diff --git a/kyra/services/step-ca.nix b/kyra/services/step-ca.nix
new file mode 100644
index 0000000..8d5c7e2
--- /dev/null
+++ b/kyra/services/step-ca.nix
@@ -0,0 +1,28 @@
+{config, ...}: {
+ services = {
+ step-ca = {
+ enable = true;
+ address = "[::]";
+ port = 8443;
+ intermediatePasswordFile = config.sops.secrets."stepPass".path;
+
+ settings = {
+ dnsNames = [
+ "ca.hand7s.org"
+ ];
+
+ authority = {
+ provisioners = [
+ {
+ type = "ACME";
+ name = "cloudflare";
+ claims = {
+ enable_dns_01 = true;
+ };
+ }
+ ];
+ };
+ };
+ };
+ };
+}
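Review bot: In the ACME provisioner, `claims.enable_dns_01 = true;` does not look like a key step-ca reads: as far as I know, claims carry certificate-duration and renewal options, while the accepted challenge types come from the provisioner's `challenges` list. If that is right, the key is probably ignored and the provisioner keeps its default challenge set, so a DNS-01-only intent is not enforced; `challenges = ["dns-01"];` on the provisioner would state it explicitly. Separately, `address = "[::]";` listens on every interface and no name policy is visible on the provisioner, so it is worth confirming that the host firewall limits who can reach port 8443 and adding a comment such as `# reachable only from <expected client network>` next to the address.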