Configuration File

The Signotaur configuration file Signotaur.Server.config.json is located in the %ProgramData%\VSoft\Signotaur\Server folder. It stores the core Signotaur settings, including authentication, database connections, email settings, site configurations, logging, and encryption. As such, it should be kept secured and backed up at all times.

  • Always make a backup before editing.
  • This file uses JSON format -- improper syntax will prevent Signotaur from starting.
  • Only edit settings if you know what you are doing or have been asked to do so by technical support. Some settings can be edited via the Admin section of the web interface, which is the recommended approach.

Changes to this file require a service restart to take effect.

Below is a description of each section and setting to help administrators understand and customize the configuration.

Authentication

Google

Note: These settings can and should be edited in the Admin section of the Signotaur website.

  • Enabled: Enables or disables Google authentication. Set to true to allow users to log in using Google credentials.
  • ClientId: Google OAuth Client ID for authentication.
  • ClientSecret: Google OAuth Client Secret for authentication.

GitHub

Note: These settings can and should be edited in the Admin section of the Signotaur website.

  • Enabled: Enables or disables GitHub authentication. Set to true to allow users to log in using GitHub credentials.
  • ClientId: GitHub OAuth Client ID for authentication.
  • ClientSecret: GitHub OAuth Client Secret for authentication.

PasswordPolicy

Defines the password requirements if Signotaur uses a traditional username-password login.

  • RequiredLength: Minimum number of characters required for a valid password.
  • RequireNonAlphanumeric: Requires at least one special character (e.g., !@#$%) in the password if set to true.
  • RequireLowercase: Requires at least one lowercase letter if set to true.
  • RequireUppercase: Requires at least one uppercase letter if set to true.
  • RequireDigit: Requires at least one digit if set to true.

ExpirationPolicy

Defines the expiration periods for various tokens, links and cookies used by Signotaur server.

  • PasswordResetLinkExpiryInMinutes: The time period in minutes before the password reset links sent to users expires. Default is 30 minutes.
  • EmailVerificationLinkExpiryInMinutes: The time period in minutes before the email verification links sent to users expires. Default is 720 minutes or 12 hours.
  • TemporaryPasswordExpiryInMinutes: The time period in minutes before a temporary password expires. Default is 60 minutes or 1 hour.
  • RememberMeExpiryInMinutes: The time period in minutes before the "remember me" authentication cookie expires. Default is 20,160 minutes or 14 regular days.
  • TwoFactorRememberMeExpiryInMinutes: The time period in minutes before the 2FA "remember code" cookie expires. Default is 43,200 minutes or 30 regular days.
  • APIKeyExpirationWarningInterval: The number of days before API key expiry to show warning messages. Default is 3 days.

Database

  • ConnectionString: Path to the SQLite database file used by Signotaur. Change the path if the database is stored in a different location.
  • AutoMigrate: When true, Signotaur automatically applies database migrations on startup, ensuring the database schema is up-to-date.

Changing this setting is not recommended.

Backup

Configuration for scheduled automatic backups. When a backup passphrase is set, each scheduled run produces a full, restorable .sigbak archive (config, database, and all certificates); otherwise it falls back to a database-only copy.

These settings are best managed from the Backup tab of the Admin → Settings page. See Backup Settings for the full description, and the archive command for manual backup, restore, verify, and migration.

  • Enabled: Master switch for scheduled backups. Default: false.
  • Schedules: An array of schedule entries. Each entry has:
    • Days: The days of the week the backup runs (e.g. ["Monday", "Tuesday"]).
    • Time: Time of day to run, 24-hour HH:mm format. Default: 02:00.
  • BackupDirectory: Optional root directory for backups. When omitted, the default %ProgramData%\VSoft\Signotaur\Server\backups is used. Within this root, backups are organised into pools: archives (full .sigbak archives, scheduled and manual), database (database-only fallback copies), cert-rollback (pre-change copies made by certificate operations), and pre-upgrade (installer pre-upgrade snapshots).
  • MaxBackupsToKeep: Number of scheduled backups to retain (0–365, default 14). Counts .sigbak archives and database-only copies together as one pool; the newest N across both are kept. The cert-rollback and pre-upgrade pools are retained separately. Set to 0 to keep all backups.
  • EncryptionPassphrase: Passphrase that encrypts scheduled .sigbak archives. Stored encrypted at rest. When set, scheduled backups are full restorable archives; when unset they are database-only and not portable to another host.

Do not edit EncryptionPassphrase directly; the server expects an encrypted value, and the passphrase cannot be recovered if lost. Set it from the Backup Settings page or supply one per-archive with the archive command.

Email

Settings for the outgoing mail server used to send verification and password reset emails.

Note: These settings can and should be edited in the Admin section of the Signotaur website.

  • MailServer: The SMTP server address used for sending emails.
  • MailPort: Port for the SMTP server (commonly 587 for TLS).
  • SenderName: Display name for the sender of outgoing emails.
  • Sender: Email address of the sender.
  • UserName: SMTP server username for authentication.
  • Password: Encrypted password for the SMTP server.

Do not change this directly as the server expects it to be encrypted.

Site

Settings for the web server hosting Signotaur.

Note: These settings can and should be updated via the Signotaur installer.

  • Port: Port number the Signotaur server listens on (default: 7575).
  • ExternalHostName: Hostname used to access the Signotaur server externally.

Certificate

Settings for the HTTPS (TLS) certificate the Signotaur website presents.

Note: These settings can and should be configured via the Signotaur installer or the Web Certificate admin page.

  • Mode: Selects how the web certificate is sourced. One of:

    • PfxFile: load a .pfx file from disk.
    • CertificateStore: load a certificate from the Windows certificate store.
    • SelfSigned: generate (and reuse) a self-signed certificate.
    • ManagedCa: use a certificate issued and automatically renewed by Signotaur's certificate management infrastructure.

    Each mode reads its settings from the matching sub-block below; the sub-blocks for the other modes are ignored.

The following options apply regardless of the selected mode:

  • AllowInvalid: If true, Signotaur will allow self-signed or otherwise invalid certificates.
  • AllowUntrustedRoot: If true, allows certificates with untrusted root CAs (default: true).
  • RevocationCheckMode: Certificate revocation check mode. Valid values are Online, Offline, or NoCheck (default: Online).

PfxFile

  • Path: Path to the .pfx file containing the SSL/TLS certificate.
  • Password: Encrypted password for the certificate file.

CertificateStore

  • Subject: Subject of the certificate to look up in the Windows certificate store.
  • StoreName: Certificate store name to search (for example, My).
  • StoreLocation: Certificate store location to search (LocalMachine or CurrentUser).

SelfSigned

  • Subject: Subject (common name) for the generated self-signed certificate.
  • FriendlyName: Optional Windows display name for the generated certificate.
  • Password: Encrypted password protecting the generated .pfx file.

ManagedCa

  • SelectedThumbprint: Thumbprint of the managed web-server certificate currently in use. This is set automatically when a certificate is issued or renewed; it should not be edited by hand.
  • AutoIssueAtNextStart: When true, the server issues and pins a managed web certificate from the active issuer at the next start. The installer sets this when the Internal CA or ADCS certificate mode is chosen; it is cleared automatically once issuance succeeds.

Password fields are stored encrypted. Do not edit them directly; the server expects an encrypted value.

CertificateManagement

Configuration for Signotaur's integrated certificate-management system: the Internal CA, the optional external ADCS issuer, and the automatic renewal of the server's web certificate and code-signing certificates.

These settings are best managed from the Managed Certificates admin page rather than by editing this file. See the Certificate Management section for a full description of the feature.

  • RenewalEnabled: Master switch for the renewal background services (web certificate and code-signing). It is checked live, so toggling it takes effect without a restart. When false, certificates can still be issued and renewed manually from the web interface, but no automatic renewal occurs. Retention cleanup runs regardless of this setting. Default: true.
  • RetentionDays: Number of days to retain replaced or revoked managed-certificate records before they are removed. End-entity certificates are measured from their expiry date; CA certificates are measured from the date they were replaced. Default: 365.

RenewalPolicy

Renewal cadence for code-signing certificates and the cleanup policy for replaced (renewed-away) registered certificates.

  • CodeSigningThresholdDays: Days before a code-signing certificate expires that automatic renewal is triggered. Default: 30.
  • CodeSigningCheckIntervalHours: Hours between code-signing renewal checks. Default: 24.
  • AutoUnregisterSupersededEnabled: When true, a code-signing certificate that has been renewed is automatically disabled and later deleted once its grace periods elapse. Default: true.
  • SupersededDisableGraceDays: Days after a renewal before the old certificate is automatically disabled. Default: 7.
  • SupersededDeleteGraceDays: Days after a renewal before the old certificate is permanently deleted (the certificate must also be expired). Default: 30.

WebCertificate

Renewal cadence for the server's web (TLS) certificate. It applies regardless of which issuer signed the certificate.

  • RenewalThresholdDays: Days before the web certificate expires that automatic renewal is triggered. Default: 30.
  • RenewalCheckIntervalHours: Hours between web-certificate renewal checks. Default: 24.

BuiltIn

Configuration for the Internal CA.

  • Enabled: Whether the Internal CA is available for issuing certificates. Default: false. The Internal CA is opt-in. It is set to true automatically when the Internal CA is chosen as the web-certificate source (installer or Web Certificate page), or when it is enabled on the Managed Certificates → Settings tab. When false, the Internal CA settings and the Issue from Internal CA action are hidden, and no Root CA is generated.

BuiltIn.RootCa

  • Subject: Subject common name for the Root CA certificate. Default: Signotaur Root CA.
  • ValidityYears: Validity period of the Root CA certificate, in years. Default: 20.
  • KeySize: RSA key size of the Root CA, in bits. Default: 4096.
  • PfxPath: Optional override path for the Root CA .pfx file. When omitted, a default location under the data directory is used.
  • OfflineMode: When true, the Root CA private key is expected to be kept offline. Intermediate-CA renewal and generation are blocked unless the Root .pfx file is present. Default: false.

BuiltIn.IntermediateCa

  • Subject: Subject common name for the Intermediate CA certificate. Default: Signotaur Intermediate CA.
  • ValidityYears: Validity period of the Intermediate CA certificate, in years. Default: 5.
  • KeySize: RSA key size of the Intermediate CA, in bits. Default: 4096.
  • PfxPath: Optional override path for the Intermediate CA .pfx file.
  • RenewalThresholdDays: Days before the Intermediate CA expires that it is automatically renewed (provided the Root CA is reachable). Default: 180.

BuiltIn.Defaults.WebCertificate

Issuance defaults applied when the Internal CA issues a web certificate.

  • SubjectCommonName: Subject common name for issued web certificates. When omitted, the site's external hostname is used.
  • FriendlyName: Optional Windows display name for issued web certificates.
  • ValidityDays: Validity period of issued web certificates, in days. Default: 90.
  • KeySize: RSA key size of issued web certificates, in bits. Default: 4096.
  • AdditionalSans: Additional Subject Alternative Names to include beyond the primary common name.

BuiltIn.Defaults.CodeSigningCert

Issuance defaults applied when the Internal CA issues a code-signing certificate.

  • SubjectTemplate: Pre-fills the Subject field on the Issue Certificate dialog. Leave empty to type a subject each time.
  • FriendlyName: Optional Windows display name for issued code-signing certificates.
  • ValidityDays: Validity period of issued code-signing certificates, in days. Default: 825.
  • KeySize: RSA key size of issued code-signing certificates, in bits. Default: 4096.

External

Configuration for external Certificate Authority issuers. Currently the only supported external issuer is ADCS (Active Directory Certificate Services).

External.Adcs

  • Enabled: Whether the ADCS issuer is available. When false, the ADCS settings and the Issue from ADCS action are hidden. Changing this setting requires a service restart. Default: false.
  • Endpoint: ADCS endpoint URL. Used by the CertSrv transport; for example, https://ca.example.com/certsrv/.
  • CaConfig: CA configuration string. Used by the DCOM transport, in hostname\CAName format; for example, ca.example.com\Example Issuing CA.
  • Transport: How Signotaur communicates with ADCS. DCOM (Windows-only, uses the ADCS COM API) or CertSrv (HTTPS, uses the ADCS Web Enrollment role). Default: DCOM.
  • AllowUntrustedCertificates: For the CertSrv transport, accept the ADCS server's TLS certificate even if its chain is not trusted on this host. The hostname must still match. Ignored for DCOM. Default: false.
External.Adcs.Credentials
  • Username: Username for explicit authentication. Ignored when UseIntegratedAuth is true.
  • Password: Encrypted password for explicit authentication.
  • UseIntegratedAuth: When true, Signotaur authenticates to ADCS as its own Windows service account. When false, the Username and Password are used. Default: true.
External.Adcs.Defaults.WebCertificate
  • SubjectCommonName: Subject common name for issued web certificates. When omitted, the site's external hostname is used.
  • FriendlyName: Optional Windows display name for issued web certificates.
  • Template: ADCS certificate template name used for web-certificate issuance. Default: WebServer.
  • AdditionalSans: Additional Subject Alternative Names to request.
External.Adcs.Defaults.CodeSigningCert
  • Template: ADCS certificate template name used for code-signing issuance. Default: CodeSigning.
  • SubjectTemplate: Pre-fills the Subject field on the Issue Certificate dialog.
  • FriendlyName: Optional Windows display name for issued code-signing certificates.

The validity period and key size of certificates issued by ADCS are governed by the ADCS certificate template, not by Signotaur.

Logging

Defines logging preferences across different outputs. The following minimum log levels can be used set the LogLevel settings:

  • Inherit: Uses the parent section's log level. This is the default for subsections (e.g., Kestrel subsections inherit the Microsoft log level).
  • Verbose: Captures everything you might want to know about a running block of code. Use for highly detailed logging.
  • Debug: Internal system events that aren't observable externally but can help diagnose issues during development.
  • Information: Tracks general application events that are useful for understanding system behaviour under normal operations.
  • Warning: Indicates that some functionality is not working as expected, but the system is still running normally. This level suggests that while the issue may not be critical, it should be monitored or addressed to prevent further impact.
  • Error: Highlights functionality that is unavailable, broken invariants, or lost data. Typically requires immediate attention.
  • Fatal: Represents critical issues that require immediate response.

File

  • LogLevel: Controls the level of logging for file logs (Error, Warning, Information, etc.).
  • LogFileLocation: Optional. Path to the log file. If null, default location at %ProgramData%\VSoft\Signotaur\Server\Logs is used.
  • LogFileSuffix: Optional. Adds a suffix to log files for organization.
  • MaxLogFileSize: Optional. Maximum size for a log file; when reached, a new file is created. The default is 100Mb.

Console

  • LogLevel: Controls the logging level for console output.

Microsoft

  • LogLevel: Specifies the logging level for Microsoft libraries used within the application.

    Kestrel

    Controls logging for the Kestrel web server. These settings are nested under the Microsoft section.

    • LogLevel: Log level for Kestrel (default: Inherit, uses the Microsoft log level).
    • Https: Log level for HTTPS operations (default: Inherit).
    • Http2: Log level for HTTP/2 operations (default: Inherit).
    • BadRequests: Log level for bad request logging (default: Inherit).
    • Connections: Log level for connection logging (default: Inherit).

WindowsEventLog

  • LogLevel: Sets the logging level for messages sent to Windows Event Log.

Encryption

Used to secure sensitive data such as passwords in the application. The AES master key and vector below encrypt every other server secret (OAuth client secrets, SMTP/ADCS passwords, web-certificate PFX passwords, CA key passwords, and the backup passphrase).

The master key and vector are themselves sealed with DPAPI (machine-scoped) the first time the server starts. Once sealed, the values on disk are bound to this machine and cannot be copied to another host; attempting to do so causes the server to fail closed with a clear error. To move a server to a new or rebuilt machine, use the archive command rather than hand-copying these keys. See At-Rest Encryption for the full model, recovery paths, and the encryption-status badges shown in the website footer.

Do not alter these settings. Do not lose the key and vector; if they are lost, the server cannot read any encrypted data. The values are DPAPI-sealed to this machine; to migrate to another host, take a .sigbak backup with archive create and restore it on the destination (restore re-seals the key under the new machine).

  • Key: Encryption key, base64-encoded, used to encrypt sensitive data. This value is DPAPI-sealed at rest (prefixed DPAPI1:).
  • Vector: Initialization Vector (IV), also base64-encoded, used in encryption algorithms for added security. Also DPAPI-sealed at rest.

Updates

  • CheckForUpdates: When set to true, the server will periodically check for updates. If a new update is available, a link to the latest version will be displayed in the website footer.
  • UpdatesUrl: The URL that the server queries for update information. Do not change this value.
  • ProxyAddress: The address of the proxy server used to forward external requests, if applicable.
  • ShowBetaVersions: When set to true, the server will include new beta versions when checking for updates.
  • TimeoutInSeconds: The number of seconds the server will wait before timing out an update check request.

Events

  • MaxEventsToKeep: The maximum number of events to retain. When this limit is reached, older events will be purged from the database.
  • MaxEventDays: The maximum number of days to retain events. Events older than this threshold will be removed.
  • MinEventsToKeep: The minimum number of events to retain. Even if events exceed the MaxEventDays limit, they will not be removed if doing so would result in fewer than this number of events.

Limits

  • MaxAllowedPKCS11PinFailures: Maximum number of PKCS#11 PIN failures before the certificate is locked to prevent token lockout (default: 2).
  • MaxApiKeyRotationsPerDay: Maximum number of API key rotations allowed per user in a 24-hour period (default: 5).

Notifications

Note: These settings can and should be edited in the Admin section of the Signotaur website.

Each notification block below shares the same three settings:

  • Enabled: Enables expiration notifications for that item type (default: true).
  • WarningDays: An array of days before expiry at which to send warning emails. Omit or leave empty to use the block's default.
  • PostExpiryReminderIntervalDays: Days between reminder emails after the item has expired. 0 disables post-expiry reminders (default: 28).

WebsiteCertificateNotifications

Expiration notifications for the server's web certificate. Default warning days: [30, 14, 7, 3, 1].

CodeSigningCertificateNotifications

Expiration notifications for code-signing certificates. Default warning days: [30, 14, 7, 3, 1].

ApiKeyNotifications

Expiration notifications for API keys. Default warning days: [30, 14, 7, 3, 1].

RootCaNotifications

Expiration notifications for the Internal CA's Root certificate. Because a Root CA is long-lived and regenerating it is a deliberate operation, warnings start much further out. Default warning days: [365, 180, 90, 30, 7].

IntermediateCaNotifications

Expiration notifications for the Internal CA's Intermediate certificate. These act as a backstop in case automatic renewal does not occur. Default warning days: [60, 30, 14, 7, 1].

UI

All page size values are clamped to the range 1–50. Values below 1 are treated as 1; values above 50 are treated as 50.

  • DefaultPageSize: Default number of rows per page in data tables (default: 6).
  • UserTablePageSize: Override page size for the users table. Falls back to DefaultPageSize when omitted.
  • CertificateTablePageSize: Override page size for the certificates table. Falls back to DefaultPageSize when omitted.
  • ApiKeyTablePageSize: Override page size for the API keys table. Falls back to DefaultPageSize when omitted.