Step-CA: Run as a systemd service

Create /etc/systemd/system/step-ca.service

Fill it with the following, making sure the directories in the ExecStart line match your installation:

[Unit]
Description=step-ca
After=syslog.target network.target

[Service]
User=step
Group=step
ExecStart=/bin/sh -c '/bin/step-ca /home/step/.step/config/ca.json --password-file=/home/step/.step/pwd >> /var/log/step-ca/output.log 2>&1'
Type=simple
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

Next, populate the pwd file with the plaintext intermediate CA password. I put mine in /home/step/.step/pwd.

Next, configure the /home/step/.step/config/ca.json file with the address and port you want the server to listen on. I’d recommend 127.0.0.1:8443 and then an nginx reverse proxy in front of it.

Last, create the log file directories:

mkdir -p /var/log/step-ca
chown -R step:step /var/log/step-ca

Now make damn sure it’s hard to log in to that box and hard for anyone to read the pwd file.
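Here is an added example, not code from the original post, that does the password-file and log-directory steps above with the permissions locked down, and gives you an audit function you can drop into cron to catch the pwd file ever becoming readable by anyone but the step user. The paths are the ones from the post; STEP_PREFIX is an assumption of this script (when it is empty the real paths are used, when it is set to a scratch directory the same layout is built there so the functions can be exercised without root), and the chown to step:step only runs when you are root and the step user exists.

```shell
#!/bin/sh
# Added example, not code from the original post: stage the step-ca password
# file and log directory with restrictive permissions, then audit them.
# Paths come from the post. STEP_PREFIX is an assumption of this script: when
# empty the real paths are used, when set (e.g. to a mktemp -d directory) the
# same layout is created under that prefix so the functions run without root.
# chown to step:step happens only when running as root and the step user
# exists, which the post's unit file (User=step) assumes.
set -eu

pwd_file() { printf '%s\n' "${STEP_PREFIX:-}/home/step/.step/pwd"; }
log_dir()  { printf '%s\n' "${STEP_PREFIX:-}/var/log/step-ca"; }

# Octal mode of a path; GNU stat first, BSD stat as the fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Hand a path to the service account when we are root and the account exists.
own_by_step() {
    if [ "$(id -u)" -eq 0 ] && id step >/dev/null 2>&1; then
        chown step:step "$1"
    fi
}

# Write the intermediate CA password read from stdin (never from argv, which
# would expose the secret in `ps`). umask 077 means the file is created 0600,
# so it is never world-readable, not even between creation and chmod.
write_password_file() {
    f="$(pwd_file)"
    mkdir -p "$(dirname "$f")"
    (umask 077; cat > "$f")
    chmod 600 "$f"
    own_by_step "$f"
}

# The log directory from the post, closed to "other" users.
create_log_dir() {
    d="$(log_dir)"
    mkdir -p "$d"
    chmod 750 "$d"
    own_by_step "$d"
}

# Returns 0 when the password file is exactly 0600 and the log directory grants
# nothing to "other"; prints every failing check, so it suits a cron job.
audit_permissions() {
    rc=0
    pm="$(mode_of "$(pwd_file)")"
    if [ "$pm" != "600" ]; then
        echo "FAIL: $(pwd_file) mode is $pm, expected 600" >&2
        rc=1
    fi
    case "$(mode_of "$(log_dir)")" in
        *0) ;;
        *)  echo "FAIL: $(log_dir) is accessible to other users" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage: printf '%s\n' "$CA_PASSWORD" | sh setup-step-ca.sh setup
#        sh setup-step-ca.sh audit
case "${1:-}" in
    setup) write_password_file; create_log_dir ;;
    audit) audit_permissions ;;
esac
```

The password is read from stdin rather than an argument so it never shows up in process listings; the --password-file flag in the unit file only exposes the path, not the secret, which is why the file mode is what matters.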



About: Ryan Parker

I'm a former captain of the Cyber Defense team and currently an Infrastructure Security Specialist. I also have a side job helping small to medium businesses with anything technology, doing everything imaginable. One of my hobbies is building out infrastructures for myself, friends, and clients. I currently maintain a homelab with about 400GB of RAM, 100+ TB of storage, and tons of CPU cores.

