Trust Distribution

Browsers and the CLI client trust the Signotaur server only if its HTTPS certificate chains to a trust anchor they already recognise. A self-signed certificate, or a certificate from a private CA (Signotaur's Internal CA or ADCS) whose root is not in the client's trust store, is not recognised — so browsers show a "Your connection is not private" warning and the CLI reports certificate errors. To remove these warnings, install the trust anchor in each client's trusted root store.

If the server uses Signotaur's Internal CA or ADCS for its web certificate, the Web Certificate → Trust Distribution tab in the admin UI provides the Root CA download and the same installation steps in-product. Trusting the Root once covers every future renewal — intermediate rotations and certificate renewals still chain to the same Root.

The Trust Anchor

The certificate you need to install on clients depends on how the server's web certificate is issued:

  • For a private CA, this is the Root CA certificate. Installing the Root is a one-time operation; future certificate renewals and intermediate rotations are trusted automatically because they still chain to the same Root.
  • For a self-signed certificate, the certificate itself is the trust anchor.

Obtaining the Trust Anchor

  • From the admin UI (managed CA, or any source): open Web Certificate → Trust Distribution and click Download PEM (.crt, Base64 text) or Download DER (.cer, binary).
  • From the browser (for a manually configured self-signed certificate, when no managed-CA download is available), export it from Chrome:
    1. Open Chrome and visit the Signotaur server website.
    2. Click the Not Secure icon in the address bar and select Certificate Details.
    3. In the Certificate Viewer, go to the Details tab and click Export.
    4. Ensure a Base64-encoded ASCII (.pem, .crt) format is selected and enter a filename.
    5. Click Save to export the certificate file.

Installing the Trust Anchor

Once you have the certificate file, install it into the trusted root store on each client using the appropriate method for the platform.

Windows (Group Policy)

Distributes the certificate to every domain-joined machine within the GPO's scope.

  1. Save the downloaded certificate (root-ca.crt or .cer) to disk.
  2. Open Group Policy Management on a domain controller.
  3. Edit a GPO that targets the machines that should trust this CA (typically Default Domain Policy).
  4. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities.
  5. Right-click → Import… and select the downloaded certificate.
  6. Wait for GPO refresh, or run gpupdate /force on a target machine to test.

Windows (Manual Install)

Installs the certificate on a single machine.

  1. Save the downloaded root-ca.crt to disk and double-click it.
  2. Click Install Certificate…
  3. Choose Local Machine if you have admin rights, otherwise Current User.
  4. Select Place all certificates in the following store → Browse → Trusted Root Certification Authorities.
  5. Finish the wizard and accept the Windows security warning.

Linux

Save root-ca.crt to disk, then add it to the system trust store.

Debian / Ubuntu:

sudo cp root-ca.crt /usr/local/share/ca-certificates/signotaur-root.crt
sudo update-ca-certificates

RHEL / Rocky / Fedora:

sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/signotaur-root.crt
sudo update-ca-trust
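Two checks worth running around the Linux steps above, given here as an added example that is not part of the Signotaur documentation: that the downloaded file really is a trust anchor (self-signed, so neither an intermediate nor the server's leaf certificate), and that after update-ca-certificates or update-ca-trust the anchor is actually present in the rebuilt bundle. It assumes the openssl CLI is installed; the bundle path defaults to Debian's and can be passed explicitly.

```shell
#!/bin/sh
# Added example, not part of the Signotaur docs: sanity checks for a downloaded
# trust anchor before and after installing it on Linux. Assumes the openssl CLI.
set -eu

# Classify a PEM file. A trust anchor must be self-signed (issuer == subject and
# the signature verifies against its own key): "root-ca" for a private CA root,
# "self-signed" for a manually configured self-signed web certificate. Anything
# else (an intermediate, or a leaf issued by the CA) is "not-an-anchor".
anchor_kind() {  # $1 = PEM file
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" != "$iss" ] || ! openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo not-an-anchor
        return 1
    fi
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo root-ca
    else
        echo self-signed
    fi
}

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() {  # $1 = PEM file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# After update-ca-certificates / update-ca-trust, confirm the anchor really
# landed in the rebuilt bundle (Debian path by default; on RHEL pass
# /etc/pki/tls/certs/ca-bundle.crt). Compares fingerprints rather than file
# names, so a stale copy installed under the same name is caught.
anchor_in_bundle() {  # $1 = anchor PEM, $2 = bundle path (optional)
    want=$(fingerprint "$1")
    bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate, then fingerprint each.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { if (out) close(out); n++; out = d "/" n ".pem" }
                     n { print > out }' "$bundle"
    found=1
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        if [ "$(fingerprint "$f")" = "$want" ]; then found=0; break; fi
    done
    rm -rf "$tmp"
    return $found
}
```

Run `anchor_kind root-ca.crt` before copying the file into place, and `anchor_in_bundle root-ca.crt` (with the RHEL bundle path as second argument where applicable) after update-ca-certificates or update-ca-trust has run.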

macOS

  1. Save the downloaded certificate to disk and double-click root-ca.crt — Keychain Access opens.
  2. Choose the System keychain (or login for the current user only) and click Add.
  3. Find the certificate in Keychain Access, double-click it, expand Trust, and set When using this certificate to Always Trust.
  4. Close the window and authenticate when prompted.

Firefox

Firefox uses its own trust store on most platforms (not the OS one).

  1. Save the downloaded root-ca.crt to disk.
  2. Open about:preferences#privacy.
  3. Scroll to Certificates and click View Certificates…
  4. On the Authorities tab, click Import… and select root-ca.crt.
  5. Tick Trust this CA to identify websites and click OK.

Enable security.enterprise_roots.enabled in about:config to make Firefox honour the OS trust store instead.

Signotaur CLI Client

SignotaurTool uses the system trust store on whatever OS it runs on. Once the certificate is installed via one of the methods above, the CLI will trust the server with no further action.

After Installing

Fully close and reopen the browser (not just a tab reload) so it picks up the new trusted root. If a page was already loaded over the untrusted certificate, the browser may keep showing a warning for the rest of the session — open the site in a fresh window (or an incognito/InPrivate window) to confirm trust is working.

Chrome sometimes caches the old certificate, so the warning may persist even after the certificate is trusted. Press Ctrl + Shift + Delete, set the time range to All time, check Cached images and files, click Delete data, then restart Chrome.