
Digitally signed MS-Office documents are valid only until the digital certificate used to sign the document expires, typically after 1, 2 or 3 years. Applying a TSA to those digitally signed documents not only adds long-term integrity but also extends non-repudiation validation for up to 10 years, regardless of the validity period or revocation status of the signing certificate.

As Microsoft does not provide a built-in user interface for a Timestamping Authority, the default timestamp for MS-Office documents is the local computer's time. To add a Timestamping Authority such as the IdenTrust TSA, its URL must be configured manually, one time only, on each computer from which the TSA service is required. This configuration requires editing the system registry, a task that should be handled by expert users only, as incorrect registry values can cause system instability. Follow these instructions to add the IdenTrust TSA to your computer:

  1. Right-click the Start menu and choose Run.
  2. Open the Registry Editor: type regedit and press Enter (administrator permissions may be required).
  3. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Signatures, replacing 16.0 with the MS-Office version present on the computer (for example 15.0 or 16.0).
  4. Right-click in the white area on the right side and choose New > DWORD Value. Name it XAdESLevel, then right-click it, choose Modify and enter a value of 2.
  5. Create a String Value named TSALocation, then right-click it, choose Modify and enter the value http://timestamp.identrust.com.
  6. Close the Registry Editor: File > Exit.
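The same configuration as a PowerShell script, added here as an example and not IdenTrust's own tooling: it applies the two registry values from steps 4 and 5 to every per-user Office version hive it finds and reads them back to confirm. It assumes the registry path and value names given above and must run as the user who signs the documents, since the values live under HKEY_CURRENT_USER.

```powershell
# Added example: configure the IdenTrust TSA for each Office version under HKCU
# and verify the values were written. Path and value names are those from the
# steps above; the version detection is an assumption about the Office hive layout.
$TsaUrl     = 'http://timestamp.identrust.com'
$XadesLevel = 2   # value specified in step 4 above

function Set-OfficeTsa {
    param(
        [string]$Version,            # e.g. '15.0' or '16.0'
        [string]$Url   = $TsaUrl,
        [int]$Level    = $XadesLevel
    )
    $key = "HKCU:\Software\Microsoft\Office\$Version\Common\Signatures"
    if (-not (Test-Path $key)) {
        # The Signatures key may not exist until something creates it
        New-Item -Path $key -Force | Out-Null
    }
    # Same values as steps 4 and 5: DWORD XAdESLevel and String TSALocation
    New-ItemProperty -Path $key -Name 'XAdESLevel'  -PropertyType DWord  -Value $Level -Force | Out-Null
    New-ItemProperty -Path $key -Name 'TSALocation' -PropertyType String -Value $Url   -Force | Out-Null
}

function Test-OfficeTsa {
    param([string]$Version, [string]$Url = $TsaUrl, [int]$Level = $XadesLevel)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Common\Signatures"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # True only when both values exist and match what we intended to write
    return ($null -ne $p) -and ($p.XAdESLevel -eq $Level) -and ($p.TSALocation -eq $Url)
}

# Detect which Office versions this user profile has (keys named like 15.0, 16.0)
$versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
    Select-Object -ExpandProperty PSChildName

foreach ($v in $versions) {
    Set-OfficeTsa -Version $v
    if (Test-OfficeTsa -Version $v) {
        Write-Output "Office $v : TSA configured ($TsaUrl, XAdESLevel=$XadesLevel)"
    } else {
        Write-Warning "Office $v : read-back check failed; inspect $v\Common\Signatures in regedit"
    }
}
```

Registry value names are not case-sensitive, so a value typed by hand with different capitalisation is matched by the read-back check as well.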

After adding IdenTrust as the TSA, as explained above, the IdenTrust TSA is applied automatically every time a Microsoft Office document is protected with a digital certificate on the computer where the TSA has been configured. This can be verified by opening the document, right-clicking the digital signature and selecting “Signature Details”. The signature type shown is XAdES-EPES. Other signature types such as XAdES-T, XAdES-C, XAdES-X and XAdES-X-L are also valid timestamped values.


Clicking “See the additional signing information that was collected.” does not show the TSA details, because Microsoft currently does not provide an automated RFC-3162 standard API to obtain them.