Run Step as a Daemon
Table of contents
- Add a service user for the CA
- Give the step-ca binary low port-binding capabilities
- Move your CA configuration into a system-wide location
- Edit your config files to reflect the new steppath.
- Set the step user as the owner of your CA configuration directory:
- Create a /etc/systemd/system/step-ca.service unit file and add the content of this file
- Enable and start the service
Running step-ca as a daemon is the recommended approach for production environments.
Running in the foreground is fine for testing and debugging, but once you are ready to deploy, you should really run it under systemd.
The smallstep documentation already explains all of this; I will just copy the relevant steps here for convenience.
Add a service user for the CA
useradd --system --home /etc/step-ca --shell /bin/false step
Give the step-ca binary low port-binding capabilities
setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
Move your CA configuration into a system-wide location
mv $(step path) /etc/step-ca
Make sure your CA password is located in /etc/step-ca/password.txt, so that it can be read upon server startup.
Edit your config files to reflect the new steppath.
sed -i "s|$(step path)|/etc/step-ca|g" /etc/step-ca/config/ca.json
sed -i "s|$(step path)|/etc/step-ca|g" /etc/step-ca/config/default.json
Set the step user as the owner of your CA configuration directory:
chown -R step:step /etc/step-ca
Create a /etc/systemd/system/step-ca.service unit file and add the content of this file
Enable and start the service
# Rescan the systemd unit files
systemctl daemon-reload
# Check the current status of the step-ca service
systemctl status step-ca
# Enable and start the `step-ca` process
systemctl enable --now step-ca
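The steps above touch /etc, so it is worth rehearsing them first. The script below is an added example, not something from this page or from smallstep: it performs the same sed rewrite of the old steppath, checks that no reference to the old path survives in ca.json and default.json, keeps password.txt readable only by its owner, and renders a step-ca unit file into a temporary directory. The old path /home/alice/.step, the config contents, the binary location /usr/local/bin/step-ca (used when step-ca is not installed) and the hardening directives in the unit are all assumptions; the page only says to take the unit content from the linked file.

```shell
#!/bin/sh
# Added example, not from the page or from smallstep: rehearses the steppath
# rewrite and renders a step-ca systemd unit into a scratch directory, so the
# steps can be checked before touching /etc. Paths and unit settings are assumptions.
set -eu

# Replace every occurrence of the old STEPPATH with the new one in a config file
# (same sed form the guide uses; '|' as delimiter so '/' in paths needs no escaping).
rewrite_steppath() { # $1=config file  $2=old path  $3=new path
  sed -i "s|$2|$3|g" "$1"
}

# Succeed only when no literal reference to the old path is left in the file.
check_no_old_path() { # $1=config file  $2=old path
  ! grep -qF "$2" "$1"
}

# Render a unit file for step-ca. The hardening directives are assumptions
# layered on the basic unit; ExecStart reads the password file the guide places
# in the steppath so the CA can start unattended.
render_unit() { # $1=steppath  $2=absolute path of the step-ca binary
  cat <<EOF
[Unit]
Description=step-ca service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=step
Group=step
Environment=STEPPATH=$1
WorkingDirectory=$1
ExecStart=$2 config/ca.json --password-file password.txt
Restart=on-failure
RestartSec=5
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Dry run in a temporary directory with a constructed config and password file.
rehearse() {
  old=/home/alice/.step   # constructed: where 'step path' pointed before the move
  new=/etc/step-ca
  tmp=$(mktemp -d)
  mkdir -p "$tmp/config"
  printf '{"root":"%s/certs/root_ca.crt","db":{"dataSource":"%s/db"}}\n' "$old" "$old" > "$tmp/config/ca.json"
  printf '{"ca-config":"%s/config/ca.json"}\n' "$old" > "$tmp/config/default.json"
  printf 'constructed-ca-password\n' > "$tmp/password.txt"
  chmod 600 "$tmp/password.txt"   # only the CA user should be able to read the key password

  for f in ca.json default.json; do
    rewrite_steppath "$tmp/config/$f" "$old" "$new"
    check_no_old_path "$tmp/config/$f" "$old" || { echo "old path still present in $f" >&2; exit 1; }
  done

  bin=$(command -v step-ca || echo /usr/local/bin/step-ca)   # assumed location if not installed
  render_unit "$new" "$bin" > "$tmp/step-ca.service"
  echo "rehearsal artifacts in $tmp"
}

rehearse
```

Once the rehearsal passes, the rendered step-ca.service can be compared with the unit you install under /etc/systemd/system before running systemctl daemon-reload.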