diff --git a/pkgs/tools/security/step-ca/default.nix b/pkgs/tools/security/step-ca/default.nix
index 584a597d67de..82afc06e1c51 100644
--- a/pkgs/tools/security/step-ca/default.nix
+++ b/pkgs/tools/security/step-ca/default.nix
@@ -6,6 +6,7 @@
 , pcsclite
 , PCSC
 , pkg-config
+, hsmSupport ? true
 }:
 
 buildGoModule rec {
@@ -21,16 +22,20 @@ buildGoModule rec {
 
   vendorSha256 = "f1NdszqYYx6X1HqwqG26jjfjXq1gDXLOrh64ccKRQ90=";
 
-  nativeBuildInputs = [ pkg-config ];
+  nativeBuildInputs = lib.optionals hsmSupport [ pkg-config ];
 
   buildInputs =
-    lib.optionals (stdenv.isLinux) [ pcsclite ]
-    ++ lib.optionals (stdenv.isDarwin) [ PCSC ];
+    lib.optionals (hsmSupport && stdenv.isLinux) [ pcsclite ]
+    ++ lib.optionals (hsmSupport && stdenv.isDarwin) [ PCSC ];
 
   postPatch = ''
     substituteInPlace systemd/step-ca.service --replace "/bin/kill" "${coreutils}/bin/kill"
   '';
 
+  preBuild = ''
+    ${lib.optionalString (!hsmSupport) "export CGO_ENABLED=0"}
+  '';
+
   postInstall = ''
     install -Dm444 -t $out/lib/systemd/system systemd/step-ca.service
   '';