From 73fc350b843aecf5550ec80dadc4deee02cd6364 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 1 Feb 2021 11:56:24 -0800
Subject: [PATCH] Add note about PKCS#11
---
 systemd/step-ca.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index db745c1a..352151f5 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -30,7 +30,8 @@ SecureBits=keep-caps
 NoNewPrivileges=yes
 ; Sandboxing
-; This works with YubiKey PIV (via pcscd), and presumably with YubiHSM2 via http connector
+; This sandboxing works with YubiKey PIV (via pcscd HTTP API), but it is likely
+; too restrictive for PKCS#11 HSMs.
 ProtectSystem=full
 ProtectHome=true
 RestrictNamespaces=true
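Review bot: The new comment's "pcscd HTTP API" looks inaccurate: pcscd is normally reached over a local Unix socket, and the HTTP connector in the removed line referred to YubiHSM2, so the first added line would read better as `; This sandboxing works with YubiKey PIV (via pcscd), but it is likely`. The note also tells PKCS#11 users that the sandbox is probably too restrictive without saying what to do about it, which invites deleting the whole section; consider adding `; For a PKCS#11 HSM, relax only the directive that blocks the module instead of removing the sandboxing.` The Sandboxing section continues past the end of this hunk, so which directives actually interfere cannot be judged from here.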