Smallstep runs as an online CA for X.509 and SSH certificates, so secure CA operations are critical.

## CA Service Hardening

- Protect ca.json and provisioner secrets.
- Enforce strong provisioner authentication and short-lived certificates.
- Restrict CA API endpoints with network policies.

## Key and Token Operations

- Use HSM/KMS-backed keys where possible.
- Rotate provisioner and bootstrap tokens.
- Monitor issuance/revocation audit trails continuously.
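An added audit script, not Smallstep's own tooling, that checks a parsed ca.json for the two hardening points above: certificate lifetimes (authority-wide claims and per-provisioner overrides) and the file mode protecting ca.json. The claim key names are step-ca's; the hour ceilings in `LIMITS` and the `SAMPLE` config are constructed assumptions.

```python
import re
import stat

# Go-style duration strings as used in step-ca claims ("24h", "720h", "1h30m"); h/m/s only.
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DUR_RE = re.compile(r"(\d+(?:\.\d+)?)([hms])")

def parse_duration(text):
    """Return seconds for a Go duration string; reject anything not fully matched."""
    pos, total = 0, 0.0
    for m in _DUR_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total

# Lifetime ceilings in hours that this audit enforces (an assumed local policy, not step-ca's defaults).
LIMITS = {"maxTLSCertDuration": 24, "defaultTLSCertDuration": 24,
          "maxSSHUserCertDuration": 24, "defaultSSHUserCertDuration": 16}

def check_claims(claims, scope):
    """Flag lifetime claims in one scope (authority or a provisioner) that exceed LIMITS."""
    out = []
    for key, limit_h in LIMITS.items():
        if key in claims and parse_duration(claims[key]) > limit_h * 3600:
            out.append(f"{scope}: {key}={claims[key]} exceeds {limit_h}h")
    return out

def audit_config(config):
    """Walk authority-level claims, then each provisioner's overriding claims, in a parsed ca.json."""
    authority = config.get("authority", {})
    findings = check_claims(authority.get("claims", {}), "authority")
    for prov in authority.get("provisioners", []):
        findings += check_claims(prov.get("claims", {}), f"provisioner {prov.get('type')}/{prov.get('name')}")
    return findings

def mode_findings(mode):
    """ca.json must not be group- or world-readable; pass os.stat(path).st_mode."""
    return ["ca.json is readable by group or others"] if mode & (stat.S_IRWXG | stat.S_IRWXO) else []

# Constructed sample, not a real deployment: one provisioner quietly overrides the CA-wide ceiling.
SAMPLE = {"authority": {
    "claims": {"maxTLSCertDuration": "24h", "defaultTLSCertDuration": "8h"},
    "provisioners": [
        {"type": "JWK", "name": "ops@example.com", "claims": {"maxTLSCertDuration": "8760h"}},
        {"type": "ACME", "name": "acme"}]}}
```

Run `audit_config(json.load(open("ca.json")))` together with `mode_findings(os.stat("ca.json").st_mode)` to lint a live config; a per-provisioner `claims` block can silently widen the authority-wide ceiling, which is exactly what the sample shows.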