Once Signotaur manages a certificate, it keeps that certificate current, renewing it before it expires and tidying away the certificates it replaces. This page explains how automatic renewal works, and how replaced certificates are retained and eventually cleaned up.
All of the settings described here are configured on the Settings and Renewal Policy tabs of the Managed Certificates admin page.
Signotaur runs background services that periodically check managed certificates and renew any that are approaching expiry. A certificate is renewed when the number of days until it expires falls below its renewal threshold.
Renewal as a whole is governed by the Renewal Enabled master switch. When it is turned off, the background services stop renewing, but certificates can still be issued and renewed manually from the web interface, and certificate cleanup continues to run. The switch is read live, so changing it takes effect without a service restart.
Automatic renewal of managed certificates requires an Enterprise license. When the server is unlicensed, the renewal services skip managed web and managed code-signing certificates: existing certificates ride to expiry, an unlicensed managed web certificate then reverts to self-signed, and managed code-signing certificates become unavailable for signing. Adding an Enterprise license resumes renewal automatically. See Managed CA Licensing and Editions & Licensing.
Each renewal check runs on a fixed interval with a small amount of random jitter (±10%), so that a fleet of identically configured servers does not contact the issuer all at once. If a renewal attempt fails (for example, because the issuer is temporarily unreachable) the service backs off, retrying with a progressively longer delay (from one hour up to a daily maximum) until it succeeds. It then returns to its normal cadence.
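The check-threshold-jitter-backoff loop described above, as an added example written for this page rather than Signotaur's own code. The page fixes the ±10% jitter and the one-hour-to-one-day backoff range; the one-hour base cadence between passes and the doubling of the retry delay on each consecutive failure are assumptions made here for illustration.

```python
# Added example: a model of the renewal loop as the page describes it.
# Illustrative code written for this page, not Signotaur's implementation.
# Assumptions (not stated on the page): the base check interval is one hour, and the
# retry delay doubles on each consecutive failure; the page only says the delay
# grows "progressively" from one hour up to a daily maximum.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import random

CHECK_INTERVAL = timedelta(hours=1)   # assumed base cadence between passes
BACKOFF_START = timedelta(hours=1)    # first retry delay after a failure (from the page)
BACKOFF_MAX = timedelta(days=1)       # daily maximum (from the page)
JITTER = 0.10                         # ±10% (from the page)


class IssuerUnreachable(Exception):
    """Raised by the issuer callback when a renewal attempt fails."""


@dataclass
class ManagedCert:
    name: str
    not_after: datetime          # certificate expiry (UTC)
    renewal_threshold_days: int  # renew once fewer days than this remain


@dataclass
class SchedulerState:
    renewal_enabled: bool = True   # the Renewal Enabled master switch, read on every pass
    failures: int = 0              # consecutive failed passes, drives the backoff


def needs_renewal(cert: ManagedCert, now: datetime) -> bool:
    """A certificate is due when the days left until expiry fall below its threshold."""
    days_left = (cert.not_after - now) / timedelta(days=1)
    return days_left < cert.renewal_threshold_days


def backoff_delay(failures: int) -> timedelta:
    """Delay before the next attempt after `failures` (>= 1) consecutive failures.
    Assumed schedule: 1h, 2h, 4h, ... capped at the 24h maximum."""
    return min(BACKOFF_START * (2 ** (max(failures, 1) - 1)), BACKOFF_MAX)


def jittered(interval: timedelta, rng: random.Random) -> timedelta:
    """Spread the next pass over ±JITTER so a fleet does not hit the issuer together."""
    return interval * (1.0 + rng.uniform(-JITTER, JITTER))


def renewal_pass(certs, now, state, issuer, rng):
    """One pass of the background service.

    `issuer(cert)` performs the renewal and raises IssuerUnreachable on failure.
    Returns (names renewed in this pass, delay until the next pass)."""
    if not state.renewal_enabled:
        # Switch is off: keep polling it, renew nothing.
        return [], jittered(CHECK_INTERVAL, rng)
    renewed = []
    for cert in certs:
        if not needs_renewal(cert, now):
            continue
        try:
            issuer(cert)
        except IssuerUnreachable:
            state.failures += 1
            return renewed, backoff_delay(state.failures)
        renewed.append(cert.name)
    state.failures = 0            # back to the normal cadence after a clean pass
    return renewed, jittered(CHECK_INTERVAL, rng)


if __name__ == "__main__":
    # Constructed sample fleet: one certificate inside its threshold, one not.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    certs = [
        ManagedCert("web-tls", now + timedelta(days=20), 30),
        ManagedCert("codesign", now + timedelta(days=200), 30),
    ]
    print(renewal_pass(certs, now, SchedulerState(), lambda c: None, random.Random(1)))
```

Note that a failed pass returns the backoff delay without jitter and leaves the remaining due certificates for the retry; a clean pass resets the failure counter so the jittered base cadence resumes, which is the "returns to its normal cadence" behaviour the page describes.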
Renewal reissues a certificate without changing what it represents. The renewed certificate keeps the original's subject, key size, friendly name, and Subject Alternative Names; additional SANs are only ever added, never removed. This means trust relationships and existing references to the certificate continue to work across a renewal. Validity period may be supplied as an override on a manual renewal, but is otherwise carried forward.
The server's web (TLS) certificate is renewed automatically when the web certificate is in Managed CA mode.
When the web certificate is renewed, the new certificate is loaded into the running server without a restart; see Web Certificate Loading. If the certificate is signed by the Internal CA and the Intermediate CA is itself near expiry, the Intermediate is renewed first so the new web certificate chains to a fresh Intermediate.
Code-signing certificates issued from the Managed Certificates page are renewed automatically.
If the certificate being renewed was registered for signing (assigned to users on the Certificates page), the renewed certificate is registered automatically in its place, preserving its label and user assignments. Build scripts that select the certificate by label continue to work without changes; see Certificate Selection via Labels.
For the Internal CA, the Intermediate CA is renewed automatically when it comes within its renewal threshold (180 days before expiry by default) provided the Root CA is reachable. The Root CA itself is never renewed automatically. See Renewing the Intermediate CA for details.
When a certificate is renewed, the certificate it replaced is not deleted immediately. It is marked Replaced and kept for a period so that the transition can be audited and so that anything still chained to it continues to validate. A daily cleanup service removes records and key files once they are no longer needed.
The cleanup service:
- Removes the .pfx files of replaced and revoked certificates once they are safe to delete.

The retention period (RetentionDays, 365 days by default) is measured differently for the two kinds of certificate:
When a registered code-signing certificate is renewed, the older certificate is marked Replaced. It is still valid, but the newer certificate should be used for new signing operations. Signotaur can retire replaced registered certificates automatically, in two stages:

- After the disable grace period (SupersededDisableGraceDays, 7 days by default), the replaced certificate is disabled so it is no longer offered for signing. Re-enabling it manually overrides this; Signotaur will not disable it again.
- After the delete grace period (SupersededDeleteGraceDays, 30 days by default), and once the certificate has expired, the replaced certificate registration is permanently removed.

Both grace periods are measured from the moment of renewal. This whole behaviour is controlled by the Auto-unregister replaced certificates switch; when it is off, replaced certificates are left in place for an administrator to manage manually. Replaced registered certificates are flagged in the Certificates table so you can see what is scheduled.
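The two-stage retirement above, with its edge cases (deletion needs both the grace period and expiry; a manual re-enable suppresses a second disable; the master switch turns it all off), as an added example written for this page, not Signotaur's own code. The grace-period defaults are from the page; the way a manual re-enable is detected (the pass records that it disabled the registration and leaves it alone if it later finds it enabled again) is an assumption made here.

```python
# Added example: the two-stage retirement of a replaced registered certificate as the
# page describes it. Illustrative code written for this page, not Signotaur's own.
# Assumption: the daily pass records that it disabled a registration; if it later finds
# the registration enabled again, an administrator re-enabled it and it is not disabled again.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SUPERSEDED_DISABLE_GRACE_DAYS = 7    # SupersededDisableGraceDays default (from the page)
SUPERSEDED_DELETE_GRACE_DAYS = 30    # SupersededDeleteGraceDays default (from the page)


@dataclass
class Registration:
    label: str
    not_after: datetime                     # expiry of the replaced certificate
    replaced_at: Optional[datetime] = None  # set at the moment of renewal
    enabled: bool = True
    auto_disabled: bool = False             # set when the pass itself disabled it


def retirement_action(reg, now, auto_unregister=True,
                      disable_grace_days=SUPERSEDED_DISABLE_GRACE_DAYS,
                      delete_grace_days=SUPERSEDED_DELETE_GRACE_DAYS) -> str:
    """Decide what the daily pass does with one registration: 'keep', 'disable' or 'delete'."""
    if not auto_unregister or reg.replaced_at is None:
        return "keep"                       # switch is off, or the certificate was never replaced
    since_renewal = now - reg.replaced_at   # both grace periods count from the renewal
    # Stage 2: the delete grace period has elapsed AND the certificate has expired.
    if since_renewal >= timedelta(days=delete_grace_days) and now >= reg.not_after:
        return "delete"
    # Stage 1: disable once the disable grace period has elapsed.
    if since_renewal >= timedelta(days=disable_grace_days) and reg.enabled:
        if reg.auto_disabled:
            return "keep"                   # admin re-enabled it after we disabled it: leave it
        return "disable"
    return "keep"


def apply_action(reg, action):
    """Carry out the decided action on the registration record."""
    if action == "disable":
        reg.enabled = False
        reg.auto_disabled = True


def simulate(reg, days, reenable_on_day=None, auto_unregister=True):
    """Run the daily pass for `days` days after renewal and return the days on which the
    pass acted, as (day, action) pairs. Optionally model a manual re-enable on one day."""
    events = []
    for day in range(days + 1):
        now = reg.replaced_at + timedelta(days=day)
        if reenable_on_day == day and not reg.enabled:
            reg.enabled = True              # manual re-enable from the Certificates page
        action = retirement_action(reg, now, auto_unregister)
        if action != "keep":
            events.append((day, action))
            apply_action(reg, action)
        if action == "delete":
            break
    return events


if __name__ == "__main__":
    # Constructed sample: renewed on 1 Jan 2025, old certificate expires 60 days later.
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg = Registration("release-signing", t0 + timedelta(days=60), replaced_at=t0)
    print(simulate(reg, 70))   # disabled on day 7, deleted on day 60 (after expiry)
```

The ordering of the two checks matters: deletion is tested first so a registration whose certificate has already expired is removed at the 30-day mark even if an administrator re-enabled it in between, which is how the page's "permanently removed" stage reads.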