systemd unit file
Create/etc/systemd/system/certforge.service:
View logs
Secrets via environment file
Instead of putting database passwords inconfig.yaml, use an environment file:
Create /etc/certforge/environment:
EnvironmentFile line in the unit, then systemctl daemon-reload && systemctl restart certforge.
The following environment variables override their
config.yaml equivalents when set: DATABASE_URL (database connection string), CERTFORGE_STORAGE_KEY (encryption key for stored private keys), and CERTFORGE_PROXY_PASSWORD (proxy auth password). Use the EnvironmentFile approach to keep secrets out of the config file.Graceful reload
CertForge supportsSIGHUP for configuration reload (equivalent to a restart, but connections drain cleanly):
Logrotate
If you write logs to a file instead of the journal: Create/etc/logrotate.d/certforge:
Health check
Add a simple HTTP health check to your monitoring:WatchdogSec=60s in [Service] — CertForge will automatically notify the watchdog on each successful health tick.