diff --git a/security/step-certificates/Makefile b/security/step-certificates/Makefile
index 41ddcf4e6809..a903de9e8408 100644
--- a/security/step-certificates/Makefile
+++ b/security/step-certificates/Makefile
@@ -1,41 +1,40 @@
 PORTNAME= step-certificates DISTVERSIONPREFIX= v
-DISTVERSION= 0.25.2
-PORTREVISION= 2
+DISTVERSION= 0.26.0
 CATEGORIES= security MAINTAINER= mw@wipp.bayern COMMENT= Smallstep step-ca certificates server WWW= https://smallstep.com/certificates/ LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/LICENSE BUILD_DEPENDS= pcsc-lite>0:devel/pcsc-lite LIB_DEPENDS= libpcsclite.so:devel/pcsc-lite RUN_DEPENDS= step:security/step-cli USES= go:modules
-GO_MODULE= github.com/smallstep/certificates
-
 USE_RC_SUBR= step-ca
+GO_MODULE= github.com/smallstep/certificates
+
 GO_TARGET= ./cmd/step-ca:${PREFIX}/sbin/step-ca GO_BUILDFLAGS= -ldflags "-w -X main.Version=${PORTVERSION}" USERS= step GROUPS= step post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/step ${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${WRKSRC}/examples && ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR}) ${INSTALL_MAN} ${WRKSRC}/LICENSE ${STAGEDIR}${DOCSDIR} ${INSTALL_MAN} ${WRKSRC}/CHANGELOG.md ${STAGEDIR}${DOCSDIR} ${INSTALL_MAN} ${WRKSRC}/CONTRIBUTING.md ${STAGEDIR}${DOCSDIR} ${INSTALL_MAN} ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR} ${INSTALL_MAN} ${WRKSRC}/SECURITY.md ${STAGEDIR}${DOCSDIR} .include
diff --git a/security/step-certificates/distinfo b/security/step-certificates/distinfo
index af645bfe812a..2d510b73e2b7 100644
--- a/security/step-certificates/distinfo
+++ b/security/step-certificates/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1701460797
-SHA256 (go/security_step-certificates/step-certificates-v0.25.2/v0.25.2.mod) = 7b8d9e8b5f35b5467da9bb0b5cb2997217cb6343cf4c707ab76566501d374cfb
-SIZE (go/security_step-certificates/step-certificates-v0.25.2/v0.25.2.mod) = 6667
-SHA256 (go/security_step-certificates/step-certificates-v0.25.2/v0.25.2.zip) = 9bdffcb28b1ec1a03f8f1d3f49fde9ffb77e1e46d904b88bacecaea8adcb9764
-SIZE (go/security_step-certificates/step-certificates-v0.25.2/v0.25.2.zip) = 1049591
+TIMESTAMP = 1711731230
+SHA256 (go/security_step-certificates/step-certificates-v0.26.0/v0.26.0.mod) = 8c6fa479a3353e3388f2d2b22eae55f02fec0c627449eebd547aaf6b3dd6116a
+SIZE (go/security_step-certificates/step-certificates-v0.26.0/v0.26.0.mod) = 8136
+SHA256 (go/security_step-certificates/step-certificates-v0.26.0/v0.26.0.zip) = a630dbbff154f0fb75ae9ced250df488becf2592d1840c44425d06ead197a161
+SIZE (go/security_step-certificates/step-certificates-v0.26.0/v0.26.0.zip) = 1069995
diff --git a/security/step-certificates/files/step-ca.in b/security/step-certificates/files/step-ca.in
index 03946767ff2b..59e8e33c5164 100644
--- a/security/step-certificates/files/step-ca.in
+++ b/security/step-certificates/files/step-ca.in
@@ -1,90 +1,123 @@ #!/bin/sh # PROVIDE: step-ca # REQUIRE: LOGIN networking # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf.local or /etc/rc.conf # to enable or customize this service: # # step_ca_enable (bool): Set to NO by default. # Set to YES to enable step_ca. # step_ca_user (user): Set user to run step_ca. # Default is "step" # step_ca_group (group): Set group to run step_ca. # Default is "step" # step_ca_stepdir (dir): Set dir to run step_ca in. # Default is "%%PREFIX%%/etc/step" # step_ca_steppath (dir): Set dir to run hold step_ca CA information in. # Default is "${step_ca_stepdir}/ca" # step_ca_password (path): step_ca CA Password file path # Default is "${step_ca_stepdir}/password.txt" . /etc/rc.subr name="step_ca" rcvar="step_ca_enable" load_rc_config $name : ${step_ca_enable:=no} : ${step_ca_user:=step} : ${step_ca_group:=step} : ${step_ca_stepdir:=%%PREFIX%%/etc/step} : ${step_ca_steppath:=${step_ca_stepdir}/ca} : ${step_ca_password:=${step_ca_stepdir}/password.txt} pidfile="/var/run/${name}.pid" step_ca_command="%%PREFIX%%/sbin/step-ca" step_ca_config="\ ${step_ca_steppath}/config/ca.json \ --password-file ${step_ca_password}" command="/usr/sbin/daemon" command_args="-S -c \ -P $pidfile \ -t $name \ -T $name \ $step_ca_command $step_ca_config" start_precmd=step_ca_startprecmd start_postcmd=step_ca_postcmd +extra_commands="configure" +configure_cmd="step_ca_configure" + step_ca_startprecmd() { if [ ! -e ${pidfile} ]; then install -o ${step_ca_user} -g ${step_ca_group} /dev/null ${pidfile}; fi + if [ ! -e ${step_ca_steppath} ]; then + echo "No configured Step CA found." + echo "Please run service step-ca configure" + exit 1 + else + export STEPPATH=${step_ca_steppath} + fi + + if [ ! 
-e ${step_ca_password} ]; then + echo "Step CA Password file for auto-start not found" + echo "Please run service step-ca configure" + exit 1 + fi + + if [ -e ${step_ca_steppath}/config/ca.json ]; then + configured_port=$(sed -n -e '/"address"/ s/.*:\(.*\)".*/\1/p' ${step_ca_steppath}/config/ca.json) + if [ ${configured_port} -lt 1024 ]; then + echo "Privileged Port (${configured_port}) configured: cannot run as ${step_ca_user}" + exit 1 + fi + fi +} + +step_ca_postcmd() { + sleep 2 + run_rc_command status +} + +step_ca_configure() { if [ ! -e ${step_ca_steppath} ]; then echo "No configured Step CA found." echo "Creating new one...." + install -m 600 -o ${step_ca_user} -g ${step_ca_group} /dev/null ${step_ca_steppath} export STEPPATH=${step_ca_steppath} %%PREFIX%%/bin/step ca init --ssh - chown -R ${step_ca_user}:${step_ca_group} ${step_ca_steppath} + chown -R ${step_ca_user}:${step_ca_group} ${step_ca_stepdir} else + echo "Configured Step CA found at ${step_ca_steppath}." + echo "Please remove the directory and its contents manually if you really want to reconfigure." export STEPPATH=${step_ca_steppath} fi if [ ! -e ${step_ca_password} ]; then echo "Step CA Password file for auto-start not found" echo "Creating it...." install -m 600 -o ${step_ca_user} -g ${step_ca_group} /dev/null ${step_ca_password} echo "Please enter the Step CA Password:" stty -echo; read passwd; stty echo; echo echo $passwd > ${step_ca_password} + else + echo "Configured Step CA password file found at ${step_ca_password}." + echo "Please remove the file manually if you really want to reconfigure." fi if [ -e ${step_ca_steppath}/config/ca.json ]; then configured_port=$(sed -n -e '/"address"/ s/.*:\(.*\)".*/\1/p' ${step_ca_steppath}/config/ca.json) if [ ${configured_port} -lt 1024 ]; then echo "Privileged Port (${configured_port}) configured: cannot run as ${step_ca_user}" fi fi } -step_ca_postcmd() { - sleep 2 - run_rc_command status -} - run_rc_command "$1" 
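Review bot: The `install -m 600 -o ${step_ca_user} -g ${step_ca_group} /dev/null ${step_ca_steppath}` line added to step_ca_configure creates an empty regular file at the path that the rest of the script and the following `step ca init --ssh` use as the STEPPATH directory, so a first-time configure is likely to fail with a not-a-directory error once step tries to populate it; the intent looks like a directory with restricted permissions, which `install -d -m 700 -o ${step_ca_user} -g ${step_ca_group} ${step_ca_steppath}` would give. The privileged-port test that step_ca_startprecmd now copies from the configure path compares whatever the sed expression extracts, so an `address` value the pattern does not match leaves `configured_port` empty and `[ ${configured_port} -lt 1024 ]` fails with a test-operator error rather than a clear message; `if [ -n "${configured_port}" ] && [ "${configured_port}" -lt 1024 ]; then` keeps the check deterministic in both functions. Since the configure command now owns the password prompt, `read -r passwd` and `printf '%s\n' "$passwd" > ${step_ca_password}` would store the entered secret byte-for-byte, whereas the unquoted `echo $passwd` word-splits and glob-expands the value and can swallow a leading `-n`.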
diff --git a/security/step-certificates/pkg-message b/security/step-certificates/pkg-message
index 7b616c50a4bd..2e595b5f19ae 100644
--- a/security/step-certificates/pkg-message
+++ b/security/step-certificates/pkg-message
@@ -1,26 +1,27 @@
 [ { type: install message: <