Fill it with this, make sure your directories are correct in the ExecStart line:
[Unit] Description=step-ca After=syslog.target network.target [Service] User=step Group=step ExecStart=/bin/sh -c '/bin/step-ca /home/step/.step/config/ca.json --password-file=/home/step/.step/pwd >> /var/log/step-ca/output.log 2>&1' Type=simple Restart=on-failure RestartSec=10 [Install] WantedBy=multi-user.target
Next, populate the pwd file with the plaintext intermediate CA password. I put mine in /home/step/.step/pwd
Next, configure the /home/step/.step/config/ca.json file with the port and address you want to host the server behind. I’d recommend 127.0.0.1:8443 and then a nginx reverse proxy in front of it.
Last, create the log file directories:
mkdir -p /var/log/step-ca chown -R step:step /var/log/step-ca
Now make damn sure it’s hard to login to that box and hard for anyone to read the pwd file.