Web Certificate Loading

The web certificate is the HTTPS (TLS) certificate the Signotaur website presents to browsers and to the SignotaurTool client. This page explains how the server loads that certificate at startup, and how a renewed certificate is applied to a running server without downtime.

The web certificate is configured on the Web Certificate admin page. Its source (a PFX file, the Windows certificate store, a self-signed certificate, or a managed CA) is recorded as the certificate mode in the configuration file.

Loading at Startup

The web certificate is resolved early in startup, before the web server begins accepting connections, so that the very first request is served over the configured certificate. How it is resolved depends on the mode:

  • PFX file, Windows certificate store, self-signed: the certificate is loaded directly from the configured location.
  • Managed CA: the certificate is loaded from the managed-certificate store, as described below.

Managed CA Mode

When the web certificate is in Managed CA mode, Signotaur owns the certificate's whole lifecycle.

First Start

When the Internal CA or ADCS certificate mode is selected in the installer, the installer records a one-time "issue at next start" directive. On the next start, Signotaur:

  1. Issues a web certificate from the active issuer (the Internal CA or ADCS).
  2. Stores it in the managed-certificate store and pins it as the selected web certificate.
  3. Clears the directive so the step does not repeat.

If issuance fails (for example, because ADCS is briefly unreachable) the server falls back to a temporary self-signed certificate so the site is still reachable over HTTPS. The directive is left in place so issuance is retried on the next start; it is sticky until it succeeds.

Subsequent Starts

Once a managed web certificate has been issued and pinned, later starts simply load that certificate from the managed-certificate store (%ProgramData%\VSoft\Signotaur\Server\ManagedCerts\, one .pfx file per certificate, named by thumbprint). It is not re-issued on every start.

Applying a Renewed Certificate Without a Restart

Signotaur holds the active web certificate in memory and selects it for each incoming TLS connection. When the certificate is renewed (automatically by the renewal service or manually via Renew Now) the new certificate is swapped in atomically:

  • New connections immediately use the renewed certificate.
  • The previous certificate is kept for a short grace period (about five minutes) so that TLS handshakes already in progress complete cleanly, then it is released.
  • No service restart and no dropped connections.

If applying a renewed certificate fails, the previously active certificate stays in use and the renewal is retried later; a failed renewal never takes the site offline.
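The live swap and the keep-the-old-certificate-on-failure rule above, as an added Go illustration (not Signotaur's own code): the holder is plugged into tls.Config.GetCertificate, a renewed certificate replaces the active pointer atomically, the superseded one is kept alive for the grace period and then released, and an unusable certificate is rejected without touching the active one. The type and method names are assumptions chosen for the example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"sync/atomic"
	"time"
)

// WebCertHolder serves the in-memory web certificate to every TLS handshake. Renewal swaps it
// atomically and keeps the superseded certificate for a grace period. Illustrative, not Signotaur's.
type WebCertHolder struct {
	active   atomic.Pointer[tls.Certificate]
	retained atomic.Int32 // superseded certificates still within their grace period
	grace    time.Duration
}

func NewWebCertHolder(initial *tls.Certificate, grace time.Duration) *WebCertHolder {
	h := &WebCertHolder{grace: grace}
	h.active.Store(initial)
	return h
}

// GetCertificate plugs into tls.Config.GetCertificate: each new connection gets
// whatever certificate is active at the moment its handshake begins.
func (h *WebCertHolder) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return h.active.Load(), nil
}

// Apply installs a renewed certificate; an unusable one is rejected and the active
// certificate stays in place, so a failed renewal never takes the site offline.
func (h *WebCertHolder) Apply(renewed *tls.Certificate) error {
	if renewed == nil || len(renewed.Certificate) == 0 {
		return errors.New("renewed certificate is empty; keeping the current one")
	}
	if old := h.active.Swap(renewed); old != nil { // new connections get the renewed cert now
		h.retained.Add(1)
		time.AfterFunc(h.grace, func() {
			_ = old // the closure keeps the old certificate alive until grace has passed
			h.retained.Add(-1) // released: the GC may now collect it
		})
	}
	return nil
}

// Retained reports how many superseded certificates are still in their grace period.
func (h *WebCertHolder) Retained() int { return int(h.retained.Load()) }
func main() { // wire the holder into a listener config (certificate loading omitted)
	h := NewWebCertHolder(&tls.Certificate{}, 5*time.Minute)
	_ = &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: h.GetCertificate}
}
```

In a real server the grace period would be the roughly five minutes described above; the unit test below shortens it only to observe the release.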

Automatic renewal is applied live. Changing the certificate mode (for example switching from a PFX file to Managed CA) is a configuration change and does require a service restart. The Web Certificate Configuration tab shows a restart-pending banner when one is needed.

Delivering the Certificate Chain

When the web certificate is signed by the Internal CA or by ADCS, the server presents the full chain (the web certificate together with the Intermediate CA certificate) during the TLS handshake. This lets clients build a complete path to the Root.

The Root CA certificate is not sent in the handshake, by convention: a client must already trust the Root for validation to succeed. Distribute the Root to client machines as described on the Trust Distribution tab.

Related Pages

  • Web Certificate: the admin page for the server's HTTPS certificate.
  • Configuration tab: selecting the web certificate mode.
  • Renewal and Retention: when renewal happens.