The Certificates page in the Admin section of Signotaur allows administrators to manage certificates used by the Signotaur client for code-signing.

A sortable, filterable table displays all registered certificates and can be searched by alias, label, or subject.

Certificate Table Columns

  • Alias: Auto-generated descriptive name for the certificate (e.g., "CodeSigningCert (2027-12-31)")
  • Label: User-defined simple identifier for CLI certificate selection (e.g., "production", "test") - see Certificate Selection below
  • Subject: Certificate subject distinguished name
  • Thumbprint: SHA-1 hash of the certificate
  • Expires: Certificate expiration date
  • Enabled: Whether the certificate is available for signing operations
  • Actions: Available operations for the certificate

Adding a New Certificate

To add a certificate, click Add New Certificate. A dialog will open where you can enter certificate details.

Signotaur supports three certificate types, each accessible via its own tab:

  • Hardware: Loaded from a server hardware token or HSM via PKCS#11, a cryptographic token interface standard.
  • File: Uploaded PFX (Personal Information Exchange) files containing certificates and private keys.
  • Store: Certificates stored in the Windows Certificate Store.

Click each heading for more details on adding each certificate type.

Editing a Certificate

To edit a certificate's alias or label, click the Edit button next to the certificate entry.

In the dialog which opens, you can modify:

  • Alias: The descriptive display name for the certificate. Must be unique across all certificates.
  • Label: An optional, simple identifier for CLI certificate selection. Multiple certificates can share the same label (useful for certificate renewal workflows).

Label Duplication Warnings

When editing a certificate's label, the dialog displays warnings if other certificates share the same label:

  • Orange Warning (⚠️): Multiple non-expired certificates share this label. This may cause ambiguity during CLI certificate selection - the certificate with the latest expiration date will be automatically selected.
  • Gray Warning: Only expired certificates share this label (no selection conflict).

Note: Label matching is case-insensitive ("Production" matches "production").

Certificate Selection via Labels

Labels provide a user-friendly way to select certificates in the SignotaurTool CLI without needing to update scripts when renewing certificates.

Benefits:

  • Simplified CI/CD: Use --label production instead of updating thumbprints after renewal
  • Automatic Selection: When multiple non-expired certificates share a label, the one with the latest expiration is automatically selected
  • Seamless Renewal: Assign the same label to your new certificate, and existing scripts continue to work

Example Workflow:

  1. Current certificate has label "production", expires 2025-12-31
  2. Obtain renewal certificate, expires 2027-12-31
  3. Add renewal certificate to Signotaur with label "production"
  4. Both certificates are now available (overlap period for testing)
  5. After expiration of old certificate, new certificate is automatically used
  6. No changes needed to CI/CD scripts using --label production

See Sign Command - Certificate Selection for CLI usage.
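
The selection rule and the duplicate-label warnings described above can be modelled to audit a certificate inventory before a renewal. This is an added example, not Signotaur's own code: the `Cert` record, the function names, the sample inventory, the treatment of the expiry date as still valid, and the exact orange/gray thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    alias: str
    label: str      # empty string = no label assigned
    expires: date

def is_live(cert, today):
    # Assumption: a certificate counts as non-expired through its expiry date.
    return cert.expires >= today

def resolve_label(certs, label, today):
    """Return the certificate a label selects, or None if nothing matches."""
    wanted = label.casefold()  # label matching is case-insensitive
    live = [c for c in certs if c.label.casefold() == wanted and is_live(c, today)]
    return max(live, key=lambda c: c.expires, default=None)

def audit_labels(certs, today):
    """Map each label to (selected alias, warning); thresholds are this example's reading."""
    groups = defaultdict(list)
    for c in certs:
        if c.label:
            groups[c.label.casefold()].append(c)
    report = {}
    for label, members in groups.items():
        live = [c for c in members if is_live(c, today)]
        if len(live) > 1:
            warning = "orange"   # several non-expired certs: latest expiry wins
        elif len(members) > 1:
            warning = "gray"     # duplicates exist, but at most one is non-expired
        else:
            warning = None
        chosen = resolve_label(certs, label, today)
        report[label] = (chosen.alias if chosen else None, warning)
    return report

# Constructed inventory mirroring the renewal workflow on this page.
INVENTORY = [
    Cert("CodeSigningCert (2025-12-31)", "production", date(2025, 12, 31)),
    Cert("CodeSigningCert (2027-12-31)", "Production", date(2027, 12, 31)),
    Cert("TestCert (2026-06-30)", "test", date(2026, 6, 30)),
]

if __name__ == "__main__":
    for day in (date(2025, 11, 1), date(2026, 1, 15)):
        print(day, audit_labels(INVENTORY, day))
```

Under the latest-expiration rule, the label already resolves to the renewal certificate during the overlap period, so any validation of the new certificate should be finished before it is given the shared label.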

Enabling/Disabling a Certificate

To enable or disable a certificate for signing, toggle the checkbox in the Enabled column of the certificates table.

Viewing a Thumbprint

To view a certificate's thumbprint, click the Show Thumbprint button next to its entry. A dialog will open where you can view and copy the thumbprint.

Assigning User Access

To assign certificates to users, click the Assign User Access button next to the certificate entry.

In the dialog which opens, use the dropdown to select one or more non-admin users to assign the certificate to, then click Save.

Note: Only non-admin users can be assigned this way, as admin users automatically have access to all certificates.

Updating the Password

PKCS#11 certificate passwords can expire. To update the registered password for a certificate, click the Update Password button next to the certificate entry.

In the dialog which opens, enter the password and a password confirmation, then click Save.

Note: Passwords can only be updated for PKCS#11 certificates.

Deleting a Certificate

To delete a certificate, click the Delete button next to its entry, then confirm to permanently remove it.