diff --git a/ansible/inventory/group_vars/all.yaml b/ansible/inventory/group_vars/all.yaml
index 10202e2..af04acd 100644
--- a/ansible/inventory/group_vars/all.yaml
+++ b/ansible/inventory/group_vars/all.yaml
@@ -152,7 +152,7 @@ services:
 version:
 packages:
 sops: "3.12.1"
- step: "0.29.0"
+ step: "0.30.2"
 kopia: "0.22.3"
 blocky: "0.28.2"
 alloy: "1.13.0"
@@ -160,7 +160,7 @@ version:
 # common
 caddy: "2.11.2"
 # infra
- step: "0.29.0"
+ step: "0.30.2"
 ldap: "v0.6.2"
 x509-exporter: "3.21.0"
 prometheus: "v3.9.1"
diff --git a/config/services/containers/infra/ca/ca.container.j2 b/config/services/containers/infra/ca/ca.container.j2
index 584886b..499166e 100644
--- a/config/services/containers/infra/ca/ca.container.j2
+++ b/config/services/containers/infra/ca/ca.container.j2
@@ -22,14 +22,17 @@ Volume=%h/containers/ca/db:/home/step/db:rw
 Volume=%h/containers/ca/templates:/home/step/templates:rw
 Environment="TZ=Asia/Seoul"
-Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
+# Since 0.30.0, Docker CMD no longer expands PWDPATH.
+#Environment="PWDPATH=/run/secrets/STEP_CA_PASSWORD"
 Secret=STEP_CA_PASSWORD,target=/run/secrets/STEP_CA_PASSWORD
+Exec=/usr/local/bin/step-ca --password-file /run/secrets/STEP_CA_PASSWORD /home/step/config/ca.json
+
 [Service]
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
 [Install]
-WantedBy=default.target
\ No newline at end of file
+WantedBy=default.target
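Review bot: The added `Exec=` line in ca.container.j2 replaces the image's default command, so the unit now hard-codes the binary path, the config path and the password path, and `/run/secrets/STEP_CA_PASSWORD` has to stay identical to the `target=` of the `Secret=` line above it or step-ca would presumably fail to start. I would record that in the comment, for example `# Overrides the image CMD (0.30.0+ no longer expands PWDPATH); --password-file must match the Secret= target.`, and delete the commented-out `#Environment="PWDPATH=..."` line, since version control already keeps the old value. Only the path of the password file appears on the command line, not the password itself, so nothing sensitive is exposed through the process arguments. The `Secret=` line sets no `uid=`, `gid=` or `mode=`, so the mounted file gets Podman's default permissions; consider restricting it to the user step-ca runs as. The `[Container]` section starts above the hunk, so `Image=` and any entrypoint setting are not visible here.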