Merge branch 'master' into herman/scep-provisioner-decrypter

10 months ago · 569a1be12c
parent 1ce80cf740 c07124e374
commit 569a1be12c
24 changed files with 178 additions and 94 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -27,11 +27,30 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 ## [Unreleased]

+### Added
+
+- Added support for TPM KMS (smallstep/crypto#253)
+- Added support for disableSmallstepExtensions provisioner claim
+  (smallstep/certificates#1484)
+- Added script to migrate a badger DB to MySQL or PostgreSQL
+  (smallstep/certificates#1477)
+- Added AWS public certificates for me-central-1 and ap-southeast-3
+  (smallstep/certificates#1404)
+- Add namespace field to VaultCAS JSON config (smallstep/certificates#1424)
+
+### Changed
+
+- Changed the Makefile to produce cgo-enabled builds running
+  `make build GO_ENVS="CGO_ENABLED=1"` (smallstep/certificates#1446)
+
 ### Fixed

 - Improved authentication for ACME requests using kid and provisioner name
  (smallstep/certificates#1386).
-
+- Fixed indentation of KMS configuration in helm charts
+  (smallstep/certificates#1405)
+- Fixed simultaneous sign or decrypt operation on a YubiKey
+  (smallstep/certificates#1476, smallstep/crypto#288)

 ## [v0.24.2] - 2023-05-11

--- a/authority/config/config.go
+++ b/authority/config/config.go
@ -35,6 +35,9 @@ var (
 	// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
 	// for all provisioners.
 	DefaultEnableSSHCA = false
+	// DefaultDisableSmallstepExtensions is the default value for the
+	// DisableSmallstepExtensions provisioner claim.
+	DefaultDisableSmallstepExtensions = false
 	// DefaultCRLCacheDuration is the default cache duration for the CRL.
 	DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour}
 	// DefaultCRLExpiredDuration is the default duration in which expired
@ -43,18 +46,19 @@ var (
 	// GlobalProvisionerClaims is the default duration that expired certificates
 	// remain in the CRL after expiration.
 	GlobalProvisionerClaims = provisioner.Claims{
-		MinTLSDur:               &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
-		MaxTLSDur:               &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultTLSDur:           &provisioner.Duration{Duration: 24 * time.Hour},
-		MinUserSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:           &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:       &provisioner.Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:           &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:       &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:             &DefaultEnableSSHCA,
-		DisableRenewal:          &DefaultDisableRenewal,
-		AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
+		MinTLSDur:                  &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
+		MaxTLSDur:                  &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultTLSDur:              &provisioner.Duration{Duration: 24 * time.Hour},
+		MinUserSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:              &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:          &provisioner.Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:              &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:          &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:                &DefaultEnableSSHCA,
+		DisableRenewal:             &DefaultDisableRenewal,
+		AllowRenewalAfterExpiry:    &DefaultAllowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &DefaultDisableSmallstepExtensions,
 	}
 )

--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@ -257,7 +257,7 @@ func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
 	opts := []SignOption{
 		p,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeACME, p.Name, ""),
+		newProvisionerExtensionOption(TypeACME, p.Name, "").WithControllerOptions(p.ctl),
 		newForceCNOption(p.ForceCN),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -515,7 +515,7 @@ func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),
+		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@ -398,7 +398,7 @@ func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID),
+		newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
--- a/authority/provisioner/claims.go
+++ b/authority/provisioner/claims.go
@ -26,6 +26,9 @@ type Claims struct {
 	// Renewal properties
 	DisableRenewal          *bool `json:"disableRenewal,omitempty"`
 	AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`
+
+	// Other properties
+	DisableSmallstepExtensions *bool `json:"disableSmallstepExtensions,omitempty"`
 }

 // Claimer is the type that controls claims. It provides an interface around the
@ -47,20 +50,22 @@ func (c *Claimer) Claims() Claims {
 	disableRenewal := c.IsDisableRenewal()
 	allowRenewalAfterExpiry := c.AllowRenewalAfterExpiry()
 	enableSSHCA := c.IsSSHCAEnabled()
+	disableSmallstepExtensions := c.IsDisableSmallstepExtensions()

 	return Claims{
-		MinTLSDur:               &Duration{c.MinTLSCertDuration()},
-		MaxTLSDur:               &Duration{c.MaxTLSCertDuration()},
-		DefaultTLSDur:           &Duration{c.DefaultTLSCertDuration()},
-		MinUserSSHDur:           &Duration{c.MinUserSSHCertDuration()},
-		MaxUserSSHDur:           &Duration{c.MaxUserSSHCertDuration()},
-		DefaultUserSSHDur:       &Duration{c.DefaultUserSSHCertDuration()},
-		MinHostSSHDur:           &Duration{c.MinHostSSHCertDuration()},
-		MaxHostSSHDur:           &Duration{c.MaxHostSSHCertDuration()},
-		DefaultHostSSHDur:       &Duration{c.DefaultHostSSHCertDuration()},
-		EnableSSHCA:             &enableSSHCA,
-		DisableRenewal:          &disableRenewal,
-		AllowRenewalAfterExpiry: &allowRenewalAfterExpiry,
+		MinTLSDur:                  &Duration{c.MinTLSCertDuration()},
+		MaxTLSDur:                  &Duration{c.MaxTLSCertDuration()},
+		DefaultTLSDur:              &Duration{c.DefaultTLSCertDuration()},
+		MinUserSSHDur:              &Duration{c.MinUserSSHCertDuration()},
+		MaxUserSSHDur:              &Duration{c.MaxUserSSHCertDuration()},
+		DefaultUserSSHDur:          &Duration{c.DefaultUserSSHCertDuration()},
+		MinHostSSHDur:              &Duration{c.MinHostSSHCertDuration()},
+		MaxHostSSHDur:              &Duration{c.MaxHostSSHCertDuration()},
+		DefaultHostSSHDur:          &Duration{c.DefaultHostSSHCertDuration()},
+		EnableSSHCA:                &enableSSHCA,
+		DisableRenewal:             &disableRenewal,
+		AllowRenewalAfterExpiry:    &allowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &disableSmallstepExtensions,
 	}
 }

@ -110,6 +115,15 @@ func (c *Claimer) IsDisableRenewal() bool {
 	return *c.claims.DisableRenewal
 }

+// IsDisableSmallstepExtensions returns whether Smallstep extensions, such as
+// the provisioner extension, should be excluded from the certificate.
+func (c *Claimer) IsDisableSmallstepExtensions() bool {
+	if c.claims == nil || c.claims.DisableSmallstepExtensions == nil {
+		return *c.global.DisableSmallstepExtensions
+	}
+	return *c.claims.DisableSmallstepExtensions
+}
+
 // AllowRenewalAfterExpiry returns if the renewal flow is authorized if the
 // certificate is expired. If the property is not set within the provisioner
 // then the global value from the authority configuration will be used.
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@ -270,7 +270,7 @@ func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
+		newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -187,7 +187,7 @@ func (p *JWK) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		self,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
+		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		commonNameValidator(claims.Subject),
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@ -238,7 +238,7 @@ func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),
+		newProvisionerExtensionOption(TypeK8sSA, p.Name, "").WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@ -150,7 +150,7 @@ func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, e
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeNebula, p.Name, ""),
+		newProvisionerExtensionOption(TypeNebula, p.Name, "").WithControllerOptions(p.ctl),
 		profileLimitDuration{
 			def:       p.ctl.Claimer.DefaultTLSCertDuration(),
 			notBefore: crt.Details.NotBefore,
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -351,7 +351,7 @@ func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, err
 		o,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
+		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID).WithControllerOptions(o.ctl),
 		profileDefaultDuration(o.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
--- a/authority/provisioner/options.go
+++ b/authority/provisioner/options.go
@ -6,6 +6,7 @@ import (

 	"github.com/pkg/errors"

+	"go.step.sm/cli-utils/step"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"

@ -160,7 +161,7 @@ func CustomTemplateOptions(o *Options, data x509util.TemplateData, defaultTempla
 		// Load a template from a file if Template is not defined.
 		if opts.Template == "" && opts.TemplateFile != "" {
 			return []x509util.Option{
-				x509util.WithTemplateFile(opts.TemplateFile, data),
+				x509util.WithTemplateFile(step.Abs(opts.TemplateFile), data),
 			}
 		}

--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@ -280,7 +280,7 @@ func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) {
 	return []SignOption{
 		s,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeSCEP, s.Name, ""),
+		newProvisionerExtensionOption(TypeSCEP, s.Name, "").WithControllerOptions(s.ctl),
 		newForceCNOption(s.ForceCN),
 		profileDefaultDuration(s.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -430,6 +430,7 @@ func (o *forceCNOption) Modify(cert *x509.Certificate, _ SignOptions) error {

 type provisionerExtensionOption struct {
 	Extension
+	Disabled bool
 }

 func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValuePairs ...string) *provisionerExtensionOption {
@ -443,7 +444,19 @@ func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValue
 	}
 }

+// WithControllerOptions updates the provisionerExtensionOption with options
+// from the controller. Currently only the DisableSmallstepExtensions
+// provisioner claim is used.
+func (o *provisionerExtensionOption) WithControllerOptions(c *Controller) *provisionerExtensionOption {
+	o.Disabled = c.Claimer.IsDisableSmallstepExtensions()
+	return o
+}
+
 func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
+	if o.Disabled {
+		return nil
+	}
+
 	ext, err := o.ToExtension()
 	if err != nil {
 		return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")
--- a/authority/provisioner/sign_options_test.go
+++ b/authority/provisioner/sign_options_test.go
@ -604,14 +604,24 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
 		t.Fatal(err)
 	}

+	// Claims with smallstep extensions disabled.
+	claimer, err := NewClaimer(&Claims{
+		DisableSmallstepExtensions: &trueValue,
+	}, globalProvisionerClaims)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	type test struct {
-		cert  *x509.Certificate
-		valid func(*x509.Certificate)
+		modifier *provisionerExtensionOption
+		cert     *x509.Certificate
+		valid    func(*x509.Certificate)
 	}
 	tests := map[string]func() test{
 		"ok/one-element": func() test {
 			return test{
-				cert: new(x509.Certificate),
+				modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"),
+				cert:     new(x509.Certificate),
 				valid: func(cert *x509.Certificate) {
 					if assert.Len(t, 1, cert.ExtraExtensions) {
 						ext := cert.ExtraExtensions[0]
@ -625,7 +635,8 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
 		},
 		"ok/replace": func() test {
 			return test{
-				cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
+				modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"),
+				cert:     &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
 				valid: func(cert *x509.Certificate) {
 					if assert.Len(t, 2, cert.ExtraExtensions) {
 						ext := cert.ExtraExtensions[0]
@ -636,11 +647,22 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
 				},
 			}
 		},
+		"ok/disabled": func() test {
+			return test{
+				modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").WithControllerOptions(&Controller{
+					Claimer: claimer,
+				}),
+				cert: new(x509.Certificate),
+				valid: func(cert *x509.Certificate) {
+					assert.Len(t, 0, cert.ExtraExtensions)
+				},
+			}
+		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tt := run()
-			assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").Modify(tt.cert, SignOptions{}))
+			assert.FatalError(t, tt.modifier.Modify(tt.cert, SignOptions{}))
 			tt.valid(tt.cert)
 		})
 	}
--- a/authority/provisioner/ssh_options.go
+++ b/authority/provisioner/ssh_options.go
@ -5,6 +5,7 @@ import (
 	"strings"

 	"github.com/pkg/errors"
+	"go.step.sm/cli-utils/step"
 	"go.step.sm/crypto/sshutil"

 	"github.com/smallstep/certificates/authority/policy"
@ -144,7 +145,7 @@ func CustomSSHTemplateOptions(o *Options, data sshutil.TemplateData, defaultTemp
 		// Load a template from a file if Template is not defined.
 		if opts.Template == "" && opts.TemplateFile != "" {
 			return []sshutil.Option{
-				sshutil.WithTemplateFile(opts.TemplateFile, data),
+				sshutil.WithTemplateFile(step.Abs(opts.TemplateFile), data),
 			}
 		}

--- a/authority/provisioner/utils_test.go
+++ b/authority/provisioner/utils_test.go
@ -24,22 +24,24 @@ import (
 )

 var (
-	defaultDisableRenewal          = false
-	defaultAllowRenewalAfterExpiry = false
-	defaultEnableSSHCA             = true
-	globalProvisionerClaims        = Claims{
-		MinTLSDur:               &Duration{5 * time.Minute},
-		MaxTLSDur:               &Duration{24 * time.Hour},
-		DefaultTLSDur:           &Duration{24 * time.Hour},
-		MinUserSSHDur:           &Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:           &Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:       &Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:           &Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:           &Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:       &Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:             &defaultEnableSSHCA,
-		DisableRenewal:          &defaultDisableRenewal,
-		AllowRenewalAfterExpiry: &defaultAllowRenewalAfterExpiry,
+	defaultDisableRenewal             = false
+	defaultAllowRenewalAfterExpiry    = false
+	defaultEnableSSHCA                = true
+	defaultDisableSmallstepExtensions = false
+	globalProvisionerClaims           = Claims{
+		MinTLSDur:                  &Duration{5 * time.Minute},
+		MaxTLSDur:                  &Duration{24 * time.Hour},
+		DefaultTLSDur:              &Duration{24 * time.Hour},
+		MinUserSSHDur:              &Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:              &Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:          &Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:              &Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:              &Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:          &Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:                &defaultEnableSSHCA,
+		DisableRenewal:             &defaultDisableRenewal,
+		AllowRenewalAfterExpiry:    &defaultAllowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &defaultDisableSmallstepExtensions,
 	}
 	testAudiences = Audiences{
 		Sign:      []string{"https://ca.smallstep.com/1.0/sign", "https://ca.smallstep.com/sign"},
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -237,7 +237,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		self,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeX5C, p.Name, ""),
+		newProvisionerExtensionOption(TypeX5C, p.Name, "").WithControllerOptions(p.ctl),
 		profileLimitDuration{
 			p.ctl.Claimer.DefaultTLSCertDuration(),
 			x5cLeaf.NotBefore, x5cLeaf.NotAfter,
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@ -646,8 +646,9 @@ func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) {
 	}

 	pc := &provisioner.Claims{
-		DisableRenewal:          &c.DisableRenewal,
-		AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry,
+		DisableRenewal:             &c.DisableRenewal,
+		AllowRenewalAfterExpiry:    &c.AllowRenewalAfterExpiry,
+		DisableSmallstepExtensions: &c.DisableSmallstepExtensions,
 	}

 	var err error
@ -686,6 +687,7 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {

 	disableRenewal := config.DefaultDisableRenewal
 	allowRenewalAfterExpiry := config.DefaultAllowRenewalAfterExpiry
+	disableSmallstepExtensions := config.DefaultDisableSmallstepExtensions

 	if c.DisableRenewal != nil {
 		disableRenewal = *c.DisableRenewal
@ -693,10 +695,14 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {
 	if c.AllowRenewalAfterExpiry != nil {
 		allowRenewalAfterExpiry = *c.AllowRenewalAfterExpiry
 	}
+	if c.DisableSmallstepExtensions != nil {
+		disableSmallstepExtensions = *c.DisableSmallstepExtensions
+	}

 	lc := &linkedca.Claims{
-		DisableRenewal:          disableRenewal,
-		AllowRenewalAfterExpiry: allowRenewalAfterExpiry,
+		DisableRenewal:             disableRenewal,
+		AllowRenewalAfterExpiry:    allowRenewalAfterExpiry,
+		DisableSmallstepExtensions: disableSmallstepExtensions,
 	}

 	if c.DefaultTLSDur != nil || c.MinTLSDur != nil || c.MaxTLSDur != nil {
--- a/cmd/step-ca/main.go
+++ b/cmd/step-ca/main.go
@ -102,6 +102,12 @@ Please send us a sentence or two, good or bad: **feedback@smallstep.com** or htt
 `

 func main() {
+	// initialize step environment.
+	if err := step.Init(); err != nil {
+		fmt.Fprintln(os.Stderr, err.Error())
+		os.Exit(1)
+	}
+
 	// Initialize windows terminal
 	ui.Init()

--- a/go.mod
+++ b/go.mod
@ -30,14 +30,14 @@ require (
 	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli v1.22.14
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
-	go.step.sm/cli-utils v0.7.6
-	go.step.sm/crypto v0.32.4
+	go.step.sm/cli-utils v0.8.0
+	go.step.sm/crypto v0.33.0
 	go.step.sm/linkedca v0.20.0
 	golang.org/x/crypto v0.11.0
 	golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
 	golang.org/x/net v0.12.0
-	google.golang.org/api v0.132.0
-	google.golang.org/grpc v1.56.2
+	google.golang.org/api v0.134.0
+	google.golang.org/grpc v1.57.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/square/go-jose.v2 v2.6.0
 )
@ -47,10 +47,10 @@ require (
 	cloud.google.com/go/compute v1.20.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v1.1.0 // indirect
-	cloud.google.com/go/kms v1.13.0 // indirect
+	cloud.google.com/go/kms v1.15.0 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
@ -59,7 +59,7 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/aws/aws-sdk-go v1.44.295 // indirect
+	github.com/aws/aws-sdk-go v1.44.307 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
@ -130,22 +130,17 @@ require (
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/sys v0.10.0 // indirect
 	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.1.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

-// replace github.com/smallstep/nosql => ../nosql
-// replace go.step.sm/crypto => ../crypto
-
-// replace go.step.sm/cli-utils => ../cli-utils
-// replace go.step.sm/linkedca => ../linkedca
-
 // use github.com/smallstep/pkcs7 fork with patches applied
 replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20230615175518-7ce6486b74eb

--- a/go.sum
+++ b/go.sum
@ -48,8 +48,8 @@ cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
 cloud.google.com/go/iam v1.1.0 h1:67gSqaPukx7O8WLLHMa0PNs3EBGd2eE4d+psbO/CO94=
 cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk=
-cloud.google.com/go/kms v1.13.0 h1:s+sRhcowXwuLsa2Z8g3Tmh5l0HWNBf//HogCgiuDs/0=
-cloud.google.com/go/kms v1.13.0/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
+cloud.google.com/go/kms v1.15.0 h1:xYl5WEaSekKYN5gGRyhjvZKM22GVBBCzegGNVPy+aIs=
+cloud.google.com/go/kms v1.15.0/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
 cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI=
 cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
 cloud.google.com/go/monitoring v0.1.0/go.mod h1:Hpm3XfzJv+UTiXzCG5Ffp0wijzHTC7Cv4eR7o3x/fEE=
@ -88,8 +88,8 @@ github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuE
 github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4=
 github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 h1:SEy2xmstIphdPwNBUi7uhvjyjhVKISfwjfOJmuy7kg4=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 h1:8q4SaHjFsClSvuVne0ID/5Ka8u3fcIHyqkLjcFpNRHQ=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
@ -165,8 +165,8 @@ github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
 github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.44.295 h1:SGjU1+MqttXfRiWHD6WU0DRhaanJgAFY+xIhEaugV8Y=
-github.com/aws/aws-sdk-go v1.44.295/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.44.307 h1:2R0/EPgpZcFSUwZhYImq/srjaOrOfLv5MNRzrFyAM38=
+github.com/aws/aws-sdk-go v1.44.307/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
@ -1061,10 +1061,10 @@ go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi
 go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
 go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.step.sm/cli-utils v0.7.6 h1:YkpLVrepmy2c5+eaz/wduiGxlgrRx3YdAStE37if25g=
-go.step.sm/cli-utils v0.7.6/go.mod h1:j+FxFZ2gbWkAJl0eded/rksuxmNqWpmyxbkXcukGJaY=
-go.step.sm/crypto v0.32.4 h1:jSr5sB6vJCciqFB3BFKgK5ykRtuzKqdl4j9+CYkS8Hc=
-go.step.sm/crypto v0.32.4/go.mod h1:A009Gtqx80nTz/9DreRMflMGgaSWTuhK8En6XycK9yA=
+go.step.sm/cli-utils v0.8.0 h1:b/Tc1/m3YuQq+u3ghTFP7Dz5zUekZj6GUmd5pCvkEXQ=
+go.step.sm/cli-utils v0.8.0/go.mod h1:S77aISrC0pKuflqiDfxxJlUbiXcAanyJ4POOnzFSxD4=
+go.step.sm/crypto v0.33.0 h1:fP8awo6YkZ0/rrLhzbHYA3U8g24VnWEebZRnGwUobRo=
+go.step.sm/crypto v0.33.0/go.mod h1:rMETKeIA1ZsLBiKT6phQ2IIeBH3GL+XqimeobcqUw1g=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@ -1247,6 +1247,7 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20170728174421-0f826bdd13b5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -1486,8 +1487,8 @@ google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtuk
 google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
 google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
 google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.132.0 h1:8t2/+qZ26kAOGSmOiHwVycqVaDg7q3JDILrNi/Z6rvc=
-google.golang.org/api v0.132.0/go.mod h1:AeTBC6GpJnJSRJjktDcPX0QwtS8pGYZOV6MSuSCusw0=
+google.golang.org/api v0.134.0 h1:ktL4Goua+UBgoP1eL1/60LwZJqa1sIzkLmvoR3hR6Gw=
+google.golang.org/api v0.134.0/go.mod h1:sjRL3UnjTx5UqNQS9EWr9N8p7xbHpy1k0XGRLCf3Spk=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -1569,8 +1570,8 @@ google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIY
 google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
 google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
 google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771 h1:Z8qdAF9GFsmcUuWQ5KVYIpP3PCKydn/YKORnghIalu4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230720185612-659f7aaaa771/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@ -1606,8 +1607,8 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI=
-google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
+google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
--- a/pki/testdata/helm/with-ssh-and-acme.yml
+++ b/pki/testdata/helm/with-ssh-and-acme.yml
@ -23,7 +23,7 @@ inject:
        authority:
          enableAdmin: false
          provisioners:
-            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
+            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
            - {"type":"ACME","name":"acme"}
            - {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
        tls:
--- a/pki/testdata/helm/with-ssh.yml
+++ b/pki/testdata/helm/with-ssh.yml
@ -23,7 +23,7 @@ inject:
        authority:
          enableAdmin: false
          provisioners:
-            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
+            - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
            - {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
        tls:
          cipherSuites: