[action] keyless cosign for all release artifacts

275 changed files with 10447 additions and 17155 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -9,7 +9,3 @@ updates:
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -20,8 +20,7 @@ jobs:
  ci:
    uses: smallstep/workflows/.github/workflows/goCI.yml@main
    with:
-      only-latest-golang: false
-      os-dependencies: 'libpcsclite-dev'
+      os-dependencies: "libpcsclite-dev"
+      run-gitleaks: true
      run-codeql: true
-      test-command: 'V=1 make test'
    secrets: inherit
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
@ -5,3 +5,5 @@ on:
 jobs:
  code-scan:
    uses: smallstep/workflows/.github/workflows/code-scan.yml@main
+    secrets:
+      GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@ -1,11 +0,0 @@
-name: Dependabot auto-merge
-on: pull_request
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  dependabot-auto-merge:
-    uses: smallstep/workflows/.github/workflows/dependabot-auto-merge.yml@main
-    secrets: inherit
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -15,13 +15,8 @@ jobs:
    name: Create Release
    needs: ci
    runs-on: ubuntu-latest
-    env:
-      DOCKER_IMAGE: smallstep/step-ca
    outputs:
-      version: ${{ steps.extract-tag.outputs.VERSION }}
      is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
-      docker_tags: ${{ env.DOCKER_TAGS }}
-      docker_tags_hsm: ${{ env.DOCKER_TAGS_HSM }}
    steps:
      - name: Is Pre-release
        id: is_prerelease
@ -30,62 +25,77 @@ jobs:
          echo ${{ github.ref }} | grep "\-rc.*"
          OUT=$?
          if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
-          echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"
-      - name: Extract Tag Names
-        id: extract-tag
-        run: |
-          VERSION=${GITHUB_REF#refs/tags/v}
-          echo "VERSION=${VERSION}" >> "${GITHUB_OUTPUT}"
-          echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> "${GITHUB_ENV}"
-          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_IMAGE }}:${VERSION}-hsm" >> "${GITHUB_ENV}"
-      - name: Add Latest Tag
-        if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
-        run: |
-          echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> "${GITHUB_ENV}"
-          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> "${GITHUB_ENV}"
+          echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
      - name: Create Release
        id: create_release
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
-          name: Release ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
          draft: false
          prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}

  goreleaser:
+    name: Upload Assets To Github w/ goreleaser
+    runs-on: ubuntu-latest
    needs: create_release
    permissions:
      id-token: write
      contents: write
-    uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
-    secrets: inherit
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2
+        with:
+          cosign-release: 'v1.13.1'
+      - name: Get Release Date
+        id: release_date
+        run: |
+          RELEASE_DATE=$(date +"%y-%m-%d")
+          echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: 'latest'
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
+          RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
+          COSIGN_EXPERIMENTAL: 1

  build_upload_docker:
    name: Build & Upload Docker Images
-    needs: create_release
-    permissions:
-      id-token: write
-      contents: write
-    uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
-    with:
-      platforms: linux/amd64,linux/386,linux/arm,linux/arm64
-      tags: ${{ needs.create_release.outputs.docker_tags }}
-      docker_image: smallstep/step-ca
-      docker_file: docker/Dockerfile
-    secrets: inherit
-
-  build_upload_docker_hsm:
-    name: Build & Upload HSM Enabled Docker Images
-    needs: create_release
+    runs-on: ubuntu-latest
+    needs: ci
    permissions:
      id-token: write
      contents: write
-    uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
-    with:
-      platforms: linux/amd64,linux/386,linux/arm,linux/arm64
-      tags: ${{ needs.create_release.outputs.docker_tags_hsm }}
-      docker_image: smallstep/step-ca
-      docker_file: docker/Dockerfile.hsm
-    secrets: inherit
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.19'
+          check-latest: true
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2
+        with:
+          cosign-release: 'v1.13.1'
+      - name: Build
+        id: build
+        run: |
+          PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
+          make docker-artifacts
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          COSIGN_EXPERIMENTAL: 1
--- a/.gitleaksignore
+++ b/.gitleaksignore
@ -0,0 +1,18 @@
+deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:85
+deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:107
+deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:108
+deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:129
+deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:131
+deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:136
+deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:138
+7c9ab9814fb676cb3c125c3dac4893271f1b7ae5:README.md:generic-api-key:282
+fb7140444ac8f1fa1245a80e49d17e206f7435f3:docs/provisioners.md:generic-api-key:110
+e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:73
+e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:113
+e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:151
+8b2de42e9cf6ce99f53a5049881e1d6077d5d66e:docs/docker.md:generic-api-key:152
+3939e855264117e81531df777a642ea953d325a7:autocert/init/ca/intermediate_ca_key:private-key:1
+e72f08703753facfa05f2d8c68f9f6a3745824b8:README.md:generic-api-key:244
+e70a5dae7de0b6ca40a0393c09c28872d4cfa071:autocert/README.md:generic-api-key:365
+e70a5dae7de0b6ca40a0393c09c28872d4cfa071:autocert/README.md:generic-api-key:366
+c284a2c0ab1c571a46443104be38c873ef0c7c6d:config.json:generic-api-key:10
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,6 +1,6 @@
-# Documentation: https://goreleaser.com/customization/
+# This is an example .goreleaser.yml file with some sane defaults.
+# Make sure to check the documentation at http://goreleaser.com
 project_name: step-ca
-version: 2

 before:
  hooks:
@ -31,7 +31,7 @@ builds:
      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}

 archives:
-  - &ARCHIVE
+  -
    # Can be used to change the archive formats for specific GOOSs.
    # Most common use case is to archive as zip on Windows.
    # Default is empty.
@ -39,16 +39,11 @@ archives:
    format_overrides:
      - goos: windows
        format: zip
+    wrap_in_directory: "{{ .ProjectName }}_{{ .Version }}"
    files:
      - README.md
      - LICENSE
    allow_different_binary_count: true
-  -
-    << : *ARCHIVE
-    id: unversioned
-    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
-    wrap_in_directory: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
-

 nfpms:
  # Configure nFPM for .deb and .rpm releases
@ -60,7 +55,7 @@ nfpms:
  # List file contents: dpkg -c dist/step_...deb
  # Package metadata: dpkg --info dist/step_....deb
  #
-  - &NFPM
+  -
    builds:
      - step-ca
    package_name: step-ca
@ -80,10 +75,6 @@ nfpms:
    contents:
      - src: debian/copyright
        dst: /usr/share/doc/step-ca/copyright
-  -
-    << : *NFPM
-    id: unversioned
-    file_name_template: "{{ .PackageName }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"

 source:
  enabled: true
@ -98,7 +89,7 @@ signs:
 - cmd: cosign
  signature: "${artifact}.sig"
  certificate: "${artifact}.pem"
-  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
+  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
  artifacts: all

 snapshot:
@ -139,17 +130,17 @@ release:

    #### Linux

-    - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
-    - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
+    - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
+    - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)

    #### OSX Darwin

-    - 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz)
-    - 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz)
+    - 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz)
+    - 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz)

    #### Windows

-    - 📦 [step-ca_windows_{{ .Version }}_amd64.zip](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)
+    - 📦 [step-ca_windows_{{ .Version }}_arm64.zip](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)

    For more builds across platforms and architectures, see the `Assets` section below.
    And for packaged versions (Docker, k8s, Homebrew), see our [installation docs](https://smallstep.com/docs/step-ca/installation).
@ -164,11 +155,9 @@ release:

    ```
    cosign verify-blob \
-      --certificate step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
-      --signature step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
-      --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
-      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-      step-ca_darwin_{{ .Version }}_amd64.tar.gz
+      --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
+      --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
+      ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
    ```

    The `checksums.txt` file (in the `Assets` section below) contains a checksum for every artifact in the release.
@ -180,7 +169,7 @@ release:

    Those were the changes on {{ .Tag }}!

-    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.
+    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.

  # You can disable this pipe in order to not upload any artifacts.
  # Defaults to false.
@ -196,160 +185,3 @@ release:
  #  - glob: ./path/to/file.txt
  #  - glob: ./glob/**/to/**/file/**/*
  #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
-
-winget:
-  - 
-    # IDs of the archives to use.
-    # Empty means all IDs.
-    ids: [ default ]
-
-    #
-    # Default: ProjectName
-    # Templates: allowed
-    name: step-ca
-
-    # Publisher name.
-    #
-    # Templates: allowed
-    # Required.
-    publisher: Smallstep
-
-    # Your app's description.
-    #
-    # Templates: allowed
-    # Required.
-    short_description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management."
-
-    # License name.
-    #
-    # Templates: allowed
-    # Required.
-    license: "Apache-2.0"
-
-    # Publisher URL.
-    #
-    # Templates: allowed
-    publisher_url: "https://smallstep.com"
-
-    # Publisher support URL.
-    #
-    # Templates: allowed
-    publisher_support_url: "https://github.com/smallstep/certificates/discussions"
-
-    # URL which is determined by the given Token (github, gitlab or gitea).
-    #
-    # Default depends on the client.
-    # Templates: allowed
-    url_template: "https://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-
-    # Git author used to commit to the repository.
-    commit_author:
-      name: goreleaserbot
-      email: goreleaser@smallstep.com
-
-    # The project name and current git tag are used in the format string.
-    #
-    # Templates: allowed
-    commit_msg_template: "{{ .PackageIdentifier }}: {{ .Tag }}"
-
-    # Your app's homepage.
-    homepage: "https://github.com/smallstep/certificates"
-
-    # Your app's long description.
-    #
-    # Templates: allowed
-    description: ""
-
-    # License URL.
-    #
-    # Templates: allowed
-    license_url: "https://github.com/smallstep/certificates/blob/master/LICENSE"
-
-    # Release notes URL.
-    #
-    # Templates: allowed
-    release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{ .Tag }}"
-
-    # Create the PR - for testing
-    skip_upload: auto
-
-    # Tags.
-    tags:
-      - certificates
-      - smallstep
-      - tls
-
-    # Repository to push the generated files to.
-    repository:
-      owner: smallstep
-      name: winget-pkgs
-      branch: "step-ca-{{.Version}}"
-
-      # Optionally a token can be provided, if it differs from the token
-      # provided to GoReleaser
-      # Templates: allowed
-      #token: "{{ .Env.GITHUB_PERSONAL_AUTH_TOKEN }}"
-
-      # Sets up pull request creation instead of just pushing to the given branch.
-      # Make sure the 'branch' property is different from base before enabling
-      # it.
-      #
-      # Since: v1.17
-      pull_request:
-        # Whether to enable it or not.
-        enabled: true
-        check_boxes: true
-        # Whether to open the PR as a draft or not.
-        #
-        # Default: false
-        # Since: v1.19
-        # draft: true
-
-        # Base can also be another repository, in which case the owner and name
-        # above will be used as HEAD, allowing cross-repository pull requests.
-        #
-        # Since: v1.19
-        base:
-          owner: microsoft
-          name: winget-pkgs
-          branch: master
-
-
-scoops:
-  -
-    ids: [ default ]
-    # Template for the url which is determined by the given Token (github or gitlab)
-    # Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-    # Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
-    # Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-    url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-    # Repository to push the app manifest to.
-    repository:
-      owner: smallstep
-      name: scoop-bucket
-      branch: main
-
-    # Git author used to commit to the repository.
-    # Defaults are shown.
-    commit_author:
-      name: goreleaserbot
-      email: goreleaser@smallstep.com
-
-    # The project name and current git tag are used in the format string.
-    commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
-
-    # Your app's homepage.
-    # Default is empty.
-    homepage: "https://smallstep.com/docs/step-ca"
-
-    # Skip uploads for prerelease.
-    skip_upload: auto
-
-    # Your app's description.
-    # Default is empty.
-    description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
-
-    # Your app's license
-    # Default is empty.
-    license: "Apache-2.0"
-
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,327 +1,40 @@
 # Changelog
-
 All notable changes to this project will be documented in this file.

 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

-## TEMPLATE -- do not alter or remove
-
+### TEMPLATE -- do not alter or remove
 ---
-
 ## [x.y.z] - aaaa-bb-cc
-
 ### Added
-
 ### Changed
-
 ### Deprecated
-
 ### Removed
-
 ### Fixed
-
 ### Security
-
 ---

-## [0.26.2] - 2024-06-13
-
-### Added
-
- Add provisionerID to ACME accounts (smallstep/certificates#1830)
- Enable verifying ACME provisioner using provisionerID if available (smallstep/certificates#1844)
- Add methods to Authority to get intermediate certificates (smallstep/certificates#1848)
- Add GetX509Signer method (smallstep/certificates#1850)
-
-### Changed
-
- Make ISErrNotFound more flexible (smallstep/certificates#1819)
- Log errors using slog.Logger (smallstep/certificates#1849)
- Update hardcoded AWS certificates (smallstep/certificates#1881)
-
-
-## [0.26.1] - 2024-04-22
-
-### Added
-
- Allow configuration of a custom SCEP key manager (smallstep/certificates#1797)
-
-### Fixed
-
- id-scep-failInfoText OID (smallstep/certificates#1794)
- CA startup with Vault RA configuration (smallstep/certificates#1803)
-
-
-## [0.26.0] - 2024-03-28
-
-### Added 
-
- [TPM KMS](https://github.com/smallstep/crypto/tree/master/kms/tpmkms) support for CA keys (smallstep/certificates#1772)
- Propagation of HTTP request identifier using X-Request-Id header (smallstep/certificates#1743, smallstep/certificates#1542)
- Expires header in CRL response (smallstep/certificates#1708)
- Support for providing TLS configuration programmatically (smallstep/certificates#1685)
- Support for providing external CAS implementation (smallstep/certificates#1684)
- AWS `ca-west-1` identity document root certificate (smallstep/certificates#1715)
- [COSE RS1](https://www.rfc-editor.org/rfc/rfc8812.html#section-2) as a supported algorithm with ACME `device-attest-01` challenge (smallstep/certificates#1663)
-
-### Changed 
-
- In an RA setup, let the CA decide the RA certificate lifetime (smallstep/certificates#1764)
- Use Debian Bookworm in Docker containers (smallstep/certificates#1615)
- Error message for CSR validation (smallstep/certificates#1665)
- Updated dependencies
-
-### Fixed
-
- Stop CA when any of the required servers fails to start (smallstep/certificates#1751). Before the fix, the CA would continue running and only log the server failure when stopped.
- Configuration loading errors when not using context were not returned. Fixed in [cli-utils/109](https://github.com/smallstep/cli-utils/pull/109).
- HTTP_PROXY and HTTPS_PROXY support for ACME validation client (smallstep/certificates#1658).
-
-### Security
-
- Upgrade to using cosign v2 for signing artifacts
-
-## [0.25.1] - 2023-11-28
-
-### Added
-
- Provisioner name in SCEP webhook request body in (smallstep/certificates#1617)
- Support for ASN1 boolean encoding in (smallstep/certificates#1590)
-
-### Changed
-
- Generation of first provisioner name on `step ca init` in (smallstep/certificates#1566)
- Processing of SCEP Get PKIOperation requests in (smallstep/certificates#1570)
- Support for signing identity certificate during SSH sign by skipping URI validation in (smallstep/certificates#1572)
- Dependency on `micromdm/scep` and `go.mozilla.org/pkcs7` to use Smallstep forks in (smallstep/certificates#1600)
- Make the Common Name validator for JWK provisioners accept values from SANs too in (smallstep/certificates#1609)
-
-### Fixed
-
- Registration Authority token creation relied on values from CSR. Fixed to rely on template in (smallstep/certificates#1608)
- Use same glibc version for running the CA when built using CGo in (smallstep/certificates#1616)
-
-## [0.25.0] - 2023-09-26
-
-### Added
-
- Added support for configuring SCEP decrypters in the provisioner (smallstep/certificates#1414)
- Added support for TPM KMS (smallstep/crypto#253)
- Added support for disableSmallstepExtensions provisioner claim
-  (smallstep/certificates#1484)
- Added script to migrate a badger DB to MySQL or PostgreSQL
-  (smallstep/certificates#1477)
- Added AWS public certificates for me-central-1 and ap-southeast-3
-  (smallstep/certificates#1404)
- Added namespace field to VaultCAS JSON config (smallstep/certificates#1424)
- Added AWS public certificates for me-central-1 and ap-southeast-3 
-  (smallstep/certificates#1404)
- Added unversioned filenames to Github release assets 
-  (smallstep/certificates#1435)
- Send X5C leaf certificate to webhooks (smallstep/certificates#1485)
- Added support for disableSmallstepExtensions claim (smallstep/certificates#1484)
- Added all AWS Identity Document Certificates (smallstep/certificates#1404, smallstep/certificates#1510)
- Added Winget release automation (smallstep/certificates#1519)
- Added CSR to SCEPCHALLENGE webhook request body (smallstep/certificates#1523)
- Added SCEP issuance notification webhook (smallstep/certificates#1544)
- Added ability to disable color in the log text formatter 
-  (smallstep/certificates(#1559)
-
-### Changed
-
- Changed the Makefile to produce cgo-enabled builds running
-  `make build GO_ENVS="CGO_ENABLED=1"` (smallstep/certificates#1446)
- Return more detailed errors to ACME clients using device-attest-01
-  (smallstep/certificates#1495)
- Change SCEP password type to string (smallstep/certificates#1555)
-
-### Removed
-
- Removed OIDC user regexp check (smallstep/certificates#1481)
- Removed automatic initialization of $STEPPATH (smallstep/certificates#1493)
- Removed db datasource from error msg to prevent leaking of secrets to logs
-  (smallstep/certificates#1528)
-
-### Fixed
-
- Improved authentication for ACME requests using kid and provisioner name
-  (smallstep/certificates#1386).
- Fixed indentation of KMS configuration in helm charts
-  (smallstep/certificates#1405)
- Fixed simultaneous sign or decrypt operation on a YubiKey
-  (smallstep/certificates#1476, smallstep/crypto#288)
- Fixed adding certificate templates with ASN.1 functions
-  (smallstep/certificates#1500, smallstep/crypto#302)
- Fixed a problem when the ca.json is truncated if the encoding of the 
-  configuration fails (e.g., new provisioner with bad template data)
-  (smallstep/cli#994, smallstep/certificates#1501)
- Fixed provisionerOptionsToLinkedCA missing template and templateData
-  (smallstep/certificates#1520)
- Fix calculation of webhook signature (smallstep/certificates#1546)
-
-## [v0.24.2] - 2023-05-11
-
-### Added
-
- Log SSH certificates (smallstep/certificates#1374)
- CRL endpoints on the HTTP server (smallstep/certificates#1372)
- Dynamic SCEP challenge validation using webhooks (smallstep/certificates#1366)
- For Docker deployments, added DOCKER_STEPCA_INIT_PASSWORD_FILE. Useful for pointing to a Docker Secret in the container (smallstep/certificates#1384)
-
-### Changed
-
- Depend on [smallstep/go-attestation](https://github.com/smallstep/go-attestation) instead of [google/go-attestation](https://github.com/google/go-attestation)
- Render CRLs into http.ResponseWriter instead of memory (smallstep/certificates#1373)
- Redaction of SCEP static challenge when listing provisioners (smallstep/certificates#1204)
-
-### Fixed
-
- VaultCAS certificate lifetime (smallstep/certificates#1376)
-
-## [v0.24.1] - 2023-04-14
-
-### Fixed
-
- Docker image name for HSM support (smallstep/certificates#1348)
-
-## [v0.24.0] - 2023-04-12
-
-### Added
-
- Add ACME `device-attest-01` support with TPM 2.0
-  (smallstep/certificates#1063).
- Add support for new Azure SDK, sovereign clouds, and HSM keys on Azure KMS
-  (smallstep/crypto#192, smallstep/crypto#197, smallstep/crypto#198,
-  smallstep/certificates#1323, smallstep/certificates#1309).
- Add support for ASN.1 functions on certificate templates
-  (smallstep/crypto#208, smallstep/certificates#1345)
- Add `DOCKER_STEPCA_INIT_ADDRESS` to configure the address to use in a docker
-  container (smallstep/certificates#1262).
- Make sure that the CSR used matches the attested key when using AME
-  `device-attest-01` challenge (smallstep/certificates#1265).
- Add support for compacting the Badger DB (smallstep/certificates#1298).
- Build and release cleanups (smallstep/certificates#1322,
-  smallstep/certificates#1329, smallstep/certificates#1340).
-
-### Fixed
-
- Fix support for PKCS #7 RSA-OAEP decryption through
-  [smallstep/pkcs7#4](https://github.com/smallstep/pkcs7/pull/4), as used in
-  SCEP.
- Fix RA installation using `scripts/install-step-ra.sh`
-  (smallstep/certificates#1255).
- Clarify error messages on policy errors (smallstep/certificates#1287,
-  smallstep/certificates#1278).
- Clarify error message on OIDC email validation (smallstep/certificates#1290).
- Mark the IDP critical in the generated CRL data (smallstep/certificates#1293).
- Disable database if CA is initialized with the `--no-db` flag
-  (smallstep/certificates#1294).
-
-## [v0.23.2] - 2023-02-02
-
+## [Unreleased]
 ### Added
-
- Added [`step-kms-plugin`](https://github.com/smallstep/step-kms-plugin) to
-  docker images, and a new image, `smallstep/step-ca-hsm`, compiled with cgo
-  (smallstep/certificates#1243).
- Added [`scoop`](https://scoop.sh) packages back to the release
-  (smallstep/certificates#1250).
- Added optional flag `--pidfile` which allows passing a filename where step-ca
-  will write its process id (smallstep/certificates#1251).
- Added helpful message on CA startup when config can't be opened
-  (smallstep/certificates#1252).
- Improved validation and error messages on `device-attest-01` orders
-  (smallstep/certificates#1235).
-
-### Removed
-
- The deprecated CLI utils `step-awskms-init`, `step-cloudkms-init`,
-  `step-pkcs11-init`, `step-yubikey-init` have been removed.
-  [`step`](https://github.com/smallstep/cli) and
-  [`step-kms-plugin`](https://github.com/smallstep/step-kms-plugin) should be
-  used instead (smallstep/certificates#1240).
-
-### Fixed
-
- Fixed remote management flags in docker images (smallstep/certificates#1228).
-
-## [v0.23.1] - 2023-01-10
-
-### Added
-
- Added configuration property `.crl.idpURL`  to be able to set a custom Issuing
-  Distribution Point in the CRL (smallstep/certificates#1178).
- Added WithContext methods to the CA client (smallstep/certificates#1211).
- Docker: Added environment variables for enabling Remote Management and ACME
-  provisioner (smallstep/certificates#1201).
- Docker: The entrypoint script now generates and displays an initial JWK
-  provisioner password by default when the CA is being initialized
-  (smallstep/certificates#1223).
-
-### Changed
-
- Ignore SSH principals validation when using an OIDC provisioner. The
-  provisioner will ignore the principals passed and set the defaults or the ones
-  including using WebHooks or templates (smallstep/certificates#1206).
-
-## [v0.23.0] - 2022-11-11
-
-### Added
-
- Added support for ACME device-attest-01 challenge on iOS, iPadOS, tvOS and
-  YubiKey.
- Ability to disable ACME challenges and attestation formats.
- Added flags to change ACME challenge ports for testing purposes.
+- Added support for ACME device-attest-01 challenge.
 - Added name constraints evaluation and enforcement when issuing or renewing
  X.509 certificates.
- Added provisioner webhooks for augmenting template data and authorizing
-  certificate requests before signing.
- Added automatic migration of provisioners when enabling remote management.
- Added experimental support for CRLs.
- Add certificate renewal support on RA mode. The `step ca renew` command must
-  use the flag `--mtls=false` to use the token renewal flow.
- Added support for initializing remote management using `step ca init`.
- Added support for renewing X.509 certificates on RAs.
- Added support for using SCEP with keys in a KMS.
- Added client support to set the dialer's local address with the environment variable
-  `STEP_CLIENT_ADDR`.
-
-### Changed
-
- Remove the email requirement for issuing SSH certificates with an OIDC
-  provisioner.
- Root files can contain more than one certificate.
+- Added provisioner webhooks for augmenting template data and authorizing certificate requests before signing.
+- Added automatic migration of provisioners when enabling remote managment.

 ### Fixed
-
- Fixed MySQL DSN parsing issues with an upgrade to
-  [smallstep/nosql@v0.5.0](https://github.com/smallstep/nosql/releases/tag/v0.5.0).
- Fixed renewal of certificates with missing subject attributes.
- Fixed ACME support with [ejabberd](https://github.com/processone/ejabberd).
-
-### Deprecated
-
- The CLIs `step-awskms-init`, `step-cloudkms-init`, `step-pkcs11-init`,
-  `step-yubikey-init` are deprecated. Now you can use
-  [`step-kms-plugin`](https://github.com/smallstep/step-kms-plugin) in
-  combination with `step certificates create` to initialize your PKI.
+- MySQL DSN parsing issues fixed with upgrade to [smallstep/nosql@v0.5.0](https://github.com/smallstep/nosql/releases/tag/v0.5.0).

 ## [0.22.1] - 2022-08-31
-
 ### Fixed
-
 - Fixed signature algorithm on EC (root) + RSA (intermediate) PKIs.

 ## [0.22.0] - 2022-08-26
-
 ### Added
-
 - Added automatic configuration of Linked RAs.
 - Send provisioner configuration on Linked RAs.
-
 ### Changed
-
 - Certificates signed by an issuer using an RSA key will be signed using the
  same algorithm used to sign the issuer certificate. The signature will no
  longer default to PKCS #1. For example, if the issuer certificate was signed
@ -333,28 +46,20 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Sanitize TLS options.

 ## [0.20.0] - 2022-05-26
-
 ### Added
-
 - Added Kubernetes auth method for Vault RAs.
 - Added support for reporting provisioners to linkedca.
 - Added support for certificate policies on authority level.
 - Added a Dockerfile with a step-ca build with HSM support.
 - A few new WithXX methods for instantiating authorities
-
 ### Changed
-
 - Context usage in HTTP APIs.
 - Changed authentication for Vault RAs.
 - Error message returned to client when authenticating with expired certificate.
 - Strip padding from ACME CSRs.
-
 ### Deprecated
-
 - HTTP API handler types.
-
 ### Fixed
-
 - Fixed SSH revocation.
 - CA client dial context for js/wasm target.
 - Incomplete `extraNames` support in templates.
@ -362,9 +67,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Large SCEP request handling.

 ## [0.19.0] - 2022-04-19
-
 ### Added
-
 - Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
 - Added support for `extraNames` in X.509 templates.
 - Added `armv5` builds.
@ -373,162 +76,110 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added a new `/roots.pem` endpoint to download the CA roots in PEM format.
 - Added support for Azure `Managed Identity` tokens.
 - Added support for automatic configuration of linked RAs.
- Added support for the `--context` flag. It's now possible to start the
+- Added support for the `--context` flag. It's now possible to start the 
  CA with `step-ca --context=abc` to use the configuration from context `abc`.
  When a context has been configured and no configuration file is provided
  on startup, the configuration for the current context is used.
 - Added startup info logging and option to skip it (`--quiet`).
 - Added support for renaming the CA (Common Name).
-
 ### Changed
-
 - Made SCEP CA URL paths dynamic.
 - Support two latest versions of Go (1.17, 1.18).
 - Upgrade go.step.sm/crypto to v0.16.1.
 - Upgrade go.step.sm/linkedca to v0.15.0.
-
 ### Deprecated
-
 - Go 1.16 support.
-
 ### Removed
-
 ### Fixed
-
 - Fixed admin credentials on RAs.
 - Fixed ACME HTTP-01 challenges for IPv6 identifiers.
 - Various improvements under the hood.
-
 ### Security

 ## [0.18.2] - 2022-03-01
-
 ### Added
-
 - Added `subscriptionIDs` and `objectIDs` filters to the Azure provisioner.
 - [NoSQL](https://github.com/smallstep/nosql/pull/21) package allows filtering
  out database drivers using Go tags. For example, using the Go flag
  `--tags=nobadger,nobbolt,nomysql` will only compile `step-ca` with the pgx
  driver for PostgreSQL.
-
 ### Changed
-
 - IPv6 addresses are normalized as IP addresses instead of hostnames.
 - More descriptive JWK decryption error message.
 - Make the X5C leaf certificate available to the templates using `{{ .AuthorizationCrt }}`.
-
 ### Fixed
-
 - During provisioner add - validate provisioner configuration before storing to DB.

 ## [0.18.1] - 2022-02-03
-
 ### Added
-
 - Support for ACME revocation.
 - Replace hash function with an RSA SSH CA to "rsa-sha2-256".
 - Support Nebula provisioners.
 - Example Ansible configurations.
 - Support PKCS#11 as a decrypter, as used by SCEP.
-
 ### Changed
-
 - Automatically create database directory on `step ca init`.
 - Slightly improve errors reported when a template has invalid content.
 - Error reporting in logs and to clients.
-
 ### Fixed
-
 - SCEP renewal using HTTPS on macOS.

 ## [0.18.0] - 2021-11-17
-
 ### Added
-
 - Support for multiple certificate authority contexts.
 - Support for generating extractable keys and certificates on a pkcs#11 module.
-
 ### Changed
-
 - Support two latest versions of Go (1.16, 1.17)
-
 ### Deprecated
-
 - go 1.15 support

 ## [0.17.6] - 2021-10-20
-
 ### Notes
-
 - 0.17.5 failed in CI/CD

 ## [0.17.5] - 2021-10-20
-
 ### Added
-
 - Support for Azure Key Vault as a KMS.
 - Adapt `pki` package to support key managers.
 - gocritic linter
-
 ### Fixed
-
 - gocritic warnings

 ## [0.17.4] - 2021-09-28
-
 ### Fixed
-
 - Support host-only or user-only SSH CA.

 ## [0.17.3] - 2021-09-24
-
 ### Added
-
 - go 1.17 to github action test matrix
 - Support for CloudKMS RSA-PSS signers without using templates.
 - Add flags to support individual passwords for the intermediate and SSH keys.
 - Global support for group admins in the OIDC provisioner.
-
 ### Changed
-
 - Using go 1.17 for binaries
-
 ### Fixed
-
 - Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
-
 ### Security
-
 - Use cosign to sign and upload signatures for multi-arch Docker container.
 - Add debian checksum

 ## [0.17.2] - 2021-08-30
-
 ### Added
-
 - Additional way to distinguish Azure IID and Azure OIDC tokens.
-
 ### Security
-
 - Sign over all goreleaser github artifacts using cosign

 ## [0.17.1] - 2021-08-26

 ## [0.17.0] - 2021-08-25
-
 ### Added
-
 - Add support for Linked CAs using protocol buffers and gRPC
 - `step-ca init` adds support for
  - configuring a StepCAS RA
  - configuring a Linked CA
  - congifuring a `step-ca` using Helm
-
 ### Changed
-
 - Update badger driver to use v2 by default
 - Update TLS cipher suites to include 1.3
-
 ### Security
-
 - Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.
--- a/131
+++ b/131
@ -1,11 +1,21 @@
 PKG?=github.com/smallstep/certificates/cmd/step-ca
 BINNAME?=step-ca
+CLOUDKMS_BINNAME?=step-cloudkms-init
+CLOUDKMS_PKG?=github.com/smallstep/certificates/cmd/step-cloudkms-init
+AWSKMS_BINNAME?=step-awskms-init
+AWSKMS_PKG?=github.com/smallstep/certificates/cmd/step-awskms-init
+YUBIKEY_BINNAME?=step-yubikey-init
+YUBIKEY_PKG?=github.com/smallstep/certificates/cmd/step-yubikey-init
+PKCS11_BINNAME?=step-pkcs11-init
+PKCS11_PKG?=github.com/smallstep/certificates/cmd/step-pkcs11-init

 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)
 PREFIX?=
 SRC=$(shell find . -type f -name '*.go' -not -path "./vendor/*")
 GOOS_OVERRIDE ?=
+OUTPUT_ROOT=output/
+RELEASE=./.releases

 all: lint test build

@ -21,8 +31,6 @@ bootstra%:
 	$Q curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$(go env GOPATH)/bin latest
 	$Q go install golang.org/x/vuln/cmd/govulncheck@latest
 	$Q go install gotest.tools/gotestsum@latest
-	$Q go install github.com/goreleaser/goreleaser@latest
-	$Q go install github.com/sigstore/cosign/v2/cmd/cosign@latest

 .PHONY: bootstra%

@ -30,8 +38,17 @@ bootstra%:
 # Determine the type of `push` and `version`
 #################################################

+# If TRAVIS_TAG is set then we know this ref has been tagged.
+ifdef TRAVIS_TAG
+VERSION ?= $(TRAVIS_TAG)
+NOT_RC  := $(shell echo $(VERSION) | grep -v -e -rc)
+	ifeq ($(NOT_RC),)
+PUSHTYPE := release-candidate
+	else
+PUSHTYPE := release
+	endif
 # GITHUB Actions
-ifdef GITHUB_REF
+else ifdef GITHUB_REF
 VERSION ?= $(shell echo $(GITHUB_REF) | sed 's/^refs\/tags\///')
 NOT_RC  := $(shell echo $(VERSION) | grep -v -e -rc)
 	ifeq ($(NOT_RC),)
@ -44,50 +61,59 @@ VERSION ?= $(shell [ -d .git ] && git describe --tags --always --dirty="-dev")
 # If we are not in an active git dir then try reading the version from .VERSION.
 # .VERSION contains a slug populated by `git archive`.
 VERSION := $(or $(VERSION),$(shell ./.version.sh .VERSION))
+	ifeq ($(TRAVIS_BRANCH),master)
+PUSHTYPE := master
+	else
 PUSHTYPE := branch
+	endif
 endif

 VERSION := $(shell echo $(VERSION) | sed 's/^v//')
+DEB_VERSION := $(shell echo $(VERSION) | sed 's/-/./g')

 ifdef V
+$(info    TRAVIS_TAG is $(TRAVIS_TAG))
 $(info    GITHUB_REF is $(GITHUB_REF))
 $(info    VERSION is $(VERSION))
+$(info    DEB_VERSION is $(DEB_VERSION))
 $(info    PUSHTYPE is $(PUSHTYPE))
 endif

+include make/docker.mk
+
 #########################################
 # Build
 #########################################

 DATE    := $(shell date -u '+%Y-%m-%d %H:%M UTC')
 LDFLAGS := -ldflags='-w -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
-
-# Always explicitly enable or disable cgo,
-# so that go doesn't silently fall back on
-# non-cgo when gcc is not found.
-ifeq (,$(findstring CGO_ENABLED,$(GO_ENVS)))
-	ifneq ($(origin GOFLAGS),undefined)
-		# This section is for backward compatibility with 
-		# 
-		# $ make build GOFLAGS=""
-		#
-		# which is how we recommended building step-ca with cgo support
-		# until June 2023.
-		GO_ENVS := $(GO_ENVS) CGO_ENABLED=1
-	else
-		GO_ENVS := $(GO_ENVS) CGO_ENABLED=0
-	endif
-endif
+GOFLAGS := CGO_ENABLED=0

 download:
 	$Q go mod download

-build: $(PREFIX)bin/$(BINNAME)
+build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME) $(PREFIX)bin/$(PKCS11_BINNAME)
 	@echo "Build Complete!"

 $(PREFIX)bin/$(BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
-	$Q $(GOOS_OVERRIDE) GOFLAGS="$(GOFLAGS)" $(GO_ENVS) go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
+
+$(PREFIX)bin/$(CLOUDKMS_BINNAME): download $(call rwildcard,*.go)
+	$Q mkdir -p $(@D)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(LDFLAGS) $(CLOUDKMS_PKG)
+
+$(PREFIX)bin/$(AWSKMS_BINNAME): download $(call rwildcard,*.go)
+	$Q mkdir -p $(@D)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(AWSKMS_BINNAME) $(LDFLAGS) $(AWSKMS_PKG)
+
+$(PREFIX)bin/$(YUBIKEY_BINNAME): download $(call rwildcard,*.go)
+	$Q mkdir -p $(@D)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(YUBIKEY_BINNAME) $(LDFLAGS) $(YUBIKEY_PKG)
+
+$(PREFIX)bin/$(PKCS11_BINNAME): download $(call rwildcard,*.go)
+	$Q mkdir -p $(@D)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(PKCS11_BINNAME) $(LDFLAGS) $(PKCS11_PKG)

 # Target to force a build of step-ca without running tests
 simple: build
@ -106,26 +132,19 @@ generate:
 #########################################
 # Test
 #########################################
-test: testdefault testtpmsimulator combinecoverage
-
-testdefault:
-	$Q $(GO_ENVS) gotestsum -- -coverprofile=defaultcoverage.out -short -covermode=atomic ./...
+test:
+	$Q $(GOFLAGS) gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...

-testtpmsimulator:
-	$Q CGO_ENABLED=1 gotestsum -- -coverprofile=tpmsimulatorcoverage.out -short -covermode=atomic -tags tpmsimulator ./acme 

 testcgo:
 	$Q gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...

-combinecoverage:
-	cat defaultcoverage.out tpmsimulatorcoverage.out > coverage.out
-
-.PHONY: test testdefault testtpmsimulator testcgo combinecoverage
+.PHONY: test testcgo

 integrate: integration

 integration: bin/$(BINNAME)
-	$Q $(GO_ENVS) gotestsum -- -tags=integration ./integration/...
+	$Q $(GOFLAGS) gotestsum -- -tags=integration ./integration/...

 .PHONY: integrate integration

@ -149,11 +168,15 @@ lint:

 INSTALL_PREFIX?=/usr/

-install: $(PREFIX)bin/$(BINNAME)
+install: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME)
 	$Q install -D $(PREFIX)bin/$(BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(BINNAME)
+	$Q install -D $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(CLOUDKMS_BINNAME)
+	$Q install -D $(PREFIX)bin/$(AWSKMS_BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(AWSKMS_BINNAME)

 uninstall:
 	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(BINNAME)
+	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(CLOUDKMS_BINNAME)
+	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(AWSKMS_BINNAME)

 .PHONY: install uninstall

@ -165,6 +188,18 @@ clean:
 ifneq ($(BINNAME),"")
 	$Q rm -f bin/$(BINNAME)
 endif
+ifneq ($(CLOUDKMS_BINNAME),"")
+	$Q rm -f bin/$(CLOUDKMS_BINNAME)
+endif
+ifneq ($(AWSKMS_BINNAME),"")
+	$Q rm -f bin/$(AWSKMS_BINNAME)
+endif
+ifneq ($(YUBIKEY_BINNAME),"")
+	$Q rm -f bin/$(YUBIKEY_BINNAME)
+endif
+ifneq ($(PKCS11_BINNAME),"")
+	$Q rm -f bin/$(PKCS11_BINNAME)
+endif

 .PHONY: clean

@ -177,3 +212,31 @@ run:

 .PHONY: run

+#########################################
+# Debian
+#########################################
+
+changelog:
+	$Q echo "step-ca ($(DEB_VERSION)) unstable; urgency=medium" > debian/changelog
+	$Q echo >> debian/changelog
+	$Q echo "  * See https://github.com/smallstep/certificates/releases" >> debian/changelog
+	$Q echo >> debian/changelog
+	$Q echo " -- Smallstep Labs, Inc. <techadmin@smallstep.com>  $(shell date -uR)" >> debian/changelog
+
+debian: changelog
+	$Q mkdir -p $(RELEASE); \
+	OUTPUT=../step-ca*.deb; \
+	rm $$OUTPUT; \
+	dpkg-buildpackage -b -rfakeroot -us -uc && cp $$OUTPUT $(RELEASE)/
+
+distclean: clean
+
+.PHONY: changelog debian distclean
+
+#################################################
+# Targets for creating step artifacts
+#################################################
+
+docker-artifacts: docker-$(PUSHTYPE)
+
+.PHONY: docker-artifacts
--- a/README.md
+++ b/README.md
@ -1,61 +1,48 @@
-# step-ca
+# Step Certificates

-[![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest)
-[![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates)
-[![Build Status](https://github.com/smallstep/certificates/actions/workflows/test.yml/badge.svg)](https://github.com/smallstep/certificates)
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/certificates)](https://cla-assistant.io/smallstep/certificates)
-
-`step-ca` is an online certificate authority for secure, automated certificate management for DevOps.
-It's the server counterpart to the [`step` CLI tool](https://github.com/smallstep/cli) for working with certificates and keys.
-Both projects are maintained by [Smallstep Labs](https://smallstep.com).
+`step-ca` is an online certificate authority for secure, automated certificate management. It's the server counterpart to the [`step` CLI tool](https://github.com/smallstep/cli).

-You can use `step-ca` to:
- Issue HTTPS server and client certificates that [work in browsers](https://smallstep.com/blog/step-v0-8-6-valid-HTTPS-certificates-for-dev-pre-prod.html) ([RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/) compliance)
- Issue TLS certificates for DevOps: VMs, containers, APIs, database connections, Kubernetes pods...
+You can use it to:
+- Issue X.509 certificates for your internal infrastructure:
+  - HTTPS certificates that [work in browsers](https://smallstep.com/blog/step-v0-8-6-valid-HTTPS-certificates-for-dev-pre-prod.html) ([RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/) compliance)
+  - TLS certificates for VMs, containers, APIs, mobile clients, database connections, printers, wifi networks, toaster ovens...
+  - Client certificates to [enable mutual TLS (mTLS)](https://smallstep.com/hello-mtls) in your infra. mTLS is an optional feature in TLS where both client and server authenticate each other. Why add the complexity of a VPN when you can safely use mTLS over the public internet?
 - Issue SSH certificates:
-  - For people, in exchange for single sign-on identity tokens
+  - For people, in exchange for single sign-on ID tokens
  - For hosts, in exchange for cloud instance identity documents
 - Easily automate certificate management:
-  - It's an [ACME server](https://smallstep.com/docs/step-ca/acme-basics/) that supports all [popular ACME challenge types](https://smallstep.com/docs/step-ca/acme-basics/#acme-challenge-types)
+  - It's an ACME v2 server
+  - It has a JSON API
  - It comes with a [Go wrapper](./examples#user-content-basic-client-usage)
  - ... and there's a [command-line client](https://github.com/smallstep/cli) you can use in scripts!

---
-
-### Comparison with Smallstep's commercial product
-
-`step-ca` is optimized for a two-tier PKI serving common DevOps use cases.
+Whatever your use case, `step-ca` is easy to use and hard to misuse, thanks to [safe, sane defaults](https://smallstep.com/docs/step-ca/certificate-authority-server-production#sane-cryptographic-defaults).

-As you design your PKI, if you need any of the following, [consider our commerical CA](http://smallstep.com):
- Multiple certificate authorities
- Active revocation (CRL, OSCP)
- Turnkey high-volume, high availability CA
- An API for seamless IaC management of your PKI
- Integrated support for SCEP & NDES, for migrating from legacy Active Directory Certificate Services deployments
- Device identity — cross-platform device inventory and attestation using Secure Enclave & TPM 2.0
- Highly automated PKI — managed certificate renewal, monitoring, TPM-based attested enrollment
- Seamless client deployments of EAP-TLS Wi-Fi, VPN, SSH, and browser certificates
- Jamf, Intune, or other MDM for root distribution and client enrollment
- Web Admin UI — history, issuance, and metrics
- ACME External Account Binding (EAB)
- Deep integration with an identity provider
- Fine-grained, role-based access control
- FIPS-compliant software
- HSM-bound private keys
-
-See our [full feature comparison](https://smallstep.com/step-ca-vs-smallstep-certificate-manager/) for more.
+---

-You can [start a free trial](https://smallstep.com/signup) or [set up a call with us](https://go.smallstep.com/request-demo) to learn more.
+**Don't want to run your own CA?**
+To get up and running quickly, or as an alternative to running your own `step-ca` server, consider creating a [free hosted smallstep Certificate Manager authority](https://info.smallstep.com/certificate-manager-early-access-mvp/).

 ---

 **Questions? Find us in [Discussions](https://github.com/smallstep/certificates/discussions) or [Join our Discord](https://u.step.sm/discord).**

 [Website](https://smallstep.com/certificates) |
-[Documentation](https://smallstep.com/docs/step-ca) |
+[Documentation](https://smallstep.com/docs) |
 [Installation](https://smallstep.com/docs/step-ca/installation) |
-[Contributor's Guide](./CONTRIBUTING.md)
+[Getting Started](https://smallstep.com/docs/step-ca/getting-started) |
+[Contributor's Guide](./docs/CONTRIBUTING.md)
+
+[![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest)
+[![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates)
+[![Build Status](https://github.com/smallstep/certificates/actions/workflows/test.yml/badge.svg)](https://github.com/smallstep/certificates)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/certificates)](https://cla-assistant.io/smallstep/certificates)
+
+[![GitHub stars](https://img.shields.io/github/stars/smallstep/certificates.svg?style=social)](https://github.com/smallstep/certificates/stargazers)
+[![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs)
+
+![star us](https://github.com/smallstep/certificates/raw/master/docs/images/star.gif)

 ## Features

@ -65,6 +52,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te

 - Choose key types (RSA, ECDSA, EdDSA) and lifetimes to suit your needs
 - [Short-lived certificates](https://smallstep.com/blog/passive-revocation.html) with automated enrollment, renewal, and passive revocation
+- Capable of high availability (HA) deployment using [root federation](https://smallstep.com/blog/step-v0.8.3-federation-root-rotation.html) and/or multiple intermediaries
 - Can operate as [an online intermediate CA for an existing root CA](https://smallstep.com/docs/tutorials/intermediate-ca-new-ca)
 - [Badger, BoltDB, Postgres, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)

@ -131,13 +119,19 @@ See our installation docs [here](https://smallstep.com/docs/step-ca/installation

 ## Documentation

-* [Official documentation](https://smallstep.com/docs/step-ca) is on smallstep.com
-* The `step` command reference is available via `step help`,
-[on smallstep.com](https://smallstep.com/docs/step-cli/reference/),
-or by running `step help --http=:8080` from the command line
+Documentation can be found in a handful of different places:
+
+1. On the web at https://smallstep.com/docs/step-ca.
+
+2. On the command line with `step help ca xxx` where `xxx` is the subcommand
+you are interested in. Ex: `step help ca provisioner list`.
+
+3. In your browser, by running `step help --http=:8080 ca` from the command line
 and visiting http://localhost:8080.

+4. The [docs](./docs/README.md) folder is being deprecated, but it still has some documentation and tutorials.
+
 ## Feedback?

-* Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space. [Join our Discord](https://u.step.sm/discord) or [GitHub Discussions](https://github.com/smallstep/certificates/discussions)
-* Tell us about a feature you'd like to see! [Request a Feature](https://github.com/smallstep/certificates/issues/new?assignees=&labels=enhancement%2C+needs+triage&template=enhancement.md&title=)
+* Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space.
+* Tell us about a feature you'd like to see! [Add a feature request Issue](https://github.com/smallstep/certificates/issues/new?assignees=&labels=enhancement%2C+needs+triage&template=enhancement.md&title=), [ask on Discussions](https://github.com/smallstep/certificates/discussions), or hit us up on [Twitter](https://twitter.com/smallsteplabs).
--- a/acme/account.go
+++ b/acme/account.go
@ -20,17 +20,6 @@ type Account struct {
 	Status                 Status           `json:"status"`
 	OrdersURL              string           `json:"orders"`
 	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
-	LocationPrefix         string           `json:"-"`
-	ProvisionerID          string           `json:"-"`
-	ProvisionerName        string           `json:"-"`
-}
-
-// GetLocation returns the URL location of the given account.
-func (a *Account) GetLocation() string {
-	if a.LocationPrefix == "" {
-		return ""
-	}
-	return a.LocationPrefix + a.ID
 }

 // ToLog enables response logging.
@ -83,7 +72,6 @@ func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions {
 		IPRanges:   p.X509.Allowed.IPRanges,
 	}
 }
-
 func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions {
 	if p == nil {
 		return nil
--- a/acme/account_test.go
+++ b/acme/account_test.go
@ -25,7 +25,7 @@ func TestKeyToID(t *testing.T) {
 			jwk.Key = "foo"
 			return test{
 				jwk: jwk,
-				err: NewErrorISE("error generating jwk thumbprint: go-jose/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating jwk thumbprint: square/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok": func(t *testing.T) test {
@ -66,23 +66,6 @@ func TestKeyToID(t *testing.T) {
 	}
 }

-func TestAccount_GetLocation(t *testing.T) {
-	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
-	type test struct {
-		acc *Account
-		exp string
-	}
-	tests := map[string]test{
-		"empty":     {acc: &Account{LocationPrefix: ""}, exp: ""},
-		"not-empty": {acc: &Account{ID: "bar", LocationPrefix: locationPrefix}, exp: locationPrefix + "bar"},
-	}
-	for name, tc := range tests {
-		t.Run(name, func(t *testing.T) {
-			assert.Equals(t, tc.acc.GetLocation(), tc.exp)
-		})
-	}
-}
-
 func TestAccount_IsValid(t *testing.T) {
 	type test struct {
 		acc *Account
@ -152,6 +135,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				if assert.True(t, errors.As(err, &ae)) {
 					assert.Equals(t, ae.Type, tt.err.Type)
 					assert.Equals(t, ae.Detail, tt.err.Detail)
+					assert.Equals(t, ae.Identifier, tt.err.Identifier)
 					assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
 				}
 			} else {
--- a/acme/api/account.go
+++ b/acme/api/account.go
@ -1,12 +1,11 @@
 package api

 import (
-	"context"
 	"encoding/json"
 	"errors"
 	"net/http"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"

 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/api/render"
@ -68,12 +67,6 @@ func (u *UpdateAccountRequest) Validate() error {
 	}
 }

-// getAccountLocationPath returns the current account URL location.
-// Returned location will be of the form: https://<ca-url>/acme/<provisioner>/account/<accID>
-func getAccountLocationPath(ctx context.Context, linker acme.Linker, accID string) string {
-	return linker.GetLink(ctx, acme.AccountLinkType, accID)
-}
-
 // NewAccount is the handler resource for creating new ACME accounts.
 func NewAccount(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@ -82,23 +75,23 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {

 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var nar NewAccountRequest
 	if err := json.Unmarshal(payload.value, &nar); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal new-account request payload"))
 		return
 	}
 	if err := nar.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -108,49 +101,46 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 		var acmeErr *acme.Error
 		if !errors.As(err, &acmeErr) || acmeErr.Status != http.StatusBadRequest {
 			// Something went wrong ...
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		// Account does not exist //
 		if nar.OnlyReturnExisting {
-			render.Error(w, r, acme.NewError(acme.ErrorAccountDoesNotExistType,
+			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType,
 				"account does not exist"))
 			return
 		}

 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		eak, err := validateExternalAccountBinding(ctx, &nar)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		acc = &acme.Account{
-			Key:             jwk,
-			Contact:         nar.Contact,
-			Status:          acme.StatusValid,
-			LocationPrefix:  getAccountLocationPath(ctx, linker, ""),
-			ProvisionerID:   prov.ID,
-			ProvisionerName: prov.Name,
+			Key:     jwk,
+			Contact: nar.Contact,
+			Status:  acme.StatusValid,
 		}
 		if err := db.CreateAccount(ctx, acc); err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error creating account"))
+			render.Error(w, acme.WrapErrorISE(err, "error creating account"))
 			return
 		}

 		if eak != nil { // means that we have a (valid) External Account Binding key that should be bound, updated and sent in the response
 			if err := eak.BindTo(acc); err != nil {
-				render.Error(w, r, err)
+				render.Error(w, err)
 				return
 			}
 			if err := db.UpdateExternalAccountKey(ctx, prov.ID, eak); err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error updating external account binding key"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating external account binding key"))
 				return
 			}
 			acc.ExternalAccountBinding = nar.ExternalAccountBinding
@ -162,8 +152,8 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {

 	linker.LinkAccount(ctx, acc)

-	w.Header().Set("Location", getAccountLocationPath(ctx, linker, acc.ID))
-	render.JSONStatus(w, r, acc, httpStatus)
+	w.Header().Set("Location", linker.GetLink(r.Context(), acme.AccountLinkType, acc.ID))
+	render.JSONStatus(w, acc, httpStatus)
 }

 // GetOrUpdateAccount is the api for updating an ACME account.
@ -174,12 +164,12 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -188,12 +178,12 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	if !payload.isPostAsGet {
 		var uar UpdateAccountRequest
 		if err := json.Unmarshal(payload.value, &uar); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 				"failed to unmarshal new-account request payload"))
 			return
 		}
 		if err := uar.Validate(); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if len(uar.Status) > 0 || len(uar.Contact) > 0 {
@ -204,7 +194,7 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 			}

 			if err := db.UpdateAccount(ctx, acc); err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error updating account"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating account"))
 				return
 			}
 		}
@ -213,7 +203,7 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	linker.LinkAccount(ctx, acc)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.AccountLinkType, acc.ID))
-	render.JSON(w, r, acc)
+	render.JSON(w, acc)
 }

 func logOrdersByAccount(w http.ResponseWriter, oids []string) {
@ -233,23 +223,23 @@ func GetOrdersByAccountID(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	accID := chi.URLParam(r, "accID")
 	if acc.ID != accID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
 		return
 	}

 	orders, err := db.GetOrdersByAccountID(ctx, acc.ID)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	linker.LinkOrdersByAccountID(ctx, orders)

-	render.JSON(w, r, orders)
+	render.JSON(w, orders)
 	logOrdersByAccount(w, orders)
 }
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
@ -7,14 +7,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
-	"github.com/google/uuid"
+	"github.com/go-chi/chi"
 	"github.com/pkg/errors"

 	"go.step.sm/crypto/jose"
@ -36,41 +34,35 @@ var (

 type fakeProvisioner struct{}

-func (*fakeProvisioner) AuthorizeOrderIdentifier(context.Context, provisioner.ACMEIdentifier) error {
+func (*fakeProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
 	return nil
 }
-func (*fakeProvisioner) AuthorizeSign(context.Context, string) ([]provisioner.SignOption, error) {
+
+func (*fakeProvisioner) AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) {
 	return nil, nil
 }
-func (*fakeProvisioner) IsChallengeEnabled(context.Context, provisioner.ACMEChallenge) bool {
+
+func (*fakeProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool {
 	return true
 }
-func (*fakeProvisioner) IsAttestationFormatEnabled(context.Context, provisioner.ACMEAttestationFormat) bool {
+
+func (*fakeProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
 	return true
 }
-func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool)   { return nil, false }
-func (*fakeProvisioner) AuthorizeRevoke(context.Context, string) error { return nil }
-func (*fakeProvisioner) GetID() string                                 { return "" }
-func (*fakeProvisioner) GetName() string                               { return "" }
-func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration         { return 0 }
-func (*fakeProvisioner) GetOptions() *provisioner.Options              { return nil }

-func newProv() acme.Provisioner {
-	// Initialize provisioners
-	p := &provisioner.ACME{
-		Type: "ACME",
-		Name: "test@acme-<test>provisioner.com",
-	}
-	if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
-		fmt.Printf("%v", err)
-	}
-	return p
+func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) {
+	return nil, false
 }

-func newProvWithID() acme.Provisioner {
+func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil }
+func (*fakeProvisioner) GetID() string                                           { return "" }
+func (*fakeProvisioner) GetName() string                                         { return "" }
+func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration                   { return 0 }
+func (*fakeProvisioner) GetOptions() *provisioner.Options                        { return nil }
+
+func newProv() acme.Provisioner {
 	// Initialize provisioners
 	p := &provisioner.ACME{
-		ID:   uuid.NewString(),
 		Type: "ACME",
 		Name: "test@acme-<test>provisioner.com",
 	}
@ -328,7 +320,7 @@ func TestHandler_GetOrdersByAccountID(t *testing.T) {
 		"fail/nil-account": func(t *testing.T) test {
 			return test{
 				db:         &acme.MockDB{},
-				ctx:        context.WithValue(context.Background(), accContextKey, http.NoBody),
+				ctx:        context.WithValue(context.Background(), accContextKey, nil),
 				statusCode: 400,
 				err:        acme.NewError(acme.ErrorAccountDoesNotExistType, "account does not exist"),
 			}
@ -378,7 +370,7 @@ func TestHandler_GetOrdersByAccountID(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			GetOrdersByAccountID(w, req)
@ -396,6 +388,7 @@ func TestHandler_GetOrdersByAccountID(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -817,7 +810,7 @@ func TestHandler_NewAccount(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
-			req := httptest.NewRequest("GET", "/foo/bar", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo/bar", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			NewAccount(w, req)
@ -835,6 +828,7 @@ func TestHandler_NewAccount(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1020,7 +1014,7 @@ func TestHandler_GetOrUpdateAccount(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
-			req := httptest.NewRequest("GET", "/foo/bar", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo/bar", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			GetOrUpdateAccount(w, req)
@ -1038,6 +1032,7 @@ func TestHandler_GetOrUpdateAccount(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
--- a/acme/api/eab_test.go
+++ b/acme/api/eab_test.go
@ -866,6 +866,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
 					assert.Equals(t, ae.Status, tc.err.Status)
 					assert.HasPrefix(t, ae.Err.Error(), tc.err.Err.Error())
 					assert.Equals(t, ae.Detail, tc.err.Detail)
+					assert.Equals(t, ae.Identifier, tc.err.Identifier)
 					assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				}
 			} else {
@ -1144,6 +1145,7 @@ func Test_validateEABJWS(t *testing.T) {
 				assert.Equals(t, tc.err.Status, err.Status)
 				assert.HasPrefix(t, err.Err.Error(), tc.err.Err.Error())
 				assert.Equals(t, tc.err.Detail, err.Detail)
+				assert.Equals(t, tc.err.Identifier, err.Identifier)
 				assert.Equals(t, tc.err.Subproblems, err.Subproblems)
 			} else {
 				assert.Nil(t, err)
--- a/acme/api/handler.go
+++ b/acme/api/handler.go
@ -9,7 +9,7 @@ import (
 	"net/http"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"

 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/api"
@ -205,7 +205,7 @@ type Directory struct {
 	NewOrder   string `json:"newOrder"`
 	RevokeCert string `json:"revokeCert"`
 	KeyChange  string `json:"keyChange"`
-	Meta       *Meta  `json:"meta,omitempty"`
+	Meta       Meta   `json:"meta"`
 }

 // ToLog enables response logging for the Directory type.
@ -223,58 +223,27 @@ func GetDirectory(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acmeProv, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	linker := acme.MustLinkerFromContext(ctx)
-
-	render.JSON(w, r, &Directory{
+	render.JSON(w, &Directory{
 		NewNonce:   linker.GetLink(ctx, acme.NewNonceLinkType),
 		NewAccount: linker.GetLink(ctx, acme.NewAccountLinkType),
 		NewOrder:   linker.GetLink(ctx, acme.NewOrderLinkType),
 		RevokeCert: linker.GetLink(ctx, acme.RevokeCertLinkType),
 		KeyChange:  linker.GetLink(ctx, acme.KeyChangeLinkType),
-		Meta:       createMetaObject(acmeProv),
+		Meta: Meta{
+			ExternalAccountRequired: acmeProv.RequireEAB,
+		},
 	})
 }

-// createMetaObject creates a Meta object if the ACME provisioner
-// has one or more properties that are written in the ACME directory output.
-// It returns nil if none of the properties are set.
-func createMetaObject(p *provisioner.ACME) *Meta {
-	if shouldAddMetaObject(p) {
-		return &Meta{
-			TermsOfService:          p.TermsOfService,
-			Website:                 p.Website,
-			CaaIdentities:           p.CaaIdentities,
-			ExternalAccountRequired: p.RequireEAB,
-		}
-	}
-	return nil
-}
-
-// shouldAddMetaObject returns whether or not the ACME provisioner
-// has properties configured that must be added to the ACME directory object.
-func shouldAddMetaObject(p *provisioner.ACME) bool {
-	switch {
-	case p.TermsOfService != "":
-		return true
-	case p.Website != "":
-		return true
-	case len(p.CaaIdentities) > 0:
-		return true
-	case p.RequireEAB:
-		return true
-	default:
-		return false
-	}
-}
-
 // NotImplemented returns a 501 and is generally a placeholder for functionality which
 // MAY be added at some point in the future but is not in any way a guarantee of such.
 func NotImplemented(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
+	render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
 }

 // GetAuthorization ACME api for retrieving an Authz.
@ -285,28 +254,28 @@ func GetAuthorization(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	az, err := db.GetAuthorization(ctx, chi.URLParam(r, "authzID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving authorization"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving authorization"))
 		return
 	}
 	if acc.ID != az.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own authorization '%s'", acc.ID, az.ID))
 		return
 	}
 	if err = az.UpdateStatus(ctx, db); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error updating authorization status"))
+		render.Error(w, acme.WrapErrorISE(err, "error updating authorization status"))
 		return
 	}

 	linker.LinkAuthorization(ctx, az)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.AuthzLinkType, az.ID))
-	render.JSON(w, r, az)
+	render.JSON(w, az)
 }

 // GetChallenge ACME api for retrieving a Challenge.
@ -317,13 +286,13 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -336,22 +305,22 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {
 	azID := chi.URLParam(r, "authzID")
 	ch, err := db.GetChallenge(ctx, chi.URLParam(r, "chID"), azID)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving challenge"))
 		return
 	}
 	ch.AuthorizationID = azID
 	if acc.ID != ch.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own challenge '%s'", acc.ID, ch.ID))
 		return
 	}
 	jwk, err := jwkFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if err = ch.Validate(ctx, db, jwk, payload.value); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error validating challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error validating challenge"))
 		return
 	}

@ -359,7 +328,7 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {

 	w.Header().Add("Link", link(linker.GetLink(ctx, acme.AuthzLinkType, azID), "up"))
 	w.Header().Set("Location", linker.GetLink(ctx, acme.ChallengeLinkType, azID, ch.ID))
-	render.JSON(w, r, ch)
+	render.JSON(w, ch)
 }

 // GetCertificate ACME api for retrieving a Certificate.
@ -369,18 +338,18 @@ func GetCertificate(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	certID := chi.URLParam(r, "certID")
 	cert, err := db.GetCertificate(ctx, certID)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving certificate"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate"))
 		return
 	}
 	if cert.AccountID != acc.ID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own certificate '%s'", acc.ID, certID))
 		return
 	}
@ -394,6 +363,6 @@ func GetCertificate(w http.ResponseWriter, r *http.Request) {
 	}

 	api.LogCertificate(w, cert.Leaf)
-	w.Header().Set("Content-Type", "application/pem-certificate-chain")
+	w.Header().Set("Content-Type", "application/pem-certificate-chain; charset=utf-8")
 	w.Write(certBytes)
 }
--- a/acme/api/handler_test.go
+++ b/acme/api/handler_test.go
@ -15,16 +15,13 @@ import (
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/google/go-cmp/cmp"
 	"github.com/pkg/errors"
-
-	"go.step.sm/crypto/jose"
-	"go.step.sm/crypto/pemutil"
-
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
-	"github.com/smallstep/certificates/authority/provisioner"
+	"go.step.sm/crypto/jose"
+	"go.step.sm/crypto/pemutil"
 )

 type mockClient struct {
@ -60,7 +57,7 @@ func TestHandler_GetNonce(t *testing.T) {
 	}

 	// Request with chi context
-	req := httptest.NewRequest("GET", "http://ca.smallstep.com/nonce", http.NoBody)
+	req := httptest.NewRequest("GET", "http://ca.smallstep.com/nonce", nil)

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -132,35 +129,7 @@ func TestHandler_GetDirectory(t *testing.T) {
 				NewOrder:   fmt.Sprintf("%s/acme/%s/new-order", baseURL.String(), provName),
 				RevokeCert: fmt.Sprintf("%s/acme/%s/revoke-cert", baseURL.String(), provName),
 				KeyChange:  fmt.Sprintf("%s/acme/%s/key-change", baseURL.String(), provName),
-				Meta: &Meta{
-					ExternalAccountRequired: true,
-				},
-			}
-			return test{
-				ctx:        ctx,
-				dir:        expDir,
-				statusCode: 200,
-			}
-		},
-		"ok/full-meta": func(t *testing.T) test {
-			prov := newACMEProv(t)
-			prov.TermsOfService = "https://terms.ca.local/"
-			prov.Website = "https://ca.local/"
-			prov.CaaIdentities = []string{"ca.local"}
-			prov.RequireEAB = true
-			provName := url.PathEscape(prov.GetName())
-			baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"}
-			ctx := acme.NewProvisionerContext(context.Background(), prov)
-			expDir := Directory{
-				NewNonce:   fmt.Sprintf("%s/acme/%s/new-nonce", baseURL.String(), provName),
-				NewAccount: fmt.Sprintf("%s/acme/%s/new-account", baseURL.String(), provName),
-				NewOrder:   fmt.Sprintf("%s/acme/%s/new-order", baseURL.String(), provName),
-				RevokeCert: fmt.Sprintf("%s/acme/%s/revoke-cert", baseURL.String(), provName),
-				KeyChange:  fmt.Sprintf("%s/acme/%s/key-change", baseURL.String(), provName),
-				Meta: &Meta{
-					TermsOfService:          "https://terms.ca.local/",
-					Website:                 "https://ca.local/",
-					CaaIdentities:           []string{"ca.local"},
+				Meta: Meta{
 					ExternalAccountRequired: true,
 				},
 			}
@ -175,7 +144,7 @@ func TestHandler_GetDirectory(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewLinkerContext(tc.ctx, acme.NewLinker("test.ca.smallstep.com", "acme"))
-			req := httptest.NewRequest("GET", "/foo/bar", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo/bar", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			GetDirectory(w, req)
@ -193,6 +162,7 @@ func TestHandler_GetDirectory(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -347,7 +317,7 @@ func TestHandler_GetAuthorization(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
-			req := httptest.NewRequest("GET", "/foo/bar", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo/bar", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			GetAuthorization(w, req)
@ -365,6 +335,7 @@ func TestHandler_GetAuthorization(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -489,7 +460,7 @@ func TestHandler_GetCertificate(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewDatabaseContext(tc.ctx, tc.db)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			GetCertificate(w, req)
@ -507,11 +478,12 @@ func TestHandler_GetCertificate(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.HasPrefix(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
 				assert.Equals(t, bytes.TrimSpace(body), bytes.TrimSpace(certBytes))
-				assert.Equals(t, res.Header["Content-Type"], []string{"application/pem-certificate-chain"})
+				assert.Equals(t, res.Header["Content-Type"], []string{"application/pem-certificate-chain; charset=utf-8"})
 			}
 		})
 	}
@ -747,7 +719,7 @@ func TestHandler_GetChallenge(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			GetChallenge(w, req)
@ -765,6 +737,7 @@ func TestHandler_GetChallenge(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -778,89 +751,3 @@ func TestHandler_GetChallenge(t *testing.T) {
 		})
 	}
 }
-
-func Test_createMetaObject(t *testing.T) {
-	tests := []struct {
-		name string
-		p    *provisioner.ACME
-		want *Meta
-	}{
-		{
-			name: "no-meta",
-			p: &provisioner.ACME{
-				Type: "ACME",
-				Name: "acme",
-			},
-			want: nil,
-		},
-		{
-			name: "terms-of-service",
-			p: &provisioner.ACME{
-				Type:           "ACME",
-				Name:           "acme",
-				TermsOfService: "https://terms.ca.local",
-			},
-			want: &Meta{
-				TermsOfService: "https://terms.ca.local",
-			},
-		},
-		{
-			name: "website",
-			p: &provisioner.ACME{
-				Type:    "ACME",
-				Name:    "acme",
-				Website: "https://ca.local",
-			},
-			want: &Meta{
-				Website: "https://ca.local",
-			},
-		},
-		{
-			name: "caa",
-			p: &provisioner.ACME{
-				Type:          "ACME",
-				Name:          "acme",
-				CaaIdentities: []string{"ca.local", "ca.remote"},
-			},
-			want: &Meta{
-				CaaIdentities: []string{"ca.local", "ca.remote"},
-			},
-		},
-		{
-			name: "require-eab",
-			p: &provisioner.ACME{
-				Type:       "ACME",
-				Name:       "acme",
-				RequireEAB: true,
-			},
-			want: &Meta{
-				ExternalAccountRequired: true,
-			},
-		},
-		{
-			name: "full-meta",
-			p: &provisioner.ACME{
-				Type:           "ACME",
-				Name:           "acme",
-				TermsOfService: "https://terms.ca.local",
-				Website:        "https://ca.local",
-				CaaIdentities:  []string{"ca.local", "ca.remote"},
-				RequireEAB:     true,
-			},
-			want: &Meta{
-				TermsOfService:          "https://terms.ca.local",
-				Website:                 "https://ca.local",
-				CaaIdentities:           []string{"ca.local", "ca.remote"},
-				ExternalAccountRequired: true,
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := createMetaObject(tt.p)
-			if !cmp.Equal(tt.want, got) {
-				t.Errorf("createMetaObject() diff =\n%s", cmp.Diff(tt.want, got))
-			}
-		})
-	}
-}
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -7,7 +7,6 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"path"
 	"strings"

 	"go.step.sm/crypto/jose"
@ -17,6 +16,7 @@ import (
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
+	"github.com/smallstep/nosql"
 )

 type nextHTTP = func(http.ResponseWriter, *http.Request)
@ -36,7 +36,7 @@ func addNonce(next nextHTTP) nextHTTP {
 		db := acme.MustDatabaseFromContext(r.Context())
 		nonce, err := db.CreateNonce(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		w.Header().Set("Replay-Nonce", string(nonce))
@ -64,7 +64,7 @@ func verifyContentType(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		p, err := provisionerFromContext(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

@ -88,7 +88,7 @@ func verifyContentType(next nextHTTP) nextHTTP {
 				return
 			}
 		}
-		render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+		render.Error(w, acme.NewError(acme.ErrorMalformedType,
 			"expected content-type to be in %s, but got %s", expected, ct))
 	}
 }
@ -98,12 +98,12 @@ func parseJWS(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "failed to read request body"))
+			render.Error(w, acme.WrapErrorISE(err, "failed to read request body"))
 			return
 		}
 		jws, err := jose.ParseJWS(string(body))
 		if err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "failed to parse JWS from request body"))
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "failed to parse JWS from request body"))
 			return
 		}
 		ctx := context.WithValue(r.Context(), jwsContextKey, jws)
@ -133,26 +133,26 @@ func validateJWS(next nextHTTP) nextHTTP {

 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if len(jws.Signatures) == 0 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "request body does not contain a signature"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "request body does not contain a signature"))
 			return
 		}
 		if len(jws.Signatures) > 1 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "request body contains more than one signature"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "request body contains more than one signature"))
 			return
 		}

 		sig := jws.Signatures[0]
 		uh := sig.Unprotected
-		if uh.KeyID != "" ||
+		if len(uh.KeyID) > 0 ||
 			uh.JSONWebKey != nil ||
-			uh.Algorithm != "" ||
-			uh.Nonce != "" ||
+			len(uh.Algorithm) > 0 ||
+			len(uh.Nonce) > 0 ||
 			len(uh.ExtraHeaders) > 0 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "unprotected header must not be used"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "unprotected header must not be used"))
 			return
 		}
 		hdr := sig.Protected
@ -162,13 +162,13 @@ func validateJWS(next nextHTTP) nextHTTP {
 				switch k := hdr.JSONWebKey.Key.(type) {
 				case *rsa.PublicKey:
 					if k.Size() < keyutil.MinRSAKeyBytes {
-						render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+						render.Error(w, acme.NewError(acme.ErrorMalformedType,
 							"rsa keys must be at least %d bits (%d bytes) in size",
 							8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes))
 						return
 					}
 				default:
-					render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+					render.Error(w, acme.NewError(acme.ErrorMalformedType,
 						"jws key type and algorithm do not match"))
 					return
 				}
@ -176,35 +176,35 @@ func validateJWS(next nextHTTP) nextHTTP {
 		case jose.ES256, jose.ES384, jose.ES512, jose.EdDSA:
 			// we good
 		default:
-			render.Error(w, r, acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm))
+			render.Error(w, acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm))
 			return
 		}

 		// Check the validity/freshness of the Nonce.
 		if err := db.DeleteNonce(ctx, acme.Nonce(hdr.Nonce)); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		// Check that the JWS url matches the requested url.
 		jwsURL, ok := hdr.ExtraHeaders["url"].(string)
 		if !ok {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jws missing url protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jws missing url protected header"))
 			return
 		}
 		reqURL := &url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path}
 		if jwsURL != reqURL.String() {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+			render.Error(w, acme.NewError(acme.ErrorMalformedType,
 				"url header in JWS (%s) does not match request url (%s)", jwsURL, reqURL))
 			return
 		}

-		if hdr.JSONWebKey != nil && hdr.KeyID != "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jwk and kid are mutually exclusive"))
+		if hdr.JSONWebKey != nil && len(hdr.KeyID) > 0 {
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jwk and kid are mutually exclusive"))
 			return
 		}
 		if hdr.JSONWebKey == nil && hdr.KeyID == "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "either jwk or kid must be defined in jws protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "either jwk or kid must be defined in jws protected header"))
 			return
 		}
 		next(w, r)
@ -221,23 +221,23 @@ func extractJWK(next nextHTTP) nextHTTP {

 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		jwk := jws.Signatures[0].Protected.JSONWebKey
 		if jwk == nil {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jwk expected in protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jwk expected in protected header"))
 			return
 		}
 		if !jwk.Valid() {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "invalid jwk in protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "invalid jwk in protected header"))
 			return
 		}

 		// Overwrite KeyID with the JWK thumbprint.
 		jwk.KeyID, err = acme.KeyToID(jwk)
 		if err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error getting KeyID from JWK"))
+			render.Error(w, acme.WrapErrorISE(err, "error getting KeyID from JWK"))
 			return
 		}

@ -247,15 +247,15 @@ func extractJWK(next nextHTTP) nextHTTP {
 		// Get Account OR continue to generate a new one OR continue Revoke with certificate private key
 		acc, err := db.GetAccountByKeyID(ctx, jwk.KeyID)
 		switch {
-		case acme.IsErrNotFound(err):
+		case errors.Is(err, acme.ErrNotFound):
 			// For NewAccount and Revoke requests ...
 			break
 		case err != nil:
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		default:
 			if !acc.IsValid() {
-				render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
+				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}
 			ctx = context.WithValue(ctx, accContextKey, acc)
@ -274,11 +274,11 @@ func checkPrerequisites(next nextHTTP) nextHTTP {
 		if ok {
 			ok, err := checkFunc(ctx)
 			if err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error checking acme provisioner prerequisites"))
+				render.Error(w, acme.WrapErrorISE(err, "error checking acme provisioner prerequisites"))
 				return
 			}
 			if !ok {
-				render.Error(w, r, acme.NewError(acme.ErrorNotImplementedType, "acme provisioner configuration lacks prerequisites"))
+				render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "acme provisioner configuration lacks prerequisites"))
 				return
 			}
 		}
@ -293,74 +293,37 @@ func lookupJWK(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		db := acme.MustDatabaseFromContext(ctx)
+		linker := acme.MustLinkerFromContext(ctx)

 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

+		kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
 		kid := jws.Signatures[0].Protected.KeyID
-		if kid == "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"))
+		if !strings.HasPrefix(kid, kidPrefix) {
+			render.Error(w, acme.NewError(acme.ErrorMalformedType,
+				"kid does not have required prefix; expected %s, but got %s",
+				kidPrefix, kid))
 			return
 		}

-		accID := path.Base(kid)
+		accID := strings.TrimPrefix(kid, kidPrefix)
 		acc, err := db.GetAccount(ctx, accID)
 		switch {
-		case acme.IsErrNotFound(err):
-			render.Error(w, r, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
+		case nosql.IsErrNotFound(err):
+			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
 			return
 		case err != nil:
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		default:
 			if !acc.IsValid() {
-				render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
+				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}
-
-			if storedLocation := acc.GetLocation(); storedLocation != "" {
-				if kid != storedLocation {
-					// ACME accounts should have a stored location equivalent to the
-					// kid in the ACME request.
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
-						"kid does not match stored account location; expected %s, but got %s",
-						storedLocation, kid))
-					return
-				}
-
-				// Verify that the provisioner with which the account was created
-				// matches the provisioner in the request URL.
-				reqProv := acme.MustProvisionerFromContext(ctx)
-				switch {
-				case acc.ProvisionerID == "" && acc.ProvisionerName != reqProv.GetName():
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
-						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						acc.ProvisionerName, reqProv.GetName()))
-					return
-				case acc.ProvisionerID != "" && acc.ProvisionerID != reqProv.GetID():
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
-						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						acc.ProvisionerID, reqProv.GetID()))
-					return
-				}
-			} else {
-				// This code will only execute for old ACME accounts that do
-				// not have a cached location. The following validation was
-				// the original implementation of the `kid` check which has
-				// since been deprecated. However, the code will remain to
-				// ensure consistent behavior for old ACME accounts.
-				linker := acme.MustLinkerFromContext(ctx)
-				kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
-				if !strings.HasPrefix(kid, kidPrefix) {
-					render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
-						"kid does not have required prefix; expected %s, but got %s",
-						kidPrefix, kid))
-					return
-				}
-			}
 			ctx = context.WithValue(ctx, accContextKey, acc)
 			ctx = context.WithValue(ctx, jwkContextKey, acc.Key)
 			next(w, r.WithContext(ctx))
@ -376,7 +339,7 @@ func extractOrLookupJWK(next nextHTTP) nextHTTP {
 		ctx := r.Context()
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

@ -412,32 +375,23 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
 		ctx := r.Context()
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if jwk.Algorithm != "" && jwk.Algorithm != jws.Signatures[0].Protected.Algorithm {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "verifier and signature algorithm do not match"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "verifier and signature algorithm do not match"))
 			return
 		}
-
 		payload, err := jws.Verify(jwk)
-		switch {
-		case errors.Is(err, jose.ErrCryptoFailure):
-			payload, err = retryVerificationWithPatchedSignatures(jws, jwk)
-			if err != nil {
-				render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws with patched signature(s)"))
-				return
-			}
-		case err != nil:
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws"))
+		if err != nil {
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws"))
 			return
 		}
-
 		ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{
 			value:       payload,
 			isPostAsGet: len(payload) == 0,
@ -447,115 +401,16 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
 	}
 }

-// retryVerificationWithPatchedSignatures retries verification of the JWS using
-// the JWK by patching the JWS signatures if they're determined to be too short.
-//
-// Generally this shouldn't happen, but we've observed this to be the case with
-// the macOS ACME client, which seems to omit (at least one) leading null
-// byte(s). The error returned is `go-jose/go-jose: error in cryptographic
-// primitive`, which is a sentinel error that hides the details of the actual
-// underlying error, which is as follows: `go-jose/go-jose: invalid signature
-// size, have 63 bytes, wanted 64`, for ES256.
-func retryVerificationWithPatchedSignatures(jws *jose.JSONWebSignature, jwk *jose.JSONWebKey) (data []byte, err error) {
-	originalSignatureValues := make([][]byte, len(jws.Signatures))
-	patched := false
-	defer func() {
-		if patched && err != nil {
-			for i, sig := range jws.Signatures {
-				sig.Signature = originalSignatureValues[i]
-				jws.Signatures[i] = sig
-			}
-		}
-	}()
-	for i, sig := range jws.Signatures {
-		var expectedSize int
-		alg := strings.ToUpper(sig.Header.Algorithm)
-		switch alg {
-		case jose.ES256:
-			expectedSize = 64
-		case jose.ES384:
-			expectedSize = 96
-		case jose.ES512:
-			expectedSize = 132
-		default:
-			// other cases are (currently) ignored
-			continue
-		}
-
-		switch diff := expectedSize - len(sig.Signature); diff {
-		case 0:
-			// expected length; nothing to do; will result in just doing the
-			// same verification (as done before calling this function) again,
-			// and thus an error will be returned.
-			continue
-		case 1:
-			patched = true
-			original := make([]byte, expectedSize-diff)
-			copy(original, sig.Signature)
-			originalSignatureValues[i] = original
-
-			patchedR := make([]byte, expectedSize)
-			copy(patchedR[1:], original) // [0x00, R.0:31, S.0:32], for expectedSize 64
-			sig.Signature = patchedR
-			jws.Signatures[i] = sig
-
-			// verify it with a patched R; return early if successful; continue
-			// with patching S if not.
-			data, err = jws.Verify(jwk)
-			if err == nil {
-				return
-			}
-
-			patchedS := make([]byte, expectedSize)
-			halfSize := expectedSize / 2
-			copy(patchedS, original[:halfSize])              // [R.0:32], for expectedSize 64
-			copy(patchedS[halfSize+1:], original[halfSize:]) // [R.0:32, 0x00, S.0:31]
-			sig.Signature = patchedS
-			jws.Signatures[i] = sig
-		case 2:
-			// assumption is currently the Apple case, in which only the
-			// first null byte of R and/or S are removed, and thus not a case in
-			// which two first bytes of either R or S are removed.
-			patched = true
-			original := make([]byte, expectedSize-diff)
-			copy(original, sig.Signature)
-			originalSignatureValues[i] = original
-
-			patchedRS := make([]byte, expectedSize)
-			halfSize := expectedSize / 2
-			copy(patchedRS[1:], original[:halfSize-1])          // [0x00, R.0:31], for expectedSize 64
-			copy(patchedRS[halfSize+1:], original[halfSize-1:]) // [0x00, R.0:31, 0x00, S.0:31]
-			sig.Signature = patchedRS
-			jws.Signatures[i] = sig
-		default:
-			// Technically, there can be multiple null bytes in either R or S,
-			// so when the difference is larger than 2, there is more than one
-			// option to pick. Apple's ACME client seems to only cut off the
-			// first null byte of either R or S, so we don't do anything in this
-			// case. Will result in just doing the same verification (as done
-			// before calling this function) again, and thus an error will be
-			// returned.
-			// TODO(hs): log this specific case? It might mean some other ACME
-			// client is doing weird things.
-			continue
-		}
-	}
-
-	data, err = jws.Verify(jwk)
-
-	return
-}
-
 // isPostAsGet asserts that the request is a PostAsGet (empty JWS payload).
 func isPostAsGet(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		payload, err := payloadFromContext(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if !payload.isPostAsGet {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "expected POST-as-GET"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "expected POST-as-GET"))
 			return
 		}
 		next(w, r)
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -6,7 +6,6 @@ import (
 	"crypto"
 	"encoding/base64"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@ -15,18 +14,17 @@ import (
 	"strings"
 	"testing"

-	"github.com/google/uuid"
+	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
-	tassert "github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
+	"github.com/smallstep/nosql/database"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 )

 var testBody = []byte("foo")

-func testNext(w http.ResponseWriter, _ *http.Request) {
+func testNext(w http.ResponseWriter, r *http.Request) {
 	w.Write(testBody)
 }

@ -78,7 +76,7 @@ func TestHandler_addNonce(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(context.Background(), tc.db)
-			req := httptest.NewRequest("GET", u, http.NoBody).WithContext(ctx)
+			req := httptest.NewRequest("GET", u, nil).WithContext(ctx)
 			w := httptest.NewRecorder()
 			addNonce(testNext)(w, req)
 			res := w.Result()
@ -95,6 +93,7 @@ func TestHandler_addNonce(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -130,7 +129,7 @@ func TestHandler_addDirLink(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			addDirLink(testNext)(w, req)
@ -148,6 +147,7 @@ func TestHandler_addDirLink(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -233,7 +233,7 @@ func TestHandler_verifyContentType(t *testing.T) {
 			if tc.url != "" {
 				_u = tc.url
 			}
-			req := httptest.NewRequest("GET", _u, http.NoBody)
+			req := httptest.NewRequest("GET", _u, nil)
 			req = req.WithContext(tc.ctx)
 			req.Header.Add("Content-Type", tc.contentType)
 			w := httptest.NewRecorder()
@ -252,6 +252,7 @@ func TestHandler_verifyContentType(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -301,7 +302,7 @@ func TestHandler_isPostAsGet(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			// h := &Handler{}
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			isPostAsGet(testNext)(w, req)
@ -319,6 +320,7 @@ func TestHandler_isPostAsGet(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -330,7 +332,7 @@ func TestHandler_isPostAsGet(t *testing.T) {

 type errReader int

-func (errReader) Read([]byte) (int, error) {
+func (errReader) Read(p []byte) (n int, err error) {
 	return 0, errors.New("force")
 }
 func (errReader) Close() error {
@ -357,7 +359,7 @@ func TestHandler_parseJWS(t *testing.T) {
 			return test{
 				body:       strings.NewReader("foo"),
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: go-jose/go-jose: compact JWS format must have three parts"),
+				err:        acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: square/go-jose: compact JWS format must have three parts"),
 			}
 		},
 		"ok": func(t *testing.T) test {
@ -408,6 +410,7 @@ func TestHandler_parseJWS(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -472,7 +475,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
 				err:        acme.NewErrorISE("jwk expected in request context"),
 			}
 		},
-		"fail/verify-jws-failure-wrong-jwk": func(t *testing.T) test {
+		"fail/verify-jws-failure": func(t *testing.T) test {
 			_jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			_pub := _jwk.Public()
@ -481,34 +484,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
-			}
-		},
-		"fail/verify-jws-failure-too-many-signatures": func(t *testing.T) test {
-			newParsedJWS, err := jose.ParseJWS(raw)
-			assert.FatalError(t, err)
-			newParsedJWS.Signatures = append(newParsedJWS.Signatures, newParsedJWS.Signatures...)
-			ctx := context.WithValue(context.Background(), jwsContextKey, newParsedJWS)
-			ctx = context.WithValue(ctx, jwkContextKey, pub)
-			return test{
-				ctx:        ctx,
-				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: too many signatures in payload; expecting only one"),
-			}
-		},
-		"fail/apple-acmeclient-omitting-leading-null-byte-in-signature-with-wrong-jwk": func(t *testing.T) test {
-			_jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
-			assert.FatalError(t, err)
-			_pub := _jwk.Public()
-			appleNullByteCaseBody := `{"payload":"dGVzdC0xMTA1","protected":"eyJhbGciOiJFUzI1NiJ9","signature":"rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq"}`
-			appleNullByteCaseJWS, err := jose.ParseJWS(appleNullByteCaseBody)
-			require.NoError(t, err)
-			ctx := context.WithValue(context.Background(), jwsContextKey, appleNullByteCaseJWS)
-			ctx = context.WithValue(ctx, jwkContextKey, &_pub)
-			return test{
-				ctx:        ctx,
-				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
+				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: error in cryptographic primitive"),
 			}
 		},
 		"fail/algorithm-mismatch": func(t *testing.T) test {
@ -607,44 +583,12 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
 				},
 			}
 		},
-		"ok/apple-acmeclient-omitting-leading-null-byte-in-signature": func(t *testing.T) test {
-			appleNullByteCaseKey := []byte(`{
-				"kid": "uioinbiTlJICL0MYsb6ar1totfRA2tiPqWgntF8xUdo",
-				"crv": "P-256",
-				"alg": "ES256",
-				"kty": "EC",
-				"x": "wlz-Kv9X0h32fzLq-cogls9HxoZQqV-GuWxdb2MCeUY",
-				"y": "xzP6zRrg_jynYljZTxfJuql_QWtdQR6lpJ52q_6Vavg"
-			}`)
-			appleNullByteCaseJWK := &jose.JSONWebKey{}
-			err = json.Unmarshal(appleNullByteCaseKey, appleNullByteCaseJWK)
-			require.NoError(t, err)
-			appleNullByteCaseBody := `{"payload":"dGVzdC0xMTA1","protected":"eyJhbGciOiJFUzI1NiJ9","signature":"rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq"}`
-			appleNullByteCaseJWS, err := jose.ParseJWS(appleNullByteCaseBody)
-			require.NoError(t, err)
-			ctx := context.WithValue(context.Background(), jwsContextKey, appleNullByteCaseJWS)
-			ctx = context.WithValue(ctx, jwkContextKey, appleNullByteCaseJWK)
-			return test{
-				ctx:        ctx,
-				statusCode: 200,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					p, err := payloadFromContext(r.Context())
-					tassert.NoError(t, err)
-					if tassert.NotNil(t, p) {
-						tassert.Equal(t, []byte(`test-1105`), p.value)
-						tassert.False(t, p.isPostAsGet)
-						tassert.False(t, p.isEmptyJSON)
-					}
-					w.Write(testBody)
-				},
-			}
-		},
 	}
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			// h := &Handler{}
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			verifyAndExtractJWSPayload(tc.next)(w, req)
@ -662,6 +606,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -739,7 +684,31 @@ func TestHandler_lookupJWK(t *testing.T) {
 				linker:     acme.NewLinker("test.ca.smallstep.com", "acme"),
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"),
+				err:        acme.NewError(acme.ErrorMalformedType, "kid does not have required prefix; expected %s, but got ", prefix),
+			}
+		},
+		"fail/bad-kid-prefix": func(t *testing.T) test {
+			_so := new(jose.SignerOptions)
+			_so.WithHeader("kid", "foo")
+			_signer, err := jose.NewSigner(jose.SigningKey{
+				Algorithm: jose.SignatureAlgorithm(jwk.Algorithm),
+				Key:       jwk.Key,
+			}, _so)
+			assert.FatalError(t, err)
+			_jws, err := _signer.Sign([]byte("baz"))
+			assert.FatalError(t, err)
+			_raw, err := _jws.CompactSerialize()
+			assert.FatalError(t, err)
+			_parsed, err := jose.ParseJWS(_raw)
+			assert.FatalError(t, err)
+			ctx := acme.NewProvisionerContext(context.Background(), prov)
+			ctx = context.WithValue(ctx, jwsContextKey, _parsed)
+			return test{
+				db:         &acme.MockDB{},
+				linker:     acme.NewLinker("test.ca.smallstep.com", "acme"),
+				ctx:        ctx,
+				statusCode: 400,
+				err:        acme.NewError(acme.ErrorMalformedType, "kid does not have required prefix; expected %s, but got foo", prefix),
 			}
 		},
 		"fail/account-not-found": func(t *testing.T) test {
@ -750,7 +719,7 @@ func TestHandler_lookupJWK(t *testing.T) {
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, accID string) (*acme.Account, error) {
 						assert.Equals(t, accID, accID)
-						return nil, acme.ErrNotFound
+						return nil, database.ErrNotFound
 					},
 				},
 				ctx:        ctx,
@ -791,106 +760,7 @@ func TestHandler_lookupJWK(t *testing.T) {
 				err:        acme.NewError(acme.ErrorUnauthorizedType, "account is not active"),
 			}
 		},
-		"fail/account-with-location-prefix/bad-kid": func(t *testing.T) test {
-			acc := &acme.Account{LocationPrefix: "foobar", Status: "valid"}
-			ctx := acme.NewProvisionerContext(context.Background(), prov)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx:        ctx,
-				statusCode: http.StatusUnauthorized,
-				err:        acme.NewError(acme.ErrorUnauthorizedType, "kid does not match stored account location; expected foobar, but %q", prefix+accID),
-			}
-		},
-		"fail/account-with-location-prefix/bad-provisioner": func(t *testing.T) test {
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerName: "other"}
-			ctx := acme.NewProvisionerContext(context.Background(), prov)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: http.StatusUnauthorized,
-				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-					"other", prov.GetName()),
-			}
-		},
-		"fail/account-with-location-prefix/bad-provisioner-id": func(t *testing.T) test {
-			p := newProvWithID()
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: uuid.NewString()}
-			ctx := acme.NewProvisionerContext(context.Background(), p)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: http.StatusUnauthorized,
-				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-					acc.ProvisionerID, p.GetID()),
-			}
-		},
-		"ok/account-with-location-prefix": func(t *testing.T) test {
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerName: prov.GetName()}
-			ctx := acme.NewProvisionerContext(context.Background(), prov)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: http.StatusOK,
-			}
-		},
-		"ok/account-without-location-prefix": func(t *testing.T) test {
+		"ok": func(t *testing.T) test {
 			acc := &acme.Account{Status: "valid", Key: jwk}
 			ctx := acme.NewProvisionerContext(context.Background(), prov)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
@ -915,38 +785,12 @@ func TestHandler_lookupJWK(t *testing.T) {
 				statusCode: 200,
 			}
 		},
-		"ok/account-with-provisioner-id": func(t *testing.T) test {
-			p := newProvWithID()
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: p.GetID()}
-			ctx := acme.NewProvisionerContext(context.Background(), p)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: 200,
-			}
-		},
 	}
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(tc.ctx, tc.db, tc.linker)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			lookupJWK(tc.next)(w, req)
@ -964,6 +808,7 @@ func TestHandler_lookupJWK(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1145,7 +990,7 @@ func TestHandler_extractJWK(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(tc.ctx, tc.db)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			extractJWK(tc.next)(w, req)
@ -1163,6 +1008,7 @@ func TestHandler_extractJWK(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1520,7 +1366,7 @@ func TestHandler_validateJWS(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(tc.ctx, tc.db)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			validateJWS(tc.next)(w, req)
@ -1538,6 +1384,7 @@ func TestHandler_validateJWS(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1702,7 +1549,7 @@ func TestHandler_extractOrLookupJWK(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(tc.ctx, tc.db, tc.linker)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			extractOrLookupJWK(tc.next)(w, req)
@ -1720,6 +1567,7 @@ func TestHandler_extractOrLookupJWK(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1787,7 +1635,7 @@ func TestHandler_checkPrerequisites(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewPrerequisitesCheckerContext(tc.ctx, tc.prerequisitesChecker)
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			checkPrerequisites(tc.next)(w, req)
@ -1804,6 +1652,7 @@ func TestHandler_checkPrerequisites(t *testing.T) {
 				assert.FatalError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1812,86 +1661,3 @@ func TestHandler_checkPrerequisites(t *testing.T) {
 		})
 	}
 }
-
-func Test_retryVerificationWithPatchedSignatures(t *testing.T) {
-	patchedRKey := []byte(`{
-		"kid": "uioinbiTlJICL0MYsb6ar1totfRA2tiPqWgntF8xUdo",
-		"crv": "P-256",
-		"alg": "ES256",
-		"kty": "EC",
-		"x": "wlz-Kv9X0h32fzLq-cogls9HxoZQqV-GuWxdb2MCeUY",
-		"y": "xzP6zRrg_jynYljZTxfJuql_QWtdQR6lpJ52q_6Vavg"
-	}`)
-	patchedRJWK := &jose.JSONWebKey{}
-	err := json.Unmarshal(patchedRKey, patchedRJWK)
-	require.NoError(t, err)
-	patchedRBody := `{"payload":"dGVzdC0xMTA1","protected":"eyJhbGciOiJFUzI1NiJ9","signature":"rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq"}`
-	patchedR, err := jose.ParseJWS(patchedRBody)
-	require.NoError(t, err)
-
-	patchedSKey := []byte(`{
-		"kid": "PblXsnK59uTiF5k3mmAN2B6HDPPxqBL_4UGhEG8ZO6g",
-		"crv": "P-256",
-		"alg": "ES256",
-		"kty": "EC",
-		"x": "T5aM_TOSattXNeUkH1VHZXh8URzdjZTI2zLvVgI0cy0",
-		"y": "Lf8h8qZnURXIxm6OnQ69kxGC91YtTZRD2GAroEf1UA8"
-	}`)
-	patchedSJWK := &jose.JSONWebKey{}
-	err = json.Unmarshal(patchedSKey, patchedSJWK)
-	require.NoError(t, err)
-	patchedSBody := `{"payload":"dGVzdC02Ng","protected":"eyJhbGciOiJFUzI1NiJ9","signature":"krtSKSgVB04oqx6i9QLeal_wZSnjV1_PSIM3AubT0WRIxnhl_yYbVpa3i53p3dUW56TtP6_SUZboH6SvLHMz"}`
-	patchedS, err := jose.ParseJWS(patchedSBody)
-	require.NoError(t, err)
-
-	patchedRSKey := []byte(`{
-		"kid": "U8BmBVbZsNUawvhOomJQPa6uYj1rdxCPQWF_nOLVsc4",
-		"crv": "P-256",
-		"alg": "ES256",
-		"kty": "EC",
-		"x": "Ym0l3GMS6aHBLo-xe73Kub4kafnOBu_QAfOsx5y-bV0",
-		"y": "wKijX9Cu67HbK94StPcI18WulgRfIMbP2ZU7gQuf3-M"
-	}`)
-	patchedRSJWK := &jose.JSONWebKey{}
-	err = json.Unmarshal(patchedRSKey, patchedRSJWK)
-	require.NoError(t, err)
-	patchedRSBody := `{"payload":"dGVzdC05MDY3","protected":"eyJhbGciOiJFUzI1NiJ9","signature":"2r_My19oRg7mWf9I5JTkNYp8otfEMz-yXRA8ltZTAKZxyJLurpVEgicmNItu7lfcCrGrTgI3Obye_gSaIyc"}`
-	patchedRS, err := jose.ParseJWS(patchedRSBody)
-	require.NoError(t, err)
-
-	patchedRWithWrongJWK, err := jose.ParseJWS(patchedRBody)
-	require.NoError(t, err)
-
-	tests := []struct {
-		name              string
-		jws               *jose.JSONWebSignature
-		jwk               *jose.JSONWebKey
-		expectedData      []byte
-		expectedSignature string
-		expectedError     error
-	}{
-		{"ok/patched-r", patchedR, patchedRJWK, []byte(`test-1105`), `AK0D2CmH5Xyp5YASqg3lrCR9kyeohwJ6Lu7Bc15ZmA-AK16i32LqqLVhESq52tsH84dKbu1EljtoM5TqkSvaqg`, nil},
-		{"ok/patched-s", patchedS, patchedSJWK, []byte(`test-66`), `krtSKSgVB04oqx6i9QLeal_wZSnjV1_PSIM3AubT0WQASMZ4Zf8mG1aWt4ud6d3VFuek7T-v0lGW6B-kryxzMw`, nil},
-		{"ok/patched-rs", patchedRS, patchedRSJWK, []byte(`test-9067`), `ANq_zMtfaEYO5ln_SOSU5DWKfKLXxDM_sl0QPJbWUwAApnHIku6ulUSCJyY0i27uV9wKsatOAjc5vJ7-BJojJw`, nil},
-		{"fail/patched-r-wrong-jwk", patchedRWithWrongJWK, patchedRSJWK, nil, `rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq`, errors.New("go-jose/go-jose: error in cryptographic primitive")},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			expectedSignature, decodeErr := base64.RawURLEncoding.DecodeString(tt.expectedSignature)
-			require.NoError(t, decodeErr)
-
-			data, err := retryVerificationWithPatchedSignatures(tt.jws, tt.jwk)
-			if tt.expectedError != nil {
-				tassert.EqualError(t, err, tt.expectedError.Error())
-				tassert.Equal(t, expectedSignature, tt.jws.Signatures[0].Signature)
-				tassert.Empty(t, data)
-				return
-			}
-
-			tassert.NoError(t, err)
-			tassert.Len(t, tt.jws.Signatures[0].Signature, 64)
-			tassert.Equal(t, expectedSignature, tt.jws.Signatures[0].Signature)
-			tassert.Equal(t, tt.expectedData, data)
-		})
-	}
-}
--- a/acme/api/order.go
+++ b/acme/api/order.go
@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"

 	"go.step.sm/crypto/randutil"
 	"go.step.sm/crypto/x509util"
@ -99,29 +99,29 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	var nor NewOrderRequest
 	if err := json.Unmarshal(payload.value, &nor); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal new-order request payload"))
 		return
 	}

 	if err := nor.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -130,39 +130,39 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {

 	acmeProv, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	var eak *acme.ExternalAccountKey
 	if acmeProv.RequireEAB {
 		if eak, err = db.GetExternalAccountKeyByAccountID(ctx, prov.GetID(), acc.ID); err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error retrieving external account binding key"))
+			render.Error(w, acme.WrapErrorISE(err, "error retrieving external account binding key"))
 			return
 		}
 	}

 	acmePolicy, err := newACMEPolicyEngine(eak)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error creating ACME policy engine"))
+		render.Error(w, acme.WrapErrorISE(err, "error creating ACME policy engine"))
 		return
 	}

 	for _, identifier := range nor.Identifiers {
 		// evaluate the ACME account level policy
 		if err = isIdentifierAllowed(acmePolicy, identifier); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 		// evaluate the provisioner level policy
 		orderIdentifier := provisioner.ACMEIdentifier{Type: provisioner.ACMEIdentifierType(identifier.Type), Value: identifier.Value}
 		if err = prov.AuthorizeOrderIdentifier(ctx, orderIdentifier); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 		// evaluate the authority level policy
 		if err = ca.AreSANsAllowed(ctx, []string{identifier.Value}); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 	}
@ -188,7 +188,7 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 			Status:     acme.StatusPending,
 		}
 		if err := newAuthorization(ctx, az); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		o.AuthorizationIDs[i] = az.ID
@ -207,14 +207,14 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := db.CreateOrder(ctx, o); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error creating order"))
+		render.Error(w, acme.WrapErrorISE(err, "error creating order"))
 		return
 	}

 	linker.LinkOrder(ctx, o)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSONStatus(w, r, o, http.StatusCreated)
+	render.JSONStatus(w, o, http.StatusCreated)
 }

 func isIdentifierAllowed(acmePolicy policy.X509Policy, identifier acme.Identifier) error {
@ -226,7 +226,6 @@ func isIdentifierAllowed(acmePolicy policy.X509Policy, identifier acme.Identifie

 func newACMEPolicyEngine(eak *acme.ExternalAccountKey) (policy.X509Policy, error) {
 	if eak == nil {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}
 	return policy.NewX509PolicyEngine(eak.Policy)
@ -289,39 +288,39 @@ func GetOrder(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	o, err := db.GetOrder(ctx, chi.URLParam(r, "ordID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving order"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving order"))
 		return
 	}
 	if acc.ID != o.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own order '%s'", acc.ID, o.ID))
 		return
 	}
 	if prov.GetID() != o.ProvisionerID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"provisioner '%s' does not own order '%s'", prov.GetID(), o.ID))
 		return
 	}
 	if err = o.UpdateStatus(ctx, db); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error updating order status"))
+		render.Error(w, acme.WrapErrorISE(err, "error updating order status"))
 		return
 	}

 	linker.LinkOrder(ctx, o)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSON(w, r, o)
+	render.JSON(w, o)
 }

 // FinalizeOrder attempts to finalize an order and create a certificate.
@ -332,56 +331,56 @@ func FinalizeOrder(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var fr FinalizeRequest
 	if err := json.Unmarshal(payload.value, &fr); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal finalize-order request payload"))
 		return
 	}
 	if err := fr.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	o, err := db.GetOrder(ctx, chi.URLParam(r, "ordID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving order"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving order"))
 		return
 	}
 	if acc.ID != o.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own order '%s'", acc.ID, o.ID))
 		return
 	}
 	if prov.GetID() != o.ProvisionerID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"provisioner '%s' does not own order '%s'", prov.GetID(), o.ID))
 		return
 	}

 	ca := mustAuthority(ctx)
 	if err = o.Finalize(ctx, db, fr.csr, ca, prov); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error finalizing order"))
+		render.Error(w, acme.WrapErrorISE(err, "error finalizing order"))
 		return
 	}

 	linker.LinkOrder(ctx, o)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSON(w, r, o)
+	render.JSON(w, o)
 }

 // challengeTypes determines the types of challenges that should be used
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@ -8,14 +8,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"reflect"
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/pkg/errors"

 	"go.step.sm/crypto/pemutil"
@ -469,7 +468,7 @@ func TestHandler_GetOrder(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(tc.ctx, tc.db, acme.NewLinker("test.ca.smallstep.com", "acme"))
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			GetOrder(w, req)
@ -487,6 +486,7 @@ func TestHandler_GetOrder(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1828,7 +1828,7 @@ func TestHandler_NewOrder(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			mockMustAuthority(t, tc.ca)
 			ctx := newBaseContext(tc.ctx, tc.db, acme.NewLinker("test.ca.smallstep.com", "acme"))
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			NewOrder(w, req)
@ -1846,6 +1846,7 @@ func TestHandler_NewOrder(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -2125,7 +2126,7 @@ func TestHandler_FinalizeOrder(t *testing.T) {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(tc.ctx, tc.db, acme.NewLinker("test.ca.smallstep.com", "acme"))
-			req := httptest.NewRequest("GET", u, http.NoBody)
+			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			FinalizeOrder(w, req)
@ -2143,6 +2144,7 @@ func TestHandler_FinalizeOrder(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
--- a/acme/api/revoke.go
+++ b/acme/api/revoke.go
@ -33,65 +33,65 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {

 	jws, err := jwsFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	var p revokePayload
 	err = json.Unmarshal(payload.value, &p)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error unmarshaling payload"))
+		render.Error(w, acme.WrapErrorISE(err, "error unmarshaling payload"))
 		return
 	}

 	certBytes, err := base64.RawURLEncoding.DecodeString(p.Certificate)
 	if err != nil {
 		// in this case the most likely cause is a client that didn't properly encode the certificate
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding payload certificate property"))
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding payload certificate property"))
 		return
 	}

 	certToBeRevoked, err := x509.ParseCertificate(certBytes)
 	if err != nil {
 		// in this case a client may have encoded something different than a certificate
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error parsing certificate"))
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error parsing certificate"))
 		return
 	}

 	serial := certToBeRevoked.SerialNumber.String()
 	dbCert, err := db.GetCertificateBySerial(ctx, serial)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving certificate by serial"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate by serial"))
 		return
 	}

 	if !bytes.Equal(dbCert.Leaf.Raw, certToBeRevoked.Raw) {
 		// this should never happen
-		render.Error(w, r, acme.NewErrorISE("certificate raw bytes are not equal"))
+		render.Error(w, acme.NewErrorISE("certificate raw bytes are not equal"))
 		return
 	}

 	if shouldCheckAccountFrom(jws) {
 		account, err := accountFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		acmeErr := isAccountAuthorized(ctx, dbCert, certToBeRevoked, account)
 		if acmeErr != nil {
-			render.Error(w, r, acmeErr)
+			render.Error(w, acmeErr)
 			return
 		}
 	} else {
@ -100,7 +100,7 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 		_, err := jws.Verify(certToBeRevoked.PublicKey)
 		if err != nil {
 			// TODO(hs): possible to determine an error vs. unauthorized and thus provide an ISE vs. Unauthorized?
-			render.Error(w, r, wrapUnauthorizedError(certToBeRevoked, nil, "verification of jws using certificate public key failed", err))
+			render.Error(w, wrapUnauthorizedError(certToBeRevoked, nil, "verification of jws using certificate public key failed", err))
 			return
 		}
 	}
@ -108,19 +108,19 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 	ca := mustAuthority(ctx)
 	hasBeenRevokedBefore, err := ca.IsRevoked(serial)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving revocation status of certificate"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving revocation status of certificate"))
 		return
 	}

 	if hasBeenRevokedBefore {
-		render.Error(w, r, acme.NewError(acme.ErrorAlreadyRevokedType, "certificate was already revoked"))
+		render.Error(w, acme.NewError(acme.ErrorAlreadyRevokedType, "certificate was already revoked"))
 		return
 	}

 	reasonCode := p.ReasonCode
 	acmeErr := validateReasonCode(reasonCode)
 	if acmeErr != nil {
-		render.Error(w, r, acmeErr)
+		render.Error(w, acmeErr)
 		return
 	}

@ -128,14 +128,14 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 	ctx = provisioner.NewContextWithMethod(ctx, provisioner.RevokeMethod)
 	err = prov.AuthorizeRevoke(ctx, "")
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error authorizing revocation on provisioner"))
+		render.Error(w, acme.WrapErrorISE(err, "error authorizing revocation on provisioner"))
 		return
 	}

 	options := revokeOptions(serial, certToBeRevoked, reasonCode)
 	err = ca.Revoke(ctx, options)
 	if err != nil {
-		render.Error(w, r, wrapRevokeErr(err))
+		render.Error(w, wrapRevokeErr(err))
 		return
 	}

@ -151,7 +151,7 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 // the identifiers in the certificate are extracted and compared against the (valid) Authorizations
 // that are stored for the ACME Account. If these sets match, the Account is considered authorized
 // to revoke the certificate. If this check fails, the client will receive an unauthorized error.
-func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error {
+func isAccountAuthorized(ctx context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error {
 	if !account.IsValid() {
 		return wrapUnauthorizedError(certToBeRevoked, nil, fmt.Sprintf("account '%s' has status '%s'", account.ID, account.Status), nil)
 	}
--- a/acme/api/revoke_test.go
+++ b/acme/api/revoke_test.go
@ -21,7 +21,7 @@ import (
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/google/go-cmp/cmp"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/ocsp"
@ -258,7 +258,7 @@ func jwkEncode(pub crypto.PublicKey) (string, error) {
 // jwsFinal constructs the final JWS object.
 // Implementation taken from github.com/mholt/acmez, which seems to be based on
 // https://github.com/golang/crypto/blob/master/acme/jws.go.
-func jwsFinal(_ crypto.Hash, sig []byte, phead, payload string) ([]byte, error) {
+func jwsFinal(sha crypto.Hash, sig []byte, phead, payload string) ([]byte, error) {
 	enc := struct {
 		Protected string `json:"protected"`
 		Payload   string `json:"payload"`
@ -281,7 +281,7 @@ type mockCA struct {
 	MockAreSANsallowed func(ctx context.Context, sans []string) error
 }

-func (m *mockCA) SignWithContext(context.Context, *x509.CertificateRequest, provisioner.SignOptions, ...provisioner.SignOption) ([]*x509.Certificate, error) {
+func (m *mockCA) Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 	return nil, nil
 }

@ -1072,7 +1072,7 @@ func TestHandler_RevokeCert(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			ctx := newBaseContext(tc.ctx, tc.db, acme.NewLinker("test.ca.smallstep.com", "acme"))
 			mockMustAuthority(t, tc.ca)
-			req := httptest.NewRequest("POST", revokeURL, http.NoBody)
+			req := httptest.NewRequest("POST", revokeURL, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			RevokeCert(w, req)
@ -1090,11 +1090,12 @@ func TestHandler_RevokeCert(t *testing.T) {

 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
+				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
 				assert.True(t, bytes.Equal(bytes.TrimSpace(body), []byte{}))
-				assert.Equals(t, int64(-1), req.ContentLength)
+				assert.Equals(t, int64(0), req.ContentLength)
 				assert.Equals(t, []string{fmt.Sprintf("<%s/acme/%s/directory>;rel=\"index\"", baseURL.String(), escProvName)}, res.Header["Link"])
 			}
 		})
@ -1229,6 +1230,7 @@ func TestHandler_isAccountAuthorized(t *testing.T) {
 			assert.Equals(t, acmeErr.Type, tc.err.Type)
 			assert.Equals(t, acmeErr.Status, tc.err.Status)
 			assert.Equals(t, acmeErr.Detail, tc.err.Detail)
+			assert.Equals(t, acmeErr.Identifier, tc.err.Identifier)
 			assert.Equals(t, acmeErr.Subproblems, tc.err.Subproblems)

 		})
@ -1279,7 +1281,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
 			}
 		},
 		"wrap-subject": func(t *testing.T) test {
-			acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: go-jose/go-jose: error in cryptographic primitive")
+			acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: square/go-jose: error in cryptographic primitive")
 			acmeErr.Status = http.StatusForbidden
 			acmeErr.Detail = "No authorization provided for name test.example.com"
 			cert := &x509.Certificate{
@ -1288,7 +1290,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
 				},
 			}
 			return test{
-				err:                     errors.New("go-jose/go-jose: error in cryptographic primitive"),
+				err:                     errors.New("square/go-jose: error in cryptographic primitive"),
 				cert:                    cert,
 				unauthorizedIdentifiers: []acme.Identifier{},
 				msg:                     "verification of jws using certificate public key failed",
@ -1321,6 +1323,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
 			assert.Equals(t, acmeErr.Type, tc.want.Type)
 			assert.Equals(t, acmeErr.Status, tc.want.Status)
 			assert.Equals(t, acmeErr.Detail, tc.want.Detail)
+			assert.Equals(t, acmeErr.Identifier, tc.want.Identifier)
 			assert.Equals(t, acmeErr.Subproblems, tc.want.Subproblems)
 		})
 	}
--- a/acme/authorization.go
+++ b/acme/authorization.go
@ -8,16 +8,15 @@ import (

 // Authorization representst an ACME Authorization.
 type Authorization struct {
-	ID          string       `json:"-"`
-	AccountID   string       `json:"-"`
-	Token       string       `json:"-"`
-	Fingerprint string       `json:"-"`
-	Identifier  Identifier   `json:"identifier"`
-	Status      Status       `json:"status"`
-	Challenges  []*Challenge `json:"challenges"`
-	Wildcard    bool         `json:"wildcard"`
-	ExpiresAt   time.Time    `json:"expires"`
-	Error       *Error       `json:"error,omitempty"`
+	ID         string       `json:"-"`
+	AccountID  string       `json:"-"`
+	Token      string       `json:"-"`
+	Identifier Identifier   `json:"identifier"`
+	Status     Status       `json:"status"`
+	Challenges []*Challenge `json:"challenges"`
+	Wildcard   bool         `json:"wildcard"`
+	ExpiresAt  time.Time    `json:"expires"`
+	Error      *Error       `json:"error,omitempty"`
 }

 // ToLog enables response logging.
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -26,17 +26,9 @@ import (
 	"time"

 	"github.com/fxamacker/cbor/v2"
-	"github.com/google/go-tpm/legacy/tpm2"
-	"golang.org/x/exp/slices"
-
-	"github.com/smallstep/go-attestation/attest"
-
+	"github.com/smallstep/certificates/authority/provisioner"
 	"go.step.sm/crypto/jose"
-	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
-	"go.step.sm/crypto/x509util"
-
-	"github.com/smallstep/certificates/authority/provisioner"
 )

 type ChallengeType string
@ -52,18 +44,6 @@ const (
 	DEVICEATTEST01 ChallengeType = "device-attest-01"
 )

-var (
-	// InsecurePortHTTP01 is the port used to verify http-01 challenges. If not set it
-	// defaults to 80.
-	InsecurePortHTTP01 int
-
-	// InsecurePortTLSALPN01 is the port used to verify tls-alpn-01 challenges. If not
-	// set it defaults to 443.
-	//
-	// This variable can be used for testing purposes.
-	InsecurePortTLSALPN01 int
-)
-
 // Challenge represents an ACME response Challenge type.
 type Challenge struct {
 	ID              string        `json:"-"`
@ -87,9 +67,10 @@ func (ch *Challenge) ToLog() (interface{}, error) {
 	return string(b), nil
 }

-// Validate attempts to validate the Challenge. Stores changes to the Challenge
-// type using the DB interface. If the Challenge is validated, the 'status' and
-// 'validated' attributes are updated.
+// Validate attempts to validate the challenge. Stores changes to the Challenge
+// type using the DB interface.
+// satisfactorily validated, the 'status' and 'validated' attributes are
+// updated.
 func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, payload []byte) error {
 	// If already valid or invalid then return without performing validation.
 	if ch.Status != StatusPending {
@ -112,12 +93,6 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey,
 func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey) error {
 	u := &url.URL{Scheme: "http", Host: http01ChallengeHost(ch.Value), Path: fmt.Sprintf("/.well-known/acme-challenge/%s", ch.Token)}

-	// Append insecure port if set.
-	// Only used for testing purposes.
-	if InsecurePortHTTP01 != 0 {
-		u.Host += ":" + strconv.Itoa(InsecurePortHTTP01)
-	}
-
 	vc := MustClientFromContext(ctx)
 	resp, err := vc.Get(u.String())
 	if err != nil {
@ -190,14 +165,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
 		InsecureSkipVerify: true, //nolint:gosec // we expect a self-signed challenge certificate
 	}

-	var hostPort string
-
-	// Allow to change TLS port for testing purposes.
-	if port := InsecurePortTLSALPN01; port == 0 {
-		hostPort = net.JoinHostPort(ch.Value, "443")
-	} else {
-		hostPort = net.JoinHostPort(ch.Value, strconv.Itoa(port))
-	}
+	hostPort := net.JoinHostPort(ch.Value, "443")

 	vc := MustClientFromContext(ctx)
 	conn, err := vc.TLSDial("tcp", hostPort, config)
@ -342,26 +310,20 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
 	return nil
 }

-type payloadType struct {
+type Payload struct {
 	AttObj string `json:"attObj"`
 	Error  string `json:"error"`
 }

-type attestationObject struct {
+type AttestationObject struct {
 	Format       string                 `json:"fmt"`
 	AttStatement map[string]interface{} `json:"attStmt,omitempty"`
 }

 // TODO(bweeks): move attestation verification to a shared package.
+// TODO(bweeks): define new error type for failed attestation validation.
 func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
-	// Load authorization to store the key fingerprint.
-	az, err := db.GetAuthorization(ctx, ch.AuthorizationID)
-	if err != nil {
-		return WrapErrorISE(err, "error loading authorization")
-	}
-
-	// Parse payload.
-	var p payloadType
+	var p Payload
 	if err := json.Unmarshal(payload, &p); err != nil {
 		return WrapErrorISE(err, "error unmarshalling JSON")
 	}
@ -375,23 +337,18 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		return WrapErrorISE(err, "error base64 decoding attObj")
 	}

-	att := attestationObject{}
+	att := AttestationObject{}
 	if err := cbor.Unmarshal(attObj, &att); err != nil {
 		return WrapErrorISE(err, "error unmarshalling CBOR")
 	}

-	format := att.Format
 	prov := MustProvisionerFromContext(ctx)
-	if !prov.IsAttestationFormatEnabled(ctx, provisioner.ACMEAttestationFormat(format)) {
-		if format != "apple" && format != "step" && format != "tpm" {
-			return storeError(ctx, db, ch, true, NewDetailedError(ErrorBadAttestationStatementType, "unsupported attestation object format %q", format))
-		}
-
+	if !prov.IsAttestationFormatEnabled(ctx, provisioner.ACMEAttestationFormat(att.Format)) {
 		return storeError(ctx, db, ch, true,
-			NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", format))
+			NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", att.Format))
 	}

-	switch format {
+	switch att.Format {
 	case "apple":
 		data, err := doAppleAttestationFormat(ctx, prov, ch, &att)
 		if err != nil {
@ -409,7 +366,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		if len(data.Nonce) != 0 {
 			sum := sha256.Sum256([]byte(ch.Token))
 			if subtle.ConstantTimeCompare(data.Nonce, sum[:]) != 1 {
-				return storeError(ctx, db, ch, true, NewDetailedError(ErrorBadAttestationStatementType, "challenge token does not match"))
+				return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "challenge token does not match"))
 			}
 		}

@ -418,16 +375,8 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		//
 		// Note: We might want to use an external service for this.
 		if data.UDID != ch.Value && data.SerialNumber != ch.Value {
-			subproblem := NewSubproblemWithIdentifier(
-				ErrorRejectedIdentifierType,
-				Identifier{Type: "permanent-identifier", Value: ch.Value},
-				"challenge identifier %q doesn't match any of the attested hardware identifiers %q", ch.Value, []string{data.UDID, data.SerialNumber},
-			)
-			return storeError(ctx, db, ch, true, NewDetailedError(ErrorBadAttestationStatementType, "permanent identifier does not match").AddSubproblems(subproblem))
+			return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match"))
 		}
-
-		// Update attestation key fingerprint to compare against the CSR
-		az.Fingerprint = data.Fingerprint
 	case "step":
 		data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att)
 		if err != nil {
@ -441,53 +390,15 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 			return WrapErrorISE(err, "error validating attestation")
 		}

-		// Validate the YubiKey serial number from the attestation
-		// certificate with the challenged Order value.
+		// Validate Apple's ClientIdentifier (Identifier.Value) with device
+		// identifiers.
 		//
 		// Note: We might want to use an external service for this.
 		if data.SerialNumber != ch.Value {
-			subproblem := NewSubproblemWithIdentifier(
-				ErrorRejectedIdentifierType,
-				Identifier{Type: "permanent-identifier", Value: ch.Value},
-				"challenge identifier %q doesn't match the attested hardware identifier %q", ch.Value, data.SerialNumber,
-			)
-			return storeError(ctx, db, ch, true, NewDetailedError(ErrorBadAttestationStatementType, "permanent identifier does not match").AddSubproblems(subproblem))
+			return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match"))
 		}
-
-		// Update attestation key fingerprint to compare against the CSR
-		az.Fingerprint = data.Fingerprint
-
-	case "tpm":
-		data, err := doTPMAttestationFormat(ctx, prov, ch, jwk, &att)
-		if err != nil {
-			var acmeError *Error
-			if errors.As(err, &acmeError) {
-				if acmeError.Status == 500 {
-					return acmeError
-				}
-				return storeError(ctx, db, ch, true, acmeError)
-			}
-			return WrapErrorISE(err, "error validating attestation")
-		}
-
-		// TODO(hs): currently this will allow a request for which no PermanentIdentifiers have been
-		// extracted from the AK certificate. This is currently the case for AK certs from the CLI, as we
-		// haven't implemented a way for AK certs requested by the CLI to always contain the requested
-		// PermanentIdentifier. Omitting the check below doesn't allow just any request, as the Order can
-		// still fail if the challenge value isn't equal to the CSR subject.
-		if len(data.PermanentIdentifiers) > 0 && !slices.Contains(data.PermanentIdentifiers, ch.Value) { // TODO(hs): add support for HardwareModuleName
-			subproblem := NewSubproblemWithIdentifier(
-				ErrorRejectedIdentifierType,
-				Identifier{Type: "permanent-identifier", Value: ch.Value},
-				"challenge identifier %q doesn't match any of the attested hardware identifiers %q", ch.Value, data.PermanentIdentifiers,
-			)
-			return storeError(ctx, db, ch, true, NewDetailedError(ErrorBadAttestationStatementType, "permanent identifier does not match").AddSubproblems(subproblem))
-		}
-
-		// Update attestation key fingerprint to compare against the CSR
-		az.Fingerprint = data.Fingerprint
 	default:
-		return storeError(ctx, db, ch, true, NewDetailedError(ErrorBadAttestationStatementType, "unsupported attestation object format %q", format))
+		return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "unexpected attestation object format"))
 	}

 	// Update and store the challenge.
@ -495,314 +406,12 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 	ch.Error = nil
 	ch.ValidatedAt = clock.Now().Format(time.RFC3339)

-	// Store the fingerprint in the authorization.
-	//
-	// TODO: add method to update authorization and challenge atomically.
-	if az.Fingerprint != "" {
-		if err := db.UpdateAuthorization(ctx, az); err != nil {
-			return WrapErrorISE(err, "error updating authorization")
-		}
-	}
-
 	if err := db.UpdateChallenge(ctx, ch); err != nil {
 		return WrapErrorISE(err, "error updating challenge")
 	}
 	return nil
 }

-var (
-	oidSubjectAlternativeName = asn1.ObjectIdentifier{2, 5, 29, 17}
-)
-
-type tpmAttestationData struct {
-	Certificate          *x509.Certificate
-	VerifiedChains       [][]*x509.Certificate
-	PermanentIdentifiers []string
-	Fingerprint          string
-}
-
-// coseAlgorithmIdentifier models a COSEAlgorithmIdentifier.
-// Also see https://www.w3.org/TR/webauthn-2/#sctn-alg-identifier.
-type coseAlgorithmIdentifier int32
-
-const (
-	coseAlgES256 coseAlgorithmIdentifier = -7
-	coseAlgRS256 coseAlgorithmIdentifier = -257
-	coseAlgRS1   coseAlgorithmIdentifier = -65535 // deprecated, but (still) often used in TPMs
-)
-
-func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) {
-	ver, ok := att.AttStatement["ver"].(string)
-	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "ver not present")
-	}
-	if ver != "2.0" {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "version %q is not supported", ver)
-	}
-
-	x5c, ok := att.AttStatement["x5c"].([]interface{})
-	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")
-	}
-	if len(x5c) == 0 {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is empty")
-	}
-
-	akCertBytes, ok := x5c[0].([]byte)
-	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is malformed")
-	}
-	akCert, err := x509.ParseCertificate(akCertBytes)
-	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is malformed")
-	}
-
-	intermediates := x509.NewCertPool()
-	for _, v := range x5c[1:] {
-		intCertBytes, vok := v.([]byte)
-		if !vok {
-			return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is malformed")
-		}
-		intCert, err := x509.ParseCertificate(intCertBytes)
-		if err != nil {
-			return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is malformed")
-		}
-		intermediates.AddCert(intCert)
-	}
-
-	// TODO(hs): this can be removed when permanent-identifier/hardware-module-name are handled correctly in
-	// the stdlib in https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/crypto/x509/parser.go;drc=b5b2cf519fe332891c165077f3723ee74932a647;l=362,
-	// but I doubt that will happen.
-	if len(akCert.UnhandledCriticalExtensions) > 0 {
-		unhandledCriticalExtensions := akCert.UnhandledCriticalExtensions[:0]
-		for _, extOID := range akCert.UnhandledCriticalExtensions {
-			if !extOID.Equal(oidSubjectAlternativeName) {
-				// critical extensions other than the Subject Alternative Name remain unhandled
-				unhandledCriticalExtensions = append(unhandledCriticalExtensions, extOID)
-			}
-		}
-		akCert.UnhandledCriticalExtensions = unhandledCriticalExtensions
-	}
-
-	roots, ok := prov.GetAttestationRoots()
-	if !ok {
-		return nil, NewErrorISE("no root CA bundle available to verify the attestation certificate")
-	}
-
-	// verify that the AK certificate was signed by a trusted root,
-	// chained to by the intermediates provided by the client. As part
-	// of building the verified certificate chain, the signature over the
-	// AK certificate is checked to be a valid signature of one of the
-	// provided intermediates. Signatures over the intermediates are in
-	// turn also verified to be valid signatures from one of the trusted
-	// roots.
-	verifiedChains, err := akCert.Verify(x509.VerifyOptions{
-		Roots:         roots,
-		Intermediates: intermediates,
-		CurrentTime:   time.Now().Truncate(time.Second),
-		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
-	})
-	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is not valid")
-	}
-
-	// validate additional AK certificate requirements
-	if err := validateAKCertificate(akCert); err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "AK certificate is not valid")
-	}
-
-	// TODO(hs): implement revocation check; Verify() doesn't perform CRL check nor OCSP lookup.
-
-	sans, err := x509util.ParseSubjectAlternativeNames(akCert)
-	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "failed parsing AK certificate Subject Alternative Names")
-	}
-
-	permanentIdentifiers := make([]string, len(sans.PermanentIdentifiers))
-	for i, pi := range sans.PermanentIdentifiers {
-		permanentIdentifiers[i] = pi.Identifier
-	}
-
-	// extract and validate pubArea, sig, certInfo and alg properties from the request body
-	pubArea, ok := att.AttStatement["pubArea"].([]byte)
-	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "invalid pubArea in attestation statement")
-	}
-	if len(pubArea) == 0 {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "pubArea is empty")
-	}
-
-	sig, ok := att.AttStatement["sig"].([]byte)
-	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "invalid sig in attestation statement")
-	}
-	if len(sig) == 0 {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "sig is empty")
-	}
-
-	certInfo, ok := att.AttStatement["certInfo"].([]byte)
-	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "invalid certInfo in attestation statement")
-	}
-	if len(certInfo) == 0 {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "certInfo is empty")
-	}
-
-	alg, ok := att.AttStatement["alg"].(int64)
-	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "invalid alg in attestation statement")
-	}
-
-	var hash crypto.Hash
-	switch coseAlgorithmIdentifier(alg) {
-	case coseAlgRS256, coseAlgES256:
-		hash = crypto.SHA256
-	case coseAlgRS1:
-		hash = crypto.SHA1
-	default:
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "invalid alg %d in attestation statement", alg)
-	}
-
-	// recreate the generated key certification parameter values and verify
-	// the attested key using the public key of the AK.
-	certificationParameters := &attest.CertificationParameters{
-		Public:            pubArea,  // the public key that was attested
-		CreateAttestation: certInfo, // the attested properties of the key
-		CreateSignature:   sig,      // signature over the attested properties
-	}
-	verifyOpts := attest.VerifyOpts{
-		Public: akCert.PublicKey, // public key of the AK that attested the key
-		Hash:   hash,
-	}
-	if err = certificationParameters.Verify(verifyOpts); err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "invalid certification parameters")
-	}
-
-	// decode the "certInfo" data. This won't fail, as it's also done as part of Verify().
-	tpmCertInfo, err := tpm2.DecodeAttestationData(certInfo)
-	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "failed decoding attestation data")
-	}
-
-	keyAuth, err := KeyAuthorization(ch.Token, jwk)
-	if err != nil {
-		return nil, WrapErrorISE(err, "failed creating key auth digest")
-	}
-	hashedKeyAuth := sha256.Sum256([]byte(keyAuth))
-
-	// verify the WebAuthn object contains the expect key authorization digest, which is carried
-	// within the encoded `certInfo` property of the attestation statement.
-	if subtle.ConstantTimeCompare(hashedKeyAuth[:], []byte(tpmCertInfo.ExtraData)) == 0 {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "key authorization invalid")
-	}
-
-	// decode the (attested) public key and determine its fingerprint.  This won't fail, as it's also done as part of Verify().
-	pub, err := tpm2.DecodePublic(pubArea)
-	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "failed decoding pubArea")
-	}
-
-	publicKey, err := pub.Key()
-	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "failed getting public key")
-	}
-
-	data := &tpmAttestationData{
-		Certificate:          akCert,
-		VerifiedChains:       verifiedChains,
-		PermanentIdentifiers: permanentIdentifiers,
-	}
-
-	if data.Fingerprint, err = keyutil.Fingerprint(publicKey); err != nil {
-		return nil, WrapErrorISE(err, "error calculating key fingerprint")
-	}
-
-	// TODO(hs): pass more attestation data, so that that can be used/recorded too?
-	return data, nil
-}
-
-var (
-	oidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
-	oidTCGKpAIKCertificate       = asn1.ObjectIdentifier{2, 23, 133, 8, 3}
-)
-
-// validateAKCertificate validates the X.509 AK certificate to be
-// in accordance with the required properties. The requirements come from:
-// https://www.w3.org/TR/webauthn-2/#sctn-tpm-cert-requirements.
-//
-//   - Version MUST be set to 3.
-//   - Subject field MUST be set to empty.
-//   - The Subject Alternative Name extension MUST be set as defined
-//     in [TPMv2-EK-Profile] section 3.2.9.
-//   - The Extended Key Usage extension MUST contain the OID 2.23.133.8.3
-//     ("joint-iso-itu-t(2) international-organizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").
-//   - The Basic Constraints extension MUST have the CA component set to false.
-//   - An Authority Information Access (AIA) extension with entry id-ad-ocsp
-//     and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as
-//     the status of many attestation certificates is available through metadata
-//     services. See, for example, the FIDO Metadata Service.
-func validateAKCertificate(c *x509.Certificate) error {
-	if c.Version != 3 {
-		return fmt.Errorf("AK certificate has invalid version %d; only version 3 is allowed", c.Version)
-	}
-	if c.Subject.String() != "" {
-		return fmt.Errorf("AK certificate subject must be empty; got %q", c.Subject)
-	}
-	if c.IsCA {
-		return errors.New("AK certificate must not be a CA")
-	}
-	if err := validateAKCertificateExtendedKeyUsage(c); err != nil {
-		return err
-	}
-	return validateAKCertificateSubjectAlternativeNames(c)
-}
-
-// validateAKCertificateSubjectAlternativeNames checks if the AK certificate
-// has TPM hardware details set.
-func validateAKCertificateSubjectAlternativeNames(c *x509.Certificate) error {
-	sans, err := x509util.ParseSubjectAlternativeNames(c)
-	if err != nil {
-		return fmt.Errorf("failed parsing AK certificate Subject Alternative Names: %w", err)
-	}
-
-	details := sans.TPMHardwareDetails
-	manufacturer, model, version := details.Manufacturer, details.Model, details.Version
-
-	switch {
-	case manufacturer == "":
-		return errors.New("missing TPM manufacturer")
-	case model == "":
-		return errors.New("missing TPM model")
-	case version == "":
-		return errors.New("missing TPM version")
-	}
-
-	return nil
-}
-
-// validateAKCertificateExtendedKeyUsage checks if the AK certificate
-// has the "tcg-kp-AIKCertificate" Extended Key Usage set.
-func validateAKCertificateExtendedKeyUsage(c *x509.Certificate) error {
-	var (
-		valid = false
-		ekus  []asn1.ObjectIdentifier
-	)
-	for _, ext := range c.Extensions {
-		if ext.Id.Equal(oidExtensionExtendedKeyUsage) {
-			if _, err := asn1.Unmarshal(ext.Value, &ekus); err != nil || !ekus[0].Equal(oidTCGKpAIKCertificate) {
-				return errors.New("AK certificate is missing Extended Key Usage value tcg-kp-AIKCertificate (2.23.133.8.3)")
-			}
-			valid = true
-		}
-	}
-
-	if !valid {
-		return errors.New("AK certificate is missing Extended Key Usage extension")
-	}
-
-	return nil
-}
-
 // Apple Enterprise Attestation Root CA from
 // https://www.apple.com/certificateauthority/private/
 const appleEnterpriseAttestationRootCA = `-----BEGIN CERTIFICATE-----
@ -833,10 +442,9 @@ type appleAttestationData struct {
 	UDID         string
 	SEPVersion   string
 	Certificate  *x509.Certificate
-	Fingerprint  string
 }

-func doAppleAttestationFormat(_ context.Context, prov Provisioner, _ *Challenge, att *attestationObject) (*appleAttestationData, error) {
+func doAppleAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, att *AttestationObject) (*appleAttestationData, error) {
 	// Use configured or default attestation roots if none is configured.
 	roots, ok := prov.GetAttestationRoots()
 	if !ok {
@ -850,30 +458,30 @@ func doAppleAttestationFormat(_ context.Context, prov Provisioner, _ *Challenge,

 	x5c, ok := att.AttStatement["x5c"].([]interface{})
 	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")
+		return nil, NewError(ErrorBadAttestationStatementType, "x5c not present")
 	}
 	if len(x5c) == 0 {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is empty")
+		return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty")
 	}

 	der, ok := x5c[0].([]byte)
 	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is malformed")
+		return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
 	}
 	leaf, err := x509.ParseCertificate(der)
 	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is malformed")
+		return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
 	}

 	intermediates := x509.NewCertPool()
 	for _, v := range x5c[1:] {
 		der, ok = v.([]byte)
 		if !ok {
-			return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is malformed")
+			return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
 		}
 		cert, err := x509.ParseCertificate(der)
 		if err != nil {
-			return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is malformed")
+			return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
 		}
 		intermediates.AddCert(cert)
 	}
@ -884,15 +492,12 @@ func doAppleAttestationFormat(_ context.Context, prov Provisioner, _ *Challenge,
 		CurrentTime:   time.Now().Truncate(time.Second),
 		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 	}); err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is not valid")
+		return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is not valid")
 	}

 	data := &appleAttestationData{
 		Certificate: leaf,
 	}
-	if data.Fingerprint, err = keyutil.Fingerprint(leaf.PublicKey); err != nil {
-		return nil, WrapErrorISE(err, "error calculating key fingerprint")
-	}
 	for _, ext := range leaf.Extensions {
 		switch {
 		case ext.Id.Equal(oidAppleSerialNumber):
@ -938,10 +543,9 @@ var oidYubicoSerialNumber = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 7}
 type stepAttestationData struct {
 	Certificate  *x509.Certificate
 	SerialNumber string
-	Fingerprint  string
 }

-func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*stepAttestationData, error) {
+func doStepAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *AttestationObject) (*stepAttestationData, error) {
 	// Use configured or default attestation roots if none is configured.
 	roots, ok := prov.GetAttestationRoots()
 	if !ok {
@ -956,28 +560,28 @@ func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 	// Extract x5c and verify certificate
 	x5c, ok := att.AttStatement["x5c"].([]interface{})
 	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")
+		return nil, NewError(ErrorBadAttestationStatementType, "x5c not present")
 	}
 	if len(x5c) == 0 {
-		return nil, NewDetailedError(ErrorRejectedIdentifierType, "x5c is empty")
+		return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty")
 	}
 	der, ok := x5c[0].([]byte)
 	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is malformed")
+		return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
 	}
 	leaf, err := x509.ParseCertificate(der)
 	if err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is malformed")
+		return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
 	}
 	intermediates := x509.NewCertPool()
 	for _, v := range x5c[1:] {
 		der, ok = v.([]byte)
 		if !ok {
-			return nil, NewDetailedError(ErrorBadAttestationStatementType, "x5c is malformed")
+			return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
 		}
 		cert, err := x509.ParseCertificate(der)
 		if err != nil {
-			return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is malformed")
+			return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
 		}
 		intermediates.AddCert(cert)
 	}
@ -987,7 +591,7 @@ func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 		CurrentTime:   time.Now().Truncate(time.Second),
 		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 	}); err != nil {
-		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "x5c is not valid")
+		return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is not valid")
 	}

 	// Verify proof of possession of private key validating the key
@ -997,10 +601,10 @@ func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 	var sig []byte
 	csig, ok := att.AttStatement["sig"].([]byte)
 	if !ok {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "sig not present")
+		return nil, NewError(ErrorBadAttestationStatementType, "sig not present")
 	}
 	if err := cbor.Unmarshal(csig, &sig); err != nil {
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "sig is malformed")
+		return nil, NewError(ErrorBadAttestationStatementType, "sig is malformed")
 	}
 	keyAuth, err := KeyAuthorization(ch.Token, jwk)
 	if err != nil {
@ -1010,23 +614,23 @@ func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 	switch pub := leaf.PublicKey.(type) {
 	case *ecdsa.PublicKey:
 		if pub.Curve != elliptic.P256() {
-			return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "unsupported elliptic curve %s", pub.Curve)
+			return nil, WrapError(ErrorBadAttestationStatementType, err, "unsupported elliptic curve %s", pub.Curve)
 		}
 		sum := sha256.Sum256([]byte(keyAuth))
 		if !ecdsa.VerifyASN1(pub, sum[:], sig) {
-			return nil, NewDetailedError(ErrorBadAttestationStatementType, "failed to validate signature")
+			return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature")
 		}
 	case *rsa.PublicKey:
 		sum := sha256.Sum256([]byte(keyAuth))
 		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
-			return nil, NewDetailedError(ErrorBadAttestationStatementType, "failed to validate signature")
+			return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature")
 		}
 	case ed25519.PublicKey:
 		if !ed25519.Verify(pub, []byte(keyAuth), sig) {
-			return nil, NewDetailedError(ErrorBadAttestationStatementType, "failed to validate signature")
+			return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature")
 		}
 	default:
-		return nil, NewDetailedError(ErrorBadAttestationStatementType, "unsupported public key type %T", pub)
+		return nil, NewError(ErrorBadAttestationStatementType, "unsupported public key type %T", pub)
 	}

 	// Parse attestation data:
@ -1034,9 +638,6 @@ func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 	data := &stepAttestationData{
 		Certificate: leaf,
 	}
-	if data.Fingerprint, err = keyutil.Fingerprint(leaf.PublicKey); err != nil {
-		return nil, WrapErrorISE(err, "error calculating key fingerprint")
-	}
 	for _, ext := range leaf.Extensions {
 		if !ext.Id.Equal(oidYubicoSerialNumber) {
 			continue
@ -1100,10 +701,10 @@ func uitoa(val uint) string {
 	var buf [20]byte // big enough for 64bit value base 10
 	i := len(buf) - 1
 	for val >= 10 {
-		v := val / 10
-		buf[i] = byte('0' + val - v*10)
+		q := val / 10
+		buf[i] = byte('0' + val - q*10)
 		i--
-		val = v
+		val = q
 	}
 	// val < 10
 	buf[i] = byte('0' + val)
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
--- a/acme/challenge_tpmsimulator_test.go
+++ b/acme/challenge_tpmsimulator_test.go
@ -1,860 +0,0 @@
-//go:build tpmsimulator
-// +build tpmsimulator
-
-package acme
-
-import (
-	"context"
-	"crypto"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/asn1"
-	"encoding/base64"
-	"encoding/json"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"net/url"
-	"testing"
-
-	"github.com/fxamacker/cbor/v2"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/smallstep/go-attestation/attest"
-	"go.step.sm/crypto/jose"
-	"go.step.sm/crypto/keyutil"
-	"go.step.sm/crypto/minica"
-	"go.step.sm/crypto/tpm"
-	"go.step.sm/crypto/tpm/simulator"
-	tpmstorage "go.step.sm/crypto/tpm/storage"
-	"go.step.sm/crypto/x509util"
-)
-
-func newSimulatedTPM(t *testing.T) *tpm.TPM {
-	t.Helper()
-	tmpDir := t.TempDir()
-	tpm, err := tpm.New(withSimulator(t), tpm.WithStore(tpmstorage.NewDirstore(tmpDir))) // TODO: provide in-memory storage implementation instead
-	require.NoError(t, err)
-	return tpm
-}
-
-func withSimulator(t *testing.T) tpm.NewTPMOption {
-	t.Helper()
-	var sim simulator.Simulator
-	t.Cleanup(func() {
-		if sim == nil {
-			return
-		}
-		err := sim.Close()
-		require.NoError(t, err)
-	})
-	sim, err := simulator.New()
-	require.NoError(t, err)
-	err = sim.Open()
-	require.NoError(t, err)
-	return tpm.WithSimulator(sim)
-}
-
-func generateKeyID(t *testing.T, pub crypto.PublicKey) []byte {
-	t.Helper()
-	b, err := x509.MarshalPKIXPublicKey(pub)
-	require.NoError(t, err)
-	hash := sha256.Sum256(b)
-	return hash[:]
-}
-
-func mustAttestTPM(t *testing.T, keyAuthorization string, permanentIdentifiers []string) ([]byte, crypto.Signer, *x509.Certificate) {
-	t.Helper()
-	aca, err := minica.New(
-		minica.WithName("TPM Testing"),
-		minica.WithGetSignerFunc(
-			func() (crypto.Signer, error) {
-				return keyutil.GenerateSigner("RSA", "", 2048)
-			},
-		),
-	)
-	require.NoError(t, err)
-
-	// prepare simulated TPM and create an AK
-	stpm := newSimulatedTPM(t)
-	eks, err := stpm.GetEKs(context.Background())
-	require.NoError(t, err)
-	ak, err := stpm.CreateAK(context.Background(), "first-ak")
-	require.NoError(t, err)
-	require.NotNil(t, ak)
-
-	// extract the AK public key // TODO(hs): replace this when there's a simpler method to get the AK public key (e.g. ak.Public())
-	ap, err := ak.AttestationParameters(context.Background())
-	require.NoError(t, err)
-	akp, err := attest.ParseAKPublic(attest.TPMVersion20, ap.Public)
-	require.NoError(t, err)
-
-	// create template and sign certificate for the AK public key
-	keyID := generateKeyID(t, eks[0].Public())
-	template := &x509.Certificate{
-		PublicKey:          akp.Public,
-		IsCA:               false,
-		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGKpAIKCertificate},
-	}
-	sans := []x509util.SubjectAlternativeName{}
-	uris := []*url.URL{{Scheme: "urn", Opaque: "ek:sha256:" + base64.StdEncoding.EncodeToString(keyID)}}
-	for _, pi := range permanentIdentifiers {
-		sans = append(sans, x509util.SubjectAlternativeName{
-			Type:  x509util.PermanentIdentifierType,
-			Value: pi,
-		})
-	}
-	asn1Value := []byte(fmt.Sprintf(`{"extraNames":[{"type": %q, "value": %q},{"type": %q, "value": %q},{"type": %q, "value": %q}]}`, oidTPMManufacturer, "1414747215", oidTPMModel, "SLB 9670 TPM2.0", oidTPMVersion, "7.55"))
-	sans = append(sans, x509util.SubjectAlternativeName{
-		Type:      x509util.DirectoryNameType,
-		ASN1Value: asn1Value,
-	})
-	ext, err := createSubjectAltNameExtension(nil, nil, nil, uris, sans, true)
-	require.NoError(t, err)
-	ext.Set(template)
-	akCert, err := aca.Sign(template)
-	require.NoError(t, err)
-	require.NotNil(t, akCert)
-
-	// create a new key attested by the AK, while including
-	// the key authorization bytes as qualifying data.
-	keyAuthSum := sha256.Sum256([]byte(keyAuthorization))
-	config := tpm.AttestKeyConfig{
-		Algorithm:      "RSA",
-		Size:           2048,
-		QualifyingData: keyAuthSum[:],
-	}
-	key, err := stpm.AttestKey(context.Background(), "first-ak", "first-key", config)
-	require.NoError(t, err)
-	require.NotNil(t, key)
-	require.Equal(t, "first-key", key.Name())
-	require.NotEqual(t, 0, len(key.Data()))
-	require.Equal(t, "first-ak", key.AttestedBy())
-	require.True(t, key.WasAttested())
-	require.True(t, key.WasAttestedBy(ak))
-
-	signer, err := key.Signer(context.Background())
-	require.NoError(t, err)
-
-	// prepare the attestation object with the AK certificate chain,
-	// the attested key, its metadata and the signature signed by the
-	// AK.
-	params, err := key.CertificationParameters(context.Background())
-	require.NoError(t, err)
-	attObj, err := cbor.Marshal(struct {
-		Format       string                 `json:"fmt"`
-		AttStatement map[string]interface{} `json:"attStmt,omitempty"`
-	}{
-		Format: "tpm",
-		AttStatement: map[string]interface{}{
-			"ver":      "2.0",
-			"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-			"alg":      int64(-257), // RS256
-			"sig":      params.CreateSignature,
-			"certInfo": params.CreateAttestation,
-			"pubArea":  params.Public,
-		},
-	})
-	require.NoError(t, err)
-
-	// marshal the ACME payload
-	payload, err := json.Marshal(struct {
-		AttObj string `json:"attObj"`
-	}{
-		AttObj: base64.RawURLEncoding.EncodeToString(attObj),
-	})
-	require.NoError(t, err)
-
-	return payload, signer, aca.Root
-}
-
-func Test_deviceAttest01ValidateWithTPMSimulator(t *testing.T) {
-	type args struct {
-		ctx     context.Context
-		ch      *Challenge
-		db      DB
-		jwk     *jose.JSONWebKey
-		payload []byte
-	}
-	type test struct {
-		args    args
-		wantErr *Error
-	}
-	tests := map[string]func(t *testing.T) test{
-		"ok/doTPMAttestationFormat-storeError": func(t *testing.T) test {
-			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
-			payload, _, root := mustAttestTPM(t, keyAuth, nil) // TODO: value(s) for AK cert?
-			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
-			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
-
-			// parse payload, set invalid "ver", remarshal
-			var p payloadType
-			err := json.Unmarshal(payload, &p)
-			require.NoError(t, err)
-			attObj, err := base64.RawURLEncoding.DecodeString(p.AttObj)
-			require.NoError(t, err)
-			att := attestationObject{}
-			err = cbor.Unmarshal(attObj, &att)
-			require.NoError(t, err)
-			att.AttStatement["ver"] = "bogus"
-			attObj, err = cbor.Marshal(struct {
-				Format       string                 `json:"fmt"`
-				AttStatement map[string]interface{} `json:"attStmt,omitempty"`
-			}{
-				Format:       "tpm",
-				AttStatement: att.AttStatement,
-			})
-			require.NoError(t, err)
-			payload, err = json.Marshal(struct {
-				AttObj string `json:"attObj"`
-			}{
-				AttObj: base64.RawURLEncoding.EncodeToString(attObj),
-			})
-			require.NoError(t, err)
-			return test{
-				args: args{
-					ctx: ctx,
-					jwk: jwk,
-					ch: &Challenge{
-						ID:              "chID",
-						AuthorizationID: "azID",
-						Token:           "token",
-						Type:            "device-attest-01",
-						Status:          StatusPending,
-						Value:           "device.id.12345678",
-					},
-					payload: payload,
-					db: &MockDB{
-						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-							assert.Equal(t, "azID", id)
-							return &Authorization{ID: "azID"}, nil
-						},
-						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
-							assert.Equal(t, "chID", updch.ID)
-							assert.Equal(t, "token", updch.Token)
-							assert.Equal(t, StatusInvalid, updch.Status)
-							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
-							assert.Equal(t, "device.id.12345678", updch.Value)
-
-							err := NewDetailedError(ErrorBadAttestationStatementType, `version "bogus" is not supported`)
-
-							assert.EqualError(t, updch.Error.Err, err.Err.Error())
-							assert.Equal(t, err.Type, updch.Error.Type)
-							assert.Equal(t, err.Detail, updch.Error.Detail)
-							assert.Equal(t, err.Status, updch.Error.Status)
-							assert.Equal(t, err.Subproblems, updch.Error.Subproblems)
-
-							return nil
-						},
-					},
-				},
-				wantErr: nil,
-			}
-		},
-		"ok with invalid PermanentIdentifier SAN": func(t *testing.T) test {
-			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
-			payload, _, root := mustAttestTPM(t, keyAuth, []string{"device.id.12345678"}) // TODO: value(s) for AK cert?
-			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
-			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
-			return test{
-				args: args{
-					ctx: ctx,
-					jwk: jwk,
-					ch: &Challenge{
-						ID:              "chID",
-						AuthorizationID: "azID",
-						Token:           "token",
-						Type:            "device-attest-01",
-						Status:          StatusPending,
-						Value:           "device.id.99999999",
-					},
-					payload: payload,
-					db: &MockDB{
-						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-							assert.Equal(t, "azID", id)
-							return &Authorization{ID: "azID"}, nil
-						},
-						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
-							assert.Equal(t, "chID", updch.ID)
-							assert.Equal(t, "token", updch.Token)
-							assert.Equal(t, StatusInvalid, updch.Status)
-							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
-							assert.Equal(t, "device.id.99999999", updch.Value)
-
-							err := NewDetailedError(ErrorBadAttestationStatementType, `permanent identifier does not match`).
-								AddSubproblems(NewSubproblemWithIdentifier(
-									ErrorRejectedIdentifierType,
-									Identifier{Type: "permanent-identifier", Value: "device.id.99999999"},
-									`challenge identifier "device.id.99999999" doesn't match any of the attested hardware identifiers ["device.id.12345678"]`,
-								))
-
-							assert.EqualError(t, updch.Error.Err, err.Err.Error())
-							assert.Equal(t, err.Type, updch.Error.Type)
-							assert.Equal(t, err.Detail, updch.Error.Detail)
-							assert.Equal(t, err.Status, updch.Error.Status)
-							assert.Equal(t, err.Subproblems, updch.Error.Subproblems)
-
-							return nil
-						},
-					},
-				},
-				wantErr: nil,
-			}
-		},
-		"ok": func(t *testing.T) test {
-			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
-			payload, signer, root := mustAttestTPM(t, keyAuth, nil) // TODO: value(s) for AK cert?
-			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
-			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
-			return test{
-				args: args{
-					ctx: ctx,
-					jwk: jwk,
-					ch: &Challenge{
-						ID:              "chID",
-						AuthorizationID: "azID",
-						Token:           "token",
-						Type:            "device-attest-01",
-						Status:          StatusPending,
-						Value:           "device.id.12345678",
-					},
-					payload: payload,
-					db: &MockDB{
-						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-							assert.Equal(t, "azID", id)
-							return &Authorization{ID: "azID"}, nil
-						},
-						MockUpdateAuthorization: func(ctx context.Context, az *Authorization) error {
-							fingerprint, err := keyutil.Fingerprint(signer.Public())
-							assert.NoError(t, err)
-							assert.Equal(t, "azID", az.ID)
-							assert.Equal(t, fingerprint, az.Fingerprint)
-							return nil
-						},
-						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
-							assert.Equal(t, "chID", updch.ID)
-							assert.Equal(t, "token", updch.Token)
-							assert.Equal(t, StatusValid, updch.Status)
-							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
-							assert.Equal(t, "device.id.12345678", updch.Value)
-							return nil
-						},
-					},
-				},
-				wantErr: nil,
-			}
-		},
-		"ok with PermanentIdentifier SAN": func(t *testing.T) test {
-			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
-			payload, signer, root := mustAttestTPM(t, keyAuth, []string{"device.id.12345678"}) // TODO: value(s) for AK cert?
-			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
-			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
-			return test{
-				args: args{
-					ctx: ctx,
-					jwk: jwk,
-					ch: &Challenge{
-						ID:              "chID",
-						AuthorizationID: "azID",
-						Token:           "token",
-						Type:            "device-attest-01",
-						Status:          StatusPending,
-						Value:           "device.id.12345678",
-					},
-					payload: payload,
-					db: &MockDB{
-						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-							assert.Equal(t, "azID", id)
-							return &Authorization{ID: "azID"}, nil
-						},
-						MockUpdateAuthorization: func(ctx context.Context, az *Authorization) error {
-							fingerprint, err := keyutil.Fingerprint(signer.Public())
-							assert.NoError(t, err)
-							assert.Equal(t, "azID", az.ID)
-							assert.Equal(t, fingerprint, az.Fingerprint)
-							return nil
-						},
-						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
-							assert.Equal(t, "chID", updch.ID)
-							assert.Equal(t, "token", updch.Token)
-							assert.Equal(t, StatusValid, updch.Status)
-							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
-							assert.Equal(t, "device.id.12345678", updch.Value)
-							return nil
-						},
-					},
-				},
-				wantErr: nil,
-			}
-		},
-	}
-	for name, run := range tests {
-		t.Run(name, func(t *testing.T) {
-			tc := run(t)
-
-			if err := deviceAttest01Validate(tc.args.ctx, tc.args.ch, tc.args.db, tc.args.jwk, tc.args.payload); err != nil {
-				assert.Error(t, tc.wantErr)
-				assert.EqualError(t, err, tc.wantErr.Error())
-				return
-			}
-
-			assert.Nil(t, tc.wantErr)
-		})
-	}
-}
-
-func newBadAttestationStatementError(msg string) *Error {
-	return &Error{
-		Type:   "urn:ietf:params:acme:error:badAttestationStatement",
-		Status: 400,
-		Err:    errors.New(msg),
-	}
-}
-
-func newInternalServerError(msg string) *Error {
-	return &Error{
-		Type:   "urn:ietf:params:acme:error:serverInternal",
-		Status: 500,
-		Err:    errors.New(msg),
-	}
-}
-
-var (
-	oidPermanentIdentifier          = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3}
-	oidHardwareModuleNameIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 4}
-)
-
-func Test_doTPMAttestationFormat(t *testing.T) {
-	ctx := context.Background()
-	aca, err := minica.New(
-		minica.WithName("TPM Testing"),
-		minica.WithGetSignerFunc(
-			func() (crypto.Signer, error) {
-				return keyutil.GenerateSigner("RSA", "", 2048)
-			},
-		),
-	)
-	require.NoError(t, err)
-	acaRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: aca.Root.Raw})
-
-	// prepare simulated TPM and create an AK
-	stpm := newSimulatedTPM(t)
-	eks, err := stpm.GetEKs(context.Background())
-	require.NoError(t, err)
-	ak, err := stpm.CreateAK(context.Background(), "first-ak")
-	require.NoError(t, err)
-	require.NotNil(t, ak)
-
-	// extract the AK public key // TODO(hs): replace this when there's a simpler method to get the AK public key (e.g. ak.Public())
-	ap, err := ak.AttestationParameters(context.Background())
-	require.NoError(t, err)
-	akp, err := attest.ParseAKPublic(attest.TPMVersion20, ap.Public)
-	require.NoError(t, err)
-
-	// create template and sign certificate for the AK public key
-	keyID := generateKeyID(t, eks[0].Public())
-	template := &x509.Certificate{
-		PublicKey:          akp.Public,
-		IsCA:               false,
-		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGKpAIKCertificate},
-	}
-	sans := []x509util.SubjectAlternativeName{}
-	uris := []*url.URL{{Scheme: "urn", Opaque: "ek:sha256:" + base64.StdEncoding.EncodeToString(keyID)}}
-	asn1Value := []byte(fmt.Sprintf(`{"extraNames":[{"type": %q, "value": %q},{"type": %q, "value": %q},{"type": %q, "value": %q}]}`, oidTPMManufacturer, "1414747215", oidTPMModel, "SLB 9670 TPM2.0", oidTPMVersion, "7.55"))
-	sans = append(sans, x509util.SubjectAlternativeName{
-		Type:      x509util.DirectoryNameType,
-		ASN1Value: asn1Value,
-	})
-	ext, err := createSubjectAltNameExtension(nil, nil, nil, uris, sans, true)
-	require.NoError(t, err)
-	ext.Set(template)
-	akCert, err := aca.Sign(template)
-	require.NoError(t, err)
-	require.NotNil(t, akCert)
-
-	invalidTemplate := &x509.Certificate{
-		PublicKey:          akp.Public,
-		IsCA:               false,
-		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGKpAIKCertificate},
-	}
-	invalidAKCert, err := aca.Sign(invalidTemplate)
-	require.NoError(t, err)
-	require.NotNil(t, invalidAKCert)
-
-	// generate a JWK and the key authorization value
-	jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
-	require.NoError(t, err)
-	keyAuthorization, err := KeyAuthorization("token", jwk)
-	require.NoError(t, err)
-
-	// create a new key attested by the AK, while including
-	// the key authorization bytes as qualifying data.
-	keyAuthSum := sha256.Sum256([]byte(keyAuthorization))
-	config := tpm.AttestKeyConfig{
-		Algorithm:      "RSA",
-		Size:           2048,
-		QualifyingData: keyAuthSum[:],
-	}
-	key, err := stpm.AttestKey(context.Background(), "first-ak", "first-key", config)
-	require.NoError(t, err)
-	require.NotNil(t, key)
-	params, err := key.CertificationParameters(context.Background())
-	require.NoError(t, err)
-
-	signer, err := key.Signer(context.Background())
-	require.NoError(t, err)
-	fingerprint, err := keyutil.Fingerprint(signer.Public())
-	require.NoError(t, err)
-
-	// attest another key and get its certification parameters
-	anotherKey, err := stpm.AttestKey(context.Background(), "first-ak", "another-key", config)
-	require.NoError(t, err)
-	require.NotNil(t, key)
-	anotherKeyParams, err := anotherKey.CertificationParameters(context.Background())
-	require.NoError(t, err)
-
-	type args struct {
-		ctx  context.Context
-		prov Provisioner
-		ch   *Challenge
-		jwk  *jose.JSONWebKey
-		att  *attestationObject
-	}
-	tests := []struct {
-		name   string
-		args   args
-		want   *tpmAttestationData
-		expErr *Error
-	}{
-		{"ok", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, nil},
-		{"fail ver not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("ver not present")},
-		{"fail ver type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      []interface{}{},
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("ver not present")},
-		{"fail bogus ver", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "bogus",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError(`version "bogus" is not supported`)},
-		{"fail x5c not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c not present")},
-		{"fail x5c type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      [][]byte{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c not present")},
-		{"fail x5c empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c is empty")},
-		{"fail leaf type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "step",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{"leaf", aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c is malformed")},
-		{"fail leaf parse", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "step",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw[:100], aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c is malformed: x509: malformed certificate")},
-		{"fail intermediate type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "step",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, "intermediate"},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c is malformed")},
-		{"fail intermediate parse", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "step",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw[:100]},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c is malformed: x509: malformed certificate")},
-		{"fail roots", args{ctx, mustAttestationProvisioner(t, nil), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newInternalServerError("no root CA bundle available to verify the attestation certificate")},
-		{"fail verify", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "step",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("x5c is not valid: x509: certificate signed by unknown authority")},
-		{"fail validateAKCertificate", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{invalidAKCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("AK certificate is not valid: missing TPM manufacturer")},
-		{"fail pubArea not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-			},
-		}}, nil, newBadAttestationStatementError("invalid pubArea in attestation statement")},
-		{"fail pubArea type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  []interface{}{},
-			},
-		}}, nil, newBadAttestationStatementError("invalid pubArea in attestation statement")},
-		{"fail pubArea empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  []byte{},
-			},
-		}}, nil, newBadAttestationStatementError("pubArea is empty")},
-		{"fail sig not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("invalid sig in attestation statement")},
-		{"fail sig type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      []interface{}{},
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("invalid sig in attestation statement")},
-		{"fail sig empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      []byte{},
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("sig is empty")},
-		{"fail certInfo not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":     "2.0",
-				"x5c":     []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":     int64(-257), // RS256
-				"sig":     params.CreateSignature,
-				"pubArea": params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("invalid certInfo in attestation statement")},
-		{"fail certInfo type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": []interface{}{},
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("invalid certInfo in attestation statement")},
-		{"fail certInfo empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": []byte{},
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("certInfo is empty")},
-		{"fail alg not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("invalid alg in attestation statement")},
-		{"fail alg type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(0), // invalid alg
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("invalid alg 0 in attestation statement")},
-		{"fail attestation verification", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  anotherKeyParams.Public,
-			},
-		}}, nil, newBadAttestationStatementError("invalid certification parameters: certification refers to a different key")},
-		{"fail keyAuthorization", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, &jose.JSONWebKey{Key: []byte("not an asymmetric key")}, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), // RS256
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newInternalServerError("failed creating key auth digest: error generating JWK thumbprint: go-jose/go-jose: unknown key type '[]uint8'")},
-		{"fail different keyAuthorization", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "aDifferentToken"}, jwk, &attestationObject{
-			Format: "tpm",
-			AttStatement: map[string]interface{}{
-				"ver":      "2.0",
-				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
-				"alg":      int64(-257), //
-				"sig":      params.CreateSignature,
-				"certInfo": params.CreateAttestation,
-				"pubArea":  params.Public,
-			},
-		}}, nil, newBadAttestationStatementError("key authorization invalid")},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := doTPMAttestationFormat(tt.args.ctx, tt.args.prov, tt.args.ch, tt.args.jwk, tt.args.att)
-			if tt.expErr != nil {
-				var ae *Error
-				if assert.True(t, errors.As(err, &ae)) {
-					assert.EqualError(t, err, tt.expErr.Error())
-					assert.Equal(t, ae.StatusCode(), tt.expErr.StatusCode())
-					assert.Equal(t, ae.Type, tt.expErr.Type)
-				}
-				assert.Nil(t, got)
-				return
-			}
-
-			assert.NoError(t, err)
-			if assert.NotNil(t, got) {
-				assert.Equal(t, akCert, got.Certificate)
-				assert.Equal(t, [][]*x509.Certificate{
-					{
-						akCert, aca.Intermediate, aca.Root,
-					},
-				}, got.VerifiedChains)
-				assert.Equal(t, fingerprint, got.Fingerprint)
-				assert.Empty(t, got.PermanentIdentifiers) // currently expected to be always empty
-			}
-		})
-	}
-}
--- a/acme/client.go
+++ b/acme/client.go
@ -55,7 +55,6 @@ func NewClient() Client {
 		http: &http.Client{
 			Timeout: 30 * time.Second,
 			Transport: &http.Transport{
-				Proxy: http.ProxyFromEnvironment,
 				TLSClientConfig: &tls.Config{
 					//nolint:gosec // used on tls-alpn-01 challenge
 					InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
--- a/acme/common.go
+++ b/acme/common.go
@ -21,7 +21,7 @@ var clock Clock

 // CertificateAuthority is the interface implemented by a CA authority.
 type CertificateAuthority interface {
-	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	AreSANsAllowed(ctx context.Context, sans []string) error
 	IsRevoked(sn string) (bool, error)
 	Revoke(context.Context, *authority.RevokeOptions) error
@ -46,7 +46,7 @@ type PrerequisitesChecker func(ctx context.Context) (bool, error)

 // DefaultPrerequisitesChecker is the default PrerequisiteChecker and returns
 // always true.
-func DefaultPrerequisitesChecker(context.Context) (bool, error) {
+func DefaultPrerequisitesChecker(ctx context.Context) (bool, error) {
 	return true, nil
 }

@ -93,17 +93,14 @@ func ProvisionerFromContext(ctx context.Context) (v Provisioner, ok bool) {
 	return
 }

-// MustProvisionerFromContext returns the current provisioner from the given context.
+// MustLinkerFromContext returns the current provisioner from the given context.
 // It will panic if it's not in the context.
 func MustProvisionerFromContext(ctx context.Context) Provisioner {
-	var (
-		v  Provisioner
-		ok bool
-	)
-	if v, ok = ProvisionerFromContext(ctx); !ok {
+	if v, ok := ProvisionerFromContext(ctx); !ok {
 		panic("acme provisioner is not the context")
+	} else {
+		return v
 	}
-	return v
 }

 // MockProvisioner for testing
@ -130,7 +127,7 @@ func (m *MockProvisioner) GetName() string {
 	return m.Mret1.(string)
 }

-// AuthorizeOrderIdentifier mock
+// AuthorizeOrderIdentifiers mock
 func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
 	if m.MauthorizeOrderIdentifier != nil {
 		return m.MauthorizeOrderIdentifier(ctx, identifier)
--- a/acme/db.go
+++ b/acme/db.go
@ -2,7 +2,6 @@ package acme

 import (
 	"context"
-	"database/sql"

 	"github.com/pkg/errors"
 )
@ -13,12 +12,6 @@ import (
 // account.
 var ErrNotFound = errors.New("not found")

-// IsErrNotFound returns true if the error is a "not found" error. Returns false
-// otherwise.
-func IsErrNotFound(err error) bool {
-	return errors.Is(err, ErrNotFound) || errors.Is(err, sql.ErrNoRows)
-}
-
 // DB is the DB interface expected by the step-ca ACME API.
 type DB interface {
 	CreateAccount(ctx context.Context, acc *Account) error
@ -72,14 +65,11 @@ func DatabaseFromContext(ctx context.Context) (db DB, ok bool) {
 // MustDatabaseFromContext returns the current database from the given context.
 // It will panic if it's not in the context.
 func MustDatabaseFromContext(ctx context.Context) DB {
-	var (
-		db DB
-		ok bool
-	)
-	if db, ok = DatabaseFromContext(ctx); !ok {
+	if db, ok := DatabaseFromContext(ctx); !ok {
 		panic("acme database is not in the context")
+	} else {
+		return db
 	}
-	return db
 }

 // MockDB is an implementation of the DB interface that should only be used as
--- a/acme/db/nosql/account.go
+++ b/acme/db/nosql/account.go
@ -13,15 +13,12 @@ import (

 // dbAccount represents an ACME account.
 type dbAccount struct {
-	ID              string           `json:"id"`
-	Key             *jose.JSONWebKey `json:"key"`
-	Contact         []string         `json:"contact,omitempty"`
-	Status          acme.Status      `json:"status"`
-	LocationPrefix  string           `json:"locationPrefix"`
-	ProvisionerID   string           `json:"provisionerID,omitempty"`
-	ProvisionerName string           `json:"provisionerName"`
-	CreatedAt       time.Time        `json:"createdAt"`
-	DeactivatedAt   time.Time        `json:"deactivatedAt"`
+	ID            string           `json:"id"`
+	Key           *jose.JSONWebKey `json:"key"`
+	Contact       []string         `json:"contact,omitempty"`
+	Status        acme.Status      `json:"status"`
+	CreatedAt     time.Time        `json:"createdAt"`
+	DeactivatedAt time.Time        `json:"deactivatedAt"`
 }

 func (dba *dbAccount) clone() *dbAccount {
@ -29,7 +26,7 @@ func (dba *dbAccount) clone() *dbAccount {
 	return &nu
 }

-func (db *DB) getAccountIDByKeyID(_ context.Context, kid string) (string, error) {
+func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, error) {
 	id, err := db.db.Get(accountByKeyIDTable, []byte(kid))
 	if err != nil {
 		if nosqlDB.IsErrNotFound(err) {
@ -41,7 +38,7 @@ func (db *DB) getAccountIDByKeyID(_ context.Context, kid string) (string, error)
 }

 // getDBAccount retrieves and unmarshals dbAccount.
-func (db *DB) getDBAccount(_ context.Context, id string) (*dbAccount, error) {
+func (db *DB) getDBAccount(ctx context.Context, id string) (*dbAccount, error) {
 	data, err := db.db.Get(accountTable, []byte(id))
 	if err != nil {
 		if nosqlDB.IsErrNotFound(err) {
@ -65,13 +62,10 @@ func (db *DB) GetAccount(ctx context.Context, id string) (*acme.Account, error)
 	}

 	return &acme.Account{
-		Status:          dbacc.Status,
-		Contact:         dbacc.Contact,
-		Key:             dbacc.Key,
-		ID:              dbacc.ID,
-		LocationPrefix:  dbacc.LocationPrefix,
-		ProvisionerID:   dbacc.ProvisionerID,
-		ProvisionerName: dbacc.ProvisionerName,
+		Status:  dbacc.Status,
+		Contact: dbacc.Contact,
+		Key:     dbacc.Key,
+		ID:      dbacc.ID,
 	}, nil
 }

@ -93,14 +87,11 @@ func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error {
 	}

 	dba := &dbAccount{
-		ID:              acc.ID,
-		Key:             acc.Key,
-		Contact:         acc.Contact,
-		Status:          acc.Status,
-		CreatedAt:       clock.Now(),
-		LocationPrefix:  acc.LocationPrefix,
-		ProvisionerID:   acc.ProvisionerID,
-		ProvisionerName: acc.ProvisionerName,
+		ID:        acc.ID,
+		Key:       acc.Key,
+		Contact:   acc.Contact,
+		Status:    acc.Status,
+		CreatedAt: clock.Now(),
 	}

 	kid, err := acme.KeyToID(dba.Key)
--- a/acme/db/nosql/account_test.go
+++ b/acme/db/nosql/account_test.go
@ -68,14 +68,12 @@ func TestDB_getDBAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			dbacc := &dbAccount{
-				ID:              accID,
-				Status:          acme.StatusDeactivated,
-				CreatedAt:       now,
-				DeactivatedAt:   now,
-				Contact:         []string{"foo", "bar"},
-				Key:             jwk,
-				ProvisionerID:   "73d2c0f1-9753-448b-9b48-bf00fe434681",
-				ProvisionerName: "acme",
+				ID:            accID,
+				Status:        acme.StatusDeactivated,
+				CreatedAt:     now,
+				DeactivatedAt: now,
+				Contact:       []string{"foo", "bar"},
+				Key:           jwk,
 			}
 			b, err := json.Marshal(dbacc)
 			assert.FatalError(t, err)
@ -199,8 +197,6 @@ func TestDB_getAccountIDByKeyID(t *testing.T) {

 func TestDB_GetAccount(t *testing.T) {
 	accID := "accID"
-	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
-	provisionerName := "foo"
 	type test struct {
 		db      nosql.DB
 		err     error
@ -226,14 +222,12 @@ func TestDB_GetAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			dbacc := &dbAccount{
-				ID:              accID,
-				Status:          acme.StatusDeactivated,
-				CreatedAt:       now,
-				DeactivatedAt:   now,
-				Contact:         []string{"foo", "bar"},
-				Key:             jwk,
-				LocationPrefix:  locationPrefix,
-				ProvisionerName: provisionerName,
+				ID:            accID,
+				Status:        acme.StatusDeactivated,
+				CreatedAt:     now,
+				DeactivatedAt: now,
+				Contact:       []string{"foo", "bar"},
+				Key:           jwk,
 			}
 			b, err := json.Marshal(dbacc)
 			assert.FatalError(t, err)
@ -272,8 +266,6 @@ func TestDB_GetAccount(t *testing.T) {
 				assert.Equals(t, acc.ID, tc.dbacc.ID)
 				assert.Equals(t, acc.Status, tc.dbacc.Status)
 				assert.Equals(t, acc.Contact, tc.dbacc.Contact)
-				assert.Equals(t, acc.LocationPrefix, tc.dbacc.LocationPrefix)
-				assert.Equals(t, acc.ProvisionerName, tc.dbacc.ProvisionerName)
 				assert.Equals(t, acc.Key.KeyID, tc.dbacc.Key.KeyID)
 			}
 		})
@ -387,7 +379,6 @@ func TestDB_GetAccountByKeyID(t *testing.T) {
 }

 func TestDB_CreateAccount(t *testing.T) {
-	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
 	type test struct {
 		db  nosql.DB
 		acc *acme.Account
@ -399,10 +390,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -423,10 +413,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -447,10 +436,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -468,8 +456,6 @@ func TestDB_CreateAccount(t *testing.T) {
 							assert.FatalError(t, json.Unmarshal(nu, dbacc))
 							assert.Equals(t, dbacc.ID, string(key))
 							assert.Equals(t, dbacc.Contact, acc.Contact)
-							assert.Equals(t, dbacc.LocationPrefix, acc.LocationPrefix)
-							assert.Equals(t, dbacc.ProvisionerName, acc.ProvisionerName)
 							assert.Equals(t, dbacc.Key.KeyID, acc.Key.KeyID)
 							assert.True(t, clock.Now().Add(-time.Minute).Before(dbacc.CreatedAt))
 							assert.True(t, clock.Now().Add(time.Minute).After(dbacc.CreatedAt))
@ -493,10 +479,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -515,8 +500,6 @@ func TestDB_CreateAccount(t *testing.T) {
 							assert.FatalError(t, json.Unmarshal(nu, dbacc))
 							assert.Equals(t, dbacc.ID, string(key))
 							assert.Equals(t, dbacc.Contact, acc.Contact)
-							assert.Equals(t, dbacc.LocationPrefix, acc.LocationPrefix)
-							assert.Equals(t, dbacc.ProvisionerName, acc.ProvisionerName)
 							assert.Equals(t, dbacc.Key.KeyID, acc.Key.KeyID)
 							assert.True(t, clock.Now().Add(-time.Minute).Before(dbacc.CreatedAt))
 							assert.True(t, clock.Now().Add(time.Minute).After(dbacc.CreatedAt))
@ -556,14 +539,12 @@ func TestDB_UpdateAccount(t *testing.T) {
 	jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 	assert.FatalError(t, err)
 	dbacc := &dbAccount{
-		ID:              accID,
-		Status:          acme.StatusDeactivated,
-		CreatedAt:       now,
-		DeactivatedAt:   now,
-		Contact:         []string{"foo", "bar"},
-		LocationPrefix:  "foo",
-		ProvisionerName: "alpha",
-		Key:             jwk,
+		ID:            accID,
+		Status:        acme.StatusDeactivated,
+		CreatedAt:     now,
+		DeactivatedAt: now,
+		Contact:       []string{"foo", "bar"},
+		Key:           jwk,
 	}
 	b, err := json.Marshal(dbacc)
 	assert.FatalError(t, err)
@ -663,12 +644,10 @@ func TestDB_UpdateAccount(t *testing.T) {
 		},
 		"ok": func(t *testing.T) test {
 			acc := &acme.Account{
-				ID:              accID,
-				Status:          acme.StatusDeactivated,
-				Contact:         []string{"baz", "zap"},
-				LocationPrefix:  "bar",
-				ProvisionerName: "beta",
-				Key:             jwk,
+				ID:      accID,
+				Status:  acme.StatusDeactivated,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				acc: acc,
@ -687,10 +666,7 @@ func TestDB_UpdateAccount(t *testing.T) {
 						assert.FatalError(t, json.Unmarshal(nu, dbNew))
 						assert.Equals(t, dbNew.ID, dbacc.ID)
 						assert.Equals(t, dbNew.Status, acc.Status)
-						assert.Equals(t, dbNew.Contact, acc.Contact)
-						// LocationPrefix should not change.
-						assert.Equals(t, dbNew.LocationPrefix, dbacc.LocationPrefix)
-						assert.Equals(t, dbNew.ProvisionerName, dbacc.ProvisionerName)
+						assert.Equals(t, dbNew.Contact, dbacc.Contact)
 						assert.Equals(t, dbNew.Key.KeyID, dbacc.Key.KeyID)
 						assert.Equals(t, dbNew.CreatedAt, dbacc.CreatedAt)
 						assert.True(t, dbNew.DeactivatedAt.Add(-time.Minute).Before(now))
@ -710,7 +686,12 @@ func TestDB_UpdateAccount(t *testing.T) {
 					assert.HasPrefix(t, err.Error(), tc.err.Error())
 				}
 			} else {
-				assert.Nil(t, tc.err)
+				if assert.Nil(t, tc.err) {
+					assert.Equals(t, tc.acc.ID, dbacc.ID)
+					assert.Equals(t, tc.acc.Status, dbacc.Status)
+					assert.Equals(t, tc.acc.Contact, dbacc.Contact)
+					assert.Equals(t, tc.acc.Key.KeyID, dbacc.Key.KeyID)
+				}
 			}
 		})
 	}
--- a/acme/db/nosql/authz.go
+++ b/acme/db/nosql/authz.go
@ -17,7 +17,6 @@ type dbAuthz struct {
 	Identifier   acme.Identifier `json:"identifier"`
 	Status       acme.Status     `json:"status"`
 	Token        string          `json:"token"`
-	Fingerprint  string          `json:"fingerprint,omitempty"`
 	ChallengeIDs []string        `json:"challengeIDs"`
 	Wildcard     bool            `json:"wildcard"`
 	CreatedAt    time.Time       `json:"createdAt"`
@ -32,7 +31,7 @@ func (ba *dbAuthz) clone() *dbAuthz {

 // getDBAuthz retrieves and unmarshals a database representation of the
 // ACME Authorization type.
-func (db *DB) getDBAuthz(_ context.Context, id string) (*dbAuthz, error) {
+func (db *DB) getDBAuthz(ctx context.Context, id string) (*dbAuthz, error) {
 	data, err := db.db.Get(authzTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id)
@ -62,16 +61,15 @@ func (db *DB) GetAuthorization(ctx context.Context, id string) (*acme.Authorizat
 		}
 	}
 	return &acme.Authorization{
-		ID:          dbaz.ID,
-		AccountID:   dbaz.AccountID,
-		Identifier:  dbaz.Identifier,
-		Status:      dbaz.Status,
-		Challenges:  chs,
-		Wildcard:    dbaz.Wildcard,
-		ExpiresAt:   dbaz.ExpiresAt,
-		Token:       dbaz.Token,
-		Fingerprint: dbaz.Fingerprint,
-		Error:       dbaz.Error,
+		ID:         dbaz.ID,
+		AccountID:  dbaz.AccountID,
+		Identifier: dbaz.Identifier,
+		Status:     dbaz.Status,
+		Challenges: chs,
+		Wildcard:   dbaz.Wildcard,
+		ExpiresAt:  dbaz.ExpiresAt,
+		Token:      dbaz.Token,
+		Error:      dbaz.Error,
 	}, nil
 }

@ -99,7 +97,6 @@ func (db *DB) CreateAuthorization(ctx context.Context, az *acme.Authorization) e
 		Identifier:   az.Identifier,
 		ChallengeIDs: chIDs,
 		Token:        az.Token,
-		Fingerprint:  az.Fingerprint,
 		Wildcard:     az.Wildcard,
 	}

@ -114,14 +111,14 @@ func (db *DB) UpdateAuthorization(ctx context.Context, az *acme.Authorization) e
 	}

 	nu := old.clone()
+
 	nu.Status = az.Status
-	nu.Fingerprint = az.Fingerprint
 	nu.Error = az.Error
 	return db.save(ctx, old.ID, nu, old, "authz", authzTable)
 }

 // GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database.
-func (db *DB) GetAuthorizationsByAccountID(_ context.Context, accountID string) ([]*acme.Authorization, error) {
+func (db *DB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*acme.Authorization, error) {
 	entries, err := db.db.List(authzTable)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error listing authz")
@ -139,16 +136,15 @@ func (db *DB) GetAuthorizationsByAccountID(_ context.Context, accountID string)
 			continue
 		}
 		authzs = append(authzs, &acme.Authorization{
-			ID:          dbaz.ID,
-			AccountID:   dbaz.AccountID,
-			Identifier:  dbaz.Identifier,
-			Status:      dbaz.Status,
-			Challenges:  nil, // challenges not required for current use case
-			Wildcard:    dbaz.Wildcard,
-			ExpiresAt:   dbaz.ExpiresAt,
-			Token:       dbaz.Token,
-			Fingerprint: dbaz.Fingerprint,
-			Error:       dbaz.Error,
+			ID:         dbaz.ID,
+			AccountID:  dbaz.AccountID,
+			Identifier: dbaz.Identifier,
+			Status:     dbaz.Status,
+			Challenges: nil, // challenges not required for current use case
+			Wildcard:   dbaz.Wildcard,
+			ExpiresAt:  dbaz.ExpiresAt,
+			Token:      dbaz.Token,
+			Error:      dbaz.Error,
 		})
 	}

--- a/acme/db/nosql/authz_test.go
+++ b/acme/db/nosql/authz_test.go
@ -473,7 +473,6 @@ func TestDB_UpdateAuthorization(t *testing.T) {
 		ExpiresAt:    now.Add(5 * time.Minute),
 		ChallengeIDs: []string{"foo", "bar"},
 		Wildcard:     true,
-		Fingerprint:  "fingerprint",
 	}
 	b, err := json.Marshal(dbaz)
 	assert.FatalError(t, err)
@ -550,11 +549,10 @@ func TestDB_UpdateAuthorization(t *testing.T) {
 					{ID: "foo"},
 					{ID: "bar"},
 				},
-				Token:       dbaz.Token,
-				Wildcard:    dbaz.Wildcard,
-				ExpiresAt:   dbaz.ExpiresAt,
-				Fingerprint: "fingerprint",
-				Error:       acme.NewError(acme.ErrorMalformedType, "malformed"),
+				Token:     dbaz.Token,
+				Wildcard:  dbaz.Wildcard,
+				ExpiresAt: dbaz.ExpiresAt,
+				Error:     acme.NewError(acme.ErrorMalformedType, "malformed"),
 			}
 			return test{
 				az: updAz,
@ -584,7 +582,6 @@ func TestDB_UpdateAuthorization(t *testing.T) {
 						assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard)
 						assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt)
 						assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt)
-						assert.Equals(t, dbNew.Fingerprint, dbaz.Fingerprint)
 						assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error())
 						return nu, true, nil
 					},
--- a/acme/db/nosql/certificate.go
+++ b/acme/db/nosql/certificate.go
@ -69,7 +69,7 @@ func (db *DB) CreateCertificate(ctx context.Context, cert *acme.Certificate) err

 // GetCertificate retrieves and unmarshals an ACME certificate type from the
 // datastore.
-func (db *DB) GetCertificate(_ context.Context, id string) (*acme.Certificate, error) {
+func (db *DB) GetCertificate(ctx context.Context, id string) (*acme.Certificate, error) {
 	b, err := db.db.Get(certTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "certificate %s not found", id)
--- a/acme/db/nosql/challenge.go
+++ b/acme/db/nosql/challenge.go
@ -6,10 +6,8 @@ import (
 	"time"

 	"github.com/pkg/errors"
-
-	"github.com/smallstep/nosql"
-
 	"github.com/smallstep/certificates/acme"
+	"github.com/smallstep/nosql"
 )

 type dbChallenge struct {
@ -21,7 +19,7 @@ type dbChallenge struct {
 	Value       string             `json:"value"`
 	ValidatedAt string             `json:"validatedAt"`
 	CreatedAt   time.Time          `json:"createdAt"`
-	Error       *acme.Error        `json:"error"` // TODO(hs): a bit dangerous; should become db-specific type
+	Error       *acme.Error        `json:"error"`
 }

 func (dbc *dbChallenge) clone() *dbChallenge {
@ -29,7 +27,7 @@ func (dbc *dbChallenge) clone() *dbChallenge {
 	return &u
 }

-func (db *DB) getDBChallenge(_ context.Context, id string) (*dbChallenge, error) {
+func (db *DB) getDBChallenge(ctx context.Context, id string) (*dbChallenge, error) {
 	data, err := db.db.Get(challengeTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "challenge %s not found", id)
@ -69,7 +67,6 @@ func (db *DB) CreateChallenge(ctx context.Context, ch *acme.Challenge) error {
 // GetChallenge retrieves and unmarshals an ACME challenge type from the database.
 // Implements the acme.DB GetChallenge interface.
 func (db *DB) GetChallenge(ctx context.Context, id, authzID string) (*acme.Challenge, error) {
-	_ = authzID // unused input
 	dbch, err := db.getDBChallenge(ctx, id)
 	if err != nil {
 		return nil, err
--- a/acme/db/nosql/eab.go
+++ b/acme/db/nosql/eab.go
@ -35,7 +35,7 @@ type dbExternalAccountKeyReference struct {
 }

 // getDBExternalAccountKey retrieves and unmarshals dbExternalAccountKey.
-func (db *DB) getDBExternalAccountKey(_ context.Context, id string) (*dbExternalAccountKey, error) {
+func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExternalAccountKey, error) {
 	data, err := db.db.Get(externalAccountKeyTable, []byte(id))
 	if err != nil {
 		if nosqlDB.IsErrNotFound(err) {
@ -160,8 +160,6 @@ func (db *DB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID

 // GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner
 func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*acme.ExternalAccountKey, string, error) {
-	_, _ = cursor, limit // unused input
-
 	externalAccountKeyMutex.RLock()
 	defer externalAccountKeyMutex.RUnlock()

@ -229,7 +227,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI
 	return db.GetExternalAccountKey(ctx, provisionerID, dbExternalAccountKeyReference.ExternalAccountKeyID)
 }

-func (db *DB) GetExternalAccountKeyByAccountID(context.Context, string, string) (*acme.ExternalAccountKey, error) {
+func (db *DB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
 	//nolint:nilnil // legacy
 	return nil, nil
 }
--- a/acme/db/nosql/nonce.go
+++ b/acme/db/nosql/nonce.go
@ -39,7 +39,7 @@ func (db *DB) CreateNonce(ctx context.Context) (acme.Nonce, error) {

 // DeleteNonce verifies that the nonce is valid (by checking if it exists),
 // and if so, consumes the nonce resource by deleting it from the database.
-func (db *DB) DeleteNonce(_ context.Context, nonce acme.Nonce) error {
+func (db *DB) DeleteNonce(ctx context.Context, nonce acme.Nonce) error {
 	err := db.db.Update(&database.Tx{
 		Operations: []*database.TxEntry{
 			{
--- a/acme/db/nosql/nosql.go
+++ b/acme/db/nosql/nosql.go
@ -48,7 +48,7 @@ func New(db nosqlDB.DB) (*DB, error) {

 // save writes the new data to the database, overwriting the old data if it
 // existed.
-func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error {
+func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error {
 	var (
 		err  error
 		newB []byte
--- a/acme/db/nosql/order.go
+++ b/acme/db/nosql/order.go
@ -35,7 +35,7 @@ func (a *dbOrder) clone() *dbOrder {
 }

 // getDBOrder retrieves and unmarshals an ACME Order type from the database.
-func (db *DB) getDBOrder(_ context.Context, id string) (*dbOrder, error) {
+func (db *DB) getDBOrder(ctx context.Context, id string) (*dbOrder, error) {
 	b, err := db.db.Get(orderTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "order %s not found", id)
--- a/acme/db_test.go
+++ b/acme/db_test.go
@ -1,32 +0,0 @@
-package acme
-
-import (
-	"database/sql"
-	"errors"
-	"fmt"
-	"testing"
-)
-
-func TestIsErrNotFound(t *testing.T) {
-	type args struct {
-		err error
-	}
-	tests := []struct {
-		name string
-		args args
-		want bool
-	}{
-		{"true ErrNotFound", args{ErrNotFound}, true},
-		{"true sql.ErrNoRows", args{sql.ErrNoRows}, true},
-		{"true wrapped ErrNotFound", args{fmt.Errorf("something failed: %w", ErrNotFound)}, true},
-		{"true wrapped sql.ErrNoRows", args{fmt.Errorf("something failed: %w", sql.ErrNoRows)}, true},
-		{"false other", args{errors.New("not found")}, false},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := IsErrNotFound(tt.args.err); got != tt.want {
-				t.Errorf("IsErrNotFound() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/acme/errors.go
+++ b/acme/errors.go
@ -270,77 +270,21 @@ var (
 	}
 )

-// Error represents an ACME Error
+// Error represents an ACME
 type Error struct {
-	Type        string       `json:"type"`
-	Detail      string       `json:"detail"`
-	Subproblems []Subproblem `json:"subproblems,omitempty"`
-	Err         error        `json:"-"`
-	Status      int          `json:"-"`
+	Type        string        `json:"type"`
+	Detail      string        `json:"detail"`
+	Subproblems []interface{} `json:"subproblems,omitempty"`
+	Identifier  interface{}   `json:"identifier,omitempty"`
+	Err         error         `json:"-"`
+	Status      int           `json:"-"`
 }

-// Subproblem represents an ACME subproblem. It's fairly
-// similar to an ACME error, but differs in that it can't
-// include subproblems itself, the error is reflected
-// in the Detail property and doesn't have a Status.
-type Subproblem struct {
-	Type   string `json:"type"`
-	Detail string `json:"detail"`
-	// The "identifier" field MUST NOT be present at the top level in ACME
-	// problem documents.  It can only be present in subproblems.
-	// Subproblems need not all have the same type, and they do not need to
-	// match the top level type.
-	Identifier *Identifier `json:"identifier,omitempty"`
-}
-
-// NewError creates a new Error.
+// NewError creates a new Error type.
 func NewError(pt ProblemType, msg string, args ...interface{}) *Error {
 	return newError(pt, errors.Errorf(msg, args...))
 }

-// NewDetailedError creates a new Error that includes the error
-// message in the details, providing more information to the
-// ACME client.
-func NewDetailedError(pt ProblemType, msg string, args ...interface{}) *Error {
-	return NewError(pt, msg, args...).withDetail()
-}
-
-func (e *Error) withDetail() *Error {
-	if e == nil || e.Status >= 500 || e.Err == nil {
-		return e
-	}
-
-	e.Detail = fmt.Sprintf("%s: %s", e.Detail, e.Err)
-	return e
-}
-
-// AddSubproblems adds the Subproblems to Error. It
-// returns the Error, allowing for fluent addition.
-func (e *Error) AddSubproblems(subproblems ...Subproblem) *Error {
-	e.Subproblems = append(e.Subproblems, subproblems...)
-	return e
-}
-
-// NewSubproblem creates a new Subproblem. The msg and args
-// are used to create a new error, which is set as the Detail, allowing
-// for more detailed error messages to be returned to the ACME client.
-func NewSubproblem(pt ProblemType, msg string, args ...interface{}) Subproblem {
-	e := newError(pt, fmt.Errorf(msg, args...))
-	s := Subproblem{
-		Type:   e.Type,
-		Detail: e.Err.Error(),
-	}
-	return s
-}
-
-// NewSubproblemWithIdentifier creates a new Subproblem with a specific ACME
-// Identifier. It calls NewSubproblem and sets the Identifier.
-func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...interface{}) Subproblem {
-	s := NewSubproblem(pt, msg, args...)
-	s.Identifier = &identifier
-	return s
-}
-
 func newError(pt ProblemType, err error) *Error {
 	meta, ok := errorMap[pt]
 	if !ok {
@ -384,10 +328,6 @@ func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Err
 	}
 }

-func WrapDetailedError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
-	return WrapError(typ, err, msg, args...).withDetail()
-}
-
 // WrapErrorISE shortcut to wrap an internal server error type.
 func WrapErrorISE(err error, msg string, args ...interface{}) *Error {
 	return WrapError(ErrorServerInternalType, err, msg, args...)
@ -424,7 +364,7 @@ func (e *Error) ToLog() (interface{}, error) {
 }

 // Render implements render.RenderableError for Error.
-func (e *Error) Render(w http.ResponseWriter, r *http.Request) {
+func (e *Error) Render(w http.ResponseWriter) {
 	w.Header().Set("Content-Type", "application/problem+json")
-	render.JSONStatus(w, r, e, e.StatusCode())
+	render.JSONStatus(w, e, e.StatusCode())
 }
--- a/acme/errors_test.go
+++ b/acme/errors_test.go
@ -1,54 +0,0 @@
-package acme
-
-import (
-	"encoding/json"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func mustJSON(t *testing.T, m map[string]interface{}) string {
-	t.Helper()
-
-	b, err := json.Marshal(m)
-	require.NoError(t, err)
-
-	return string(b)
-}
-
-func TestError_WithAdditionalErrorDetail(t *testing.T) {
-	internalJSON := mustJSON(t, map[string]interface{}{
-		"detail": "The server experienced an internal error",
-		"type":   "urn:ietf:params:acme:error:serverInternal",
-	})
-	malformedErr := NewError(ErrorMalformedType, "malformed error") // will result in Err == nil behavior
-	malformedJSON := mustJSON(t, map[string]interface{}{
-		"detail": "The request message was malformed",
-		"type":   "urn:ietf:params:acme:error:malformed",
-	})
-	withDetailJSON := mustJSON(t, map[string]interface{}{
-		"detail": "Attestation statement cannot be verified: invalid property",
-		"type":   "urn:ietf:params:acme:error:badAttestationStatement",
-	})
-	tests := []struct {
-		name string
-		err  *Error
-		want string
-	}{
-		{"internal", NewDetailedError(ErrorServerInternalType, ""), internalJSON},
-		{"nil err", malformedErr, malformedJSON},
-		{"detailed", NewDetailedError(ErrorBadAttestationStatementType, "invalid property"), withDetailJSON},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			b, err := json.Marshal(tt.err)
-			require.NoError(t, err)
-
-			// tests if the additional error detail is included in the JSON representation
-			// of the ACME error. This is what is returned to ACME clients and being logged
-			// by the CA.
-			assert.JSONEq(t, tt.want, string(b))
-		})
-	}
-}
--- a/acme/linker.go
+++ b/acme/linker.go
@ -8,7 +8,7 @@ import (
 	"net/url"
 	"strings"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
@ -142,14 +142,11 @@ func LinkerFromContext(ctx context.Context) (v Linker, ok bool) {
 // MustLinkerFromContext returns the current linker from the given context. It
 // will panic if it's not in the context.
 func MustLinkerFromContext(ctx context.Context) Linker {
-	var (
-		v  Linker
-		ok bool
-	)
-	if v, ok = LinkerFromContext(ctx); !ok {
+	if v, ok := LinkerFromContext(ctx); !ok {
 		panic("acme linker is not the context")
+	} else {
+		return v
 	}
-	return v
 }

 type baseURLKey struct{}
@ -186,19 +183,19 @@ func (l *linker) Middleware(next http.Handler) http.Handler {
 		nameEscaped := chi.URLParam(r, "provisionerID")
 		name, err := url.PathUnescape(nameEscaped)
 		if err != nil {
-			render.Error(w, r, WrapErrorISE(err, "error url unescaping provisioner name '%s'", nameEscaped))
+			render.Error(w, WrapErrorISE(err, "error url unescaping provisioner name '%s'", nameEscaped))
 			return
 		}

 		p, err := authority.MustFromContext(ctx).LoadProvisionerByName(name)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		acmeProv, ok := p.(*provisioner.ACME)
 		if !ok {
-			render.Error(w, r, NewError(ErrorAccountDoesNotExistType, "provisioner must be of type ACME"))
+			render.Error(w, NewError(ErrorAccountDoesNotExistType, "provisioner must be of type ACME"))
 			return
 		}

--- a/acme/order.go
+++ b/acme/order.go
@ -3,7 +3,6 @@ package acme
 import (
 	"bytes"
 	"context"
-	"crypto/subtle"
 	"crypto/x509"
 	"encoding/json"
 	"net"
@ -12,7 +11,6 @@ import (
 	"time"

 	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/x509util"
 )

@ -127,27 +125,6 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
 	return nil
 }

-// getAuthorizationFingerprint returns a fingerprint from the list of authorizations. This
-// fingerprint is used on the device-attest-01 flow to verify the attestation
-// certificate public key with the CSR public key.
-//
-// There's no point on reading all the authorizations as there will be only one
-// for a permanent identifier.
-func (o *Order) getAuthorizationFingerprint(ctx context.Context, db DB) (string, error) {
-	for _, azID := range o.AuthorizationIDs {
-		az, err := db.GetAuthorization(ctx, azID)
-		if err != nil {
-			return "", WrapErrorISE(err, "error getting authorization %q", azID)
-		}
-		// There's no point on reading all the authorizations as there will
-		// be only one for a permanent identifier.
-		if az.Fingerprint != "" {
-			return az.Fingerprint, nil
-		}
-	}
-	return "", nil
-}
-
 // Finalize signs a certificate if the necessary conditions for Order completion
 // have been met.
 //
@ -173,24 +150,6 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 		return NewErrorISE("unexpected status %s for order %s", o.Status, o.ID)
 	}

-	// Get key fingerprint if any. And then compare it with the CSR fingerprint.
-	//
-	// In device-attest-01 challenges we should check that the keys in the CSR
-	// and the attestation certificate are the same.
-	fingerprint, err := o.getAuthorizationFingerprint(ctx, db)
-	if err != nil {
-		return err
-	}
-	if fingerprint != "" {
-		fp, err := keyutil.Fingerprint(csr.PublicKey)
-		if err != nil {
-			return WrapErrorISE(err, "error calculating key fingerprint")
-		}
-		if subtle.ConstantTimeCompare([]byte(fingerprint), []byte(fp)) == 0 {
-			return NewError(ErrorUnauthorizedType, "order %s csr does not match the attested key", o.ID)
-		}
-	}
-
 	// canonicalize the CSR to allow for comparison
 	csr = canonicalize(csr)

@ -206,15 +165,6 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	for i := range o.Identifiers {
 		if o.Identifiers[i].Type == PermanentIdentifier {
 			permanentIdentifier = o.Identifiers[i].Value
-			// the first (and only) Permanent Identifier that gets added to the certificate
-			// should be equal to the Subject Common Name if it's set. If not equal, the CSR
-			// is rejected, because the Common Name hasn't been challenged in that case. This
-			// could result in unauthorized access if a relying system relies on the Common
-			// Name in its authorization logic.
-			if csr.Subject.CommonName != "" && csr.Subject.CommonName != permanentIdentifier {
-				return NewError(ErrorBadCSRType, "CSR Subject Common Name does not match identifiers exactly: "+
-					"CSR Subject Common Name = %s, Order Permanent Identifier = %s", csr.Subject.CommonName, permanentIdentifier)
-			}
 			break
 		}
 	}
@ -263,7 +213,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	signOps = append(signOps, extraOptions...)

 	// Sign a new certificate.
-	certChain, err := auth.SignWithContext(ctx, csr, provisioner.SignOptions{
+	certChain, err := auth.Sign(csr, provisioner.SignOptions{
 		NotBefore: provisioner.NewTimeDuration(o.NotBefore),
 		NotAfter:  provisioner.NewTimeDuration(o.NotAfter),
 	}, signOps...)
--- a/acme/order_test.go
+++ b/acme/order_test.go
@ -2,12 +2,9 @@ package acme

 import (
 	"context"
-	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
 	"encoding/json"
-	"fmt"
 	"net"
 	"net/url"
 	"reflect"
@ -19,7 +16,6 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/x509util"
 )

@ -271,16 +267,16 @@ func TestOrder_UpdateStatus(t *testing.T) {
 }

 type mockSignAuth struct {
-	signWithContext       func(ctx context.Context, csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	sign                  func(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	areSANsAllowed        func(ctx context.Context, sans []string) error
 	loadProvisionerByName func(string) (provisioner.Interface, error)
 	ret1, ret2            interface{}
 	err                   error
 }

-func (m *mockSignAuth) SignWithContext(ctx context.Context, csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
-	if m.signWithContext != nil {
-		return m.signWithContext(ctx, csr, signOpts, extraOpts...)
+func (m *mockSignAuth) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+	if m.sign != nil {
+		return m.sign(csr, signOpts, extraOpts...)
 	} else if m.err != nil {
 		return nil, m.err
 	}
@ -301,7 +297,7 @@ func (m *mockSignAuth) LoadProvisionerByName(name string) (provisioner.Interface
 	return m.ret1.(provisioner.Interface), m.err
 }

-func (m *mockSignAuth) IsRevoked(string) (bool, error) {
+func (m *mockSignAuth) IsRevoked(sn string) (bool, error) {
 	return false, nil
 }

@ -310,14 +306,6 @@ func (m *mockSignAuth) Revoke(context.Context, *authority.RevokeOptions) error {
 }

 func TestOrder_Finalize(t *testing.T) {
-	mustSigner := func(kty, crv string, size int) crypto.Signer {
-		s, err := keyutil.GenerateSigner(kty, crv, size)
-		if err != nil {
-			t.Fatal(err)
-		}
-		return s
-	}
-
 	type test struct {
 		o    *Order
 		err  *Error
@ -398,72 +386,6 @@ func TestOrder_Finalize(t *testing.T) {
 				err: NewErrorISE("unrecognized order status: %s", o.Status),
 			}
 		},
-		"fail/non-matching-permanent-identifier-common-name": func(t *testing.T) test {
-			now := clock.Now()
-			o := &Order{
-				ID:               "oID",
-				AccountID:        "accID",
-				Status:           StatusReady,
-				ExpiresAt:        now.Add(5 * time.Minute),
-				AuthorizationIDs: []string{"a", "b"},
-				Identifiers: []Identifier{
-					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
-				},
-			}
-
-			signer := mustSigner("EC", "P-256", 0)
-			fingerprint, err := keyutil.Fingerprint(signer.Public())
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			csr := &x509.CertificateRequest{
-				Subject: pkix.Name{
-					CommonName: "a-different-identifier",
-				},
-				PublicKey: signer.Public(),
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
-						Value: []byte("a-permanent-identifier"),
-					},
-				},
-			}
-			return test{
-				o:   o,
-				csr: csr,
-				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						switch id {
-						case "a":
-							return &Authorization{
-								ID:     id,
-								Status: StatusValid,
-							}, nil
-						case "b":
-							return &Authorization{
-								ID:          id,
-								Fingerprint: fingerprint,
-								Status:      StatusValid,
-							}, nil
-						default:
-							assert.FatalError(t, errors.Errorf("unexpected authorization %s", id))
-							return nil, errors.New("force")
-						}
-					},
-					MockUpdateOrder: func(ctx context.Context, o *Order) error {
-						return nil
-					},
-				},
-				err: &Error{
-					Type:   "urn:ietf:params:acme:error:badCSR",
-					Detail: "The CSR is unacceptable",
-					Status: 400,
-					Err: fmt.Errorf("CSR Subject Common Name does not match identifiers exactly: "+
-						"CSR Subject Common Name = %s, Order Permanent Identifier = %s", csr.Subject.CommonName, "a-permanent-identifier"),
-				},
-			}
-		},
 		"fail/error-provisioner-auth": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
@ -493,11 +415,6 @@ func TestOrder_Finalize(t *testing.T) {
 						return nil, errors.New("force")
 					},
 				},
-				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
-				},
 				err: NewErrorISE("error retrieving authorization options from ACME provisioner: force"),
 			}
 		},
@ -537,11 +454,6 @@ func TestOrder_Finalize(t *testing.T) {
 						}
 					},
 				},
-				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
-				},
 				err: NewErrorISE("error creating template options from ACME provisioner: error unmarshaling template data: invalid character 'o' in literal false (expecting 'a')"),
 			}
 		},
@ -578,16 +490,11 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return nil, errors.New("force")
 					},
 				},
-				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
-				},
 				err: NewErrorISE("error signing certificate for order oID: force"),
 			}
 		},
@ -628,15 +535,12 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
 				},
 				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						assert.Equals(t, cert.AccountID, o.AccountID)
 						assert.Equals(t, cert.OrderID, o.ID)
@ -685,15 +589,12 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
 				},
 				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -716,297 +617,6 @@ func TestOrder_Finalize(t *testing.T) {
 				err: NewErrorISE("error updating order oID: force"),
 			}
 		},
-		"fail/csr-fingerprint": func(t *testing.T) test {
-			now := clock.Now()
-			o := &Order{
-				ID:               "oID",
-				AccountID:        "accID",
-				Status:           StatusReady,
-				ExpiresAt:        now.Add(5 * time.Minute),
-				AuthorizationIDs: []string{"a", "b"},
-				Identifiers: []Identifier{
-					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
-				},
-			}
-
-			signer := mustSigner("EC", "P-256", 0)
-
-			csr := &x509.CertificateRequest{
-				Subject: pkix.Name{
-					CommonName: "a-permanent-identifier",
-				},
-				PublicKey: signer.Public(),
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
-						Value: []byte("a-permanent-identifier"),
-					},
-				},
-			}
-
-			leaf := &x509.Certificate{
-				Subject:   pkix.Name{CommonName: "a-permanent-identifier"},
-				PublicKey: signer.Public(),
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
-						Value: []byte("a-permanent-identifier"),
-					},
-				},
-			}
-			inter := &x509.Certificate{Subject: pkix.Name{CommonName: "inter"}}
-			root := &x509.Certificate{Subject: pkix.Name{CommonName: "root"}}
-
-			return test{
-				o:   o,
-				csr: csr,
-				prov: &MockProvisioner{
-					MauthorizeSign: func(ctx context.Context, token string) ([]provisioner.SignOption, error) {
-						assert.Equals(t, token, "")
-						return nil, nil
-					},
-					MgetOptions: func() *provisioner.Options {
-						return nil
-					},
-				},
-				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
-						assert.Equals(t, _csr, csr)
-						return []*x509.Certificate{leaf, inter, root}, nil
-					},
-				},
-				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{
-							ID:          id,
-							Fingerprint: "other-fingerprint",
-							Status:      StatusValid,
-						}, nil
-					},
-					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
-						cert.ID = "certID"
-						assert.Equals(t, cert.AccountID, o.AccountID)
-						assert.Equals(t, cert.OrderID, o.ID)
-						assert.Equals(t, cert.Leaf, leaf)
-						assert.Equals(t, cert.Intermediates, []*x509.Certificate{inter, root})
-						return nil
-					},
-					MockUpdateOrder: func(ctx context.Context, updo *Order) error {
-						assert.Equals(t, updo.CertificateID, "certID")
-						assert.Equals(t, updo.Status, StatusValid)
-						assert.Equals(t, updo.ID, o.ID)
-						assert.Equals(t, updo.AccountID, o.AccountID)
-						assert.Equals(t, updo.ExpiresAt, o.ExpiresAt)
-						assert.Equals(t, updo.AuthorizationIDs, o.AuthorizationIDs)
-						assert.Equals(t, updo.Identifiers, o.Identifiers)
-						return nil
-					},
-				},
-				err: NewError(ErrorUnauthorizedType, "order oID csr does not match the attested key"),
-			}
-		},
-		"ok/permanent-identifier": func(t *testing.T) test {
-			now := clock.Now()
-			o := &Order{
-				ID:               "oID",
-				AccountID:        "accID",
-				Status:           StatusReady,
-				ExpiresAt:        now.Add(5 * time.Minute),
-				AuthorizationIDs: []string{"a", "b"},
-				Identifiers: []Identifier{
-					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
-				},
-			}
-
-			signer := mustSigner("EC", "P-256", 0)
-			fingerprint, err := keyutil.Fingerprint(signer.Public())
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			csr := &x509.CertificateRequest{
-				Subject: pkix.Name{
-					CommonName: "a-permanent-identifier",
-				},
-				PublicKey: signer.Public(),
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
-						Value: []byte("a-permanent-identifier"),
-					},
-				},
-			}
-
-			leaf := &x509.Certificate{
-				Subject:   pkix.Name{CommonName: "a-permanent-identifier"},
-				PublicKey: signer.Public(),
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
-						Value: []byte("a-permanent-identifier"),
-					},
-				},
-			}
-			inter := &x509.Certificate{Subject: pkix.Name{CommonName: "inter"}}
-			root := &x509.Certificate{Subject: pkix.Name{CommonName: "root"}}
-
-			return test{
-				o:   o,
-				csr: csr,
-				prov: &MockProvisioner{
-					MauthorizeSign: func(ctx context.Context, token string) ([]provisioner.SignOption, error) {
-						assert.Equals(t, token, "")
-						return nil, nil
-					},
-					MgetOptions: func() *provisioner.Options {
-						return nil
-					},
-				},
-				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
-						assert.Equals(t, _csr, csr)
-						return []*x509.Certificate{leaf, inter, root}, nil
-					},
-				},
-				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						switch id {
-						case "a":
-							return &Authorization{
-								ID:     id,
-								Status: StatusValid,
-							}, nil
-						case "b":
-							return &Authorization{
-								ID:          id,
-								Fingerprint: fingerprint,
-								Status:      StatusValid,
-							}, nil
-						default:
-							assert.FatalError(t, errors.Errorf("unexpected authorization %s", id))
-							return nil, errors.New("force")
-						}
-					},
-					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
-						cert.ID = "certID"
-						assert.Equals(t, cert.AccountID, o.AccountID)
-						assert.Equals(t, cert.OrderID, o.ID)
-						assert.Equals(t, cert.Leaf, leaf)
-						assert.Equals(t, cert.Intermediates, []*x509.Certificate{inter, root})
-						return nil
-					},
-					MockUpdateOrder: func(ctx context.Context, updo *Order) error {
-						assert.Equals(t, updo.CertificateID, "certID")
-						assert.Equals(t, updo.Status, StatusValid)
-						assert.Equals(t, updo.ID, o.ID)
-						assert.Equals(t, updo.AccountID, o.AccountID)
-						assert.Equals(t, updo.ExpiresAt, o.ExpiresAt)
-						assert.Equals(t, updo.AuthorizationIDs, o.AuthorizationIDs)
-						assert.Equals(t, updo.Identifiers, o.Identifiers)
-						return nil
-					},
-				},
-			}
-		},
-		"ok/permanent-identifier-only": func(t *testing.T) test {
-			now := clock.Now()
-			o := &Order{
-				ID:               "oID",
-				AccountID:        "accID",
-				Status:           StatusReady,
-				ExpiresAt:        now.Add(5 * time.Minute),
-				AuthorizationIDs: []string{"a", "b"},
-				Identifiers: []Identifier{
-					{Type: "dns", Value: "foo.internal"},
-					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
-				},
-			}
-
-			signer := mustSigner("EC", "P-256", 0)
-			fingerprint, err := keyutil.Fingerprint(signer.Public())
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			csr := &x509.CertificateRequest{
-				Subject: pkix.Name{
-					CommonName: "a-permanent-identifier",
-				},
-				DNSNames:  []string{"foo.internal"},
-				PublicKey: signer.Public(),
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
-						Value: []byte("a-permanent-identifier"),
-					},
-				},
-			}
-
-			leaf := &x509.Certificate{
-				Subject:   pkix.Name{CommonName: "a-permanent-identifier"},
-				PublicKey: signer.Public(),
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
-						Value: []byte("a-permanent-identifier"),
-					},
-				},
-			}
-			inter := &x509.Certificate{Subject: pkix.Name{CommonName: "inter"}}
-			root := &x509.Certificate{Subject: pkix.Name{CommonName: "root"}}
-
-			return test{
-				o:   o,
-				csr: csr,
-				prov: &MockProvisioner{
-					MauthorizeSign: func(ctx context.Context, token string) ([]provisioner.SignOption, error) {
-						assert.Equals(t, token, "")
-						return nil, nil
-					},
-					MgetOptions: func() *provisioner.Options {
-						return nil
-					},
-				},
-				// TODO(hs): we should work on making the mocks more realistic. Ideally, we should get rid of
-				// the mock entirely, relying on an instances of provisioner, authority and DB (possibly hardest), so
-				// that behavior of the tests is what an actual CA would do. We could gradually phase them out by
-				// using the mocking functions as a wrapper for actual test helpers generated per test case or per
-				// function that's tested.
-				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
-						assert.Equals(t, _csr, csr)
-						return []*x509.Certificate{leaf, inter, root}, nil
-					},
-				},
-				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{
-							ID:          id,
-							Fingerprint: fingerprint,
-							Status:      StatusValid,
-						}, nil
-					},
-					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
-						cert.ID = "certID"
-						assert.Equals(t, cert.AccountID, o.AccountID)
-						assert.Equals(t, cert.OrderID, o.ID)
-						assert.Equals(t, cert.Leaf, leaf)
-						assert.Equals(t, cert.Intermediates, []*x509.Certificate{inter, root})
-						return nil
-					},
-					MockUpdateOrder: func(ctx context.Context, updo *Order) error {
-						assert.Equals(t, updo.CertificateID, "certID")
-						assert.Equals(t, updo.Status, StatusValid)
-						assert.Equals(t, updo.ID, o.ID)
-						assert.Equals(t, updo.AccountID, o.AccountID)
-						assert.Equals(t, updo.ExpiresAt, o.ExpiresAt)
-						assert.Equals(t, updo.AuthorizationIDs, o.AuthorizationIDs)
-						assert.Equals(t, updo.Identifiers, o.Identifiers)
-						return nil
-					},
-				},
-			}
-		},
 		"ok/new-cert-dns": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
@ -1044,15 +654,12 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
 				},
 				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -1108,15 +715,12 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
 				},
 				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -1175,15 +779,12 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
 				},
 				db: &MockDB{
-					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-						return &Authorization{ID: id, Status: StatusValid}, nil
-					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -1891,55 +1492,3 @@ func TestOrder_sans(t *testing.T) {
 		})
 	}
 }
-
-func TestOrder_getAuthorizationFingerprint(t *testing.T) {
-	ctx := context.Background()
-	type fields struct {
-		AuthorizationIDs []string
-	}
-	type args struct {
-		ctx context.Context
-		db  DB
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		args    args
-		want    string
-		wantErr bool
-	}{
-		{"ok", fields{[]string{"az1", "az2"}}, args{ctx, &MockDB{
-			MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-				return &Authorization{ID: id, Status: StatusValid}, nil
-			},
-		}}, "", false},
-		{"ok fingerprint", fields{[]string{"az1", "az2"}}, args{ctx, &MockDB{
-			MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-				if id == "az1" {
-					return &Authorization{ID: id, Status: StatusValid}, nil
-				}
-				return &Authorization{ID: id, Fingerprint: "fingerprint", Status: StatusValid}, nil
-			},
-		}}, "fingerprint", false},
-		{"fail", fields{[]string{"az1", "az2"}}, args{ctx, &MockDB{
-			MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
-				return nil, errors.New("force")
-			},
-		}}, "", true},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			o := &Order{
-				AuthorizationIDs: tt.fields.AuthorizationIDs,
-			}
-			got, err := o.getAuthorizationFingerprint(tt.args.ctx, tt.args.db)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Order.getAuthorizationFingerprint() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("Order.getAuthorizationFingerprint() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/api/api.go
+++ b/api/api.go
@ -1,7 +1,6 @@
 package api

 import (
-	"bytes"
 	"context"
 	"crypto"
 	"crypto/dsa" //nolint:staticcheck // support legacy algorithms
@ -19,13 +18,10 @@ import (
 	"strings"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
-	"go.step.sm/crypto/sshutil"
-	"golang.org/x/crypto/ssh"

 	"github.com/smallstep/certificates/api/log"
-	"github.com/smallstep/certificates/api/models"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/config"
@ -42,9 +38,8 @@ type Authority interface {
 	AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error)
 	GetTLSOptions() *config.TLSOptions
 	Root(shasum string) (*x509.Certificate, error)
-	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	Renew(peer *x509.Certificate) ([]*x509.Certificate, error)
-	RenewContext(ctx context.Context, peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
 	Rekey(peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
 	LoadProvisionerByCertificate(*x509.Certificate) (provisioner.Interface, error)
 	LoadProvisionerByName(string) (provisioner.Interface, error)
@ -54,7 +49,6 @@ type Authority interface {
 	GetRoots() ([]*x509.Certificate, error)
 	GetFederation() ([]*x509.Certificate, error)
 	Version() authority.Version
-	GetCertificateRevocationList() (*authority.CertificateRevocationListInfo, error)
 }

 // mustAuthority will be replaced on unit tests.
@ -228,60 +222,8 @@ type RootResponse struct {
 // ProvisionersResponse is the response object that returns the list of
 // provisioners.
 type ProvisionersResponse struct {
-	Provisioners provisioner.List
-	NextCursor   string
-}
-
-const redacted = "*** REDACTED ***"
-
-func scepFromProvisioner(p *provisioner.SCEP) *models.SCEP {
-	return &models.SCEP{
-		ID:                            p.ID,
-		Type:                          p.Type,
-		Name:                          p.Name,
-		ForceCN:                       p.ForceCN,
-		ChallengePassword:             redacted,
-		Capabilities:                  p.Capabilities,
-		IncludeRoot:                   p.IncludeRoot,
-		ExcludeIntermediate:           p.ExcludeIntermediate,
-		MinimumPublicKeyLength:        p.MinimumPublicKeyLength,
-		DecrypterCertificate:          []byte(redacted),
-		DecrypterKeyPEM:               []byte(redacted),
-		DecrypterKeyURI:               redacted,
-		DecrypterKeyPassword:          redacted,
-		EncryptionAlgorithmIdentifier: p.EncryptionAlgorithmIdentifier,
-		Options:                       p.Options,
-		Claims:                        p.Claims,
-	}
-}
-
-// MarshalJSON implements json.Marshaler. It marshals the ProvisionersResponse
-// into a byte slice.
-//
-// Special treatment is given to the SCEP provisioner, as it contains a
-// challenge secret that MUST NOT be leaked in (public) HTTP responses. The
-// challenge value is thus redacted in HTTP responses.
-func (p ProvisionersResponse) MarshalJSON() ([]byte, error) {
-	var responseProvisioners provisioner.List
-	for _, item := range p.Provisioners {
-		scepProv, ok := item.(*provisioner.SCEP)
-		if !ok {
-			responseProvisioners = append(responseProvisioners, item)
-			continue
-		}
-
-		responseProvisioners = append(responseProvisioners, scepFromProvisioner(scepProv))
-	}
-
-	var list = struct {
-		Provisioners []provisioner.Interface `json:"provisioners"`
-		NextCursor   string                  `json:"nextCursor"`
-	}{
-		Provisioners: []provisioner.Interface(responseProvisioners),
-		NextCursor:   p.NextCursor,
-	}
-
-	return json.Marshal(list)
+	Provisioners provisioner.List `json:"provisioners"`
+	NextCursor   string           `json:"nextCursor"`
 }

 // ProvisionerKeyResponse is the response object that returns the encrypted key
@ -313,7 +255,7 @@ func (h *caHandler) Route(r Router) {
 // New creates a new RouterHandler with the CA endpoints.
 //
 // Deprecated: Use api.Route(r Router)
-func New(Authority) RouterHandler {
+func New(auth Authority) RouterHandler {
 	return &caHandler{}
 }

@ -325,7 +267,6 @@ func Route(r Router) {
 	r.MethodFunc("POST", "/renew", Renew)
 	r.MethodFunc("POST", "/rekey", Rekey)
 	r.MethodFunc("POST", "/revoke", Revoke)
-	r.MethodFunc("GET", "/crl", CRL)
 	r.MethodFunc("GET", "/provisioners", Provisioners)
 	r.MethodFunc("GET", "/provisioners/{kid}/encrypted-key", ProvisionerKey)
 	r.MethodFunc("GET", "/roots", Roots)
@ -353,7 +294,7 @@ func Route(r Router) {
 // Version is an HTTP handler that returns the version of the server.
 func Version(w http.ResponseWriter, r *http.Request) {
 	v := mustAuthority(r.Context()).Version()
-	render.JSON(w, r, VersionResponse{
+	render.JSON(w, VersionResponse{
 		Version:                     v.Version,
 		RequireClientAuthentication: v.RequireClientAuthentication,
 	})
@ -361,7 +302,7 @@ func Version(w http.ResponseWriter, r *http.Request) {

 // Health is an HTTP handler that returns the status of the server.
 func Health(w http.ResponseWriter, r *http.Request) {
-	render.JSON(w, r, HealthResponse{Status: "ok"})
+	render.JSON(w, HealthResponse{Status: "ok"})
 }

 // Root is an HTTP handler that using the SHA256 from the URL, returns the root
@ -372,11 +313,11 @@ func Root(w http.ResponseWriter, r *http.Request) {
 	// Load root certificate with the
 	cert, err := mustAuthority(r.Context()).Root(sum)
 	if err != nil {
-		render.Error(w, r, errs.Wrapf(http.StatusNotFound, err, "%s was not found", r.RequestURI))
+		render.Error(w, errs.Wrapf(http.StatusNotFound, err, "%s was not found", r.RequestURI))
 		return
 	}

-	render.JSON(w, r, &RootResponse{RootPEM: Certificate{cert}})
+	render.JSON(w, &RootResponse{RootPEM: Certificate{cert}})
 }

 func certChainToPEM(certChain []*x509.Certificate) []Certificate {
@ -391,17 +332,17 @@ func certChainToPEM(certChain []*x509.Certificate) []Certificate {
 func Provisioners(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	p, next, err := mustAuthority(r.Context()).GetProvisioners(cursor, limit)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

-	render.JSON(w, r, &ProvisionersResponse{
+	render.JSON(w, &ProvisionersResponse{
 		Provisioners: p,
 		NextCursor:   next,
 	})
@ -412,18 +353,18 @@ func ProvisionerKey(w http.ResponseWriter, r *http.Request) {
 	kid := chi.URLParam(r, "kid")
 	key, err := mustAuthority(r.Context()).GetEncryptedKey(kid)
 	if err != nil {
-		render.Error(w, r, errs.NotFoundErr(err))
+		render.Error(w, errs.NotFoundErr(err))
 		return
 	}

-	render.JSON(w, r, &ProvisionerKeyResponse{key})
+	render.JSON(w, &ProvisionerKeyResponse{key})
 }

 // Roots returns all the root certificates for the CA.
 func Roots(w http.ResponseWriter, r *http.Request) {
 	roots, err := mustAuthority(r.Context()).GetRoots()
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error getting roots"))
+		render.Error(w, errs.ForbiddenErr(err, "error getting roots"))
 		return
 	}

@ -432,7 +373,7 @@ func Roots(w http.ResponseWriter, r *http.Request) {
 		certs[i] = Certificate{roots[i]}
 	}

-	render.JSONStatus(w, r, &RootsResponse{
+	render.JSONStatus(w, &RootsResponse{
 		Certificates: certs,
 	}, http.StatusCreated)
 }
@ -441,7 +382,7 @@ func Roots(w http.ResponseWriter, r *http.Request) {
 func RootsPEM(w http.ResponseWriter, r *http.Request) {
 	roots, err := mustAuthority(r.Context()).GetRoots()
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

@ -454,7 +395,7 @@ func RootsPEM(w http.ResponseWriter, r *http.Request) {
 		})

 		if _, err := w.Write(block); err != nil {
-			log.Error(w, r, err)
+			log.Error(w, err)
 			return
 		}
 	}
@ -464,7 +405,7 @@ func RootsPEM(w http.ResponseWriter, r *http.Request) {
 func Federation(w http.ResponseWriter, r *http.Request) {
 	federated, err := mustAuthority(r.Context()).GetFederation()
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error getting federated roots"))
+		render.Error(w, errs.ForbiddenErr(err, "error getting federated roots"))
 		return
 	}

@ -473,7 +414,7 @@ func Federation(w http.ResponseWriter, r *http.Request) {
 		certs[i] = Certificate{federated[i]}
 	}

-	render.JSONStatus(w, r, &FederationResponse{
+	render.JSONStatus(w, &FederationResponse{
 		Certificates: certs,
 	}, http.StatusCreated)
 }
@ -494,7 +435,7 @@ func logOtt(w http.ResponseWriter, token string) {
 	}
 }

-// LogCertificate adds certificate fields to the log message.
+// LogCertificate add certificate fields to the log message.
 func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 	if rl, ok := w.(logging.ResponseLogger); ok {
 		m := map[string]interface{}{
@ -526,46 +467,11 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 	}
 }

-// LogSSHCertificate adds SSH certificate fields to the log message.
-func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate) {
-	if rl, ok := w.(logging.ResponseLogger); ok {
-		mak := bytes.TrimSpace(ssh.MarshalAuthorizedKey(cert))
-		var certificate string
-		parts := strings.Split(string(mak), " ")
-		if len(parts) > 1 {
-			certificate = parts[1]
-		}
-		var userOrHost string
-		if cert.CertType == ssh.HostCert {
-			userOrHost = "host"
-		} else {
-			userOrHost = "user"
-		}
-		certificateType := fmt.Sprintf("%s %s certificate", parts[0], userOrHost) // e.g. ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
-		m := map[string]interface{}{
-			"serial":           cert.Serial,
-			"principals":       cert.ValidPrincipals,
-			"valid-from":       time.Unix(int64(cert.ValidAfter), 0).Format(time.RFC3339),
-			"valid-to":         time.Unix(int64(cert.ValidBefore), 0).Format(time.RFC3339),
-			"certificate":      certificate,
-			"certificate-type": certificateType,
-		}
-		fingerprint, err := sshutil.FormatFingerprint(mak, sshutil.DefaultFingerprint)
-		if err == nil {
-			fpParts := strings.Split(fingerprint, " ")
-			if len(fpParts) > 3 {
-				m["public-key"] = fmt.Sprintf("%s %s", fpParts[1], fpParts[len(fpParts)-1])
-			}
-		}
-		rl.WithFields(m)
-	}
-}
-
 // ParseCursor parses the cursor and limit from the request query params.
 func ParseCursor(r *http.Request) (cursor string, limit int, err error) {
 	q := r.URL.Query()
 	cursor = q.Get("cursor")
-	if v := q.Get("limit"); v != "" {
+	if v := q.Get("limit"); len(v) > 0 {
 		limit, err = strconv.Atoi(v)
 		if err != nil {
 			return "", 0, errs.BadRequestErr(err, "limit '%s' is not an integer", v)
--- a/api/api_test.go
+++ b/api/api_test.go
@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"crypto/dsa" //nolint:staticcheck // support legacy algorithms
+	"crypto/dsa" //nolint
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
@ -26,14 +26,14 @@ import (
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
+
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"
-	"golang.org/x/crypto/ssh"

+	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
@ -189,10 +189,9 @@ type mockAuthority struct {
 	authorizeRenewToken          func(ctx context.Context, ott string) (*x509.Certificate, error)
 	getTLSOptions                func() *authority.TLSOptions
 	root                         func(shasum string) (*x509.Certificate, error)
-	signWithContext              func(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	sign                         func(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	renew                        func(cert *x509.Certificate) ([]*x509.Certificate, error)
 	rekey                        func(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
-	renewContext                 func(ctx context.Context, oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
 	loadProvisionerByCertificate func(cert *x509.Certificate) (provisioner.Interface, error)
 	loadProvisionerByName        func(name string) (provisioner.Interface, error)
 	getProvisioners              func(nextCursor string, limit int) (provisioner.List, string, error)
@ -200,7 +199,6 @@ type mockAuthority struct {
 	getEncryptedKey              func(kid string) (string, error)
 	getRoots                     func() ([]*x509.Certificate, error)
 	getFederation                func() ([]*x509.Certificate, error)
-	getCRL                       func() (*authority.CertificateRevocationListInfo, error)
 	signSSH                      func(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
 	signSSHAddUser               func(ctx context.Context, key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error)
 	renewSSH                     func(ctx context.Context, cert *ssh.Certificate) (*ssh.Certificate, error)
@ -214,14 +212,6 @@ type mockAuthority struct {
 	version                      func() authority.Version
 }

-func (m *mockAuthority) GetCertificateRevocationList() (*authority.CertificateRevocationListInfo, error) {
-	if m.getCRL != nil {
-		return m.getCRL()
-	}
-
-	return m.ret1.(*authority.CertificateRevocationListInfo), m.err
-}
-
 // TODO: remove once Authorize is deprecated.
 func (m *mockAuthority) Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error) {
 	if m.authorize != nil {
@ -251,9 +241,9 @@ func (m *mockAuthority) Root(shasum string) (*x509.Certificate, error) {
 	return m.ret1.(*x509.Certificate), m.err
 }

-func (m *mockAuthority) SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
-	if m.signWithContext != nil {
-		return m.signWithContext(ctx, cr, opts, signOpts...)
+func (m *mockAuthority) Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+	if m.sign != nil {
+		return m.sign(cr, opts, signOpts...)
 	}
 	return []*x509.Certificate{m.ret1.(*x509.Certificate), m.ret2.(*x509.Certificate)}, m.err
 }
@ -265,13 +255,6 @@ func (m *mockAuthority) Renew(cert *x509.Certificate) ([]*x509.Certificate, erro
 	return []*x509.Certificate{m.ret1.(*x509.Certificate), m.ret2.(*x509.Certificate)}, m.err
 }

-func (m *mockAuthority) RenewContext(ctx context.Context, oldcert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error) {
-	if m.renewContext != nil {
-		return m.renewContext(ctx, oldcert, pk)
-	}
-	return []*x509.Certificate{m.ret1.(*x509.Certificate), m.ret2.(*x509.Certificate)}, m.err
-}
-
 func (m *mockAuthority) Rekey(oldcert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error) {
 	if m.rekey != nil {
 		return m.rekey(oldcert, pk)
@ -655,7 +638,7 @@ func TestSignRequest_Validate(t *testing.T) {
 			}
 			if err := s.Validate(); err != nil {
 				if assert.NotNil(t, tt.err) {
-					assert.True(t, strings.HasPrefix(err.Error(), tt.err.Error()))
+					assert.HasPrefix(t, err.Error(), tt.err.Error())
 				}
 			} else {
 				assert.Nil(t, tt.err)
@ -814,7 +797,7 @@ func Test_caHandler_Route(t *testing.T) {
 }

 func Test_Health(t *testing.T) {
-	req := httptest.NewRequest("GET", "http://example.com/health", http.NoBody)
+	req := httptest.NewRequest("GET", "http://example.com/health", nil)
 	w := httptest.NewRecorder()
 	Health(w, req)

@ -848,7 +831,7 @@ func Test_Root(t *testing.T) {
 	// Request with chi context
 	chiCtx := chi.NewRouteContext()
 	chiCtx.URLParams.Add("sha", "efc7d6b475a56fe587650bcdb999a4a308f815ba44db4bf0371ea68a786ccd36")
-	req := httptest.NewRequest("GET", "http://example.com/root/efc7d6b475a56fe587650bcdb999a4a308f815ba44db4bf0371ea68a786ccd36", http.NoBody)
+	req := httptest.NewRequest("GET", "http://example.com/root/efc7d6b475a56fe587650bcdb999a4a308f815ba44db4bf0371ea68a786ccd36", nil)
 	req = req.WithContext(context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx))

 	expected := []byte(`{"ca":"` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n"}`)
@ -884,12 +867,16 @@ func Test_Sign(t *testing.T) {
 		CsrPEM: CertificateRequest{csr},
 		OTT:    "foobarzar",
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}
 	invalid, err := json.Marshal(SignRequest{
 		CsrPEM: CertificateRequest{csr},
 		OTT:    "",
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	expected1 := []byte(`{"crt":"` + strings.ReplaceAll(certPEM, "\n", `\n`) + `\n","ca":"` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n","certChain":["` + strings.ReplaceAll(certPEM, "\n", `\n`) + `\n","` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n"]}`)
 	expected2 := []byte(`{"crt":"` + strings.ReplaceAll(stepCertPEM, "\n", `\n`) + `\n","ca":"` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n","certChain":["` + strings.ReplaceAll(stepCertPEM, "\n", `\n`) + `\n","` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n"]}`)
@ -1059,7 +1046,7 @@ func Test_Renew(t *testing.T) {
 					return nil
 				},
 			})
-			req := httptest.NewRequest("POST", "http://example.com/renew", http.NoBody)
+			req := httptest.NewRequest("POST", "http://example.com/renew", nil)
 			req.TLS = tt.tls
 			req.Header = tt.header
 			w := httptest.NewRecorder()
@ -1213,10 +1200,10 @@ func Test_Provisioners(t *testing.T) {

 	expectedError400 := errs.BadRequest("limit 'abc' is not an integer")
 	expectedError400Bytes, err := json.Marshal(expectedError400)
-	require.NoError(t, err)
+	assert.FatalError(t, err)
 	expectedError500 := errs.InternalServer("force")
 	expectedError500Bytes, err := json.Marshal(expectedError500)
-	require.NoError(t, err)
+	assert.FatalError(t, err)
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			mockMustAuthority(t, tt.fields.Authority)
@ -1267,7 +1254,7 @@ func Test_ProvisionerKey(t *testing.T) {
 	// Request with chi context
 	chiCtx := chi.NewRouteContext()
 	chiCtx.URLParams.Add("kid", "oV1p0MJeGQ7qBlK6B-oyfVdBRjh_e7VSK_YSEEqgW00")
-	req := httptest.NewRequest("GET", "http://example.com/provisioners/oV1p0MJeGQ7qBlK6B-oyfVdBRjh_e7VSK_YSEEqgW00/encrypted-key", http.NoBody)
+	req := httptest.NewRequest("GET", "http://example.com/provisioners/oV1p0MJeGQ7qBlK6B-oyfVdBRjh_e7VSK_YSEEqgW00/encrypted-key", nil)
 	req = req.WithContext(context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx))

 	tests := []struct {
@ -1283,7 +1270,7 @@ func Test_ProvisionerKey(t *testing.T) {
 	expected := []byte(`{"key":"` + privKey + `"}`)
 	expectedError404 := errs.NotFound("force")
 	expectedError404Bytes, err := json.Marshal(expectedError404)
-	require.NoError(t, err)
+	assert.FatalError(t, err)

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -1335,7 +1322,7 @@ func Test_Roots(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			mockMustAuthority(t, &mockAuthority{ret1: []*x509.Certificate{tt.root}, err: tt.err})
-			req := httptest.NewRequest("GET", "http://example.com/roots", http.NoBody)
+			req := httptest.NewRequest("GET", "http://example.com/roots", nil)
 			req.TLS = tt.tls
 			w := httptest.NewRecorder()
 			Roots(w, req)
@ -1376,7 +1363,7 @@ func Test_caHandler_RootsPEM(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			mockMustAuthority(t, &mockAuthority{ret1: tt.roots, err: tt.err})
-			req := httptest.NewRequest("GET", "https://example.com/roots", http.NoBody)
+			req := httptest.NewRequest("GET", "https://example.com/roots", nil)
 			w := httptest.NewRecorder()
 			RootsPEM(w, req)
 			res := w.Result()
@ -1421,7 +1408,7 @@ func Test_Federation(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			mockMustAuthority(t, &mockAuthority{ret1: []*x509.Certificate{tt.root}, err: tt.err})
-			req := httptest.NewRequest("GET", "http://example.com/federation", http.NoBody)
+			req := httptest.NewRequest("GET", "http://example.com/federation", nil)
 			req.TLS = tt.tls
 			w := httptest.NewRecorder()
 			Federation(w, req)
@ -1521,140 +1508,3 @@ func mustCertificate(t *testing.T, pub, priv interface{}) *x509.Certificate {
 	}
 	return cert
 }
-
-func TestProvisionersResponse_MarshalJSON(t *testing.T) {
-	k := map[string]any{
-		"use": "sig",
-		"kty": "EC",
-		"kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc",
-		"crv": "P-256",
-		"alg": "ES256",
-		"x":   "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
-		"y":   "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
-	}
-	key := jose.JSONWebKey{}
-	b, err := json.Marshal(k)
-	require.NoError(t, err)
-	err = json.Unmarshal(b, &key)
-	require.NoError(t, err)
-
-	r := ProvisionersResponse{
-		Provisioners: provisioner.List{
-			&provisioner.SCEP{
-				Name:                          "scep",
-				Type:                          "scep",
-				ChallengePassword:             "not-so-secret",
-				MinimumPublicKeyLength:        2048,
-				EncryptionAlgorithmIdentifier: 2,
-				IncludeRoot:                   true,
-				ExcludeIntermediate:           true,
-				DecrypterCertificate:          []byte{1, 2, 3, 4},
-				DecrypterKeyPEM:               []byte{5, 6, 7, 8},
-				DecrypterKeyURI:               "softkms:path=/path/to/private.key",
-				DecrypterKeyPassword:          "super-secret-password",
-			},
-			&provisioner.JWK{
-				EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
-				Key:          &key,
-				Name:         "step-cli",
-				Type:         "JWK",
-			},
-		},
-		NextCursor: "next",
-	}
-
-	expected := map[string]any{
-		"provisioners": []map[string]any{
-			{
-				"type":                          "scep",
-				"name":                          "scep",
-				"forceCN":                       false,
-				"includeRoot":                   true,
-				"excludeIntermediate":           true,
-				"challenge":                     "*** REDACTED ***",
-				"decrypterCertificate":          []byte("*** REDACTED ***"),
-				"decrypterKey":                  "*** REDACTED ***",
-				"decrypterKeyPEM":               []byte("*** REDACTED ***"),
-				"decrypterKeyPassword":          "*** REDACTED ***",
-				"minimumPublicKeyLength":        2048,
-				"encryptionAlgorithmIdentifier": 2,
-			},
-			{
-				"type": "JWK",
-				"name": "step-cli",
-				"key": map[string]any{
-					"use": "sig",
-					"kty": "EC",
-					"kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc",
-					"crv": "P-256",
-					"alg": "ES256",
-					"x":   "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
-					"y":   "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
-				},
-				"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
-			},
-		},
-		"nextCursor": "next",
-	}
-
-	expBytes, err := json.Marshal(expected)
-	assert.NoError(t, err)
-
-	br, err := r.MarshalJSON()
-	assert.NoError(t, err)
-	assert.JSONEq(t, string(expBytes), string(br))
-
-	keyCopy := key
-	expList := provisioner.List{
-		&provisioner.SCEP{
-			Name:                          "scep",
-			Type:                          "scep",
-			ChallengePassword:             "not-so-secret",
-			MinimumPublicKeyLength:        2048,
-			EncryptionAlgorithmIdentifier: 2,
-			IncludeRoot:                   true,
-			ExcludeIntermediate:           true,
-			DecrypterCertificate:          []byte{1, 2, 3, 4},
-			DecrypterKeyPEM:               []byte{5, 6, 7, 8},
-			DecrypterKeyURI:               "softkms:path=/path/to/private.key",
-			DecrypterKeyPassword:          "super-secret-password",
-		},
-		&provisioner.JWK{
-			EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
-			Key:          &keyCopy,
-			Name:         "step-cli",
-			Type:         "JWK",
-		},
-	}
-
-	// MarshalJSON must not affect the struct properties itself
-	assert.Equal(t, expList, r.Provisioners)
-}
-
-const (
-	fixtureECDSACertificate = `ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI herman`
-)
-
-func TestLogSSHCertificate(t *testing.T) {
-
-	out, _, _, _, err := ssh.ParseAuthorizedKey([]byte(fixtureECDSACertificate))
-	require.NoError(t, err)
-
-	cert, ok := out.(*ssh.Certificate)
-	require.True(t, ok)
-
-	w := httptest.NewRecorder()
-	rl := logging.NewResponseLogger(w)
-	LogSSHCertificate(rl, cert)
-
-	assert.Equal(t, 200, w.Result().StatusCode)
-
-	fields := rl.Fields()
-	assert.Equal(t, uint64(14376510277651266987), fields["serial"])
-	assert.Equal(t, []string{"herman"}, fields["principals"])
-	assert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate", fields["certificate-type"])
-	assert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
-	assert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
-	assert.Equal(t, "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"])
-	assert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"])
-}
--- a/api/crl.go
+++ b/api/crl.go
@ -1,46 +0,0 @@
-package api
-
-import (
-	"encoding/pem"
-	"net/http"
-	"time"
-
-	"github.com/smallstep/certificates/api/render"
-	"github.com/smallstep/certificates/errs"
-)
-
-// CRL is an HTTP handler that returns the current CRL in DER or PEM format
-func CRL(w http.ResponseWriter, r *http.Request) {
-	crlInfo, err := mustAuthority(r.Context()).GetCertificateRevocationList()
-	if err != nil {
-		render.Error(w, r, err)
-		return
-	}
-
-	if crlInfo == nil {
-		render.Error(w, r, errs.New(http.StatusNotFound, "no CRL available"))
-		return
-	}
-
-	expires := crlInfo.ExpiresAt
-	if expires.IsZero() {
-		expires = time.Now()
-	}
-
-	w.Header().Add("Expires", expires.Format(time.RFC1123))
-
-	_, formatAsPEM := r.URL.Query()["pem"]
-	if formatAsPEM {
-		w.Header().Add("Content-Type", "application/x-pem-file")
-		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.pem\"")
-
-		_ = pem.Encode(w, &pem.Block{
-			Type:  "X509 CRL",
-			Bytes: crlInfo.Data,
-		})
-	} else {
-		w.Header().Add("Content-Type", "application/pkix-crl")
-		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.der\"")
-		w.Write(crlInfo.Data)
-	}
-}
--- a/api/crl_test.go
+++ b/api/crl_test.go
@ -1,93 +0,0 @@
-package api
-
-import (
-	"bytes"
-	"context"
-	"encoding/pem"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/go-chi/chi/v5"
-	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority"
-	"github.com/smallstep/certificates/errs"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func Test_CRL(t *testing.T) {
-	data := []byte{1, 2, 3, 4}
-	pemData := pem.EncodeToMemory(&pem.Block{
-		Type:  "X509 CRL",
-		Bytes: data,
-	})
-	pemData = bytes.TrimSpace(pemData)
-	emptyPEMData := pem.EncodeToMemory(&pem.Block{
-		Type:  "X509 CRL",
-		Bytes: nil,
-	})
-	emptyPEMData = bytes.TrimSpace(emptyPEMData)
-	tests := []struct {
-		name              string
-		url               string
-		err               error
-		statusCode        int
-		crlInfo           *authority.CertificateRevocationListInfo
-		expectedBody      []byte
-		expectedHeaders   http.Header
-		expectedErrorJSON string
-	}{
-		{"ok", "http://example.com/crl", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: data}, data, http.Header{"Content-Type": []string{"application/pkix-crl"}, "Content-Disposition": []string{`attachment; filename="crl.der"`}}, ""},
-		{"ok/pem", "http://example.com/crl?pem=true", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: data}, pemData, http.Header{"Content-Type": []string{"application/x-pem-file"}, "Content-Disposition": []string{`attachment; filename="crl.pem"`}}, ""},
-		{"ok/empty", "http://example.com/crl", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: nil}, nil, http.Header{"Content-Type": []string{"application/pkix-crl"}, "Content-Disposition": []string{`attachment; filename="crl.der"`}}, ""},
-		{"ok/empty-pem", "http://example.com/crl?pem=true", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: nil}, emptyPEMData, http.Header{"Content-Type": []string{"application/x-pem-file"}, "Content-Disposition": []string{`attachment; filename="crl.pem"`}}, ""},
-		{"fail/internal", "http://example.com/crl", errs.Wrap(http.StatusInternalServerError, errors.New("failure"), "authority.GetCertificateRevocationList"), http.StatusInternalServerError, nil, nil, http.Header{}, `{"status":500,"message":"The certificate authority encountered an Internal Server Error. Please see the certificate authority logs for more info."}`},
-		{"fail/nil", "http://example.com/crl", nil, http.StatusNotFound, nil, nil, http.Header{}, `{"status":404,"message":"no CRL available"}`},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockMustAuthority(t, &mockAuthority{ret1: tt.crlInfo, err: tt.err})
-
-			chiCtx := chi.NewRouteContext()
-			req := httptest.NewRequest("GET", tt.url, http.NoBody)
-			req = req.WithContext(context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx))
-			w := httptest.NewRecorder()
-			CRL(w, req)
-			res := w.Result()
-
-			assert.Equal(t, tt.statusCode, res.StatusCode)
-
-			body, err := io.ReadAll(res.Body)
-			res.Body.Close()
-			require.NoError(t, err)
-
-			if tt.statusCode >= 300 {
-				assert.JSONEq(t, tt.expectedErrorJSON, string(bytes.TrimSpace(body)))
-				return
-			}
-
-			// check expected header values
-			for _, h := range []string{"content-type", "content-disposition"} {
-				v := tt.expectedHeaders.Get(h)
-				require.NotEmpty(t, v)
-
-				actual := res.Header.Get(h)
-				assert.Equal(t, v, actual)
-			}
-
-			// check expires header value
-			assert.NotEmpty(t, res.Header.Get("expires"))
-			t1, err := time.Parse(time.RFC1123, res.Header.Get("expires"))
-			if assert.NoError(t, err) {
-				assert.False(t, t1.IsZero())
-			}
-
-			// check body contents
-			assert.Equal(t, tt.expectedBody, bytes.TrimSpace(body))
-		})
-	}
-}
--- a/api/log/log.go
+++ b/api/log/log.go
@ -2,36 +2,14 @@
 package log

 import (
-	"context"
 	"fmt"
 	"net/http"
 	"os"

 	"github.com/pkg/errors"
-)
-
-type errorLoggerKey struct{}
-
-// ErrorLogger is the function type used to log errors.
-type ErrorLogger func(http.ResponseWriter, *http.Request, error)
-
-func (fn ErrorLogger) call(w http.ResponseWriter, r *http.Request, err error) {
-	if fn == nil {
-		return
-	}
-	fn(w, r, err)
-}

-// WithErrorLogger returns a new context with the given error logger.
-func WithErrorLogger(ctx context.Context, fn ErrorLogger) context.Context {
-	return context.WithValue(ctx, errorLoggerKey{}, fn)
-}
-
-// ErrorLoggerFromContext returns an error logger from the context.
-func ErrorLoggerFromContext(ctx context.Context) (fn ErrorLogger) {
-	fn, _ = ctx.Value(errorLoggerKey{}).(ErrorLogger)
-	return
-}
+	"github.com/smallstep/certificates/logging"
+)

 // StackTracedError is the set of errors implementing the StackTrace function.
 //
@ -43,23 +21,16 @@ type StackTracedError interface {
 	StackTrace() errors.StackTrace
 }

-type fieldCarrier interface {
-	WithFields(map[string]any)
-	Fields() map[string]any
-}
-
 // Error adds to the response writer the given error if it implements
 // logging.ResponseLogger. If it does not implement it, then writes the error
 // using the log package.
-func Error(w http.ResponseWriter, r *http.Request, err error) {
-	ErrorLoggerFromContext(r.Context()).call(w, r, err)
-
-	fc, ok := w.(fieldCarrier)
+func Error(rw http.ResponseWriter, err error) {
+	rl, ok := rw.(logging.ResponseLogger)
 	if !ok {
 		return
 	}

-	fc.WithFields(map[string]any{
+	rl.WithFields(map[string]interface{}{
 		"error": err,
 	})

@ -68,8 +39,8 @@ func Error(w http.ResponseWriter, r *http.Request, err error) {
 	}

 	var st StackTracedError
-	if errors.As(err, &st) {
-		fc.WithFields(map[string]any{
+	if !errors.As(err, &st) {
+		rl.WithFields(map[string]interface{}{
 			"stack-trace": fmt.Sprintf("%+v", st.StackTrace()),
 		})
 	}
@ -77,21 +48,21 @@ func Error(w http.ResponseWriter, r *http.Request, err error) {

 // EnabledResponse log the response object if it implements the EnableLogger
 // interface.
-func EnabledResponse(rw http.ResponseWriter, r *http.Request, v any) {
+func EnabledResponse(rw http.ResponseWriter, v interface{}) {
 	type enableLogger interface {
-		ToLog() (any, error)
+		ToLog() (interface{}, error)
 	}

 	if el, ok := v.(enableLogger); ok {
 		out, err := el.ToLog()
 		if err != nil {
-			Error(rw, r, err)
+			Error(rw, err)

 			return
 		}

-		if rl, ok := rw.(fieldCarrier); ok {
-			rl.WithFields(map[string]any{
+		if rl, ok := rw.(logging.ResponseLogger); ok {
+			rl.WithFields(map[string]interface{}{
 				"response": out,
 			})
 		}
--- a/api/log/log_test.go
+++ b/api/log/log_test.go
@ -1,108 +1,43 @@
 package log

 import (
-	"bytes"
-	"encoding/json"
-	"log/slog"
+	"errors"
 	"net/http"
 	"net/http/httptest"
+	"reflect"
 	"testing"
-	"unsafe"
-
-	pkgerrors "github.com/pkg/errors"
-	"github.com/stretchr/testify/assert"

 	"github.com/smallstep/certificates/logging"
 )

-type stackTracedError struct{}
-
-func (stackTracedError) Error() string {
-	return "a stacktraced error"
-}
-
-func (stackTracedError) StackTrace() pkgerrors.StackTrace {
-	f := struct{}{}
-	return pkgerrors.StackTrace{ // fake stacktrace
-		pkgerrors.Frame(unsafe.Pointer(&f)),
-		pkgerrors.Frame(unsafe.Pointer(&f)),
-	}
-}
-
 func TestError(t *testing.T) {
-	var buf bytes.Buffer
-	logger := slog.New(slog.NewJSONHandler(&buf, &slog.HandlerOptions{}))
-	req := httptest.NewRequest("GET", "/test", http.NoBody)
-	reqWithLogger := req.WithContext(WithErrorLogger(req.Context(), func(w http.ResponseWriter, r *http.Request, err error) {
-		if err != nil {
-			logger.ErrorContext(r.Context(), "request failed", slog.Any("error", err))
-		}
-	}))
+	theError := errors.New("the error")

+	type args struct {
+		rw  http.ResponseWriter
+		err error
+	}
 	tests := []struct {
-		name string
-		error
-		rw               http.ResponseWriter
-		r                *http.Request
-		isFieldCarrier   bool
-		isSlogLogger     bool
-		stepDebug        bool
-		expectStackTrace bool
+		name       string
+		args       args
+		withFields bool
 	}{
-		{"noLogger", nil, nil, req, false, false, false, false},
-		{"noError", nil, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, false, false},
-		{"noErrorDebug", nil, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, false},
-		{"anError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, false, false},
-		{"anErrorDebug", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, false},
-		{"stackTracedError", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, true},
-		{"stackTracedErrorDebug", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, true},
-		{"slogWithNoError", nil, logging.NewResponseLogger(httptest.NewRecorder()), reqWithLogger, true, true, false, false},
-		{"slogWithError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), reqWithLogger, true, true, false, false},
+		{"normalLogger", args{httptest.NewRecorder(), theError}, false},
+		{"responseLogger", args{logging.NewResponseLogger(httptest.NewRecorder()), theError}, true},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.stepDebug {
-				t.Setenv("STEPDEBUG", "1")
-			} else {
-				t.Setenv("STEPDEBUG", "0")
-			}
-
-			Error(tt.rw, tt.r, tt.error)
-
-			// return early if test case doesn't use logger
-			if !tt.isFieldCarrier && !tt.isSlogLogger {
-				return
-			}
-
-			if tt.isFieldCarrier {
-				fields := tt.rw.(logging.ResponseLogger).Fields()
-
-				// expect the error field to be (not) set and to be the same error that was fed to Error
-				if tt.error == nil {
-					assert.Nil(t, fields["error"])
+			Error(tt.args.rw, tt.args.err)
+			if tt.withFields {
+				if rl, ok := tt.args.rw.(logging.ResponseLogger); ok {
+					fields := rl.Fields()
+					if !reflect.DeepEqual(fields["error"], theError) {
+						t.Errorf("ResponseLogger[\"error\"] = %s, wants %s", fields["error"], theError)
+					}
 				} else {
-					assert.Same(t, tt.error, fields["error"])
-				}
-
-				// check if stack-trace is set when expected
-				if _, hasStackTrace := fields["stack-trace"]; tt.expectStackTrace && !hasStackTrace {
-					t.Error(`ResponseLogger["stack-trace"] not set`)
-				} else if !tt.expectStackTrace && hasStackTrace {
-					t.Error(`ResponseLogger["stack-trace"] was set`)
-				}
-			}
-
-			if tt.isSlogLogger {
-				b := buf.Bytes()
-				if tt.error == nil {
-					assert.Empty(t, b)
-				} else if assert.NotEmpty(t, b) {
-					var m map[string]any
-					assert.NoError(t, json.Unmarshal(b, &m))
-					assert.Equal(t, tt.error.Error(), m["error"])
+					t.Error("ResponseWriter does not implement logging.ResponseLogger")
 				}
-				buf.Reset()
 			}
 		})
 	}
--- a/api/models/scep.go
+++ b/api/models/scep.go
@ -1,118 +0,0 @@
-package models
-
-import (
-	"context"
-	"crypto/x509"
-	"errors"
-
-	"github.com/smallstep/certificates/authority/provisioner"
-	"golang.org/x/crypto/ssh"
-)
-
-var errDummyImplementation = errors.New("dummy implementation")
-
-// SCEP is the SCEP provisioner model used solely in CA API
-// responses. All methods for the [provisioner.Interface] interface
-// are implemented, but return a dummy error.
-// TODO(hs): remove reliance on the interface for the API responses
-type SCEP struct {
-	ID                            string               `json:"-"`
-	Type                          string               `json:"type"`
-	Name                          string               `json:"name"`
-	ForceCN                       bool                 `json:"forceCN"`
-	ChallengePassword             string               `json:"challenge"`
-	Capabilities                  []string             `json:"capabilities,omitempty"`
-	IncludeRoot                   bool                 `json:"includeRoot"`
-	ExcludeIntermediate           bool                 `json:"excludeIntermediate"`
-	MinimumPublicKeyLength        int                  `json:"minimumPublicKeyLength"`
-	DecrypterCertificate          []byte               `json:"decrypterCertificate"`
-	DecrypterKeyPEM               []byte               `json:"decrypterKeyPEM"`
-	DecrypterKeyURI               string               `json:"decrypterKey"`
-	DecrypterKeyPassword          string               `json:"decrypterKeyPassword"`
-	EncryptionAlgorithmIdentifier int                  `json:"encryptionAlgorithmIdentifier"`
-	Options                       *provisioner.Options `json:"options,omitempty"`
-	Claims                        *provisioner.Claims  `json:"claims,omitempty"`
-}
-
-// GetID returns the provisioner unique identifier.
-func (s *SCEP) GetID() string {
-	if s.ID != "" {
-		return s.ID
-	}
-	return s.GetIDForToken()
-}
-
-// GetIDForToken returns an identifier that will be used to load the provisioner
-// from a token.
-func (s *SCEP) GetIDForToken() string {
-	return "scep/" + s.Name
-}
-
-// GetName returns the name of the provisioner.
-func (s *SCEP) GetName() string {
-	return s.Name
-}
-
-// GetType returns the type of provisioner.
-func (s *SCEP) GetType() provisioner.Type {
-	return provisioner.TypeSCEP
-}
-
-// GetEncryptedKey returns the base provisioner encrypted key if it's defined.
-func (s *SCEP) GetEncryptedKey() (string, string, bool) {
-	return "", "", false
-}
-
-// GetTokenID returns the identifier of the token.
-func (s *SCEP) GetTokenID(string) (string, error) {
-	return "", errDummyImplementation
-}
-
-// Init initializes and validates the fields of a SCEP type.
-func (s *SCEP) Init(_ provisioner.Config) (err error) {
-	return errDummyImplementation
-}
-
-// AuthorizeSign returns an unimplemented error. Provisioners should overwrite
-// this method if they will support authorizing tokens for signing x509 Certificates.
-func (s *SCEP) AuthorizeSign(context.Context, string) ([]provisioner.SignOption, error) {
-	return nil, errDummyImplementation
-}
-
-// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
-// this method if they will support authorizing tokens for revoking x509 Certificates.
-func (s *SCEP) AuthorizeRevoke(context.Context, string) error {
-	return errDummyImplementation
-}
-
-// AuthorizeRenew returns an unimplemented error. Provisioners should overwrite
-// this method if they will support authorizing tokens for renewing x509 Certificates.
-func (s *SCEP) AuthorizeRenew(context.Context, *x509.Certificate) error {
-	return errDummyImplementation
-}
-
-// AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite
-// this method if they will support authorizing tokens for signing SSH Certificates.
-func (s *SCEP) AuthorizeSSHSign(context.Context, string) ([]provisioner.SignOption, error) {
-	return nil, errDummyImplementation
-}
-
-// AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite
-// this method if they will support authorizing tokens for revoking SSH Certificates.
-func (s *SCEP) AuthorizeSSHRevoke(context.Context, string) error {
-	return errDummyImplementation
-}
-
-// AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite
-// this method if they will support authorizing tokens for renewing SSH Certificates.
-func (s *SCEP) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
-	return nil, errDummyImplementation
-}
-
-// AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite
-// this method if they will support authorizing tokens for rekeying SSH Certificates.
-func (s *SCEP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []provisioner.SignOption, error) {
-	return nil, nil, errDummyImplementation
-}
-
-var _ provisioner.Interface = (*SCEP)(nil)
--- a/api/read/read.go
+++ b/api/read/read.go
@ -51,7 +51,7 @@ func (e badProtoJSONError) Error() string {
 }

 // Render implements render.RenderableError for badProtoJSONError
-func (e badProtoJSONError) Render(w http.ResponseWriter, r *http.Request) {
+func (e badProtoJSONError) Render(w http.ResponseWriter) {
 	v := struct {
 		Type    string `json:"type"`
 		Detail  string `json:"detail"`
@ -62,5 +62,5 @@ func (e badProtoJSONError) Render(w http.ResponseWriter, r *http.Request) {
 		// trim the proto prefix for the message
 		Message: strings.TrimSpace(strings.TrimPrefix(e.Error(), "proto:")),
 	}
-	render.JSONStatus(w, r, v, http.StatusBadRequest)
+	render.JSONStatus(w, v, http.StatusBadRequest)
 }
--- a/api/read/read_test.go
+++ b/api/read/read_test.go
@ -142,8 +142,7 @@ func Test_badProtoJSONError_Render(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {

 			w := httptest.NewRecorder()
-			r := httptest.NewRequest("POST", "/test", http.NoBody)
-			tt.e.Render(w, r)
+			tt.e.Render(w)
 			res := w.Result()
 			defer res.Body.Close()

--- a/api/rekey.go
+++ b/api/rekey.go
@ -29,25 +29,25 @@ func (s *RekeyRequest) Validate() error {
 // Rekey is similar to renew except that the certificate will be renewed with new key from csr.
 func Rekey(w http.ResponseWriter, r *http.Request) {
 	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
-		render.Error(w, r, errs.BadRequest("missing client certificate"))
+		render.Error(w, errs.BadRequest("missing client certificate"))
 		return
 	}

 	var body RekeyRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	a := mustAuthority(r.Context())
 	certChain, err := a.Rekey(r.TLS.PeerCertificates[0], body.CsrPEM.CertificateRequest.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Rekey"))
+		render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Rekey"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -57,7 +57,7 @@ func Rekey(w http.ResponseWriter, r *http.Request) {
 	}

 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/render/render.go
+++ b/api/render/render.go
@ -2,6 +2,7 @@
 package render

 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"net/http"
@ -13,8 +14,8 @@ import (
 )

 // JSON is shorthand for JSONStatus(w, v, http.StatusOK).
-func JSON(w http.ResponseWriter, r *http.Request, v interface{}) {
-	JSONStatus(w, r, v, http.StatusOK)
+func JSON(w http.ResponseWriter, v interface{}) {
+	JSONStatus(w, v, http.StatusOK)
 }

 // JSONStatus marshals v into w. It additionally sets the status code of
@ -22,28 +23,17 @@ func JSON(w http.ResponseWriter, r *http.Request, v interface{}) {
 //
 // JSONStatus sets the Content-Type of w to application/json unless one is
 // specified.
-func JSONStatus(w http.ResponseWriter, r *http.Request, v interface{}, status int) {
+func JSONStatus(w http.ResponseWriter, v interface{}, status int) {
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(v); err != nil {
+		panic(err)
+	}
+
 	setContentTypeUnlessPresent(w, "application/json")
 	w.WriteHeader(status)
+	_, _ = b.WriteTo(w)

-	if err := json.NewEncoder(w).Encode(v); err != nil {
-		var errUnsupportedType *json.UnsupportedTypeError
-		if errors.As(err, &errUnsupportedType) {
-			panic(err)
-		}
-
-		var errUnsupportedValue *json.UnsupportedValueError
-		if errors.As(err, &errUnsupportedValue) {
-			panic(err)
-		}
-
-		var errMarshalError *json.MarshalerError
-		if errors.As(err, &errMarshalError) {
-			panic(err)
-		}
-	}
-
-	log.EnabledResponse(w, r, v)
+	log.EnabledResponse(w, v)
 }

 // ProtoJSON is shorthand for ProtoJSONStatus(w, m, http.StatusOK).
@ -80,22 +70,22 @@ func setContentTypeUnlessPresent(w http.ResponseWriter, contentType string) {
 type RenderableError interface {
 	error

-	Render(http.ResponseWriter, *http.Request)
+	Render(http.ResponseWriter)
 }

 // Error marshals the JSON representation of err to w. In case err implements
 // RenderableError its own Render method will be called instead.
-func Error(rw http.ResponseWriter, r *http.Request, err error) {
-	log.Error(rw, r, err)
+func Error(w http.ResponseWriter, err error) {
+	log.Error(w, err)

-	var re RenderableError
-	if errors.As(err, &re) {
-		re.Render(rw, r)
+	var r RenderableError
+	if errors.As(err, &r) {
+		r.Render(w)

 		return
 	}

-	JSONStatus(rw, r, err, statusCodeFromError(err))
+	JSONStatus(w, err, statusCodeFromError(err))
 }

 // StatusCodedError is the set of errors that implement the basic StatusCode
--- a/api/render/render_test.go
+++ b/api/render/render_test.go
@ -1,10 +1,8 @@
 package render

 import (
-	"encoding/json"
 	"fmt"
 	"io"
-	"math"
 	"net/http"
 	"net/http/httptest"
 	"strconv"
@ -18,8 +16,8 @@ import (
 func TestJSON(t *testing.T) {
 	rec := httptest.NewRecorder()
 	rw := logging.NewResponseLogger(rec)
-	r := httptest.NewRequest("POST", "/test", http.NoBody)
-	JSON(rw, r, map[string]interface{}{"foo": "bar"})
+
+	JSON(rw, map[string]interface{}{"foo": "bar"})

 	assert.Equal(t, http.StatusOK, rec.Result().StatusCode)
 	assert.Equal(t, "application/json", rec.Header().Get("Content-Type"))
@ -28,44 +26,10 @@ func TestJSON(t *testing.T) {
 	assert.Empty(t, rw.Fields())
 }

-func TestJSONPanicsOnUnsupportedType(t *testing.T) {
-	jsonPanicTest[json.UnsupportedTypeError](t, make(chan struct{}))
-}
-
-func TestJSONPanicsOnUnsupportedValue(t *testing.T) {
-	jsonPanicTest[json.UnsupportedValueError](t, math.NaN())
-}
-
-func TestJSONPanicsOnMarshalerError(t *testing.T) {
-	var v erroneousJSONMarshaler
-	jsonPanicTest[json.MarshalerError](t, v)
-}
-
-type erroneousJSONMarshaler struct{}
-
-func (erroneousJSONMarshaler) MarshalJSON() ([]byte, error) {
-	return nil, assert.AnError
-}
-
-func jsonPanicTest[T json.UnsupportedTypeError | json.UnsupportedValueError | json.MarshalerError](t *testing.T, v any) {
-	t.Helper()
-
-	defer func() {
-		var err error
-		if r := recover(); r == nil {
-			t.Fatal("expected panic")
-		} else if e, ok := r.(error); !ok {
-			t.Fatalf("did not panic with an error (%T)", r)
-		} else {
-			err = e
-		}
-
-		var e *T
-		assert.ErrorAs(t, err, &e)
-	}()
-
-	r := httptest.NewRequest("POST", "/test", http.NoBody)
-	JSON(httptest.NewRecorder(), r, v)
+func TestJSONPanics(t *testing.T) {
+	assert.Panics(t, func() {
+		JSON(httptest.NewRecorder(), make(chan struct{}))
+	})
 }

 type renderableError struct {
@ -77,9 +41,10 @@ func (err renderableError) Error() string {
 	return err.Message
 }

-func (err renderableError) Render(w http.ResponseWriter, r *http.Request) {
+func (err renderableError) Render(w http.ResponseWriter) {
 	w.Header().Set("Content-Type", "something/custom")
-	JSONStatus(w, r, err, err.Code)
+
+	JSONStatus(w, err, err.Code)
 }

 type statusedError struct {
@ -116,8 +81,8 @@ func TestError(t *testing.T) {

 		t.Run(strconv.Itoa(caseIndex), func(t *testing.T) {
 			rec := httptest.NewRecorder()
-			r := httptest.NewRequest("POST", "/test", http.NoBody)
-			Error(rec, r, kase.err)
+
+			Error(rec, kase.err)

 			assert.Equal(t, kase.code, rec.Result().StatusCode)
 			assert.Equal(t, kase.body, rec.Body.String())
--- a/api/renew.go
+++ b/api/renew.go
@ -6,7 +6,6 @@ import (
 	"strings"

 	"github.com/smallstep/certificates/api/render"
-	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/errs"
 )

@ -18,25 +17,16 @@ const (
 // Renew uses the information of certificate in the TLS connection to create a
 // new one.
 func Renew(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-
-	// Get the leaf certificate from the peer or the token.
-	cert, token, err := getPeerCertificate(r)
+	cert, err := getPeerCertificate(r)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

-	// The token can be used by RAs to renew a certificate.
-	if token != "" {
-		ctx = authority.NewTokenContext(ctx, token)
-		logOtt(w, token)
-	}
-
-	a := mustAuthority(ctx)
-	certChain, err := a.RenewContext(ctx, cert, nil)
+	a := mustAuthority(r.Context())
+	certChain, err := a.Renew(cert)
 	if err != nil {
-		render.Error(w, r, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
+		render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -46,7 +36,7 @@ func Renew(w http.ResponseWriter, r *http.Request) {
 	}

 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
@ -54,16 +44,15 @@ func Renew(w http.ResponseWriter, r *http.Request) {
 	}, http.StatusCreated)
 }

-func getPeerCertificate(r *http.Request) (*x509.Certificate, string, error) {
+func getPeerCertificate(r *http.Request) (*x509.Certificate, error) {
 	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
-		return r.TLS.PeerCertificates[0], "", nil
+		return r.TLS.PeerCertificates[0], nil
 	}
 	if s := r.Header.Get(authorizationHeader); s != "" {
 		if parts := strings.SplitN(s, bearerScheme+" ", 2); len(parts) == 2 {
 			ctx := r.Context()
-			peer, err := mustAuthority(ctx).AuthorizeRenewToken(ctx, parts[1])
-			return peer, parts[1], err
+			return mustAuthority(ctx).AuthorizeRenewToken(ctx, parts[1])
 		}
 	}
-	return nil, "", errs.BadRequest("missing client certificate")
+	return nil, errs.BadRequest("missing client certificate")
 }
--- a/api/revoke.go
+++ b/api/revoke.go
@ -57,12 +57,12 @@ func (r *RevokeRequest) Validate() (err error) {
 func Revoke(w http.ResponseWriter, r *http.Request) {
 	var body RevokeRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -78,10 +78,10 @@ func Revoke(w http.ResponseWriter, r *http.Request) {

 	// A token indicates that we are using the api via a provisioner token,
 	// otherwise it is assumed that the certificate is revoking itself over mTLS.
-	if body.OTT != "" {
+	if len(body.OTT) > 0 {
 		logOtt(w, body.OTT)
 		if _, err := a.Authorize(ctx, body.OTT); err != nil {
-			render.Error(w, r, errs.UnauthorizedErr(err))
+			render.Error(w, errs.UnauthorizedErr(err))
 			return
 		}
 		opts.OTT = body.OTT
@ -90,12 +90,12 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 		// the client certificate Serial Number must match the serial number
 		// being revoked.
 		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
-			render.Error(w, r, errs.BadRequest("missing ott or client certificate"))
+			render.Error(w, errs.BadRequest("missing ott or client certificate"))
 			return
 		}
 		opts.Crt = r.TLS.PeerCertificates[0]
 		if opts.Crt.SerialNumber.String() != opts.Serial {
-			render.Error(w, r, errs.BadRequest("serial number in client certificate different than body"))
+			render.Error(w, errs.BadRequest("serial number in client certificate different than body"))
 			return
 		}
 		// TODO: should probably be checking if the certificate was revoked here.
@ -106,12 +106,12 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := a.Revoke(ctx, opts); err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error revoking certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error revoking certificate"))
 		return
 	}

 	logRevoke(w, opts)
-	render.JSON(w, r, &RevokeResponse{Status: "ok"})
+	render.JSON(w, &RevokeResponse{Status: "ok"})
 }

 func logRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
--- a/api/sign.go
+++ b/api/sign.go
@ -52,13 +52,13 @@ type SignResponse struct {
 func Sign(w http.ResponseWriter, r *http.Request) {
 	var body SignRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -74,13 +74,13 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}

-	certChain, err := a.SignWithContext(ctx, body.CsrPEM.CertificateRequest, opts, signOpts...)
+	certChain, err := a.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error signing certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error signing certificate"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -88,9 +88,8 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	if len(certChainPEM) > 1 {
 		caPEM = certChainPEM[1]
 	}
-
 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/ssh.go
+++ b/api/ssh.go
@ -253,19 +253,19 @@ type SSHBastionResponse struct {
 func SSHSign(w http.ResponseWriter, r *http.Request) {
 	var body SSHSignRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	publicKey, err := ssh.ParsePublicKey(body.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error parsing publicKey"))
+		render.Error(w, errs.BadRequestErr(err, "error parsing publicKey"))
 		return
 	}

@ -273,7 +273,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	if body.AddUserPublicKey != nil {
 		addUserPublicKey, err = ssh.ParsePublicKey(body.AddUserPublicKey)
 		if err != nil {
-			render.Error(w, r, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
+			render.Error(w, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
 			return
 		}
 	}
@ -293,13 +293,13 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}

 	cert, err := a.SignSSH(ctx, publicKey, opts, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error signing ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 		return
 	}

@ -307,7 +307,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
 		addUserCert, err := a.SignSSHAddUser(ctx, addUserPublicKey, cert)
 		if err != nil {
-			render.Error(w, r, errs.ForbiddenErr(err, "error signing ssh certificate"))
+			render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 			return
 		}
 		addUserCertificate = &SSHCertificate{addUserCert}
@ -317,10 +317,10 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	var identityCertificate []Certificate
 	if cr := body.IdentityCSR.CertificateRequest; cr != nil {
 		ctx := authority.NewContextWithSkipTokenReuse(r.Context())
-		ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignIdentityMethod)
+		ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
 		signOpts, err := a.Authorize(ctx, body.OTT)
 		if err != nil {
-			render.Error(w, r, errs.UnauthorizedErr(err))
+			render.Error(w, errs.UnauthorizedErr(err))
 			return
 		}

@ -330,16 +330,15 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 			NotAfter:  time.Unix(int64(cert.ValidBefore), 0),
 		})

-		certChain, err := a.SignWithContext(ctx, cr, provisioner.SignOptions{}, signOpts...)
+		certChain, err := a.Sign(cr, provisioner.SignOptions{}, signOpts...)
 		if err != nil {
-			render.Error(w, r, errs.ForbiddenErr(err, "error signing identity certificate"))
+			render.Error(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 			return
 		}
 		identityCertificate = certChainToPEM(certChain)
 	}

-	LogSSHCertificate(w, cert)
-	render.JSONStatus(w, r, &SSHSignResponse{
+	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{cert},
 		AddUserCertificate:  addUserCertificate,
 		IdentityCertificate: identityCertificate,
@ -352,12 +351,12 @@ func SSHRoots(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	keys, err := mustAuthority(ctx).GetSSHRoots(ctx)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
-		render.Error(w, r, errs.NotFound("no keys found"))
+		render.Error(w, errs.NotFound("no keys found"))
 		return
 	}

@ -369,7 +368,7 @@ func SSHRoots(w http.ResponseWriter, r *http.Request) {
 		resp.UserKeys = append(resp.UserKeys, SSHPublicKey{PublicKey: k})
 	}

-	render.JSON(w, r, resp)
+	render.JSON(w, resp)
 }

 // SSHFederation is an HTTP handler that returns the federated SSH public keys
@ -378,12 +377,12 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	keys, err := mustAuthority(ctx).GetSSHFederation(ctx)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
-		render.Error(w, r, errs.NotFound("no keys found"))
+		render.Error(w, errs.NotFound("no keys found"))
 		return
 	}

@ -395,7 +394,7 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 		resp.UserKeys = append(resp.UserKeys, SSHPublicKey{PublicKey: k})
 	}

-	render.JSON(w, r, resp)
+	render.JSON(w, resp)
 }

 // SSHConfig is an HTTP handler that returns rendered templates for ssh clients
@ -403,18 +402,18 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 func SSHConfig(w http.ResponseWriter, r *http.Request) {
 	var body SSHConfigRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	ctx := r.Context()
 	ts, err := mustAuthority(ctx).GetSSHConfig(ctx, body.Type, body.Data)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

@ -425,32 +424,32 @@ func SSHConfig(w http.ResponseWriter, r *http.Request) {
 	case provisioner.SSHHostCert:
 		cfg.HostTemplates = ts
 	default:
-		render.Error(w, r, errs.InternalServer("it should hot get here"))
+		render.Error(w, errs.InternalServer("it should hot get here"))
 		return
 	}

-	render.JSON(w, r, cfg)
+	render.JSON(w, cfg)
 }

 // SSHCheckHost is the HTTP handler that returns if a hosts certificate exists or not.
 func SSHCheckHost(w http.ResponseWriter, r *http.Request) {
 	var body SSHCheckPrincipalRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	ctx := r.Context()
 	exists, err := mustAuthority(ctx).CheckSSHHost(ctx, body.Principal, body.Token)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &SSHCheckPrincipalResponse{
+	render.JSON(w, &SSHCheckPrincipalResponse{
 		Exists: exists,
 	})
 }
@ -465,10 +464,10 @@ func SSHGetHosts(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	hosts, err := mustAuthority(ctx).GetSSHHosts(ctx, cert)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &SSHGetHostsResponse{
+	render.JSON(w, &SSHGetHostsResponse{
 		Hosts: hosts,
 	})
 }
@ -477,22 +476,22 @@ func SSHGetHosts(w http.ResponseWriter, r *http.Request) {
 func SSHBastion(w http.ResponseWriter, r *http.Request) {
 	var body SSHBastionRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	ctx := r.Context()
 	bastion, err := mustAuthority(ctx).GetSSHBastion(ctx, body.User, body.Hostname)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

-	render.JSON(w, r, &SSHBastionResponse{
+	render.JSON(w, &SSHBastionResponse{
 		Hostname: body.Hostname,
 		Bastion:  bastion,
 	})
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@ -42,19 +42,19 @@ type SSHRekeyResponse struct {
 func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	var body SSHRekeyRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	publicKey, err := ssh.ParsePublicKey(body.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error parsing publicKey"))
+		render.Error(w, errs.BadRequestErr(err, "error parsing publicKey"))
 		return
 	}

@ -64,18 +64,18 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	newCert, err := a.RekeySSH(ctx, oldCert, publicKey, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error rekeying ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error rekeying ssh certificate"))
 		return
 	}

@ -85,12 +85,11 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {

 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing identity certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}

-	LogSSHCertificate(w, newCert)
-	render.JSONStatus(w, r, &SSHRekeyResponse{
+	render.JSONStatus(w, &SSHRekeyResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
 	}, http.StatusCreated)
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@ -40,13 +40,13 @@ type SSHRenewResponse struct {
 func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	var body SSHRenewRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -56,18 +56,18 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	_, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	newCert, err := a.RenewSSH(ctx, oldCert)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing ssh certificate"))
 		return
 	}

@ -77,12 +77,11 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {

 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing identity certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}

-	LogSSHCertificate(w, newCert)
-	render.JSONStatus(w, r, &SSHSignResponse{
+	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
 	}, http.StatusCreated)
--- a/api/sshRevoke.go
+++ b/api/sshRevoke.go
@ -51,12 +51,12 @@ func (r *SSHRevokeRequest) Validate() (err error) {
 func SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	var body SSHRevokeRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -75,18 +75,18 @@ func SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	logOtt(w, body.OTT)

 	if _, err := a.Authorize(ctx, body.OTT); err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	opts.OTT = body.OTT

 	if err := a.Revoke(ctx, opts); err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error revoking ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
 		return
 	}

 	logSSHRevoke(w, opts)
-	render.JSON(w, r, &SSHRevokeResponse{Status: "ok"})
+	render.JSON(w, &SSHRevokeResponse{Status: "ok"})
 }

 func logSSHRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
--- a/api/ssh_test.go
+++ b/api/ssh_test.go
@ -325,7 +325,7 @@ func Test_SSHSign(t *testing.T) {
 				signSSHAddUser: func(ctx context.Context, key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error) {
 					return tt.addUserCert, tt.addUserErr
 				},
-				signWithContext: func(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+				sign: func(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 					return tt.tlsSignCerts, tt.tlsSignErr
 				},
 			})
--- a/authority/admin/api/acme.go
+++ b/authority/admin/api/acme.go
@ -40,12 +40,12 @@ func requireEABEnabled(next http.HandlerFunc) http.HandlerFunc {

 		acmeProvisioner := prov.GetDetails().GetACME()
 		if acmeProvisioner == nil {
-			render.Error(w, r, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))
+			render.Error(w, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))
 			return
 		}

 		if !acmeProvisioner.RequireEab {
-			render.Error(w, r, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))
+			render.Error(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))
 			return
 		}

@ -70,17 +70,17 @@ func NewACMEAdminResponder() ACMEAdminResponder {

 // GetExternalAccountKeys writes the response for the EAB keys GET endpoint
 func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }

 // CreateExternalAccountKey writes the response for the EAB key POST endpoint
 func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }

 // DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
 func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }

 func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {
--- a/authority/admin/api/acme_test.go
+++ b/authority/admin/api/acme_test.go
@ -12,7 +12,7 @@ import (
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
@ -128,7 +128,7 @@ func TestHandler_requireEABEnabled(t *testing.T) {
 	for name, prep := range tests {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody).WithContext(tc.ctx)
+			req := httptest.NewRequest("GET", "/foo", nil).WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			requireEABEnabled(tc.next)(w, req)
 			res := w.Result()
@ -223,7 +223,7 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {

-			req := httptest.NewRequest("POST", "/foo", http.NoBody) // chi routing is prepared in test setup
+			req := httptest.NewRequest("POST", "/foo", nil) // chi routing is prepared in test setup
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			acmeResponder := NewACMEAdminResponder()
@ -276,7 +276,7 @@ func TestHandler_DeleteExternalAccountKey(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {

-			req := httptest.NewRequest("DELETE", "/foo", http.NoBody) // chi routing is prepared in test setup
+			req := httptest.NewRequest("DELETE", "/foo", nil) // chi routing is prepared in test setup
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			acmeResponder := NewACMEAdminResponder()
@ -311,7 +311,7 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
 		"ok": func(t *testing.T) test {
 			chiCtx := chi.NewRouteContext()
 			chiCtx.URLParams.Add("provisionerName", "provName")
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
 			return test{
 				ctx:        ctx,
--- a/authority/admin/api/admin.go
+++ b/authority/admin/api/admin.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"net/http"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"

 	"go.step.sm/linkedca"

@ -90,7 +90,7 @@ func GetAdmin(w http.ResponseWriter, r *http.Request) {

 	adm, ok := mustAuthority(r.Context()).LoadAdminByID(id)
 	if !ok {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType,
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType,
 			"admin %s not found", id))
 		return
 	}
@ -101,17 +101,17 @@ func GetAdmin(w http.ResponseWriter, r *http.Request) {
 func GetAdmins(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := api.ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err,
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err,
 			"error parsing cursor and limit from query params"))
 		return
 	}

 	admins, nextCursor, err := mustAuthority(r.Context()).GetAdmins(cursor, limit)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving paginated admins"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving paginated admins"))
 		return
 	}
-	render.JSON(w, r, &GetAdminsResponse{
+	render.JSON(w, &GetAdminsResponse{
 		Admins:     admins,
 		NextCursor: nextCursor,
 	})
@ -121,19 +121,19 @@ func GetAdmins(w http.ResponseWriter, r *http.Request) {
 func CreateAdmin(w http.ResponseWriter, r *http.Request) {
 	var body CreateAdminRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	auth := mustAuthority(r.Context())
 	p, err := auth.LoadProvisionerByName(body.Provisioner)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", body.Provisioner))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", body.Provisioner))
 		return
 	}
 	adm := &linkedca.Admin{
@ -143,7 +143,7 @@ func CreateAdmin(w http.ResponseWriter, r *http.Request) {
 	}
 	// Store to authority collection.
 	if err := auth.StoreAdmin(r.Context(), adm, p); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error storing admin"))
+		render.Error(w, admin.WrapErrorISE(err, "error storing admin"))
 		return
 	}

@ -155,23 +155,23 @@ func DeleteAdmin(w http.ResponseWriter, r *http.Request) {
 	id := chi.URLParam(r, "id")

 	if err := mustAuthority(r.Context()).RemoveAdmin(r.Context(), id); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting admin %s", id))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting admin %s", id))
 		return
 	}

-	render.JSON(w, r, &DeleteResponse{Status: "ok"})
+	render.JSON(w, &DeleteResponse{Status: "ok"})
 }

 // UpdateAdmin updates an existing admin.
 func UpdateAdmin(w http.ResponseWriter, r *http.Request) {
 	var body UpdateAdminRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -179,7 +179,7 @@ func UpdateAdmin(w http.ResponseWriter, r *http.Request) {
 	auth := mustAuthority(r.Context())
 	adm, err := auth.UpdateAdmin(r.Context(), id, &linkedca.Admin{Type: body.Type})
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating admin %s", id))
+		render.Error(w, admin.WrapErrorISE(err, "error updating admin %s", id))
 		return
 	}

--- a/authority/admin/api/admin_test.go
+++ b/authority/admin/api/admin_test.go
@ -11,7 +11,7 @@ import (
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"google.golang.org/protobuf/types/known/timestamppb"
@ -357,7 +357,7 @@ func TestHandler_GetAdmin(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {
 			mockMustAuthority(t, tc.auth)
-			req := httptest.NewRequest("GET", "/foo", http.NoBody) // chi routing is prepared in test setup
+			req := httptest.NewRequest("GET", "/foo", nil) // chi routing is prepared in test setup
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			GetAdmin(w, req)
@ -406,7 +406,7 @@ func TestHandler_GetAdmins(t *testing.T) {
 	}
 	var tests = map[string]func(t *testing.T) test{
 		"fail/parse-cursor": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo?limit=A", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo?limit=A", nil)
 			return test{
 				ctx:        context.Background(),
 				req:        req,
@ -420,7 +420,7 @@ func TestHandler_GetAdmins(t *testing.T) {
 			}
 		},
 		"fail/auth.GetAdmins": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			auth := &mockAdminAuthority{
 				MockGetAdmins: func(cursor string, limit int) ([]*linkedca.Admin, string, error) {
 					assert.Equals(t, "", cursor)
@ -442,7 +442,7 @@ func TestHandler_GetAdmins(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			createdAt := time.Now()
 			var deletedAt time.Time
 			adm1 := &linkedca.Admin{
@ -764,7 +764,7 @@ func TestHandler_DeleteAdmin(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {
 			mockMustAuthority(t, tc.auth)
-			req := httptest.NewRequest("DELETE", "/foo", http.NoBody) // chi routing is prepared in test setup
+			req := httptest.NewRequest("DELETE", "/foo", nil) // chi routing is prepared in test setup
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			DeleteAdmin(w, req)
--- a/authority/admin/api/middleware.go
+++ b/authority/admin/api/middleware.go
@ -1,9 +1,10 @@
 package api

 import (
+	"errors"
 	"net/http"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"

 	"go.step.sm/linkedca"

@ -19,7 +20,7 @@ import (
 func requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if !mustAuthority(r.Context()).IsAdminAPIEnabled() {
-			render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "administration API not enabled"))
+			render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "administration API not enabled"))
 			return
 		}
 		next(w, r)
@ -31,7 +32,7 @@ func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		tok := r.Header.Get("Authorization")
 		if tok == "" {
-			render.Error(w, r, admin.NewError(admin.ErrorUnauthorizedType,
+			render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,
 				"missing authorization header token"))
 			return
 		}
@ -39,7 +40,7 @@ func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
 		ctx := r.Context()
 		adm, err := mustAuthority(ctx).AuthorizeAdminToken(r, tok)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

@ -64,13 +65,13 @@ func loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc {

 		// TODO(hs): distinguish 404 vs. 500
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}

 		prov, err := adminDB.GetProvisioner(ctx, p.GetID())
 		if err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
 			return
 		}

@ -91,7 +92,7 @@ func checkAction(next http.HandlerFunc, supportedInStandalone bool) http.Handler
 		// when an action is not supported in standalone mode and when
 		// using a nosql.DB backend, actions are not supported
 		if _, ok := admin.MustFromContext(r.Context()).(*nosql.DB); ok {
-			render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType,
+			render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
 				"operation not supported in standalone mode"))
 			return
 		}
@ -124,16 +125,16 @@ func loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {
 		}

 		if err != nil {
-			if acme.IsErrNotFound(err) {
-				render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
+			if errors.Is(err, acme.ErrNotFound) {
+				render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
 				return
 			}
-			render.Error(w, r, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
+			render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
 			return
 		}

 		if eak == nil {
-			render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
+			render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
 			return
 		}

--- a/authority/admin/api/middleware_test.go
+++ b/authority/admin/api/middleware_test.go
@ -11,7 +11,7 @@ import (
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"google.golang.org/protobuf/types/known/timestamppb"
@ -72,7 +72,7 @@ func TestHandler_requireAPIEnabled(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {
 			mockMustAuthority(t, tc.auth)
-			req := httptest.NewRequest("GET", "/foo", http.NoBody) // chi routing is prepared in test setup
+			req := httptest.NewRequest("GET", "/foo", nil) // chi routing is prepared in test setup
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
 			requireAPIEnabled(tc.next)(w, req)
@ -113,7 +113,7 @@ func TestHandler_extractAuthorizeTokenAdmin(t *testing.T) {
 	}
 	var tests = map[string]func(t *testing.T) test{
 		"fail/missing-authorization-token": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req.Header["Authorization"] = []string{""}
 			return test{
 				ctx:        context.Background(),
@ -128,7 +128,7 @@ func TestHandler_extractAuthorizeTokenAdmin(t *testing.T) {
 			}
 		},
 		"fail/auth.AuthorizeAdminToken": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req.Header["Authorization"] = []string{"token"}
 			auth := &mockAdminAuthority{
 				MockAuthorizeAdminToken: func(r *http.Request, token string) (*linkedca.Admin, error) {
@ -153,7 +153,7 @@ func TestHandler_extractAuthorizeTokenAdmin(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req.Header["Authorization"] = []string{"token"}
 			createdAt := time.Now()
 			var deletedAt time.Time
@ -324,7 +324,7 @@ func TestHandler_loadProvisionerByName(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			mockMustAuthority(t, tc.auth)
 			ctx := admin.NewContext(tc.ctx, tc.adminDB)
-			req := httptest.NewRequest("GET", "/foo", http.NoBody) // chi routing is prepared in test setup
+			req := httptest.NewRequest("GET", "/foo", nil) // chi routing is prepared in test setup
 			req = req.WithContext(ctx)

 			w := httptest.NewRecorder()
@ -399,7 +399,7 @@ func TestHandler_checkAction(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := admin.NewContext(context.Background(), tc.adminDB)
-			req := httptest.NewRequest("GET", "/foo", http.NoBody).WithContext(ctx)
+			req := httptest.NewRequest("GET", "/foo", nil).WithContext(ctx)
 			w := httptest.NewRecorder()
 			checkAction(tc.next, tc.supportedInStandalone)(w, req)
 			res := w.Result()
@ -643,7 +643,7 @@ func TestHandler_loadExternalAccountKey(t *testing.T) {
 		tc := prep(t)
 		t.Run(name, func(t *testing.T) {
 			ctx := acme.NewDatabaseContext(tc.ctx, tc.acmeDB)
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
 			loadExternalAccountKey(tc.next)(w, req)
--- a/authority/admin/api/policy.go
+++ b/authority/admin/api/policy.go
@ -35,7 +35,7 @@ type PolicyAdminResponder interface {
 // policyAdminResponder implements PolicyAdminResponder.
 type policyAdminResponder struct{}

-// NewPolicyAdminResponder returns a new PolicyAdminResponder.
+// NewACMEAdminResponder returns a new PolicyAdminResponder.
 func NewPolicyAdminResponder() PolicyAdminResponder {
 	return &policyAdminResponder{}
 }
@ -44,7 +44,7 @@ func NewPolicyAdminResponder() PolicyAdminResponder {
 func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -52,12 +52,12 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
 	authorityPolicy, err := auth.GetAuthorityPolicy(r.Context())
 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(ae, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}

@ -68,7 +68,7 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
 func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -77,26 +77,26 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r

 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
 		return
 	}

@ -105,11 +105,11 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 	var createdPolicy *linkedca.Policy
 	if createdPolicy, err = auth.CreateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error storing authority policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error storing authority policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error storing authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error storing authority policy"))
 		return
 	}

@ -120,7 +120,7 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -129,25 +129,25 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r

 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
 		return
 	}

@ -156,11 +156,11 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 	var updatedPolicy *linkedca.Policy
 	if updatedPolicy, err = auth.UpdateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating authority policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating authority policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error updating authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating authority policy"))
 		return
 	}

@ -171,7 +171,7 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -180,35 +180,35 @@ func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r

 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(ae, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}

 	if err := auth.RemoveAuthorityPolicy(ctx); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting authority policy"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 // GetProvisionerPolicy handles the GET /admin/provisioners/{name}/policy request
 func (par *policyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov := linkedca.MustProvisionerFromContext(ctx)
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}

@ -219,7 +219,7 @@ func (par *policyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *
 func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -227,20 +227,20 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "provisioner %s already has a policy", prov.Name)
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
 		return
 	}

@ -248,11 +248,11 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error creating provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating provisioner policy"))
 		return
 	}

@ -263,27 +263,27 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov := linkedca.MustProvisionerFromContext(ctx)
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
 		return
 	}

@ -291,11 +291,11 @@ func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error updating provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating provisioner policy"))
 		return
 	}

@ -306,13 +306,13 @@ func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov := linkedca.MustProvisionerFromContext(ctx)
 	if prov.Policy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}

@ -321,24 +321,24 @@ func (par *policyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter,

 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting provisioner policy"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 func (par *policyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}

@ -348,7 +348,7 @@ func (par *policyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *
 func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -357,20 +357,20 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "ACME EAK %s already has a policy", eak.Id)
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
 		return
 	}

@ -379,7 +379,7 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error creating ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating ACME EAK policy"))
 		return
 	}

@ -389,7 +389,7 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -397,20 +397,20 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
 		return
 	}

@ -418,7 +418,7 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating ACME EAK policy"))
 		return
 	}

@ -428,7 +428,7 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -436,7 +436,7 @@ func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}

@ -446,11 +446,11 @@ func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting ACME EAK policy"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 // blockLinkedCA blocks all API operations on linked deployments
--- a/authority/admin/api/policy_test.go
+++ b/authority/admin/api/policy_test.go
@ -241,7 +241,7 @@ func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
 			ctx := admin.NewContext(tc.ctx, tc.adminDB)
 			par := NewPolicyAdminResponder()

-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()

@ -1164,7 +1164,7 @@ func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
 			ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
 			par := NewPolicyAdminResponder()

-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()

@ -1986,7 +1986,7 @@ func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
 			ctx = acme.NewDatabaseContext(ctx, tc.acmeDB)
 			par := NewPolicyAdminResponder()

-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()

--- a/authority/admin/api/provisioner.go
+++ b/authority/admin/api/provisioner.go
@ -4,7 +4,7 @@ import (
 	"fmt"
 	"net/http"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"

 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
@ -38,21 +38,21 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
 	auth := mustAuthority(ctx)
 	db := admin.MustFromContext(ctx)

-	if id != "" {
+	if len(id) > 0 {
 		if p, err = auth.LoadProvisionerByID(id); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", id))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
 			return
 		}
 	} else {
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}
 	}

 	prov, err := db.GetProvisioner(ctx, p.GetID())
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	render.ProtoJSON(w, prov)
@ -62,17 +62,17 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
 func GetProvisioners(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := api.ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err,
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err,
 			"error parsing cursor and limit from query params"))
 		return
 	}

 	p, next, err := mustAuthority(r.Context()).GetProvisioners(cursor, limit)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &GetProvisionersResponse{
+	render.JSON(w, &GetProvisionersResponse{
 		Provisioners: p,
 		NextCursor:   next,
 	})
@ -82,24 +82,24 @@ func GetProvisioners(w http.ResponseWriter, r *http.Request) {
 func CreateProvisioner(w http.ResponseWriter, r *http.Request) {
 	var prov = new(linkedca.Provisioner)
 	if err := read.ProtoJSON(r.Body, prov); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	// TODO: Validate inputs
 	if err := authority.ValidateClaims(prov.Claims); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	// validate the templates and template data
 	if err := validateTemplates(prov.X509Template, prov.SshTemplate); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
 		return
 	}

 	if err := mustAuthority(r.Context()).StoreProvisioner(r.Context(), prov); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
+		render.Error(w, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
 		return
 	}
 	render.ProtoJSONStatus(w, prov, http.StatusCreated)
@ -116,31 +116,31 @@ func DeleteProvisioner(w http.ResponseWriter, r *http.Request) {
 	name := chi.URLParam(r, "name")
 	auth := mustAuthority(r.Context())

-	if id != "" {
+	if len(id) > 0 {
 		if p, err = auth.LoadProvisionerByID(id); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", id))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
 			return
 		}
 	} else {
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}
 	}

 	if err := auth.RemoveProvisioner(r.Context(), p.GetID()); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error removing provisioner %s", p.GetName()))
+		render.Error(w, admin.WrapErrorISE(err, "error removing provisioner %s", p.GetName()))
 		return
 	}

-	render.JSON(w, r, &DeleteResponse{Status: "ok"})
+	render.JSON(w, &DeleteResponse{Status: "ok"})
 }

 // UpdateProvisioner updates an existing prov.
 func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {
 	var nu = new(linkedca.Provisioner)
 	if err := read.ProtoJSON(r.Body, nu); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -151,51 +151,51 @@ func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {

 	p, err := auth.LoadProvisionerByName(name)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner from cached configuration '%s'", name))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner from cached configuration '%s'", name))
 		return
 	}

 	old, err := db.GetProvisioner(r.Context(), p.GetID())
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner from db '%s'", p.GetID()))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner from db '%s'", p.GetID()))
 		return
 	}

 	if nu.Id != old.Id {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner ID"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner ID"))
 		return
 	}
 	if nu.Type != old.Type {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner type"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner type"))
 		return
 	}
 	if nu.AuthorityId != old.AuthorityId {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner authorityID"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner authorityID"))
 		return
 	}
 	if !nu.CreatedAt.AsTime().Equal(old.CreatedAt.AsTime()) {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner createdAt"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner createdAt"))
 		return
 	}
 	if !nu.DeletedAt.AsTime().Equal(old.DeletedAt.AsTime()) {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner deletedAt"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner deletedAt"))
 		return
 	}

 	// TODO: Validate inputs
 	if err := authority.ValidateClaims(nu.Claims); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	// validate the templates and template data
 	if err := validateTemplates(nu.X509Template, nu.SshTemplate); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
 		return
 	}

 	if err := auth.UpdateProvisioner(r.Context(), nu); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	render.ProtoJSON(w, nu)
--- a/authority/admin/api/provisioner_test.go
+++ b/authority/admin/api/provisioner_test.go
@ -12,7 +12,7 @@ import (
 	"testing"
 	"time"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"google.golang.org/protobuf/encoding/protojson"
@ -37,7 +37,7 @@ func TestHandler_GetProvisioner(t *testing.T) {
 	}
 	var tests = map[string]func(t *testing.T) test{
 		"fail/auth.LoadProvisionerByID": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo?id=provID", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo?id=provID", nil)
 			chiCtx := chi.NewRouteContext()
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
 			auth := &mockAdminAuthority{
@ -61,7 +61,7 @@ func TestHandler_GetProvisioner(t *testing.T) {
 			}
 		},
 		"fail/auth.LoadProvisionerByName": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			chiCtx := chi.NewRouteContext()
 			chiCtx.URLParams.Add("name", "provName")
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
@ -86,7 +86,7 @@ func TestHandler_GetProvisioner(t *testing.T) {
 			}
 		},
 		"fail/db.GetProvisioner": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			chiCtx := chi.NewRouteContext()
 			chiCtx.URLParams.Add("name", "provName")
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
@ -120,7 +120,7 @@ func TestHandler_GetProvisioner(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			chiCtx := chi.NewRouteContext()
 			chiCtx.URLParams.Add("name", "provName")
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
@ -208,7 +208,7 @@ func TestHandler_GetProvisioners(t *testing.T) {
 	}
 	var tests = map[string]func(t *testing.T) test{
 		"fail/parse-cursor": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo?limit=X", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo?limit=X", nil)
 			return test{
 				ctx:        context.Background(),
 				statusCode: 400,
@ -222,7 +222,7 @@ func TestHandler_GetProvisioners(t *testing.T) {
 			}
 		},
 		"fail/auth.GetProvisioners": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			auth := &mockAdminAuthority{
 				MockGetProvisioners: func(cursor string, limit int) (provisioner.List, string, error) {
 					assert.Equals(t, "", cursor)
@ -244,7 +244,7 @@ func TestHandler_GetProvisioners(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) test {
-			req := httptest.NewRequest("GET", "/foo", http.NoBody)
+			req := httptest.NewRequest("GET", "/foo", nil)
 			provisioners := provisioner.List{
 				&provisioner.OIDC{
 					Type: "OIDC",
@ -481,7 +481,7 @@ func TestHandler_DeleteProvisioner(t *testing.T) {
 	}
 	var tests = map[string]func(t *testing.T) test{
 		"fail/auth.LoadProvisionerByID": func(t *testing.T) test {
-			req := httptest.NewRequest("DELETE", "/foo?id=provID", http.NoBody)
+			req := httptest.NewRequest("DELETE", "/foo?id=provID", nil)
 			chiCtx := chi.NewRouteContext()
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
 			auth := &mockAdminAuthority{
@ -504,7 +504,7 @@ func TestHandler_DeleteProvisioner(t *testing.T) {
 			}
 		},
 		"fail/auth.LoadProvisionerByName": func(t *testing.T) test {
-			req := httptest.NewRequest("DELETE", "/foo", http.NoBody)
+			req := httptest.NewRequest("DELETE", "/foo", nil)
 			chiCtx := chi.NewRouteContext()
 			chiCtx.URLParams.Add("name", "provName")
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
@ -528,7 +528,7 @@ func TestHandler_DeleteProvisioner(t *testing.T) {
 			}
 		},
 		"fail/auth.RemoveProvisioner": func(t *testing.T) test {
-			req := httptest.NewRequest("DELETE", "/foo", http.NoBody)
+			req := httptest.NewRequest("DELETE", "/foo", nil)
 			chiCtx := chi.NewRouteContext()
 			chiCtx.URLParams.Add("name", "provName")
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
@ -560,7 +560,7 @@ func TestHandler_DeleteProvisioner(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) test {
-			req := httptest.NewRequest("DELETE", "/foo", http.NoBody)
+			req := httptest.NewRequest("DELETE", "/foo", nil)
 			chiCtx := chi.NewRouteContext()
 			chiCtx.URLParams.Add("name", "provName")
 			ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
--- a/authority/admin/api/webhook.go
+++ b/authority/admin/api/webhook.go
@ -6,7 +6,7 @@ import (
 	"net/http"
 	"net/url"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/smallstep/certificates/api/read"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/admin"
@ -56,8 +56,10 @@ func validateWebhook(webhook *linkedca.Webhook) error {
 	}

 	// kind
-	if _, ok := linkedca.Webhook_Kind_name[int32(webhook.Kind)]; !ok || webhook.Kind == linkedca.Webhook_NO_KIND {
-		return admin.NewError(admin.ErrorBadRequestType, "webhook kind %q is invalid", webhook.Kind)
+	switch webhook.Kind {
+	case linkedca.Webhook_ENRICHING, linkedca.Webhook_AUTHORIZING:
+	default:
+		return admin.NewError(admin.ErrorBadRequestType, "webhook kind is invalid")
 	}

 	return nil
@ -71,28 +73,28 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter

 	var newWebhook = new(linkedca.Webhook)
 	if err := read.ProtoJSON(r.Body, newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	if err := validateWebhook(newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if newWebhook.Secret != "" {
 		err := admin.NewError(admin.ErrorBadRequestType, "webhook secret must not be set")
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if newWebhook.Id != "" {
 		err := admin.NewError(admin.ErrorBadRequestType, "webhook ID must not be set")
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	id, err := randutil.UUIDv4()
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook id"))
+		render.Error(w, admin.WrapErrorISE(err, "error generating webhook id"))
 		return
 	}
 	newWebhook.Id = id
@ -101,14 +103,14 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 	for _, wh := range prov.Webhooks {
 		if wh.Name == newWebhook.Name {
 			err := admin.NewError(admin.ErrorConflictType, "provisioner %q already has a webhook with the name %q", prov.Name, newWebhook.Name)
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 	}

 	secret, err := randutil.Bytes(64)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook secret"))
+		render.Error(w, admin.WrapErrorISE(err, "error generating webhook secret"))
 		return
 	}
 	newWebhook.Secret = base64.StdEncoding.EncodeToString(secret)
@ -117,11 +119,11 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter

 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner webhook"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error creating provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating provisioner webhook"))
 		return
 	}

@ -145,21 +147,21 @@ func (war *webhookAdminResponder) DeleteProvisionerWebhook(w http.ResponseWriter
 		}
 	}
 	if !found {
-		render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+		render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 		return
 	}

 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error deleting provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error deleting provisioner webhook"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting provisioner webhook"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter, r *http.Request) {
@ -170,12 +172,12 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter

 	var newWebhook = new(linkedca.Webhook)
 	if err := read.ProtoJSON(r.Body, newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	if err := validateWebhook(newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -186,13 +188,13 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 		}
 		if newWebhook.Secret != "" && newWebhook.Secret != wh.Secret {
 			err := admin.NewError(admin.ErrorBadRequestType, "webhook secret cannot be updated")
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		newWebhook.Secret = wh.Secret
 		if newWebhook.Id != "" && newWebhook.Id != wh.Id {
 			err := admin.NewError(admin.ErrorBadRequestType, "webhook ID cannot be updated")
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		newWebhook.Id = wh.Id
@ -203,17 +205,17 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 	if !found {
 		msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
 		err := admin.NewError(admin.ErrorNotFoundType, msg)
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner webhook"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error updating provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating provisioner webhook"))
 		return
 	}

--- a/authority/admin/api/webhook_test.go
+++ b/authority/admin/api/webhook_test.go
@ -6,12 +6,11 @@ import (
 	"encoding/json"
 	"errors"
 	"io"
-	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"

-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/stretchr/testify/assert"
@ -181,26 +180,6 @@ func TestWebhookAdminResponder_CreateProvisionerWebhook(t *testing.T) {
 				statusCode: 400,
 			}
 		},
-		"fail/unsupported-webhook-kind": func(t *testing.T) test {
-			prov := &linkedca.Provisioner{
-				Name: "provName",
-			}
-			ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
-			adminErr := admin.NewError(admin.ErrorBadRequestType, `(line 5:13): invalid value for enum type: "UNSUPPORTED"`)
-			adminErr.Message = `(line 5:13): invalid value for enum type: "UNSUPPORTED"`
-			body := []byte(`
-			{
-				"name": "metadata",
-				"url": "https://example.com",
-				"kind": "UNSUPPORTED",
-			}`)
-			return test{
-				ctx:        ctx,
-				body:       body,
-				err:        adminErr,
-				statusCode: 400,
-			}
-		},
 		"fail/auth.UpdateProvisioner-error": func(t *testing.T) test {
 			adm := &linkedca.Admin{
 				Subject: "step",
@ -376,7 +355,7 @@ func TestWebhookAdminResponder_DeleteProvisionerWebhook(t *testing.T) {
 			}
 			ctx = linkedca.NewContextWithProvisioner(ctx, prov)
 			ctx = admin.NewContext(ctx, &admin.MockDB{})
-			req := httptest.NewRequest("DELETE", "/foo", http.NoBody).WithContext(ctx)
+			req := httptest.NewRequest("DELETE", "/foo", nil).WithContext(ctx)

 			war := NewWebhookAdminResponder()

--- a/authority/admin/db.go
+++ b/authority/admin/db.go
@ -92,14 +92,11 @@ func FromContext(ctx context.Context) (db DB, ok bool) {
 // MustFromContext returns the current admin database from the given context. It
 // will panic if it's not in the context.
 func MustFromContext(ctx context.Context) DB {
-	var (
-		db DB
-		ok bool
-	)
-	if db, ok = FromContext(ctx); !ok {
+	if db, ok := FromContext(ctx); !ok {
 		panic("admin database is not in the context")
+	} else {
+		return db
 	}
-	return db
 }

 // MockDB is an implementation of the DB interface that should only be used as
--- a/authority/admin/db/nosql/admin.go
+++ b/authority/admin/db/nosql/admin.go
@ -40,7 +40,7 @@ func (dba *dbAdmin) clone() *dbAdmin {
 	return &u
 }

-func (db *DB) getDBAdminBytes(_ context.Context, id string) ([]byte, error) {
+func (db *DB) getDBAdminBytes(ctx context.Context, id string) ([]byte, error) {
 	data, err := db.db.Get(adminsTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, admin.NewError(admin.ErrorNotFoundType, "admin %s not found", id)
@ -102,7 +102,7 @@ func (db *DB) GetAdmin(ctx context.Context, id string) (*linkedca.Admin, error)
 // GetAdmins retrieves and unmarshals all active (not deleted) admins
 // from the database.
 // TODO should we be paginating?
-func (db *DB) GetAdmins(context.Context) ([]*linkedca.Admin, error) {
+func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) {
 	dbEntries, err := db.db.List(adminsTable)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading admins")
@ -115,10 +115,12 @@ func (db *DB) GetAdmins(context.Context) ([]*linkedca.Admin, error) {
 			if errors.As(err, &ae) {
 				if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
 					continue
+				} else {
+					return nil, err
 				}
+			} else {
 				return nil, err
 			}
-			return nil, err
 		}
 		if adm.AuthorityId != db.authorityID {
 			continue
--- a/authority/admin/db/nosql/admin_test.go
+++ b/authority/admin/db/nosql/admin_test.go
@ -857,7 +857,7 @@ func TestDB_CreateAdmin(t *testing.T) {
 						var _dba = new(dbAdmin)
 						assert.FatalError(t, json.Unmarshal(nu, _dba))

-						assert.True(t, _dba.ID != "" && _dba.ID == string(key))
+						assert.True(t, len(_dba.ID) > 0 && _dba.ID == string(key))
 						assert.Equals(t, _dba.AuthorityID, adm.AuthorityId)
 						assert.Equals(t, _dba.ProvisionerID, adm.ProvisionerId)
 						assert.Equals(t, _dba.Subject, adm.Subject)
@ -890,7 +890,7 @@ func TestDB_CreateAdmin(t *testing.T) {
 						var _dba = new(dbAdmin)
 						assert.FatalError(t, json.Unmarshal(nu, _dba))

-						assert.True(t, _dba.ID != "" && _dba.ID == string(key))
+						assert.True(t, len(_dba.ID) > 0 && _dba.ID == string(key))
 						assert.Equals(t, _dba.AuthorityID, adm.AuthorityId)
 						assert.Equals(t, _dba.ProvisionerID, adm.ProvisionerId)
 						assert.Equals(t, _dba.Subject, adm.Subject)
--- a/authority/admin/db/nosql/nosql.go
+++ b/authority/admin/db/nosql/nosql.go
@ -36,7 +36,7 @@ func New(db nosqlDB.DB, authorityID string) (*DB, error) {

 // save writes the new data to the database, overwriting the old data if it
 // existed.
-func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error {
+func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error {
 	var (
 		err  error
 		newB []byte
--- a/authority/admin/db/nosql/policy.go
+++ b/authority/admin/db/nosql/policy.go
@ -71,7 +71,7 @@ func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy {
 	return dbToLinked(dbap.Policy)
 }

-func (db *DB) getDBAuthorityPolicyBytes(_ context.Context, authorityID string) ([]byte, error) {
+func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) {
 	data, err := db.db.Get(authorityPoliciesTable, []byte(authorityID))
 	if nosql.IsErrNotFound(err) {
 		return nil, admin.NewError(admin.ErrorNotFoundType, "authority policy not found")
--- a/authority/admin/db/nosql/provisioner.go
+++ b/authority/admin/db/nosql/provisioner.go
@ -70,7 +70,7 @@ func (dbp *dbProvisioner) convert2linkedca() (*linkedca.Provisioner, error) {
 	}, nil
 }

-func (db *DB) getDBProvisionerBytes(_ context.Context, id string) ([]byte, error) {
+func (db *DB) getDBProvisionerBytes(ctx context.Context, id string) ([]byte, error) {
 	data, err := db.db.Get(provisionersTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, admin.NewError(admin.ErrorNotFoundType, "provisioner %s not found", id)
@ -132,7 +132,7 @@ func (db *DB) GetProvisioner(ctx context.Context, id string) (*linkedca.Provisio

 // GetProvisioners retrieves and unmarshals all active (not deleted) provisioners
 // from the database.
-func (db *DB) GetProvisioners(_ context.Context) ([]*linkedca.Provisioner, error) {
+func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, error) {
 	dbEntries, err := db.db.List(provisionersTable)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading provisioners")
@ -145,10 +145,12 @@ func (db *DB) GetProvisioners(_ context.Context) ([]*linkedca.Provisioner, error
 			if errors.As(err, &ae) {
 				if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
 					continue
+				} else {
+					return nil, err
 				}
+			} else {
 				return nil, err
 			}
-			return nil, err
 		}
 		if prov.AuthorityId != db.authorityID {
 			continue
--- a/authority/admin/db/nosql/provisioner_test.go
+++ b/authority/admin/db/nosql/provisioner_test.go
@ -906,7 +906,7 @@ func TestDB_CreateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
@ -944,7 +944,7 @@ func TestDB_CreateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
@ -1093,7 +1093,7 @@ func TestDB_UpdateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
@ -1188,7 +1188,7 @@ func TestDB_UpdateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
--- a/authority/admin/errors.go
+++ b/authority/admin/errors.go
@ -205,8 +205,8 @@ func (e *Error) ToLog() (interface{}, error) {
 }

 // Render implements render.RenderableError for Error.
-func (e *Error) Render(w http.ResponseWriter, r *http.Request) {
+func (e *Error) Render(w http.ResponseWriter) {
 	e.Message = e.Err.Error()

-	render.JSONStatus(w, r, e, e.StatusCode())
+	render.JSONStatus(w, e, e.StatusCode())
 }
--- a/authority/authority.go
+++ b/authority/authority.go
@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
@ -62,10 +61,7 @@ type Authority struct {
 	x509Enforcers         []provisioner.CertificateEnforcer

 	// SCEP CA
-	scepOptions    *scep.Options
-	validateSCEP   bool
-	scepAuthority  *scep.Authority
-	scepKeyManager provisioner.SCEPKeyManager
+	scepService *scep.Service

 	// SSH CA
 	sshHostPassword         []byte
@ -77,11 +73,6 @@ type Authority struct {
 	sshCAUserFederatedCerts []ssh.PublicKey
 	sshCAHostFederatedCerts []ssh.PublicKey

-	// CRL vars
-	crlTicker  *time.Ticker
-	crlStopper chan struct{}
-	crlMutex   sync.Mutex
-
 	// If true, do not re-initialize
 	initOnce  bool
 	startTime time.Time
@ -105,9 +96,6 @@ type Authority struct {

 	// If true, do not output initialization logs
 	quietInit bool
-
-	// Called whenever applicable, in order to instrument the authority.
-	meter Meter
 }

 // Info contains information about the authority.
@ -129,8 +117,6 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 	var a = &Authority{
 		config:       cfg,
 		certificates: new(sync.Map),
-		validateSCEP: true,
-		meter:        noopMeter{},
 	}

 	// Apply options.
@ -139,9 +125,6 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 			return nil, err
 		}
 	}
-	if a.keyManager != nil {
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
-	}

 	if !a.skipInit {
 		// Initialize authority from options or configuration.
@ -159,7 +142,6 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 	a := &Authority{
 		config:       &config.Config{},
 		certificates: new(sync.Map),
-		meter:        noopMeter{},
 	}

 	// Apply options.
@ -168,9 +150,6 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 			return nil, err
 		}
 	}
-	if a.keyManager != nil {
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
-	}

 	// Validate required options
 	switch {
@ -213,14 +192,11 @@ func FromContext(ctx context.Context) (a *Authority, ok bool) {
 // MustFromContext returns the current authority from the given context. It will
 // panic if the authority is not in the context.
 func MustFromContext(ctx context.Context) *Authority {
-	var (
-		a  *Authority
-		ok bool
-	)
-	if a, ok = FromContext(ctx); !ok {
+	if a, ok := FromContext(ctx); !ok {
 		panic("authority is not in the context")
+	} else {
+		return a
 	}
-	return a
 }

 // ReloadAdminResources reloads admins and provisioners from the DB.
@ -280,24 +256,6 @@ func (a *Authority) ReloadAdminResources(ctx context.Context) error {
 	a.config.AuthorityConfig.Admins = adminList
 	a.admins = adminClxn

-	switch {
-	case a.requiresSCEP() && a.GetSCEP() == nil:
-		// TODO(hs): try to initialize SCEP here too? It's a bit
-		// problematic if this method is called as part of an update
-		// via Admin API and a password needs to be provided.
-	case a.requiresSCEP() && a.GetSCEP() != nil:
-		// update the SCEP Authority with the currently active SCEP
-		// provisioner names and revalidate the configuration.
-		a.scepAuthority.UpdateProvisioners(a.getSCEPProvisionerNames())
-		if err := a.scepAuthority.Validate(); err != nil {
-			log.Printf("failed validating SCEP authority: %v\n", err)
-		}
-	case !a.requiresSCEP() && a.GetSCEP() != nil:
-		// TODO(hs): don't remove the authority if we can't also
-		// reload it.
-		//a.scepAuthority = nil
-	}
-
 	return nil
 }

@ -349,8 +307,6 @@ func (a *Authority) init() error {
 		if err != nil {
 			return err
 		}
-
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
 	}

 	// Initialize linkedca client if necessary. On a linked RA, the issuer
@ -447,19 +403,18 @@ func (a *Authority) init() error {
 				return err
 			}
 			a.rootX509Certs = append(a.rootX509Certs, resp.RootCertificate)
-			a.intermediateX509Certs = append(a.intermediateX509Certs, resp.IntermediateCertificates...)
 		}
 	}

 	// Read root certificates and store them in the certificates map.
 	if len(a.rootX509Certs) == 0 {
-		a.rootX509Certs = make([]*x509.Certificate, 0, len(a.config.Root))
-		for _, path := range a.config.Root {
-			crts, err := pemutil.ReadCertificateBundle(path)
+		a.rootX509Certs = make([]*x509.Certificate, len(a.config.Root))
+		for i, path := range a.config.Root {
+			crt, err := pemutil.ReadCertificate(path)
 			if err != nil {
 				return err
 			}
-			a.rootX509Certs = append(a.rootX509Certs, crts...)
+			a.rootX509Certs[i] = crt
 		}
 	}
 	for _, crt := range a.rootX509Certs {
@ -474,13 +429,13 @@ func (a *Authority) init() error {

 	// Read federated certificates and store them in the certificates map.
 	if len(a.federatedX509Certs) == 0 {
-		a.federatedX509Certs = make([]*x509.Certificate, 0, len(a.config.FederatedRoots))
-		for _, path := range a.config.FederatedRoots {
-			crts, err := pemutil.ReadCertificateBundle(path)
+		a.federatedX509Certs = make([]*x509.Certificate, len(a.config.FederatedRoots))
+		for i, path := range a.config.FederatedRoots {
+			crt, err := pemutil.ReadCertificate(path)
 			if err != nil {
 				return err
 			}
-			a.federatedX509Certs = append(a.federatedX509Certs, crts...)
+			a.federatedX509Certs[i] = crt
 		}
 	}
 	for _, crt := range a.federatedX509Certs {
@ -585,6 +540,50 @@ func (a *Authority) init() error {
 		tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts...)
 	}

+	// Check if a KMS with decryption capability is required and available
+	if a.requiresDecrypter() {
+		if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
+			return errors.New("keymanager doesn't provide crypto.Decrypter")
+		}
+	}
+
+	// TODO: decide if this is a good approach for providing the SCEP functionality
+	// It currently mirrors the logic for the x509CAService
+	if a.requiresSCEPService() && a.scepService == nil {
+		var options scep.Options
+
+		// Read intermediate and create X509 signer and decrypter for default CAS.
+		options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
+		if err != nil {
+			return err
+		}
+		options.CertificateChain = append(options.CertificateChain, a.rootX509Certs...)
+		options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
+			SigningKey: a.config.IntermediateKey,
+			Password:   a.password,
+		})
+		if err != nil {
+			return err
+		}
+
+		if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
+			options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+				DecryptionKey: a.config.IntermediateKey,
+				Password:      a.password,
+			})
+			if err != nil {
+				return err
+			}
+		}
+
+		a.scepService, err = scep.NewService(ctx, options)
+		if err != nil {
+			return err
+		}
+
+		// TODO: mimick the x509CAService GetCertificateAuthority here too?
+	}
+
 	if a.config.AuthorityConfig.EnableAdmin {
 		// Initialize step-ca Admin Database if it's not already initialized using
 		// WithAdminDB.
@ -680,95 +679,6 @@ func (a *Authority) init() error {
 		return err
 	}

-	// The SCEP functionality is provided through an instance of
-	// scep.Authority. It is initialized when the CA is started and
-	// if it doesn't exist yet. It gets refreshed if it already
-	// exists. If the SCEP authority is no longer required on reload,
-	// it gets removed.
-	// TODO(hs): reloading through SIGHUP doesn't hit these cases. This
-	// is because an entirely new authority.Authority is created, including
-	// a new scep.Authority. Look into this to see if we want this to
-	// keep working like that, or want to reuse a single instance and
-	// update that.
-	switch {
-	case a.requiresSCEP() && a.GetSCEP() == nil:
-		if a.scepOptions == nil {
-			options := &scep.Options{
-				Roots:         a.rootX509Certs,
-				Intermediates: a.intermediateX509Certs,
-			}
-
-			// intermediate certificates can be empty in RA mode
-			if len(a.intermediateX509Certs) > 0 {
-				options.SignerCert = a.intermediateX509Certs[0]
-			}
-
-			// attempt to create the (default) SCEP signer if the intermediate
-			// key is configured.
-			if a.config.IntermediateKey != "" {
-				if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-					SigningKey: a.config.IntermediateKey,
-					Password:   a.password,
-				}); err != nil {
-					return err
-				}
-
-				// TODO(hs): instead of creating the decrypter here, pass the
-				// intermediate key + chain down to the SCEP authority,
-				// and only instantiate it when required there. Is that possible?
-				// Also with entering passwords?
-				// TODO(hs): if moving the logic, try improving the logic for the
-				// decrypter password too? Right now it needs to be entered multiple
-				// times; I've observed it to be three times maximum, every time
-				// the intermediate key is read.
-				_, isRSAKey := options.Signer.Public().(*rsa.PublicKey)
-				if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSAKey {
-					if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-						DecryptionKey: a.config.IntermediateKey,
-						Password:      a.password,
-					}); err == nil {
-						// only pass the decrypter down when it was successfully created,
-						// meaning it's an RSA key, and `CreateDecrypter` did not fail.
-						options.Decrypter = decrypter
-						options.DecrypterCert = options.Intermediates[0]
-					}
-				}
-			}
-
-			a.scepOptions = options
-		}
-
-		// provide the current SCEP provisioner names, so that the provisioners
-		// can be validated when the CA is started.
-		a.scepOptions.SCEPProvisionerNames = a.getSCEPProvisionerNames()
-
-		// create a new SCEP authority
-		scepAuthority, err := scep.New(a, *a.scepOptions)
-		if err != nil {
-			return err
-		}
-
-		if a.validateSCEP {
-			// validate the SCEP authority
-			if err := scepAuthority.Validate(); err != nil {
-				a.initLogf("failed validating SCEP authority: %v", err)
-			}
-		}
-
-		// set the SCEP authority
-		a.scepAuthority = scepAuthority
-	case !a.requiresSCEP() && a.GetSCEP() != nil:
-		// clear the SCEP authority if it's no longer required
-		a.scepAuthority = nil
-	case a.requiresSCEP() && a.GetSCEP() != nil:
-		// update the SCEP Authority with the currently active SCEP
-		// provisioner names and revalidate the configuration.
-		a.scepAuthority.UpdateProvisioners(a.getSCEPProvisionerNames())
-		if err := a.scepAuthority.Validate(); err != nil {
-			log.Printf("failed validating SCEP authority: %v\n", err)
-		}
-	}
-
 	// Load X509 constraints engine.
 	//
 	// This is currently only available in CA mode.
@ -801,18 +711,6 @@ func (a *Authority) init() error {
 		a.templates.Data["Step"] = tmplVars
 	}

-	// Start the CRL generator, we can assume the configuration is validated.
-	if a.config.CRL.IsEnabled() {
-		// Default cache duration to the default one
-		if v := a.config.CRL.CacheDuration; v == nil || v.Duration <= 0 {
-			a.config.CRL.CacheDuration = config.DefaultCRLCacheDuration
-		}
-		// Start CRL generator
-		if err := a.startCRLGenerator(); err != nil {
-			return err
-		}
-	}
-
 	// JWT numeric dates are seconds.
 	a.startTime = time.Now().Truncate(time.Second)
 	// Set flag indicating that initialization has been completed, and should
@ -879,11 +777,6 @@ func (a *Authority) IsAdminAPIEnabled() bool {

 // Shutdown safely shuts down any clients, databases, etc. held by the Authority.
 func (a *Authority) Shutdown() error {
-	if a.crlTicker != nil {
-		a.crlTicker.Stop()
-		close(a.crlStopper)
-	}
-
 	if err := a.keyManager.Close(); err != nil {
 		log.Printf("error closing the key manager: %v", err)
 	}
@ -892,11 +785,6 @@ func (a *Authority) Shutdown() error {

 // CloseForReload closes internal services, to allow a safe reload.
 func (a *Authority) CloseForReload() {
-	if a.crlTicker != nil {
-		a.crlTicker.Stop()
-		close(a.crlStopper)
-	}
-
 	if err := a.keyManager.Close(); err != nil {
 		log.Printf("error closing the key manager: %v", err)
 	}
@ -918,68 +806,30 @@ func (a *Authority) IsRevoked(sn string) (bool, error) {
 	return a.db.IsRevoked(sn)
 }

-// requiresSCEP iterates over the configured provisioners
-// and determines if at least one of them is a SCEP provisioner.
-func (a *Authority) requiresSCEP() bool {
-	for _, p := range a.config.AuthorityConfig.Provisioners {
-		if p.GetType() == provisioner.TypeSCEP {
-			return true
-		}
-	}
-	return false
+// requiresDecrypter returns whether the Authority
+// requires a KMS that provides a crypto.Decrypter
+// Currently this is only required when SCEP is
+// enabled.
+func (a *Authority) requiresDecrypter() bool {
+	return a.requiresSCEPService()
 }

-// getSCEPProvisionerNames returns the names of the SCEP provisioners
-// that are currently available in the CA.
-func (a *Authority) getSCEPProvisionerNames() (names []string) {
+// requiresSCEPService iterates over the configured provisioners
+// and determines if one of them is a SCEP provisioner.
+func (a *Authority) requiresSCEPService() bool {
 	for _, p := range a.config.AuthorityConfig.Provisioners {
 		if p.GetType() == provisioner.TypeSCEP {
-			names = append(names, p.GetName())
+			return true
 		}
 	}
-
-	return
-}
-
-// GetSCEP returns the configured SCEP Authority
-func (a *Authority) GetSCEP() *scep.Authority {
-	return a.scepAuthority
+	return false
 }

-func (a *Authority) startCRLGenerator() error {
-	if !a.config.CRL.IsEnabled() {
-		return nil
-	}
-
-	// Check that there is a valid CRL in the DB right now. If it doesn't exist
-	// or is expired, generate one now
-	_, ok := a.db.(db.CertificateRevocationListDB)
-	if !ok {
-		return errors.Errorf("CRL Generation requested, but database does not support CRL generation")
-	}
-
-	// Always create a new CRL on startup in case the CA has been down and the
-	// time to next expected CRL update is less than the cache duration.
-	if err := a.GenerateCertificateRevocationList(); err != nil {
-		return errors.Wrap(err, "could not generate a CRL")
-	}
-
-	a.crlStopper = make(chan struct{}, 1)
-	a.crlTicker = time.NewTicker(a.config.CRL.TickerDuration())
-
-	go func() {
-		for {
-			select {
-			case <-a.crlTicker.C:
-				log.Println("Regenerating CRL")
-				if err := a.GenerateCertificateRevocationList(); err != nil {
-					log.Printf("error regenerating the CRL: %v", err)
-				}
-			case <-a.crlStopper:
-				return
-			}
-		}
-	}()
-
-	return nil
+// GetSCEPService returns the configured SCEP Service
+// TODO: this function is intended to exist temporarily
+// in order to make SCEP work more easily. It can be
+// made more correct by using the right interfaces/abstractions
+// after it works as expected.
+func (a *Authority) GetSCEPService() *scep.Service {
+	return a.scepService
 }
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@ -1,16 +1,13 @@
 package authority

 import (
-	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
-	"encoding/pem"
 	"net"
 	"os"
-	"path/filepath"
 	"reflect"
 	"testing"
 	"time"
@ -21,7 +18,6 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"go.step.sm/crypto/jose"
-	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 )

@ -113,7 +109,7 @@ func TestAuthorityNew(t *testing.T) {
 			c.Root = []string{"foo"}
 			return &newTest{
 				config: c,
-				err:    errors.New(`error reading "foo": no such file or directory`),
+				err:    errors.New("error reading foo: no such file or directory"),
 			}
 		},
 		"fail bad password": func(t *testing.T) *newTest {
@ -131,7 +127,7 @@ func TestAuthorityNew(t *testing.T) {
 			c.IntermediateCert = "wrong"
 			return &newTest{
 				config: c,
-				err:    errors.New(`error reading "wrong": no such file or directory`),
+				err:    errors.New("error reading wrong: no such file or directory"),
 			}
 		},
 	}
@ -176,130 +172,6 @@ func TestAuthorityNew(t *testing.T) {
 	}
 }

-func TestAuthorityNew_bundles(t *testing.T) {
-	ca0, err := minica.New()
-	if err != nil {
-		t.Fatal(err)
-	}
-	ca1, err := minica.New()
-	if err != nil {
-		t.Fatal(err)
-	}
-	ca2, err := minica.New()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	rootPath := t.TempDir()
-	writeCert := func(fn string, certs ...*x509.Certificate) error {
-		var b []byte
-		for _, crt := range certs {
-			b = append(b, pem.EncodeToMemory(&pem.Block{
-				Type:  "CERTIFICATE",
-				Bytes: crt.Raw,
-			})...)
-		}
-		return os.WriteFile(filepath.Join(rootPath, fn), b, 0600)
-	}
-	writeKey := func(fn string, signer crypto.Signer) error {
-		_, err := pemutil.Serialize(signer, pemutil.ToFile(filepath.Join(rootPath, fn), 0600))
-		return err
-	}
-
-	if err := writeCert("root0.crt", ca0.Root); err != nil {
-		t.Fatal(err)
-	}
-	if err := writeCert("int0.crt", ca0.Intermediate); err != nil {
-		t.Fatal(err)
-	}
-	if err := writeKey("int0.key", ca0.Signer); err != nil {
-		t.Fatal(err)
-	}
-	if err := writeCert("root1.crt", ca1.Root); err != nil {
-		t.Fatal(err)
-	}
-	if err := writeCert("int1.crt", ca1.Intermediate); err != nil {
-		t.Fatal(err)
-	}
-	if err := writeKey("int1.key", ca1.Signer); err != nil {
-		t.Fatal(err)
-	}
-	if err := writeCert("bundle0.crt", ca0.Root, ca1.Root); err != nil {
-		t.Fatal(err)
-	}
-	if err := writeCert("bundle1.crt", ca1.Root, ca2.Root); err != nil {
-		t.Fatal(err)
-	}
-
-	tests := []struct {
-		name    string
-		config  *config.Config
-		wantErr bool
-	}{
-		{"ok ca0", &config.Config{
-			Address:          "127.0.0.1:443",
-			Root:             []string{filepath.Join(rootPath, "root0.crt")},
-			IntermediateCert: filepath.Join(rootPath, "int0.crt"),
-			IntermediateKey:  filepath.Join(rootPath, "int0.key"),
-			DNSNames:         []string{"127.0.0.1"},
-			AuthorityConfig:  &AuthConfig{},
-		}, false},
-		{"ok bundle", &config.Config{
-			Address:          "127.0.0.1:443",
-			Root:             []string{filepath.Join(rootPath, "bundle0.crt")},
-			IntermediateCert: filepath.Join(rootPath, "int0.crt"),
-			IntermediateKey:  filepath.Join(rootPath, "int0.key"),
-			DNSNames:         []string{"127.0.0.1"},
-			AuthorityConfig:  &AuthConfig{},
-		}, false},
-		{"ok federated ca1", &config.Config{
-			Address:          "127.0.0.1:443",
-			Root:             []string{filepath.Join(rootPath, "root0.crt")},
-			FederatedRoots:   []string{filepath.Join(rootPath, "root1.crt")},
-			IntermediateCert: filepath.Join(rootPath, "int0.crt"),
-			IntermediateKey:  filepath.Join(rootPath, "int0.key"),
-			DNSNames:         []string{"127.0.0.1"},
-			AuthorityConfig:  &AuthConfig{},
-		}, false},
-		{"ok federated bundle", &config.Config{
-			Address:          "127.0.0.1:443",
-			Root:             []string{filepath.Join(rootPath, "root0.crt")},
-			FederatedRoots:   []string{filepath.Join(rootPath, "bundle1.crt")},
-			IntermediateCert: filepath.Join(rootPath, "int0.crt"),
-			IntermediateKey:  filepath.Join(rootPath, "int0.key"),
-			DNSNames:         []string{"127.0.0.1"},
-			AuthorityConfig:  &AuthConfig{},
-		}, false},
-		{"fail root", &config.Config{
-			Address:          "127.0.0.1:443",
-			Root:             []string{filepath.Join(rootPath, "missing.crt")},
-			IntermediateCert: filepath.Join(rootPath, "int0.crt"),
-			IntermediateKey:  filepath.Join(rootPath, "int0.key"),
-			DNSNames:         []string{"127.0.0.1"},
-			AuthorityConfig:  &AuthConfig{},
-		}, true},
-		{"fail federated", &config.Config{
-			Address:          "127.0.0.1:443",
-			Root:             []string{filepath.Join(rootPath, "root0.crt")},
-			FederatedRoots:   []string{filepath.Join(rootPath, "missing.crt")},
-			IntermediateCert: filepath.Join(rootPath, "int0.crt"),
-			IntermediateKey:  filepath.Join(rootPath, "int0.key"),
-			DNSNames:         []string{"127.0.0.1"},
-			AuthorityConfig:  &AuthConfig{},
-		}, true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			_, err := New(tt.config)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-		})
-	}
-}
-
 func TestAuthority_GetDatabase(t *testing.T) {
 	auth := testAuthority(t)
 	authWithDatabase, err := New(auth.config, WithDatabase(auth.db))
@ -415,7 +287,7 @@ func TestNewEmbedded_Sign(t *testing.T) {
 	csr, err := x509.ParseCertificateRequest(cr)
 	assert.FatalError(t, err)

-	cert, err := a.SignWithContext(context.Background(), csr, provisioner.SignOptions{})
+	cert, err := a.Sign(csr, provisioner.SignOptions{})
 	assert.FatalError(t, err)
 	assert.Equals(t, []string{"foo.bar.zar"}, cert[0].DNSNames)
 	assert.Equals(t, crt, cert[1])
@ -479,7 +351,7 @@ func testScepAuthority(t *testing.T, opts ...Option) *Authority {
 	return a
 }

-func TestAuthority_GetSCEP(t *testing.T) {
+func TestAuthority_GetSCEPService(t *testing.T) {
 	_ = testScepAuthority(t)
 	p := provisioner.List{
 		&provisioner.SCEP{
@ -543,7 +415,7 @@ func TestAuthority_GetSCEP(t *testing.T) {
 				return
 			}
 			if tt.wantService {
-				if got := a.GetSCEP(); (got != nil) != tt.wantService {
+				if got := a.GetSCEPService(); (got != nil) != tt.wantService {
 					t.Errorf("Authority.GetSCEPService() = %v, wantService %v", got, tt.wantService)
 				}
 			}
--- a/authority/authorize.go
+++ b/authority/authorize.go
@ -177,7 +177,7 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 	if !adminFound {
 		return nil, admin.NewError(admin.ErrorUnauthorizedType,
 			"adminHandler.authorizeToken; unable to load admin with subject(s) %s and provisioner '%s'",
-			adminSANs, prov.GetName())
+			adminSANs, claims.Issuer)
 	}

 	if strings.HasPrefix(r.URL.Path, "/admin/admins") && (r.Method != "GET") && adm.Type != linkedca.Admin_SUPER_ADMIN {
@ -214,7 +214,7 @@ func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.
 	var opts = []interface{}{errs.WithKeyVal("token", token)}

 	switch m := provisioner.MethodFromContext(ctx); m {
-	case provisioner.SignMethod, provisioner.SignIdentityMethod:
+	case provisioner.SignMethod:
 		signOpts, err := a.authorizeSign(ctx, token)
 		return signOpts, errs.Wrap(http.StatusInternalServerError, err, "authority.Authorize", opts...)
 	case provisioner.RevokeMethod:
@ -286,16 +286,16 @@ func (a *Authority) authorizeRevoke(ctx context.Context, token string) error {
 // extra extension cannot be found, authorize the renewal by default.
 //
 // TODO(mariano): should we authorize by default?
-func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) (provisioner.Interface, error) {
+func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
 	serial := cert.SerialNumber.String()
 	var opts = []interface{}{errs.WithKeyVal("serialNumber", serial)}

 	isRevoked, err := a.IsRevoked(serial)
 	if err != nil {
-		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
 	if isRevoked {
-		return nil, errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
+		return errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
 	}
 	p, err := a.LoadProvisionerByCertificate(cert)
 	if err != nil {
@ -305,17 +305,17 @@ func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate)
 		// returns the noop provisioner if this happens, and it allows
 		// certificate renewals.
 		if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
-			return nil, errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+			return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
 		}
 	}
-	if err := p.AuthorizeRenew(ctx, cert); err != nil {
-		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+	if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
+		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
-	return p, nil
+	return nil
 }

 // authorizeSSHCertificate returns an error if the given certificate is revoked.
-func (a *Authority) authorizeSSHCertificate(_ context.Context, cert *ssh.Certificate) error {
+func (a *Authority) authorizeSSHCertificate(ctx context.Context, cert *ssh.Certificate) error {
 	var err error
 	var isRevoked bool

@ -394,7 +394,7 @@ func (a *Authority) authorizeSSHRevoke(ctx context.Context, token string) error

 // AuthorizeRenewToken validates the renew token and returns the leaf
 // certificate in the x5cInsecure header.
-func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Certificate, error) {
+func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error) {
 	var claims jose.Claims
 	jwt, chain, err := jose.ParseX5cInsecure(ott, a.rootX509Certs)
 	if err != nil {
@ -434,7 +434,7 @@ func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Ce
 	}

 	audiences := a.config.GetAudiences().Renew
-	if !matchesAudience(claims.Audience, audiences) && !isRAProvisioner(p) {
+	if !matchesAudience(claims.Audience, audiences) {
 		return nil, errs.InternalServerErr(jose.ErrInvalidAudience, errs.WithMessage("error validating renew token: invalid audience claim (aud)"))
 	}

--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
@ -876,7 +876,7 @@ func TestAuthority_authorizeRenew(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			tc := genTestCase(t)

-			_, err := tc.auth.authorizeRenew(context.Background(), tc.cert)
+			err := tc.auth.authorizeRenew(tc.cert)
 			if err != nil {
 				if assert.NotNil(t, tc.err) {
 					var sc render.StatusCodedError
@ -1375,7 +1375,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	}

 	generateX5cToken := func(a *Authority, key crypto.Signer, claims jose.Claims, opts ...provisioner.SignOption) (string, *x509.Certificate) {
-		chain, err := a.SignWithContext(ctx, csr, provisioner.SignOptions{}, opts...)
+		chain, err := a.Sign(csr, provisioner.SignOptions{}, opts...)
 		if err != nil {
 			t.Fatal(err)
 		}
@ -1459,37 +1459,6 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 		})
 		return nil
 	}))
-	a4 := testAuthority(t)
-	a4.db = &db.MockAuthDB{
-		MUseToken: func(id, tok string) (bool, error) {
-			return true, nil
-		},
-		MGetCertificateData: func(serialNumber string) (*db.CertificateData, error) {
-			return &db.CertificateData{
-				Provisioner: &db.ProvisionerData{ID: "Max:IMi94WBNI6gP5cNHXlZYNUzvMjGdHyBRmFoo-lCEaqk", Name: "Max"},
-				RaInfo:      &provisioner.RAInfo{ProvisionerName: "ra"},
-			}, nil
-		},
-	}
-	t4, c4 := generateX5cToken(a1, signer, jose.Claims{
-		Audience:  []string{"https://ra.example.com/1.0/renew"},
-		Subject:   "test.example.com",
-		Issuer:    "step-ca-client/1.0",
-		NotBefore: jose.NewNumericDate(now),
-		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
-	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
-		cert.NotBefore = now
-		cert.NotAfter = now.Add(time.Hour)
-		b, err := asn1.Marshal(stepProvisionerASN1{int(provisioner.TypeJWK), []byte("step-cli"), nil, nil})
-		if err != nil {
-			return err
-		}
-		cert.ExtraExtensions = append(cert.ExtraExtensions, pkix.Extension{
-			Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1},
-			Value: b,
-		})
-		return nil
-	}))
 	badSigner, _ := generateX5cToken(a1, otherSigner, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/renew"},
 		Subject:   "test.example.com",
@ -1658,7 +1627,6 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 		{"ok", a1, args{ctx, t1}, c1, false},
 		{"ok expired cert", a1, args{ctx, t2}, c2, false},
 		{"ok provisioner issuer", a1, args{ctx, t3}, c3, false},
-		{"ok ra provisioner", a4, args{ctx, t4}, c4, false},
 		{"fail token", a1, args{ctx, "not.a.token"}, nil, true},
 		{"fail token reuse", a1, args{ctx, t1}, nil, true},
 		{"fail token signature", a1, args{ctx, badSigner}, nil, true},
--- a/authority/config/config.go
+++ b/authority/config/config.go
@ -1,7 +1,6 @@
 package config

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"net"
@ -36,30 +35,21 @@ var (
 	// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
 	// for all provisioners.
 	DefaultEnableSSHCA = false
-	// DefaultDisableSmallstepExtensions is the default value for the
-	// DisableSmallstepExtensions provisioner claim.
-	DefaultDisableSmallstepExtensions = false
-	// DefaultCRLCacheDuration is the default cache duration for the CRL.
-	DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour}
-	// DefaultCRLExpiredDuration is the default duration in which expired
-	// certificates will remain in the CRL after expiration.
-	DefaultCRLExpiredDuration = time.Hour
-	// GlobalProvisionerClaims is the default duration that expired certificates
-	// remain in the CRL after expiration.
+	// GlobalProvisionerClaims default claims for the Authority. Can be overridden
+	// by provisioner specific claims.
 	GlobalProvisionerClaims = provisioner.Claims{
-		MinTLSDur:                  &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
-		MaxTLSDur:                  &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultTLSDur:              &provisioner.Duration{Duration: 24 * time.Hour},
-		MinUserSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:              &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:          &provisioner.Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:              &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:          &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:                &DefaultEnableSSHCA,
-		DisableRenewal:             &DefaultDisableRenewal,
-		AllowRenewalAfterExpiry:    &DefaultAllowRenewalAfterExpiry,
-		DisableSmallstepExtensions: &DefaultDisableSmallstepExtensions,
+		MinTLSDur:               &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
+		MaxTLSDur:               &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultTLSDur:           &provisioner.Duration{Duration: 24 * time.Hour},
+		MinUserSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:           &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:       &provisioner.Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:           &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:       &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:             &DefaultEnableSSHCA,
+		DisableRenewal:          &DefaultDisableRenewal,
+		AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
 	}
 )

@ -82,64 +72,12 @@ type Config struct {
 	Password         string               `json:"password,omitempty"`
 	Templates        *templates.Templates `json:"templates,omitempty"`
 	CommonName       string               `json:"commonName,omitempty"`
-	CRL              *CRLConfig           `json:"crl,omitempty"`
-	MetricsAddress   string               `json:"metricsAddress,omitempty"`
 	SkipValidation   bool                 `json:"-"`

 	// Keeps record of the filename the Config is read from
 	loadedFromFilepath string
 }

-// CRLConfig represents config options for CRL generation
-type CRLConfig struct {
-	Enabled          bool                  `json:"enabled"`
-	GenerateOnRevoke bool                  `json:"generateOnRevoke,omitempty"`
-	CacheDuration    *provisioner.Duration `json:"cacheDuration,omitempty"`
-	RenewPeriod      *provisioner.Duration `json:"renewPeriod,omitempty"`
-	IDPurl           string                `json:"idpURL,omitempty"`
-}
-
-// IsEnabled returns if the CRL is enabled.
-func (c *CRLConfig) IsEnabled() bool {
-	return c != nil && c.Enabled
-}
-
-// Validate validates the CRL configuration.
-func (c *CRLConfig) Validate() error {
-	if c == nil {
-		return nil
-	}
-
-	if c.CacheDuration != nil && c.CacheDuration.Duration < 0 {
-		return errors.New("crl.cacheDuration must be greater than or equal to 0")
-	}
-
-	if c.RenewPeriod != nil && c.RenewPeriod.Duration < 0 {
-		return errors.New("crl.renewPeriod must be greater than or equal to 0")
-	}
-
-	if c.RenewPeriod != nil && c.CacheDuration != nil &&
-		c.RenewPeriod.Duration > c.CacheDuration.Duration {
-		return errors.New("crl.cacheDuration must be greater than or equal to crl.renewPeriod")
-	}
-
-	return nil
-}
-
-// TickerDuration the renewal ticker duration. This is set by renewPeriod, of it
-// is not set is ~2/3 of cacheDuration.
-func (c *CRLConfig) TickerDuration() time.Duration {
-	if !c.IsEnabled() {
-		return 0
-	}
-
-	if c.RenewPeriod != nil && c.RenewPeriod.Duration > 0 {
-		return c.RenewPeriod.Duration
-	}
-
-	return (c.CacheDuration.Duration / 3) * 2
-}
-
 // ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer
 // x509 Certificate blocks.
 type ASN1DN struct {
@ -188,7 +126,7 @@ func (c *AuthConfig) init() {
 }

 // Validate validates the authority configuration.
-func (c *AuthConfig) Validate(provisioner.Audiences) error {
+func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
 	if c == nil {
 		return errors.New("authority cannot be undefined")
 	}
@ -252,24 +190,20 @@ func (c *Config) Init() {
 	if c.CommonName == "" {
 		c.CommonName = "Step Online CA"
 	}
-	if c.CRL != nil && c.CRL.Enabled && c.CRL.CacheDuration == nil {
-		c.CRL.CacheDuration = DefaultCRLCacheDuration
-	}
 	c.AuthorityConfig.init()
 }

 // Save saves the configuration to the given filename.
 func (c *Config) Save(filename string) error {
-	var b bytes.Buffer
-	enc := json.NewEncoder(&b)
-	enc.SetIndent("", "\t")
-	if err := enc.Encode(c); err != nil {
-		return fmt.Errorf("error encoding configuration: %w", err)
-	}
-	if err := os.WriteFile(filename, b.Bytes(), 0600); err != nil {
-		return fmt.Errorf("error writing %q: %w", filename, err)
+	f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return errors.Wrapf(err, "error opening %s", filename)
 	}
-	return nil
+	defer f.Close()
+
+	enc := json.NewEncoder(f)
+	enc.SetIndent("", "\t")
+	return errors.Wrapf(enc.Encode(c), "error writing %s", filename)
 }

 // Commit saves the current configuration to the same
@ -328,12 +262,6 @@ func (c *Config) Validate() error {
 		return errors.Errorf("invalid address %s", c.Address)
 	}

-	if addr := c.MetricsAddress; addr != "" {
-		if _, _, err := net.SplitHostPort(addr); err != nil {
-			return errors.Errorf("invalid metrics address %q", c.Address)
-		}
-	}
-
 	if c.TLS == nil {
 		c.TLS = &DefaultTLSOptions
 	} else {
@ -372,11 +300,6 @@ func (c *Config) Validate() error {
 		return err
 	}

-	// Validate crl config: nil is ok
-	if err := c.CRL.Validate(); err != nil {
-		return err
-	}
-
 	return c.AuthorityConfig.Validate(c.GetAudiences())
 }

--- a/authority/internal/constraints/verify.go
+++ b/authority/internal/constraints/verify.go
@ -203,7 +203,7 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
 // domainToReverseLabels converts a textual domain name like foo.example.com to
 // the list of labels in reverse order, e.g. ["com", "example", "foo"].
 func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
-	for domain != "" {
+	for len(domain) > 0 {
 		if i := strings.LastIndexByte(domain, '.'); i == -1 {
 			reverseLabels = append(reverseLabels, domain)
 			domain = ""
@ -316,7 +316,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 	} else {
 		// Atom ("." Atom)*
 	NextChar:
-		for in != "" {
+		for len(in) > 0 {
 			// atext from RFC 2822, Section 3.2.4
 			c := in[0]

--- a/authority/linkedca.go
+++ b/authority/linkedca.go
@ -110,7 +110,7 @@ func newLinkedCAClient(token string) (*linkedCaClient, error) {
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate

 	// Start mTLS client
-	conn, err := grpc.NewClient(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
+	conn, err := grpc.Dial(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error connecting %s", u.Host)
 	}
@ -265,20 +265,8 @@ func (c *linkedCaClient) GetCertificateData(serial string) (*db.CertificateData,
 			ID: p.Id, Name: p.Name, Type: p.Type.String(),
 		}
 	}
-
-	var raInfo *provisioner.RAInfo
-	if p := resp.RaProvisioner; p != nil && p.Provisioner != nil {
-		raInfo = &provisioner.RAInfo{
-			AuthorityID:     p.AuthorityId,
-			ProvisionerID:   p.Provisioner.Id,
-			ProvisionerType: p.Provisioner.Type.String(),
-			ProvisionerName: p.Provisioner.Name,
-		}
-	}
-
 	return &db.CertificateData{
 		Provisioner: pd,
-		RaInfo:      raInfo,
 	}, nil
 }

@ -381,19 +369,19 @@ func (c *linkedCaClient) IsSSHRevoked(serial string) (bool, error) {
 	return resp.Status != linkedca.RevocationStatus_ACTIVE, nil
 }

-func (c *linkedCaClient) CreateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error {
+func (c *linkedCaClient) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
 	return errors.New("not implemented yet")
 }

-func (c *linkedCaClient) GetAuthorityPolicy(context.Context) (*linkedca.Policy, error) {
+func (c *linkedCaClient) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
 	return nil, errors.New("not implemented yet")
 }

-func (c *linkedCaClient) UpdateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error {
+func (c *linkedCaClient) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
 	return errors.New("not implemented yet")
 }

-func (c *linkedCaClient) DeleteAuthorityPolicy(context.Context) error {
+func (c *linkedCaClient) DeleteAuthorityPolicy(ctx context.Context) error {
 	return errors.New("not implemented yet")
 }

@ -478,7 +466,10 @@ func getAuthority(sans []string) (string, error) {
 // getRootCertificate creates an insecure majordomo client and returns the
 // verified root certificate.
 func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) {
-	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		//nolint:gosec // used in bootstrap protocol
 		InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
 	})))
@ -486,7 +477,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 		return nil, errors.Wrapf(err, "error connecting %s", endpoint)
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()

 	client := linkedca.NewMajordomoClient(conn)
@ -528,7 +519,11 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 // login creates a new majordomo client with just the root ca pool and returns
 // the signed certificate and tls configuration.
 func login(authority, token string, csr *x509.CertificateRequest, signer crypto.PrivateKey, endpoint string, rootCAs *x509.CertPool) (*tls.Certificate, *tls.Config, error) {
-	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	// Connect to majordomo
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		MinVersion: tls.VersionTLS12,
 		RootCAs:    rootCAs,
 	})))
@ -537,7 +532,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
 	}

 	// Login to get the signed certificate
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()

 	client := linkedca.NewMajordomoClient(conn)
--- a/authority/meter.go
+++ b/authority/meter.go
@ -1,111 +0,0 @@
-package authority
-
-import (
-	"crypto"
-	"io"
-
-	"go.step.sm/crypto/kms"
-	kmsapi "go.step.sm/crypto/kms/apiv1"
-
-	"github.com/smallstep/certificates/authority/provisioner"
-)
-
-// Meter wraps the set of defined callbacks for metrics gatherers.
-type Meter interface {
-	// X509Signed is called whenever an X509 certificate is signed.
-	X509Signed(provisioner.Interface, error)
-
-	// X509Renewed is called whenever an X509 certificate is renewed.
-	X509Renewed(provisioner.Interface, error)
-
-	// X509Rekeyed is called whenever an X509 certificate is rekeyed.
-	X509Rekeyed(provisioner.Interface, error)
-
-	// X509WebhookAuthorized is called whenever an X509 authoring webhook is called.
-	X509WebhookAuthorized(provisioner.Interface, error)
-
-	// X509WebhookEnriched is called whenever an X509 enriching webhook is called.
-	X509WebhookEnriched(provisioner.Interface, error)
-
-	// SSHSigned is called whenever an SSH certificate is signed.
-	SSHSigned(provisioner.Interface, error)
-
-	// SSHRenewed is called whenever an SSH certificate is renewed.
-	SSHRenewed(provisioner.Interface, error)
-
-	// SSHRekeyed is called whenever an SSH certificate is rekeyed.
-	SSHRekeyed(provisioner.Interface, error)
-
-	// SSHWebhookAuthorized is called whenever an SSH authoring webhook is called.
-	SSHWebhookAuthorized(provisioner.Interface, error)
-
-	// SSHWebhookEnriched is called whenever an SSH enriching webhook is called.
-	SSHWebhookEnriched(provisioner.Interface, error)
-
-	// KMSSigned is called per KMS signer signature.
-	KMSSigned(error)
-}
-
-// noopMeter implements a noop [Meter].
-type noopMeter struct{}
-
-func (noopMeter) SSHRekeyed(provisioner.Interface, error)            {}
-func (noopMeter) SSHRenewed(provisioner.Interface, error)            {}
-func (noopMeter) SSHSigned(provisioner.Interface, error)             {}
-func (noopMeter) SSHWebhookAuthorized(provisioner.Interface, error)  {}
-func (noopMeter) SSHWebhookEnriched(provisioner.Interface, error)    {}
-func (noopMeter) X509Rekeyed(provisioner.Interface, error)           {}
-func (noopMeter) X509Renewed(provisioner.Interface, error)           {}
-func (noopMeter) X509Signed(provisioner.Interface, error)            {}
-func (noopMeter) X509WebhookAuthorized(provisioner.Interface, error) {}
-func (noopMeter) X509WebhookEnriched(provisioner.Interface, error)   {}
-func (noopMeter) KMSSigned(error)                                    {}
-
-type instrumentedKeyManager struct {
-	kms.KeyManager
-	meter Meter
-}
-
-type instrumentedKeyAndDecrypterManager struct {
-	kms.KeyManager
-	decrypter kmsapi.Decrypter
-	meter     Meter
-}
-
-func newInstrumentedKeyManager(k kms.KeyManager, m Meter) kms.KeyManager {
-	decrypter, isDecrypter := k.(kmsapi.Decrypter)
-	switch {
-	case isDecrypter:
-		return &instrumentedKeyAndDecrypterManager{&instrumentedKeyManager{k, m}, decrypter, m}
-	default:
-		return &instrumentedKeyManager{k, m}
-	}
-}
-
-func (i *instrumentedKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (s crypto.Signer, err error) {
-	if s, err = i.KeyManager.CreateSigner(req); err == nil {
-		s = &instrumentedKMSSigner{s, i.meter}
-	}
-
-	return
-}
-
-func (i *instrumentedKeyAndDecrypterManager) CreateDecrypter(req *kmsapi.CreateDecrypterRequest) (s crypto.Decrypter, err error) {
-	return i.decrypter.CreateDecrypter(req)
-}
-
-type instrumentedKMSSigner struct {
-	crypto.Signer
-	meter Meter
-}
-
-func (i *instrumentedKMSSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	signature, err = i.Signer.Sign(rand, digest, opts)
-	i.meter.KMSSigned(err)
-
-	return
-}
-
-var _ kms.KeyManager = (*instrumentedKeyManager)(nil)
-var _ kms.KeyManager = (*instrumentedKeyAndDecrypterManager)(nil)
-var _ kmsapi.Decrypter = (*instrumentedKeyAndDecrypterManager)(nil)
--- a/authority/options.go
+++ b/authority/options.go
@ -18,7 +18,6 @@ import (
 	"github.com/smallstep/certificates/cas"
 	casapi "github.com/smallstep/certificates/cas/apiv1"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/certificates/scep"
 )

 // Option sets options to the Authority.
@ -167,15 +166,6 @@ func WithKeyManager(k kms.KeyManager) Option {
 	}
 }

-// WithX509CAService allows the consumer to provide an externally implemented
-// API implementation of apiv1.CertificateAuthorityService
-func WithX509CAService(svc casapi.CertificateAuthorityService) Option {
-	return func(a *Authority) error {
-		a.x509CAService = svc
-		return nil
-	}
-}
-
 // WithX509Signer defines the signer used to sign X509 certificates.
 func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
 	return WithX509SignerChain([]*x509.Certificate{crt}, s)
@ -215,27 +205,6 @@ func WithX509SignerFunc(fn func() ([]*x509.Certificate, crypto.Signer, error)) O
 	}
 }

-// WithFullSCEPOptions defines the options used for SCEP support.
-//
-// This feature is EXPERIMENTAL and might change at any time.
-func WithFullSCEPOptions(options *scep.Options) Option {
-	return func(a *Authority) error {
-		a.scepOptions = options
-		a.validateSCEP = false
-		return nil
-	}
-}
-
-// WithSCEPKeyManager defines the key manager used on SCEP provisioners.
-//
-// This feature is EXPERIMENTAL and might change at any time.
-func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option {
-	return func(a *Authority) error {
-		a.scepKeyManager = skm
-		return nil
-	}
-}
-
 // WithSSHUserSigner defines the signer used to sign SSH user certificates.
 func WithSSHUserSigner(s crypto.Signer) Option {
 	return func(a *Authority) error {
@ -400,16 +369,3 @@ func readCertificateBundle(pemCerts []byte) ([]*x509.Certificate, error) {
 	}
 	return certs, nil
 }
-
-// WithMeter is an option that sets the authority's [Meter] to the provided one.
-func WithMeter(m Meter) Option {
-	if m == nil {
-		m = noopMeter{}
-	}
-
-	return func(a *Authority) (_ error) {
-		a.meter = m
-
-		return
-	}
-}
--- a/authority/policy.go
+++ b/authority/policy.go
@ -154,7 +154,7 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string,

 // checkPolicy checks if a new or updated policy configuration results in the user
 // locking themselves or other admins out of the CA.
-func (a *Authority) checkPolicy(_ context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
+func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
 	// convert the policy; return early if nil
 	policyOptions := authPolicy.LinkedToCertificates(p)
 	if policyOptions == nil {
@ -248,7 +248,7 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 		if isNamePolicyError && policyErr.Reason == policy.NotAllowed {
 			return &PolicyError{
 				Typ: AdminLockOut,
-				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please create an x509 policy to include %s as an allowed DNS name", sans, sans),
+				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
 			}
 		}
 		return &PolicyError{
--- a/authority/policy/policy.go
+++ b/authority/policy/policy.go
@ -21,7 +21,6 @@ type HostPolicy policy.SSHNamePolicyEngine
 func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error) {
 	// return early if no policy engine options to configure
 	if policyOptions == nil {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

@ -51,7 +50,6 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,

 	// ensure no policy engine is returned when no name options were provided
 	if len(options) == 0 {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

@ -95,7 +93,6 @@ func NewSSHHostPolicyEngine(policyOptions SSHPolicyOptionsInterface) (HostPolicy
 func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEngineType) (policy.SSHNamePolicyEngine, error) {
 	// return early if no policy engine options to configure
 	if policyOptions == nil {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

@ -137,7 +134,6 @@ func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEn

 	// ensure no policy engine is returned when no name options were provided
 	if len(options) == 0 {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

--- a/authority/policy_test.go
+++ b/authority/policy_test.go
@ -6,8 +6,8 @@ import (
 	"reflect"
 	"testing"

-	"github.com/go-jose/go-jose/v3"
 	"github.com/stretchr/testify/assert"
+	"gopkg.in/square/go-jose.v2"

 	"go.step.sm/linkedca"

@ -80,7 +80,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
 				},
 				err: &PolicyError{
 					Typ: AdminLockOut,
-					Err: errors.New("the provided policy would lock out [step] from the CA. Please create an x509 policy to include [step] as an allowed DNS name"),
+					Err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"),
 				},
 			}
 		},
@ -127,7 +127,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
 				},
 				err: &PolicyError{
 					Typ: AdminLockOut,
-					Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please create an x509 policy to include [otherAdmin] as an allowed DNS name"),
+					Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please update your policy to include [otherAdmin] as an allowed name"),
 				},
 			}
 		},
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@ -48,7 +48,7 @@ func (c ACMEChallenge) Validate() error {
 type ACMEAttestationFormat string

 const (
-	// APPLE is the format used to enable device-attest-01 on Apple devices.
+	// APPLE is the format used to enable device-attest-01 on apple devices.
 	APPLE ACMEAttestationFormat = "apple"

 	// STEP is the format used to enable device-attest-01 on devices that
@ -57,7 +57,7 @@ const (
 	// TODO(mariano): should we rename this to something else.
 	STEP ACMEAttestationFormat = "step"

-	// TPM is the format used to enable device-attest-01 with TPMs.
+	// TPM is the format used to enable device-attest-01 on TPMs.
 	TPM ACMEAttestationFormat = "tpm"
 )

@ -84,17 +84,6 @@ type ACME struct {
 	Type    string `json:"type"`
 	Name    string `json:"name"`
 	ForceCN bool   `json:"forceCN,omitempty"`
-	// TermsOfService contains a URL pointing to the ACME server's
-	// terms of service. Defaults to empty.
-	TermsOfService string `json:"termsOfService,omitempty"`
-	// Website contains an URL pointing to more information about
-	// the ACME server. Defaults to empty.
-	Website string `json:"website,omitempty"`
-	// CaaIdentities is an array of hostnames that the ACME server
-	// identifies itself with. These hostnames can be used by ACME
-	// clients to determine the correct issuer domain name to use
-	// when configuring CAA records. Defaults to empty array.
-	CaaIdentities []string `json:"caaIdentities,omitempty"`
 	// RequireEAB makes the provisioner require ACME EAB to be provided
 	// by clients when creating a new Account. If set to true, the provided
 	// EAB will be verified. If set to false and an EAB is provided, it is
@ -133,7 +122,7 @@ func (p *ACME) GetIDForToken() string {
 }

 // GetTokenID returns the identifier of the token.
-func (p *ACME) GetTokenID(string) (string, error) {
+func (p *ACME) GetTokenID(ott string) (string, error) {
 	return "", errors.New("acme provisioner does not implement GetTokenID")
 }

@ -184,7 +173,7 @@ func (p *ACME) Init(config Config) (err error) {
 	}

 	// Parse attestation roots.
-	// The pool will be nil if there are no roots.
+	// The pool will be nil if the there are not roots.
 	if rest := p.AttestationRoots; len(rest) > 0 {
 		var block *pem.Block
 		var hasCert bool
@ -228,7 +217,7 @@ type ACMEIdentifier struct {

 // AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a
 // certificate for an ACME Order Identifier.
-func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdentifier) error {
+func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error {
 	x509Policy := p.ctl.getPolicy().getX509()

 	// identifier is allowed if no policy is configured
@ -253,11 +242,11 @@ func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdenti
 // AuthorizeSign does not do any validation, because all validation is handled
 // in the ACME protocol. This method returns a list of modifiers / constraints
 // on the resulting certificate.
-func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
+func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	opts := []SignOption{
 		p,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeACME, p.Name, "").WithControllerOptions(p.ctl),
+		newProvisionerExtensionOption(TypeACME, p.Name, ""),
 		newForceCNOption(p.ForceCN),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
@ -274,7 +263,7 @@ func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
 // the CA. It can be used to authorize revocation of a certificate. With the
 // ACME protocol, revocation authorization is specified and performed as part
 // of the client/server interaction, so this is a no-op.
-func (p *ACME) AuthorizeRevoke(context.Context, string) error {
+func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error {
 	return nil
 }

@ -289,7 +278,7 @@ func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
 // IsChallengeEnabled checks if the given challenge is enabled. By default
 // http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the
 // Challenge provisioner property should have at least one element.
-func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bool {
+func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge) bool {
 	enabledChallenges := []ACMEChallenge{
 		HTTP_01, DNS_01, TLS_ALPN_01,
 	}
@ -307,7 +296,7 @@ func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bo
 // IsAttestationFormatEnabled checks if the given attestation format is enabled.
 // By default apple, step and tpm are enabled, to disable any of them the
 // AttestationFormat provisioner property should have at least one element.
-func (p *ACME) IsAttestationFormatEnabled(_ context.Context, format ACMEAttestationFormat) bool {
+func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttestationFormat) bool {
 	enabledFormats := []ACMEAttestationFormat{
 		APPLE, STEP, TPM,
 	}
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -24,9 +24,6 @@ import (
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/certificates/webhook"
-
-	_ "embed"
 )

 // awsIssuer is the string used as issuer in the generated tokens.
@ -52,10 +49,112 @@ const awsMetadataTokenHeader = "X-aws-ec2-metadata-token" //nolint:gosec // no c
 const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" //nolint:gosec // no credentials here

 // awsCertificate is the certificate used to validate the instance identity
-// signature. It is embedded in the binary at compile time.
+// signature.
+//
+// The first certificate is used in:
+//
+//	ap-northeast-2, ap-south-1, ap-southeast-1, ap-southeast-2
+//	eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3
+//	us-east-1, us-east-2, us-west-1, us-west-2
+//	ca-central-1, sa-east-1
+//
+// The second certificate is used in:
+//
+//	eu-south-1
+//
+// The third certificate is used in:
+//
+//	ap-east-1
+//
+// The fourth certificate is used in:
+//
+//	af-south-1
+//
+// The fifth certificate is used in:
 //
-//go:embed aws_certificates.pem
-var awsCertificate string
+//	me-south-1
+const awsCertificate = `-----BEGIN CERTIFICATE-----
+MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
+FgYDVQQKEw9BbWF6b24uY29tIEluYy4xGjAYBgNVBAMTEWVjMi5hbWF6b25hd3Mu
+Y29tMB4XDTE0MDYwNTE0MjgwMloXDTI0MDYwNTE0MjgwMlowajELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNV
+BAoTD0FtYXpvbi5jb20gSW5jLjEaMBgGA1UEAxMRZWMyLmFtYXpvbmF3cy5jb20w
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIe9GN//SRK2knbjySG0ho3yqQM3
+e2TDhWO8D2e8+XZqck754gFSo99AbT2RmXClambI7xsYHZFapbELC4H91ycihvrD
+jbST1ZjkLQgga0NE1q43eS68ZeTDccScXQSNivSlzJZS8HJZjgqzBlXjZftjtdJL
+XeE4hwvo0sD4f3j9AgMBAAGjgc8wgcwwHQYDVR0OBBYEFCXWzAgVyrbwnFncFFIs
+77VBdlE4MIGcBgNVHSMEgZQwgZGAFCXWzAgVyrbwnFncFFIs77VBdlE4oW6kbDBq
+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh
+dHRsZTEYMBYGA1UEChMPQW1hem9uLmNvbSBJbmMuMRowGAYDVQQDExFlYzIuYW1h
+em9uYXdzLmNvbYIJAKnL4UEDMN/FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADgYEAFYcz1OgEhQBXIwIdsgCOS8vEtiJYF+j9uO6jz7VOmJqO+pRlAbRlvY8T
+C1haGgSI/A1uZUKs/Zfnph0oEI0/hu1IIJ/SKBDtN5lvmZ/IzbOPIJWirlsllQIQ
+7zvWbGd9c9+Rm3p04oTvhup99la7kZqevJK0QRdD/6NpCKsqP/0=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICNjCCAZ+gAwIBAgIJAOZ3GEIaDcugMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
+dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0xOTEwMjQx
+NTE5MDlaGA8yMTk5MDMyOTE1MTkwOVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgT
+EFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0Ft
+YXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQCjiPgW3vsXRj4JoA16WQDyoPc/eh3QBARaApJEc4nPIGoUolpAXcjFhWplo2O+
+ivgfCsc4AU9OpYdAPha3spLey/bhHPRi1JZHRNqScKP0hzsCNmKhfnZTIEQCFvsp
+DRp4zr91/WS06/flJFBYJ6JHhp0KwM81XQG59lV6kkoW7QIDAQABMA0GCSqGSIb3
+DQEBCwUAA4GBAGLLrY3P+HH6C57dYgtJkuGZGT2+rMkk2n81/abzTJvsqRqGRrWv
+XRKRXlKdM/dfiuYGokDGxiC0Mg6TYy6wvsR2qRhtXW1OtZkiHWcQCnOttz+8vpew
+wx8JGMvowtuKB1iMsbwyRqZkFYLcvH+Opfb/Aayi20/ChQLdI6M2R5VU
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICSzCCAbQCCQDtQvkVxRvK9TANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJV
+UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEYMBYGA1UE
+ChMPQW1hem9uLmNvbSBJbmMuMRowGAYDVQQDExFlYzIuYW1hem9uYXdzLmNvbTAe
+Fw0xOTAyMDMwMzAwMDZaFw0yOTAyMDIwMzAwMDZaMGoxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgwFgYDVQQKEw9B
+bWF6b24uY29tIEluYy4xGjAYBgNVBAMTEWVjMi5hbWF6b25hd3MuY29tMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1kkHXYTfc7gY5Q55JJhjTieHAgacaQkiR
+Pity9QPDE3b+NXDh4UdP1xdIw73JcIIG3sG9RhWiXVCHh6KkuCTqJfPUknIKk8vs
+M3RXflUpBe8Pf+P92pxqPMCz1Fr2NehS3JhhpkCZVGxxwLC5gaG0Lr4rFORubjYY
+Rh84dK98VwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAA6xV9f0HMqXjPHuGILDyaNN
+dKcvplNFwDTydVg32MNubAGnecoEBtUPtxBsLoVYXCOb+b5/ZMDubPF9tU/vSXuo
+TpYM5Bq57gJzDRaBOntQbX9bgHiUxw6XZWaTS/6xjRJDT5p3S1E0mPI3lP/eJv4o
+Ezk5zb3eIf10/sqt4756
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICNjCCAZ+gAwIBAgIJAKumfZiRrNvHMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
+dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0xOTExMjcw
+NzE0MDVaGA8yMTk5MDUwMjA3MTQwNVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgT
+EFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0Ft
+YXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDFd571nUzVtke3rPyRkYfvs3jh0C0EMzzG72boyUNjnfw1+m0TeFraTLKb9T6F
+7TuB/ZEN+vmlYqr2+5Va8U8qLbPF0bRH+FdaKjhgWZdYXxGzQzU3ioy5W5ZM1VyB
+7iUsxEAlxsybC3ziPYaHI42UiTkQNahmoroNeqVyHNnBpQIDAQABMA0GCSqGSIb3
+DQEBCwUAA4GBAAJLylWyElEgOpW4B1XPyRVD4pAds8Guw2+krgqkY0HxLCdjosuH
+RytGDGN+q75aAoXzW5a7SGpxLxk6Hfv0xp3RjDHsoeP0i1d8MD3hAC5ezxS4oukK
+s5gbPOnokhKTMPXbTdRn5ZifCbWlx+bYN/mTYKvxho7b5SVg2o1La9aK
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAqWgAwIBAgIJAMl6uIV/zqJFMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMSAw
+HgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzEaMBgGA1UEAwwRZWMyLmFt
+YXpvbmF3cy5jb20wIBcNMTkwNDI2MTQzMjQ3WhgPMjE5ODA5MjkxNDMyNDdaMHIx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzEaMBgGA1UEAwwR
+ZWMyLmFtYXpvbmF3cy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALVN
+CDTZEnIeoX1SEYqq6k1BV0ZlpY5y3KnoOreCAE589TwS4MX5+8Fzd6AmACmugeBP
+Qk7Hm6b2+g/d4tWycyxLaQlcq81DB1GmXehRkZRgGeRge1ePWd1TUA0I8P/QBT7S
+gUePm/kANSFU+P7s7u1NNl+vynyi0wUUrw7/wIZTAgMBAAGjgdcwgdQwHQYDVR0O
+BBYEFILtMd+T4YgH1cgc+hVsVOV+480FMIGkBgNVHSMEgZwwgZmAFILtMd+T4YgH
+1cgc+hVsVOV+480FoXakdDByMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGlu
+Z3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEgMB4GA1UECgwXQW1hem9uIFdlYiBTZXJ2
+aWNlcyBMTEMxGjAYBgNVBAMMEWVjMi5hbWF6b25hd3MuY29tggkAyXq4hX/OokUw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBhkNTBIFgWFd+ZhC/LhRUY
+4OjEiykmbEp6hlzQ79T0Tfbn5A4NYDI2icBP0+hmf6qSnIhwJF6typyd1yPK5Fqt
+NTpxxcXmUKquX+pHmIkK1LKDO8rNE84jqxrxRsfDi6by82fjVYf2pgjJW8R1FAw+
+mL5WQRFexbfB5aXhcMo0AA==
+-----END CERTIFICATE-----`

 // awsSignatureAlgorithm is the signature algorithm used to verify the identity
 // document signature.
@ -363,7 +462,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 				net.ParseIP(doc.PrivateIP),
 			}),
 			emailAddressesValidator(nil),
-			newURIsValidator(ctx, nil),
+			urisValidator(nil),
 		)

 		// Template options
@ -379,18 +478,14 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		p,
 		templateOptions,
 		// modifiers / withOptions
-		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID).WithControllerOptions(p.ctl),
+		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
 		commonNameValidator(payload.Claims.Subject),
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_X509,
-			webhook.WithAuthorizationPrincipal(doc.InstanceID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 	), nil
 }

@ -613,7 +708,7 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 }

 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
-func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("aws.AuthorizeSSHSign; ssh ca is disabled for aws provisioner '%s'", p.GetName())
 	}
@ -673,10 +768,6 @@ func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
 		// Call webhooks
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_SSH,
-			webhook.WithAuthorizationPrincipal(doc.InstanceID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 	), nil
 }
--- a/Show More
+++ b/Show More