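; systemd unit for the step-ca certificate authority server (Jinja2 template).
; step_ca_user, step_ca_group, step_ca_config_dir and step_ca_binary are
; substituted when the template is rendered.

[Unit]
Description=step-ca
Documentation=https://smallstep.com/docs/step-ca
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
After=syslog.target network.target
; Start rate limiting: at most 3 starts per 30-second window.
; These settings belong in [Unit]; StartLimitInterval= in [Service] is only
; a legacy alias.
StartLimitIntervalSec=30
StartLimitBurst=3

[Service]
Type=simple
; Run as a dedicated unprivileged account, never as root.
User={{ step_ca_user }}
Group={{ step_ca_group }}
Environment=STEPPATH={{ step_ca_config_dir }}
WorkingDirectory={{ step_ca_config_dir }}
; "exec" replaces the wrapper shell with step-ca, so $MAINPID is the CA
; process itself and the SIGHUP sent by ExecReload reaches it rather than sh.
; NOTE(review): password.txt holds the password that unlocks the CA private
; key. This unit does not set its permissions; confirm the file is owned by
; the service user and is not group- or world-readable.
ExecStart=/bin/sh -c 'exec {{ step_ca_binary }} {{ step_ca_config_dir }}/config/ca.json --password-file={{ step_ca_config_dir }}/config/password.txt'
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
RestartSec=10
TimeoutStopSec=30

; Process capabilities & privileges
; The only capability granted is CAP_NET_BIND_SERVICE, which lets the
; unprivileged user bind ports below 1024. The bounding set blocks every other
; capability, and NoNewPrivileges stops setuid/setgid binaries from raising
; privileges.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes

; Sandboxing
; ProtectSystem=full mounts /usr, /boot, /efi and /etc read-only for this
; service; ReadWritePaths below re-opens only the database directory.
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
; Only local sockets and IPv4/IPv6 are allowed.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
; The writable path follows the configured directory instead of a hard-coded
; /etc/step-ca/db. A listed path that does not exist makes the unit fail at
; start, and a database under another config directory would stay read-only.
; ReadWritePaths= is the current name of ReadWriteDirectories=.
; NOTE(review): assumes ca.json keeps the database in "db" under the config
; directory; adjust if the db path is configured elsewhere.
ReadWritePaths={{ step_ca_config_dir }}/db

[Install]
WantedBy=multi-user.target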