Adding a timestamp to a Digital Signature in Microsoft Office

Why would you want to timestamp your signature?  A timestamp adds proof of "when" you added your digital signature to an Office document. For example, without a timestamp, when your personal signing certificate has expired Microsoft Office will report on each of the documents that you signed the warning text: "Expired certificate - The certificate used to sign has expired".  If you timestamp your signature then Office can reliably determine if the signature was created prior to the certificate expiration. Proof of "when" the document was signed can be powerful proof in some cases.  Also, Timestamping your signatures is crucial if your personal signing credentials were compromised so that the public could separate which of your signatures are valid: those signatures you created before you "revoked" your signing certificate.

There is a one-time setup of Microsoft Office to enable timestamp, described below. In summary:

  1. Update Registry entries to tell Microsoft Office to retrieve a timestamp
  2. Import DigiStamp Root certificates
  3. Update your DigiStamp account to allow "IP-based Authentication"

The instructions below are for the individual user. If you are using Microsoft Active Directory we have instructions to help you push these changes to your network users.

Setup requirement: your digital signature

Microsoft Office software has built-in the capability to create digital signatures (the screen capture image below demonstrates). It is a little complex, for examle you need to get personl, digital signing credentials. Microsoft is your best souce of "how to" on this subject. Please do an Internet search for "Add or remove a digital signature in Office files" and look for links to Editor's details: we would give you direct links but the Microsoft support site is designed to prevent that.

Here is just an option, among many, for easily getting basic-level personal signing credentials:

How do I timestamp a signature?

The timestamp is created when you protect the Office document with your digital signature. This is done as shown in the graphic below, navigate the menu option < File >, < Protect Document >, < Add a Digital Signature >

Office Sign And Timestamp

How do I know the signature was timestamped?

In Office navigate the menu option < File >, < Protect Document >, < Add a Digital Signature > you navigate under the “File” tab to “View Signature” then right click on the signature for “Signature Details”

View Office Signature

Office Signature Timestamped


It should say as shown above in the blue circle “XAdES-T” to confirm the signature is timestamped.  These values also confirm that there is a timestamp: XAdES-C XAdES-X XAdES-X-L


Can I view the details of the timestamp?

Regretfully, no. Microsoft has not provided a way for us to examine the details or export the signature or timestamp.  But, by observing the verify process in detailed system logs, Office does verify the signatures and timestamps; specifically, as described in the introduction related to when your signing certificate expires.

 Setup: Registry entries to tell MS Office to retrieve a timestamp

Below are instructions to use REGEDIT. This is a little primitive. But, there is no other Windows / GUI interface for the procedure and this is the Microsoft prescribed method. 

  1. Right click on the Start Menu > Run
  2. Type regedit and presss Enter
  3. Navigate to the folders: HKEY_CURRENT_USER > SOFTWARE > Microsoft > Office
    Here, you must select the numbered folder which matches the installed version of Microsoft Office. Office 2016 and Office 365 use the value 16.0. Office 2013 is 15.0. Office 2010 is 14.0.
  4. After selecting the appropriate Office version’s folder, Navigate to the folders: Common > Signatures.
    Summary: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Signatures
  5. Right Click the white-space on the right side and choose New > DWORD
    Name it XadESLevel. Right click and "modify" to enter a value of 2:officeRegeditNew.GIF

    This configures Microsoft Office behavior as "preferring" a timestamp be created with each digital signature.

  6. (Optional) Create another DWORD and this time title it MinXAdESLevel. Right click and "modify" to enter a value of 1 or the more strict 2.

    The value of 1 configures Microsoft Office so that if the timestamp service is not available then proceed with creating a digital signature without a timestamp (that is the default value if you do not create this entry). The value of 2 stops the process until you have timestamp server access. For your initial testing we recommend setting this to 2 so Office will alert you if there are problems with timestamp server access.

  7. Create a String Value and title it TSALocation. Right click and "modify" to enter a value of one of the URLs below.
    • TEST:
    • PRODUCTION:  (currently this will give a mixture of new release and prior release timestamps)

Check that your results look like this: officeRegeditExample.GIF

Setup: Import DigiStamp Root certificates

You have 2 decisions
1. Which of the 3 encryption algorithms are you going to use.  We suggest the use of ECC-NIST. The choice is between the RSA or two elliptic curve options of ECC-NIST (NIST Recommended) or ECC-BP (Brainpool) is nebulous; "USA" versus "EU" preference is a perspective, more information here.  Your DigiStamp account setting were setup to use ECC-NIST and if choose otherwise then you need to make a change to that setting.  Change your DigiStamp account setting here for Test environment and here for Production, at the bottom of the page see "timestamp type". 
2. Are you creating timestamps in our TEST environment or are you creating final quality production timestamps?

Based on the above 2 decisions, find the vertical-column of public key certificates that you will need. Download them so we can install them in the next step.


                 Production       Test / Evaluation    
     Root root.NIST root.BP root.RSA      root.test.NIST root.test.BP root.test.RSA  
  Audit audit.NIST audit.BP audit.RSA   audit.test.NIST audit.test.BP audit.test.RSA  
  Audit audit.NIST audit.BP audit.RSA   audit.test.NIST audit.test.BP audit.test.RSA  
  Audit audit.NIST audit.BP audit.RSA          


Details: about the DigiStamp x.509 certificates and how they are organized. Minor note, it is a quirk of Microsoft Office that we need to install the “audit” certificates. Compared to Adobe products that need only the single root certificate.

Next we install the DigiStamp Public Key Certificates that you downloaded above.

  1. Right click on the Start Menu > Run certmgr.msc
  2. Type certmgr.msc and press Enter
  3. Import root certificate, it will be in a file with a name containing “root” into folder "Trusted Root Certificate Authority": officeImportRoot.GIF
  4. The audit certificates will be in files with a name containing “audit”. They are imported into folder "Intermediate Certificate Authority".officeImportAudit.GIF

Setup: tell DigiStamp your IP address so we know it's you

Microsoft Office timestamping does not include any authentication mechanisms. So, DigiStamp does not know if it is you that is requesting the timestamp. The solution is in your DigiStamp account setup: login to your DigiStamp account and enable DigiStamp's IP-based Authentication option here toward the bottom of the page, it's easy. This records your Internet Global IP address to identify your requests. This IP address will change with different Internet connections, so you may need to return to your account settings to update this value.