Configure the Office 365 host

To enable Microsoft 365 to use a specified TSS appliance for its default time stamp service, you must:

Install the TSA certificate

  1. Log into the Office 365 host.

  2. Copy the TSE certificate exported in configure-tsop.adoc#fulfill-tsa-csr to a local folder. If you don’t have the certificate, do as follows:

    1. Log into the TSS as the security officer (superuser).

    2. In the left pane, navigate to TSA Management > Operational Status.

    3. Select the TSA Name, then select Cert Info.

    4. Select the certificate and Export it to a .cer file.

  3. In the Office 365 host, double-select the certificate. In the certificate dialog window, select Install Certificate….

  4. In the Certificate Import Wizard dialog window, select Local Machine. Then select Next.

  5. In the Certificate Store dialog window, select the Automatically select the certificate store… radio button. Then select Next and Finish.

  6. On the Import was successful pop-up, select OK.

Edit the registry settings

  1. Log into the Office 365 host.

  2. Enter regedit in the Windows search box and select Registry Editor.

  3. In the left pane, navigate to Computer > HKEY_CURRENT_USER.

  4. Export the HKEY_CURRENT_USER registry settings as a backup before you continue.

  5. Navigate to the following registry path: Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Signatures.

    If the registry path does not already exist, create it.
  6. Add the following entries.

    Name            Type                 Data
    MinXAdESLevel   REG_DWORD (32-bit)   2
    TSALocation     String Value         http://<TSS_IP_address>/TSS/HttpTspServer
    XAdESLevel      REG_DWORD (32-bit)   5

    <TSS_IP_address> is the IP address of the TSS appliance. You may use a host name instead of an IP address.
  7. Close the registry editor.
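
The registry steps above can also be scripted. The following PowerShell is an added example, not part of the original procedure: it backs up HKEY_CURRENT_USER, creates the Signatures key if it is missing, writes the three values from the table, and reads them back to confirm them. The `$TssHost` placeholder and the backup file location under the user profile are assumptions; run it as the user who signs documents, because the settings live under HKEY_CURRENT_USER.

```powershell
# Added example: scripted equivalent of the manual Registry Editor steps.
# ASSUMPTION: replace the placeholder with the IP address or host name of your TSS appliance.
$TssHost = '<TSS_IP_address>'
if ($TssHost -match '[<>]') { throw 'Set $TssHost to the TSS appliance address before running.' }

$KeyPath = 'HKCU:\Software\Microsoft\Office\16.0\Common\Signatures'
# ASSUMPTION: the backup is written to the user profile; choose any folder you prefer.
$Backup  = Join-Path $env:USERPROFILE ('HKCU-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Step 4: export HKEY_CURRENT_USER as a backup before changing anything.
& reg.exe export HKCU $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup of HKEY_CURRENT_USER failed; no changes were made.' }

# Step 5: create the registry path if it does not already exist.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# Step 6: the three entries from the table (name, type, data).
$Desired = @(
    @{ Name = 'MinXAdESLevel'; Type = 'DWord';  Value = 2 }
    @{ Name = 'TSALocation';   Type = 'String'; Value = "http://$TssHost/TSS/HttpTspServer" }
    @{ Name = 'XAdESLevel';    Type = 'DWord';  Value = 5 }
)
foreach ($Entry in $Desired) {
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $KeyPath -Name $Entry.Name -PropertyType $Entry.Type `
        -Value $Entry.Value -Force | Out-Null
}

# Read the values back and stop if any of them differs from what was requested.
$Actual = Get-ItemProperty -Path $KeyPath
foreach ($Entry in $Desired) {
    if ($Actual.($Entry.Name) -ne $Entry.Value) {
        throw "Registry value $($Entry.Name) is '$($Actual.($Entry.Name))', expected '$($Entry.Value)'."
    }
}

Write-Output "Backup written to $Backup"
$Actual | Select-Object MinXAdESLevel, TSALocation, XAdESLevel
```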

Make "Microsoft Office" configuration available in Group Policies

  1. Download the administrative template files (ADMX/ADML) for Microsoft Office. Be sure to select your language. For example, the English version is available at Administrative Template files (ADMX/ADML) for Microsoft Office.

  2. Double-select the downloaded file to extract the admx and adml folders locally.

  3. Open the admx folder. Copy all the *.admx files to C:\Windows\PolicyDefinitions\.

  4. In the admx folder, select the folder corresponding to your region, for example en-us. Copy all the *.adml files to C:\Windows\PolicyDefinitions\<your-region>\, for example C:\Windows\PolicyDefinitions\en-US\.

  5. Enter group policy in the Windows search box and select Edit group policy.

  6. Navigate to User Configuration → Administrative Templates → Microsoft Office 2016. The settings for Microsoft Office should now appear.

  7. Navigate further to Security Settings → Digital Signatures. Edit the following policies as shown below.

    Name                                                           Value
    Specify timestamp server name                                  http://<TSS_IP_address>/TSS/HttpTspServer
    Requested XAdES level for signature generation                 XAdES-X-L
    Specify Minimum XAdES level for digital signature generation   XAdES-T

  8. Close the group policy editor window.

  9. Update the group policy.

    >gpupdate /force
    Updating policy...
    
    Computer Policy update has completed successfully.
    User Policy update has completed successfully.