributes).
      • You can check if the certificate includes extensions like digitalSignature and nonRepudiation, which are often required for signing Office documents.
    2. Testing with a Trusted CA:
      • If the self-signed certificate doesn't work, testing with a certificate from a trusted CA (even a trial certificate) might help confirm whether this is the root cause.
      • A certificate issued by a trusted CA is more likely to be accepted for signing Office VBA projects because it will have the proper trust chain and key usage extensions.
    3. AzureSigntool & Office SIP Tool:
      • Ensure that both AzureSigntool and the Office SIP tool are configured properly and can access the certificate in Azure Key Vault with the right permissions.
      • Double check the tool's logs or output to see if there are any other clues regarding certificate validation or signing issues.
    4. Workaround for Testing:
      • If you need to test the signing process without purchasing a certificate immediately, you can try using a development or trial certificate from a CA, or ensure that the self-signed certificate is installed and trusted in the appropriate certificate stores on your machine.

    Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.

    1 person found this answer helpful.
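
One way to run the "Check Certificate Extensions" step from the answer above, as an added example that is not part of the original thread: it reports a certificate's Key Usage and Enhanced Key Usage and builds the chain under the code-signing policy, so a usage mismatch like the one behind 800B0106 is visible before signing. The function names and the two sample certificates are hypothetical and constructed in memory; it assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
# Added example (not from the thread): report the usage fields the answer says to check.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CodeSigningUsage {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ku  = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Build the chain under the code-signing application policy; a certificate
    # issued for another purpose is reported with NotValidForUsage.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void]$chain.ChainPolicy.ApplicationPolicy.Add([Oid]::new($CodeSigningOid))
    [void]$chain.Build($Certificate)

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        KeyUsage         = if ($ku) { $ku.KeyUsages } else { 'absent' }
        EkuOids          = $ekuOids -join ', '
        # An absent EKU extension places no restriction; a present one must list code signing.
        EkuAllowsSigning = (-not $eku) -or ($ekuOids -contains $CodeSigningOid)
        ChainStatus      = ($chain.ChainStatus.Status | Sort-Object -Unique) -join ', '
    }
}

# Hypothetical helper: builds an in-memory self-signed certificate with the given EKUs.
function New-SampleCert([string]$Subject, [string[]]$EkuOids) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
    $oids = [OidCollection]::new()
    foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
}

# Constructed samples: one issued for code signing, one for TLS server/client auth only.
$samples = @(
    New-SampleCert -Subject 'CN=Constructed CodeSign' -EkuOids $CodeSigningOid
    New-SampleCert -Subject 'CN=Constructed TLS only' -EkuOids '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
)
$samples | ForEach-Object { Test-CodeSigningUsage -Certificate $_ } | Format-List
```

To inspect a real certificate, export its public part as a .cer file and pass `[X509Certificate2]::new($path)` to `Test-CodeSigningUsage`, where `$path` is wherever you saved the file.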