VSoft Technologies Blogs

rss

VSoft Technologies Blogs - posts about our products and software development.

Managing Certificate and API Key Expiry with Signotaur

In this article:
  • Why code signing certificates now expire sooner
  • How certificate labels remove thumbprints from build scripts
  • How to rotate and renew API keys safely
  • How to automate the process in Continua CI

Shorter Certificate Lifetimes Are Coming

Code signing certificates used to last up to three years. As of March 1, 2026, that is no longer the case.

The CA/Browser Forum adopted Ballot CSC-31 on November 17, 2025, reducing the maximum validity period for publicly-trusted code signing certificates from 39 months to 460 days (roughly 15 months). For most teams, that means certificate renewals are now an annual operational task rather than an occasional one.

When a certificate is renewed, it receives a new thumbprint, and build scripts that reference the old thumbprint must be updated. In large CI/CD environments, tracking down every reference can be tedious and error-prone.

Separately, API keys used by CI agents to authenticate with the signing server have their own lifecycle and eventually need to be rotated. Replacing them without interrupting active build pipelines can be challenging.

Signotaur addresses both concerns. Label-based certificate selection decouples build pipelines from individual certificates, while API key rotation with overlap allows credentials to be replaced without downtime. Together they turn what used to be stressful maintenance tasks into routine operations.

Certificate Labels: Automatic Certificate Rotation

The Thumbprint Problem

Traditionally, build scripts reference a code signing certificate by its SHA-1 thumbprint — a 40-character hex string that uniquely identifies the certificate. When you renew, you get a new certificate with a new thumbprint, so every script that signs code needs to be updated. If you sign across multiple CI configurations, that means tracking down and editing each one.

Labels to the Rescue

Signotaur lets you assign a label to each registered certificate — for example, production or nightly. When you request a signing operation by label instead of thumbprint, Signotaur automatically selects the certificate with the latest expiry date among all enabled, non-expired certificates that share that label. This ensures that newly issued certificates automatically take precedence.

The rotation workflow is straightforward:

  1. Register your renewed certificate and assign it the same label as the outgoing one.
  2. Builds automatically pick up the new certificate — no script changes required.
  3. The old certificate expires naturally; remove it from Signotaur when you're ready.

Expiration Monitoring

Signotaur's background monitoring service checks certificate expiration daily and sends email notifications to administrators at configurable intervals. The defaults are 30, 14, 7, 3, and 1 day(s) before expiry, with an additional alert if a certificate has already expired. You can customise these warning thresholds in the server configuration.

During a rotation window — when both the old and new certificates are registered with the same label — the admin UI highlights the duplicate label so you can confirm the overlap is intentional.

Screenshot: Certificate list in the Signotaur admin UI showing two certificates sharing the 'production' label. The older certificate shows an expiry warning badge.

API Key Rotation with Overlap

Why Rotate Keys?

API keys grant access to your signing service. If a key is leaked or reused indefinitely, it becomes a long-lived security risk. Regular rotation limits the impact if a key is compromised, satisfies compliance requirements, and handles natural key expiry gracefully. But naive rotation — revoke old, issue new — creates a window where CI agents holding the old key start failing.

How Signotaur Handles It

The rotate-key command creates a new API key while keeping the old one valid for a configurable overlap period of 0–30 days (default: 7 days). During this window, both keys are accepted, allowing CI agents and environments to transition without interruption.

Once the overlap period expires, the old key is automatically revoked. If you prefer to manage revocation manually, pass --no-auto-revoke and the old key will remain valid until you explicitly revoke it.

Screenshot: API Keys page in the Signotaur admin UI showing a rotated key pair. The old key displays an 'Auto-revoke' date and the new key is marked as active.

Safety Guardrails

  • Role required — users must be assigned the ApiKeyRotator role before they can rotate keys. An administrator can assign this role in the Signotaur admin UI.
  • Rate limiting — a maximum of 5 rotations per user per 24-hour period prevents accidental key sprawl.
  • Linear chain only — a key that has already been rotated cannot be rotated again; you must use the successor key. This prevents branching into multiple active key chains.
  • Proactive expiry checking — the sign command accepts a --fail-if-expiring-within flag (e.g. 14d). If the API key used for signing will expire within that window, the command fails immediately with a clear message — catching the problem in CI before it causes a real signing failure.

Conditional Rotation

The --if-expiring-within flag on rotate-key makes rotation idempotent: the key is only rotated if it expires within the specified duration (e.g. 14d, 1w, 24h). This makes it safe to run rotate-key on every CI build or on a nightly schedule without generating unnecessary keys.

Example scheduled rotation command:

signotaur rotate-key --if-expiring-within 14d

Key Renewal

By default, a rotated key inherits the old key's expiry date. If the old key had 30 days of validity remaining, the new key also expires in 30 days. Over time, repeatedly rotating a key gradually shortens its remaining lifetime — which can be a problem for long-running automation.

The --renew flag gives the new key a fresh validity period starting from the rotation date, rather than inheriting whatever time was left on the old key. Without a value, it uses the server default of 90 days; with a value (e.g. --renew 180d), it sets a specific duration up to a maximum of 365 days.

This pairs naturally with conditional rotation — check whether the key is approaching expiry, and if so, rotate and renew in a single command:

signotaur rotate-key --if-expiring-within 14d --renew
If the renewal duration would be shorter than the old key's remaining validity (for example renewing for 30 days when 60 days remain), the command fails as a safety measure. Pass --allow-validity-reduction to override this check when the shorter duration is intentional.

Putting It Together in Continua CI

Continua CI ships dedicated Signotaur actions for both signing and key rotation, so you can wire up the entire workflow without writing any custom scripts. Before configuring those actions, you'll need to assign a label to your certificates in the Signotaur admin UI.

Assigning a Label to Your Certificates

In the Signotaur admin UI, navigate to Certificates and either add a new certificate or edit an existing one. In the certificate dialog you'll find two name fields:

  • Alias — a unique display name for the certificate (auto-generated by default, e.g. "CodeSigningCert (2027-12-31)").
  • Label — an optional identifier used for CLI and CI/CD certificate selection, e.g. production. Multiple certificates can share the same label. Matching is case-insensitive, so Production and production resolve the same way.

When you renew a certificate, register the new one and assign it the same label as the outgoing certificate. The admin UI will show an orange notice confirming that multiple active certificates share the label and that the one with the latest expiry will be selected automatically. No build script changes needed.

Screenshot: Signotaur certificate edit dialog showing the Alias and Label fields. The Label field is set to 'production'.

For full details, see the Certificates documentation.

Setting Up the Rotate Keys Action

Add the Signotaur Rotate Keys action to a stage — either in a scheduled maintenance configuration or directly in your build configuration. With the If Expiring Within condition the action only rotates the key when expiry is approaching, so it can safely run on every build.

The action is organised into several tabs:

Signotaur Rotate Keys tab — configure Overlap Days (how long the old key remains valid alongside the new one, default 7) and whether to Disable auto-revocation if you prefer to revoke old keys manually.

Screenshot: Continua CI Signotaur Rotate Keys action — Main tab showing Overlap Days and Disable auto-revocation options.

Server tab — set the Server URL for your Signotaur instance and the API Key Source. Select Value (from variable) and reference a server variable (e.g. %SignotaurAPIKey%) to avoid hard-coding keys in the action.

Screenshot: Continua CI Signotaur Rotate Keys action — Server tab showing Server URL and API Key Source set to a server variable.

Conditions tab — set If Expiring Within to make the rotation conditional (e.g. 14d to only rotate if expiry is within two weeks). Enable Ignore already rotated error to safely run the action in concurrent CI builds without failure if the key was already rotated by another build.

Screenshot: Continua CI Signotaur Rotate Keys action — Conditions tab showing If Expiring Within and Ignore already rotated error options.

Renewal tab — enable the Renew checkbox to give the new key a fresh validity period instead of inheriting the old key's remaining lifetime. Set a specific Renew Duration (e.g. 90d), or leave it blank to use the server default. Check Allow validity reduction if the renewal duration may be shorter than the old key's remaining validity.

Screenshot: Continua CI Signotaur Rotate Keys action — Renewal tab showing Renew checkbox, Renew Duration, and Allow validity reduction options.

Output tab — choose Set Variable as the output destination and select a Server variable to store the new key. This way your sign actions automatically pick up the rotated key without any manual updates.

Screenshot: Continua CI Signotaur Rotate Keys action — Output tab with Set Variable selected, storing the new key in a server-scoped variable.

Full documentation: Signotaur Rotate Keys Action

Setting Up the Sign Action with Label Selection

Add the Signotaur Sign action to your build stage, after compilation and before packaging.

Key fields:

  • Files to Sign — glob patterns for your build output, e.g. **/*.exe, **/*.dll.
  • Certificate Selection Mode — set to Label.
  • Label — your shared label, e.g. production. Signotaur will automatically select the certificate with the latest expiry date.
  • API Key Source — point to the server variable populated by the Rotate Keys action, or a securely stored key.
  • Fail If Expiring Within — e.g. 14d. If the API key expires within two weeks, the action fails early so you can rotate before it becomes a blocker.
  • Timestamp Server & Digest — configure your preferred timestamping authority and hash algorithm.

Screenshot: Continua CI Signotaur Sign action — Certificate tab showing Selection Mode set to Label with value 'production'.

Screenshot: Continua CI Signotaur Sign action — Server tab showing Fail If Expiring Within set to '14d'.

Full documentation: Signotaur Sign Action

Typical Rotation Workflow

In practice, certificate and API key rotation can be handled with a small amount of scheduled automation in your CI system.

  1. Register renewed certificates in Signotaur and assign them the same label as the previous certificate.
  2. CI builds continue using the label, automatically selecting the certificate with the latest expiry date.
  3. Schedule periodic API key checks using the rotate-key --if-expiring-within option.
  4. The new key is written to a CI server variable, allowing build pipelines to automatically use the rotated key.
  5. Use --renew so rotated keys receive a fresh validity period rather than inheriting the old key's remaining lifetime.
  6. Retire old certificates and keys once they are no longer needed.

Wrapping Up

With code signing certificate lifetimes dropping to roughly 15 months, the days of "set it and forget it" certificate management are over. Signotaur's label-based signing means your CI/CD pipelines don't need to know — or care — which specific certificate is current. And overlap-based API key rotation ensures you can swap credentials without any signing downtime.

These features are already available in Signotaur. If you're evaluating it, check out the Signotaur documentation to get started.

Related Posts


  • ClickOnce and VSTO Application Signing with Signotaur

    Sign ClickOnce and VSTO applications easily with Signotaur. Automate manifest signing, ensure trusted publishers, and simplify your CI/CD builds.

  • Code Signing with USB Tokens

    Big changes are coming for OV (Organisation Validation) code signing certificates - from (1 June 2023, extended from 15 November 2022), new and reissued publicly trusted organization validation (OV) and individual validation (IV) code signing certificates will have to be issued or stored on preconfigured secure hardware by the issuing certificate authority (CA) and the device must meet FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent security standards.

  • Code Signing with Inno Setup and Signotaur

    Inno Setup has long supported code signing  (since v5.2.4).  Fortunately, the way the authors of Inno Setup implemented this feature makes it really easy to use custom tools to do the code signing. In this post we'll take a look at how to use Signotaur with Inno Setup.

  • Signotaur and Certificate Revocation Lists

    We recently had a report from a customer that code signing using Signotaur was taking a long time - in this case around a minute to sign 1 file. This is obviously far too slow for practical use.

  • Introducing Signotaur - Remote Code Signing Server

    Over the last few years, code signing has changed somewhat. With the requirement that private keys be secured, many developers have run into the issues that USB tokens present, or the limitations and costs associated with cloud-based signing solutions. Gone are the days of sharing a PFX file around the dev team or with the CI server (unless you managed to snag a 3-year renewal just before the new requirements were enforced). Signotaur is a self hosted code signing server (and client) that makes sharing certificates simple, all whilst ensuring the private key never leaves the server.

  • Managing Delphi Version Info with FinalBuilder

    In this post, we'll take a look at the various options for managing and updating Version Info in Delphi projects using FinalBuilder.
API Keys, Build Automation, Certificate Managemen, CI/CD, Code Signing, Code Signing Certificates, Continua CI, Delphi, Key Rotation, Signotaur
Showing 0 Comment
your Comment will be showing after administrator's approval







b i u quote



Save Comment