diff --git a/authority/authority_test.go b/authority/authority_test.go
index 1020f808..f952dfe4 100644
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -7,6 +7,7 @@ import (
 "github.com/pkg/errors"
 "github.com/smallstep/assert"
+ "github.com/smallstep/certificates/authority/provisioner"
 stepJOSE "github.com/smallstep/cli/jose"
 )
@@ -16,25 +17,25 @@ func testAuthority(t *testing.T) *Authority {
 clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
 assert.FatalError(t, err)
 disableRenewal := true
- p := []*Provisioner{
- {
+ p := []*provisioner.Provisioner{
+ provisioner.New(&provisioner.JWK{
 Name: "Max",
 Type: "JWK",
 Key: maxjwk,
- },
- {
+ }),
+ provisioner.New(&provisioner.JWK{
 Name: "step-cli",
 Type: "JWK",
 Key: clijwk,
- },
- {
+ }),
+ provisioner.New(&provisioner.JWK{
 Name: "dev",
 Type: "JWK",
 Key: maxjwk,
- Claims: &ProvisionerClaims{
+ Claims: &provisioner.Claims{
 DisableRenewal: &disableRenewal,
 },
- },
+ }),
 }
 c := &Config{
 Address: "127.0.0.1:443",
@@ -113,11 +114,11 @@ func TestAuthorityNew(t *testing.T) {
 assert.True(t, auth.initOnce)
 assert.NotNil(t, auth.intermediateIdentity)
 for _, p := range tc.config.AuthorityConfig.Provisioners {
- _p, ok := auth.provisionerIDIndex.Load(p.ID())
+ _p, ok := auth.provisioners.Load(p.ID())
 assert.True(t, ok)
 assert.Equals(t, p, _p)
 if len(p.EncryptedKey) > 0 {
- key, ok := auth.encryptedKeyIndex.Load(p.Key.KeyID)
+ key, ok := auth.provisioners.LoadEncryptedKey(p.Key.KeyID)
 assert.True(t, ok)
 assert.Equals(t, p.EncryptedKey, key)
 }
diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go
index 91f50d28..af1ecdaa 100644
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
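Review bot: The encrypted-key lookup on the new side, `key, ok := auth.provisioners.LoadEncryptedKey(p.Key.KeyID)`, is keyed by the JWK key ID alone, so if two configured provisioners share a key — as "Max" and "dev" do with `maxjwk` in the testAuthority fixture above — a second EncryptedKey for the same KeyID would presumably overwrite or shadow the first, and `assert.Equals(t, p.EncryptedKey, key)` would then compare against whichever entry won, depending on load order. None of the fixture provisioners appears to set EncryptedKey, so this branch is not exercised here; I would add a case with two provisioners sharing a key ID and distinct EncryptedKey values to pin the intended behaviour, or key the lookup by `p.ID()` if the index is meant to be per-provisioner. TestAuthorityNew continues outside the hunk.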
@@ -10,31 +10,31 @@ import (
 func TestProvisionerInit(t *testing.T) {
 type ProvisionerValidateTest struct {
- p *Provisioner
+ p *JWK
 err error
 }
 tests := map[string]func(*testing.T) ProvisionerValidateTest{
 "fail-empty-name": func(t *testing.T) ProvisionerValidateTest {
 return ProvisionerValidateTest{
- p: &Provisioner{},
+ p: &JWK{},
 err: errors.New("provisioner name cannot be empty"),
 }
 },
 "fail-empty-type": func(t *testing.T) ProvisionerValidateTest {
 return ProvisionerValidateTest{
- p: &Provisioner{Name: "foo"},
+ p: &JWK{Name: "foo"},
 err: errors.New("provisioner type cannot be empty"),
 }
 },
 "fail-empty-key": func(t *testing.T) ProvisionerValidateTest {
 return ProvisionerValidateTest{
- p: &Provisioner{Name: "foo", Type: "bar"},
+ p: &JWK{Name: "foo", Type: "bar"},
 err: errors.New("provisioner key cannot be empty"),
 }
 },
 "ok": func(t *testing.T) ProvisionerValidateTest {
 return ProvisionerValidateTest{
- p: &Provisioner{Name: "foo", Type: "bar", Key: &jose.JSONWebKey{}},
+ p: &JWK{Name: "foo", Type: "bar", Key: &jose.JSONWebKey{}},
 }
 },
 }
diff --git a/authority/tls.go b/authority/tls.go
index a413f564..c1639a59 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -144,6 +144,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext
 http.StatusInternalServerError, errContext}
 }
+ // FIXME: This should be before creating the certificate.
 for _, v := range certValidators {
 if err := v.Valid(serverCert); err != nil {
 return nil, nil, err