diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 48dae272..d500ab59 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -32,6 +32,8 @@ NoNewPrivileges=yes
 ; Sandboxing
 ; This sandboxing works with YubiKey PIV (via pcscd HTTP API), but it is likely
 ; too restrictive for PKCS#11 HSMs.
+;
+; NOTE: Comment out the rest of this section for troubleshooting.
 ProtectSystem=full
 ProtectHome=true
 RestrictNamespaces=true