diff --git a/src/pages/docs/step-ca/certificate-authority-server-production.mdx b/src/pages/docs/step-ca/certificate-authority-server-production.mdx
index 5f6eaeda..6c5d8ce3 100644
--- a/src/pages/docs/step-ca/certificate-authority-server-production.mdx
+++ b/src/pages/docs/step-ca/certificate-authority-server-production.mdx
@@ -291,13 +291,13 @@ to be able to bind to that port. See [Running `step-ca` as a Daemon](#running-st
## Running `step-ca` as a Daemon
-Note: _This section requires a Linux OS running `systemd` version 245 or greater._
+This section makes the following assumptions:
+- GNU/Linux OS is running systemd version 245 or greater.
+- [CA has been initialized](/docs/step-ca/getting-started#initialize-your-certificate-authority).
1. Add a service user for the CA.
- The service user will only be used by `systemd` to manage the CA. Run:
-
-
+
{`$ sudo useradd --system --home /etc/step-ca --shell /bin/false step`}
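Review bot: the two new assumption bullets are sentence fragments; `- GNU/Linux OS is running systemd version 245 or greater.` and `- [CA has been initialized](...)` both want a subject, e.g. "The host is a GNU/Linux system running systemd version 245 or greater." and "The CA has been initialized (link)." The systemd version floor is worth keeping prominent since the sandboxing directives the unit relies on (`ProtectClock=`, `ProtectKernelLogs=`) are not available on older releases, so a reader on an older distribution will get a unit that fails to load rather than a degraded one.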
@@ -308,7 +308,7 @@ Note: _This section requires a Linux OS running `systemd` version 245 or greater
{`$ sudo setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)`}
-2. Move your CA configuration into a system-wide location. Run:
+2. Move your CA configuration into a system-wide location.
{`$ sudo mv $(step path) /etc/step-ca`}
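Review bot: dropping the trailing `Run:` from `2. Move your CA configuration into a system-wide location.` leaves the numbered steps inconsistent, since step 1 above still ends with `The service user will only be used by \`systemd\` to manage the CA. Run:`. Either remove the lead-in from both steps or keep it in both; as written, step 2 now reads as a bare heading with a command dropped under it.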
@@ -317,81 +317,22 @@ Note: _This section requires a Linux OS running `systemd` version 245 or greater
Make sure your CA password is located in `/etc/step-ca/password.txt`,
so that it can be read upon server startup.
- You'll also need to edit the file `/etc/step-ca/config/defaults.json` to reflect the new path.
+ You'll also need to edit the following files to reflect the new path:
+ - `/etc/step-ca/config/defaults.json`
+ - `/etc/step-ca/config/ca.json`
Set the `step` user as the owner of your CA configuration directory:
-
+
{`$ sudo chown -R step:step /etc/step-ca`}
3. Create a `systemd` unit file.
```shell-session
- $ sudo touch /etc/systemd/system/step-ca.service
- ```
-
- Add the following contents:
-
- ```ini
- [Unit]
- Description=step-ca service
- Documentation=https://smallstep.com/docs/step-ca
- Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
- After=network-online.target
- Wants=network-online.target
- StartLimitIntervalSec=30
- StartLimitBurst=3
- ConditionFileNotEmpty=/etc/step-ca/config/ca.json
- ConditionFileNotEmpty=/etc/step-ca/password.txt
-
- [Service]
- Type=simple
- User=step
- Group=step
- Environment=STEPPATH=/etc/step-ca
- WorkingDirectory=/etc/step-ca
- ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
- ExecReload=/bin/kill --signal HUP $MAINPID
- Restart=on-failure
- RestartSec=5
- TimeoutStopSec=30
- StartLimitInterval=30
- StartLimitBurst=3
-
- ; Process capabilities & privileges
- AmbientCapabilities=CAP_NET_BIND_SERVICE
- CapabilityBoundingSet=CAP_NET_BIND_SERVICE
- SecureBits=keep-caps
- NoNewPrivileges=yes
-
- ; Sandboxing
- ProtectSystem=full
- ProtectHome=true
- RestrictNamespaces=true
- RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
- PrivateTmp=true
- PrivateDevices=true
- ProtectClock=true
- ProtectControlGroups=true
- ProtectKernelTunables=true
- ProtectKernelLogs=true
- ProtectKernelModules=true
- LockPersonality=true
- RestrictSUIDSGID=true
- RemoveIPC=true
- RestrictRealtime=true
- SystemCallFilter=@system-service
- SystemCallArchitectures=native
- MemoryDenyWriteExecute=true
- ReadWriteDirectories=/etc/step-ca/db
-
- [Install]
- WantedBy=multi-user.target
+ $ sudo wget https://github.com/smallstep/certificates/blob/master/systemd/step-ca.service -O /etc/systemd/system/step-ca.service
```
- (This file is also hosted [on GitHub](https://github.com/smallstep/certificates/blob/master/systemd/step-ca.service))
-
Here are some notes on the security properties in this file:
* `User` and `Group` cause `step-ca` to run as a non-privileged user.
* `AmbientCapabilities` allows the process to receive ambient capabilities.
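Review bot: the replacement command `$ sudo wget https://github.com/smallstep/certificates/blob/master/systemd/step-ca.service -O /etc/systemd/system/step-ca.service` downloads the GitHub HTML page for that path, not the unit file, so the resulting `/etc/systemd/system/step-ca.service` will be an HTML document and `systemctl` will reject it. A `/blob/` URL needs to be the raw variant, e.g. `https://raw.githubusercontent.com/smallstep/certificates/master/systemd/step-ca.service`. Two further points on the same line: fetching an unpinned `master` file over the network and writing it straight into `/etc/systemd/system` as root means the unit that systemd will execute is whatever the branch contains at download time; pin the URL to a release tag or commit and tell the reader to inspect the file before enabling the service. Finally, the unchanged prose below (`Here are some notes on the security properties in this file:` followed by `User`, `AmbientCapabilities`, etc.) now describes directives the reader can no longer see on this page, since the inline `[Unit]`/`[Service]`/`[Install]` listing was removed; either keep an abridged copy of the unit in the doc or point those bullets explicitly at the downloaded file.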