Skip to main content

systemd unit file

Create /etc/systemd/system/certforge.service:
Enable and start:

View logs


Secrets via environment file

Instead of putting database passwords in config.yaml, use an environment file: Create /etc/certforge/environment:
Set permissions:
Uncomment the EnvironmentFile line in the unit, then systemctl daemon-reload && systemctl restart certforge.
The following environment variables override their config.yaml equivalents when set: DATABASE_URL (database connection string), CERTFORGE_STORAGE_KEY (encryption key for stored private keys), and CERTFORGE_PROXY_PASSWORD (proxy auth password). Use the EnvironmentFile approach to keep secrets out of the config file.

Graceful reload

CertForge supports SIGHUP for configuration reload (equivalent to a restart, but connections drain cleanly):

Logrotate

If you write logs to a file instead of the journal: Create /etc/logrotate.d/certforge:

Health check

Add a simple HTTP health check to your monitoring:
For systemd watchdog integration, set WatchdogSec=60s in [Service] — CertForge will automatically notify the watchdog on each successful health tick.