Signotaur is available in two editions, plus a time-limited trial. Your edition is determined by the license installed on the Licenses page, and it controls whether the Managed CA features (certificates issued and renewed by Signotaur's Internal CA or by Microsoft ADCS) are available.

| Edition | How you get it |
|---|---|
| Standard | The default. Pre-2.0 licenses, and any license without an edition field, are read as Standard. |
| Enterprise | An Enterprise license. Unlocks the full Managed CA feature set. |
| 14-day Enterprise trial | Requested from the Licenses page. Grants Enterprise-level access for 14 days. |

The 14-day trial is Enterprise by virtue of the license it issues, not a separate edition. Existing Standard or trial licenses are not upgraded retroactively; to evaluate the Enterprise features, request a new trial or install an Enterprise license.

| Feature | Standard | Enterprise |
|---|---|---|
| Code signing with File, Windows Store, and Hardware (PKCS#11 / HSM) certificates | Yes | Yes |
| Signing Authenticode (EXE, DLL, MSI, CAT, SYS), AppX/MSIX, NuGet, VSIX, ClickOnce/VSTO, RDP, CMS, and detached signatures | Yes | Yes |
| RFC 3161 timestamping with fallback timestamp servers | Yes | Yes |
| Web (TLS) certificate from a PFX file, the Windows store, or self-signed | Yes | Yes |
| Multi-user management with roles and per-user certificate assignment | Yes | Yes |
| API keys with rotation and expiry for unattended CI/CD signing | Yes | Yes |
| Two-factor authentication, external authentication (SSO), and password policies | Yes | Yes |
| Audit event log, email notifications, and encrypted backup & restore | Yes | Yes |
| Issuing and renewing certificates from the Internal CA or Microsoft ADCS | — | Yes |
| Automatic renewal of managed web and managed code-signing certificates | — | Yes |
| Using managed-CA-issued code-signing certificates for signing | — | Yes |
| Web certificate in Use Managed CA mode | — | Yes |

In short: core code signing and the manual web-certificate modes are available in every edition. The Managed CA capability (Signotaur acting as a certificate authority) requires Enterprise.
Signotaur licenses, Standard and Enterprise alike, are perpetual: they never expire. A license is sold with a subscription (12 months by default) that covers updates and support, but the license itself keeps working indefinitely. When the subscription lapses you can keep running the software; the license stays valid for every Signotaur build that was released before your subscription expired, and is rejected only by newer builds released after that date. Renewing the subscription extends coverage to those newer builds.
The single exception is the 14-day Enterprise trial, which is a time-limited license that does expire on its end date.
The Managed CA gate is graceful; it never stops a server or deletes data.
If you select a Managed CA web-certificate mode without an Enterprise license, Signotaur issues a single managed web certificate, valid for up to 90 days and with no automatic renewal. This applies on a fresh install, and on the first v1-to-v2 upgrade that enables Managed CA. When that certificate expires while the server is still unlicensed, Signotaur automatically reverts the web certificate to self-signed; no manual action is needed.
The grace is one-time per server and cannot be reset: once a managed web certificate has ever been issued on a server, reconfiguring a Managed CA mode while unlicensed is blocked. The installer reports an error, the configure command leaves the certificate configuration untouched, and the server refuses to re-issue.
When a valid Enterprise license is no longer present — for example the 14-day trial reached its end date, the Enterprise license was removed, or the server was updated to a build released after the Enterprise license's subscription expired (see Licenses Are Perpetual) — what happens next depends on whether any other valid license remains.
If a valid Standard license is still installed, the server falls back to standard behaviour. Nothing is torn down:
If no valid license of any edition remains, the server is unlicensed. A valid license, of any edition, is required to sign, so an unlicensed server rejects signing and certificate requests from the client tool (responding "Server is not licensed") until a license is installed. The admin web UI stays available so an administrator can add one.
Install, view, and remove licenses (and request a trial) on the Licenses page.