Merge branch 'master' into wire-acme-extensions

Merge pull request #1689 from smallstep/beltram/wire-acme-extensions
Use two separate Wire identifier types
160 changed files with 8137 additions and 5411 deletions
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@ -6,6 +6,17 @@ permissions:
  pull-requests: write

 jobs:
-  dependabot-auto-merge:
-    uses: smallstep/workflows/.github/workflows/dependabot-auto-merge.yml@main
-    secrets: inherit
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.6.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -45,12 +45,12 @@ jobs:
          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> "${GITHUB_ENV}"
      - name: Create Release
        id: create_release
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
-          name: Release ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
          draft: false
          prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}

--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -98,7 +98,7 @@ signs:
 - cmd: cosign
  signature: "${artifact}.sig"
  certificate: "${artifact}.pem"
-  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
+  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
  artifacts: all

 snapshot:
@ -180,7 +180,7 @@ release:

    Those were the changes on {{ .Tag }}!

-    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.
+    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.

  # You can disable this pipe in order to not upload any artifacts.
  # Defaults to false.
@ -268,7 +268,7 @@ winget:
    # Release notes URL.
    #
    # Templates: allowed
-    release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{ .Tag }}"
+    release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{.Version}}"

    # Create the PR - for testing
    skip_upload: auto
@ -283,7 +283,7 @@ winget:
    repository:
      owner: smallstep
      name: winget-pkgs
-      branch: "step-ca-{{.Version}}"
+      branch: step

      # Optionally a token can be provided, if it differs from the token
      # provided to GoReleaser
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -25,63 +25,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 ---

-## [0.26.2] - 2024-06-13
-
-### Added
-
- Add provisionerID to ACME accounts (smallstep/certificates#1830)
- Enable verifying ACME provisioner using provisionerID if available (smallstep/certificates#1844)
- Add methods to Authority to get intermediate certificates (smallstep/certificates#1848)
- Add GetX509Signer method (smallstep/certificates#1850)
-
-### Changed
-
- Make ISErrNotFound more flexible (smallstep/certificates#1819)
- Log errors using slog.Logger (smallstep/certificates#1849)
- Update hardcoded AWS certificates (smallstep/certificates#1881)
-
-
-## [0.26.1] - 2024-04-22
-
-### Added
-
- Allow configuration of a custom SCEP key manager (smallstep/certificates#1797)
-
-### Fixed
-
- id-scep-failInfoText OID (smallstep/certificates#1794)
- CA startup with Vault RA configuration (smallstep/certificates#1803)
-
-
-## [0.26.0] - 2024-03-28
-
-### Added 
-
- [TPM KMS](https://github.com/smallstep/crypto/tree/master/kms/tpmkms) support for CA keys (smallstep/certificates#1772)
- Propagation of HTTP request identifier using X-Request-Id header (smallstep/certificates#1743, smallstep/certificates#1542)
- Expires header in CRL response (smallstep/certificates#1708)
- Support for providing TLS configuration programmatically (smallstep/certificates#1685)
- Support for providing external CAS implementation (smallstep/certificates#1684)
- AWS `ca-west-1` identity document root certificate (smallstep/certificates#1715)
- [COSE RS1](https://www.rfc-editor.org/rfc/rfc8812.html#section-2) as a supported algorithm with ACME `device-attest-01` challenge (smallstep/certificates#1663)
-
-### Changed 
-
- In an RA setup, let the CA decide the RA certificate lifetime (smallstep/certificates#1764)
- Use Debian Bookworm in Docker containers (smallstep/certificates#1615)
- Error message for CSR validation (smallstep/certificates#1665)
- Updated dependencies
-
-### Fixed
-
- Stop CA when any of the required servers fails to start (smallstep/certificates#1751). Before the fix, the CA would continue running and only log the server failure when stopped.
- Configuration loading errors when not using context were not returned. Fixed in [cli-utils/109](https://github.com/smallstep/cli-utils/pull/109).
- HTTP_PROXY and HTTPS_PROXY support for ACME validation client (smallstep/certificates#1658).
-
-### Security
-
- Upgrade to using cosign v2 for signing artifacts
-
 ## [0.25.1] - 2023-11-28

 ### Added
@ -93,7 +36,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 - Generation of first provisioner name on `step ca init` in (smallstep/certificates#1566)
 - Processing of SCEP Get PKIOperation requests in (smallstep/certificates#1570)
- Support for signing identity certificate during SSH sign by skipping URI validation in (smallstep/certificates#1572)
+- Support for signing identity certificate during SSH sign by skipping URI validation in  (smallstep/certificates#1572)
 - Dependency on `micromdm/scep` and `go.mozilla.org/pkcs7` to use Smallstep forks in (smallstep/certificates#1600)
 - Make the Common Name validator for JWK provisioners accept values from SANs too in (smallstep/certificates#1609)

--- a/README.md
+++ b/README.md
@ -1,62 +1,49 @@
-# step-ca
+# Step Certificates

-[![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest)
-[![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates)
-[![Build Status](https://github.com/smallstep/certificates/actions/workflows/test.yml/badge.svg)](https://github.com/smallstep/certificates)
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/certificates)](https://cla-assistant.io/smallstep/certificates)
+`step-ca` is an online certificate authority for secure, automated certificate management. It's the server counterpart to the [`step` CLI tool](https://github.com/smallstep/cli).

-`step-ca` is an online certificate authority for secure, automated certificate management for DevOps.
-It's the server counterpart to the [`step` CLI tool](https://github.com/smallstep/cli) for working with certificates and keys.
-Both projects are maintained by [Smallstep Labs](https://smallstep.com).
-
-You can use `step-ca` to:
- Issue HTTPS server and client certificates that [work in browsers](https://smallstep.com/blog/step-v0-8-6-valid-HTTPS-certificates-for-dev-pre-prod.html) ([RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/) compliance)
- Issue TLS certificates for DevOps: VMs, containers, APIs, database connections, Kubernetes pods...
+You can use it to:
+- Issue X.509 certificates for your internal infrastructure:
+  - HTTPS certificates that [work in browsers](https://smallstep.com/blog/step-v0-8-6-valid-HTTPS-certificates-for-dev-pre-prod.html) ([RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/) compliance)
+  - TLS certificates for VMs, containers, APIs, mobile clients, database connections, printers, wifi networks, toaster ovens...
+  - Client certificates to [enable mutual TLS (mTLS)](https://smallstep.com/hello-mtls) in your infra. mTLS is an optional feature in TLS where both client and server authenticate each other. Why add the complexity of a VPN when you can safely use mTLS over the public internet?
 - Issue SSH certificates:
-  - For people, in exchange for single sign-on identity tokens
+  - For people, in exchange for single sign-on ID tokens
  - For hosts, in exchange for cloud instance identity documents
 - Easily automate certificate management:
-  - It's an [ACME server](https://smallstep.com/docs/step-ca/acme-basics/) that supports all [popular ACME challenge types](https://smallstep.com/docs/step-ca/acme-basics/#acme-challenge-types)
+  - It's an ACME v2 server
+  - It has a JSON API
  - It comes with a [Go wrapper](./examples#user-content-basic-client-usage)
  - ... and there's a [command-line client](https://github.com/smallstep/cli) you can use in scripts!

---
-
-### Comparison with Smallstep's commercial product
-
-`step-ca` is optimized for a two-tier PKI serving common DevOps use cases.
-
-As you design your PKI, if you need any of the following, [consider our commerical CA](http://smallstep.com):
- Multiple certificate authorities
- Active revocation (CRL, OSCP)
- Turnkey high-volume, high availability CA
- An API for seamless IaC management of your PKI
- Integrated support for SCEP & NDES, for migrating from legacy Active Directory Certificate Services deployments
- Device identity — cross-platform device inventory and attestation using Secure Enclave & TPM 2.0
- Highly automated PKI — managed certificate renewal, monitoring, TPM-based attested enrollment
- Seamless client deployments of EAP-TLS Wi-Fi, VPN, SSH, and browser certificates
- Jamf, Intune, or other MDM for root distribution and client enrollment
- Web Admin UI — history, issuance, and metrics
- ACME External Account Binding (EAB)
- Deep integration with an identity provider
- Fine-grained, role-based access control
- FIPS-compliant software
- HSM-bound private keys
+Whatever your use case, `step-ca` is easy to use and hard to misuse, thanks to [safe, sane defaults](https://smallstep.com/docs/step-ca/certificate-authority-server-production#sane-cryptographic-defaults).

-See our [full feature comparison](https://smallstep.com/step-ca-vs-smallstep-certificate-manager/) for more.
+---

-You can [start a free trial](https://smallstep.com/signup) or [set up a call with us](https://go.smallstep.com/request-demo) to learn more.
+**Don't want to run your own CA?**
+To get up and running quickly, or as an alternative to running your own `step-ca` server, consider creating a [free hosted smallstep Certificate Manager authority](https://info.smallstep.com/certificate-manager-early-access-mvp/).

 ---

 **Questions? Find us in [Discussions](https://github.com/smallstep/certificates/discussions) or [Join our Discord](https://u.step.sm/discord).**

 [Website](https://smallstep.com/certificates) |
-[Documentation](https://smallstep.com/docs/step-ca) |
+[Documentation](https://smallstep.com/docs) |
 [Installation](https://smallstep.com/docs/step-ca/installation) |
+[Getting Started](https://smallstep.com/docs/step-ca/getting-started) |
 [Contributor's Guide](./CONTRIBUTING.md)

+[![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest)
+[![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates)
+[![Build Status](https://github.com/smallstep/certificates/actions/workflows/test.yml/badge.svg)](https://github.com/smallstep/certificates)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/certificates)](https://cla-assistant.io/smallstep/certificates)
+
+[![GitHub stars](https://img.shields.io/github/stars/smallstep/certificates.svg?style=social)](https://github.com/smallstep/certificates/stargazers)
+[![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs)
+
+![star us](https://github.com/smallstep/certificates/raw/master/docs/images/star.gif)
+
 ## Features

 ### 🦾 A fast, stable, flexible private CA
@ -65,6 +52,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te

 - Choose key types (RSA, ECDSA, EdDSA) and lifetimes to suit your needs
 - [Short-lived certificates](https://smallstep.com/blog/passive-revocation.html) with automated enrollment, renewal, and passive revocation
+- Capable of high availability (HA) deployment using [root federation](https://smallstep.com/blog/step-v0.8.3-federation-root-rotation.html) and/or multiple intermediaries
 - Can operate as [an online intermediate CA for an existing root CA](https://smallstep.com/docs/tutorials/intermediate-ca-new-ca)
 - [Badger, BoltDB, Postgres, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)

@ -139,5 +127,5 @@ and visiting http://localhost:8080.

 ## Feedback?

-* Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space. [Join our Discord](https://u.step.sm/discord) or [GitHub Discussions](https://github.com/smallstep/certificates/discussions)
-* Tell us about a feature you'd like to see! [Request a Feature](https://github.com/smallstep/certificates/issues/new?assignees=&labels=enhancement%2C+needs+triage&template=enhancement.md&title=)
+* Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space.
+* Tell us about a feature you'd like to see! [Add a feature request Issue](https://github.com/smallstep/certificates/issues/new?assignees=&labels=enhancement%2C+needs+triage&template=enhancement.md&title=), [ask on Discussions](https://github.com/smallstep/certificates/discussions), or hit us up on [Twitter](https://twitter.com/smallsteplabs).
--- a/acme/account.go
+++ b/acme/account.go
@ -21,7 +21,6 @@ type Account struct {
 	OrdersURL              string           `json:"orders"`
 	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
 	LocationPrefix         string           `json:"-"`
-	ProvisionerID          string           `json:"-"`
 	ProvisionerName        string           `json:"-"`
 }

--- a/acme/api/account.go
+++ b/acme/api/account.go
@ -82,23 +82,23 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {

 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var nar NewAccountRequest
 	if err := json.Unmarshal(payload.value, &nar); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal new-account request payload"))
 		return
 	}
 	if err := nar.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -108,26 +108,26 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 		var acmeErr *acme.Error
 		if !errors.As(err, &acmeErr) || acmeErr.Status != http.StatusBadRequest {
 			// Something went wrong ...
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		// Account does not exist //
 		if nar.OnlyReturnExisting {
-			render.Error(w, r, acme.NewError(acme.ErrorAccountDoesNotExistType,
+			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType,
 				"account does not exist"))
 			return
 		}

 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		eak, err := validateExternalAccountBinding(ctx, &nar)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

@ -136,21 +136,20 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 			Contact:         nar.Contact,
 			Status:          acme.StatusValid,
 			LocationPrefix:  getAccountLocationPath(ctx, linker, ""),
-			ProvisionerID:   prov.ID,
-			ProvisionerName: prov.Name,
+			ProvisionerName: prov.GetName(),
 		}
 		if err := db.CreateAccount(ctx, acc); err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error creating account"))
+			render.Error(w, acme.WrapErrorISE(err, "error creating account"))
 			return
 		}

 		if eak != nil { // means that we have a (valid) External Account Binding key that should be bound, updated and sent in the response
 			if err := eak.BindTo(acc); err != nil {
-				render.Error(w, r, err)
+				render.Error(w, err)
 				return
 			}
 			if err := db.UpdateExternalAccountKey(ctx, prov.ID, eak); err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error updating external account binding key"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating external account binding key"))
 				return
 			}
 			acc.ExternalAccountBinding = nar.ExternalAccountBinding
@ -163,7 +162,7 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 	linker.LinkAccount(ctx, acc)

 	w.Header().Set("Location", getAccountLocationPath(ctx, linker, acc.ID))
-	render.JSONStatus(w, r, acc, httpStatus)
+	render.JSONStatus(w, acc, httpStatus)
 }

 // GetOrUpdateAccount is the api for updating an ACME account.
@ -174,12 +173,12 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -188,12 +187,12 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	if !payload.isPostAsGet {
 		var uar UpdateAccountRequest
 		if err := json.Unmarshal(payload.value, &uar); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 				"failed to unmarshal new-account request payload"))
 			return
 		}
 		if err := uar.Validate(); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if len(uar.Status) > 0 || len(uar.Contact) > 0 {
@ -204,7 +203,7 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 			}

 			if err := db.UpdateAccount(ctx, acc); err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error updating account"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating account"))
 				return
 			}
 		}
@ -213,7 +212,7 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	linker.LinkAccount(ctx, acc)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.AccountLinkType, acc.ID))
-	render.JSON(w, r, acc)
+	render.JSON(w, acc)
 }

 func logOrdersByAccount(w http.ResponseWriter, oids []string) {
@ -233,23 +232,23 @@ func GetOrdersByAccountID(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	accID := chi.URLParam(r, "accID")
 	if acc.ID != accID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
 		return
 	}

 	orders, err := db.GetOrdersByAccountID(ctx, acc.ID)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	linker.LinkOrdersByAccountID(ctx, orders)

-	render.JSON(w, r, orders)
+	render.JSON(w, orders)
 	logOrdersByAccount(w, orders)
 }
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
@ -14,7 +14,6 @@ import (
 	"time"

 	"github.com/go-chi/chi/v5"
-	"github.com/google/uuid"
 	"github.com/pkg/errors"

 	"go.step.sm/crypto/jose"
@ -25,12 +24,14 @@ import (
 )

 var (
-	defaultDisableRenewal   = false
-	globalProvisionerClaims = provisioner.Claims{
-		MinTLSDur:      &provisioner.Duration{Duration: 5 * time.Minute},
-		MaxTLSDur:      &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultTLSDur:  &provisioner.Duration{Duration: 24 * time.Hour},
-		DisableRenewal: &defaultDisableRenewal,
+	defaultDisableRenewal             = false
+	defaultDisableSmallstepExtensions = false
+	globalProvisionerClaims           = provisioner.Claims{
+		MinTLSDur:                  &provisioner.Duration{Duration: 5 * time.Minute},
+		MaxTLSDur:                  &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultTLSDur:              &provisioner.Duration{Duration: 24 * time.Hour},
+		DisableRenewal:             &defaultDisableRenewal,
+		DisableSmallstepExtensions: &defaultDisableSmallstepExtensions,
 	}
 )

@ -67,19 +68,6 @@ func newProv() acme.Provisioner {
 	return p
 }

-func newProvWithID() acme.Provisioner {
-	// Initialize provisioners
-	p := &provisioner.ACME{
-		ID:   uuid.NewString(),
-		Type: "ACME",
-		Name: "test@acme-<test>provisioner.com",
-	}
-	if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
-		fmt.Printf("%v", err)
-	}
-	return p
-}
-
 func newProvWithOptions(options *provisioner.Options) acme.Provisioner {
 	// Initialize provisioners
 	p := &provisioner.ACME{
--- a/acme/api/handler.go
+++ b/acme/api/handler.go
@ -223,13 +223,13 @@ func GetDirectory(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acmeProv, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	linker := acme.MustLinkerFromContext(ctx)

-	render.JSON(w, r, &Directory{
+	render.JSON(w, &Directory{
 		NewNonce:   linker.GetLink(ctx, acme.NewNonceLinkType),
 		NewAccount: linker.GetLink(ctx, acme.NewAccountLinkType),
 		NewOrder:   linker.GetLink(ctx, acme.NewOrderLinkType),
@ -273,8 +273,8 @@ func shouldAddMetaObject(p *provisioner.ACME) bool {

 // NotImplemented returns a 501 and is generally a placeholder for functionality which
 // MAY be added at some point in the future but is not in any way a guarantee of such.
-func NotImplemented(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
+func NotImplemented(w http.ResponseWriter, _ *http.Request) {
+	render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
 }

 // GetAuthorization ACME api for retrieving an Authz.
@ -285,28 +285,28 @@ func GetAuthorization(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	az, err := db.GetAuthorization(ctx, chi.URLParam(r, "authzID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving authorization"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving authorization"))
 		return
 	}
 	if acc.ID != az.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own authorization '%s'", acc.ID, az.ID))
 		return
 	}
 	if err = az.UpdateStatus(ctx, db); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error updating authorization status"))
+		render.Error(w, acme.WrapErrorISE(err, "error updating authorization status"))
 		return
 	}

 	linker.LinkAuthorization(ctx, az)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.AuthzLinkType, az.ID))
-	render.JSON(w, r, az)
+	render.JSON(w, az)
 }

 // GetChallenge ACME api for retrieving a Challenge.
@ -317,13 +317,13 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -336,22 +336,22 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {
 	azID := chi.URLParam(r, "authzID")
 	ch, err := db.GetChallenge(ctx, chi.URLParam(r, "chID"), azID)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving challenge"))
 		return
 	}
 	ch.AuthorizationID = azID
 	if acc.ID != ch.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own challenge '%s'", acc.ID, ch.ID))
 		return
 	}
 	jwk, err := jwkFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if err = ch.Validate(ctx, db, jwk, payload.value); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error validating challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error validating challenge"))
 		return
 	}

@ -359,7 +359,7 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {

 	w.Header().Add("Link", link(linker.GetLink(ctx, acme.AuthzLinkType, azID), "up"))
 	w.Header().Set("Location", linker.GetLink(ctx, acme.ChallengeLinkType, azID, ch.ID))
-	render.JSON(w, r, ch)
+	render.JSON(w, ch)
 }

 // GetCertificate ACME api for retrieving a Certificate.
@ -369,18 +369,18 @@ func GetCertificate(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	certID := chi.URLParam(r, "certID")
 	cert, err := db.GetCertificate(ctx, certID)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving certificate"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate"))
 		return
 	}
 	if cert.AccountID != acc.ID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own certificate '%s'", acc.ID, certID))
 		return
 	}
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -36,7 +36,7 @@ func addNonce(next nextHTTP) nextHTTP {
 		db := acme.MustDatabaseFromContext(r.Context())
 		nonce, err := db.CreateNonce(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		w.Header().Set("Replay-Nonce", string(nonce))
@ -64,7 +64,7 @@ func verifyContentType(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		p, err := provisionerFromContext(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

@ -88,7 +88,7 @@ func verifyContentType(next nextHTTP) nextHTTP {
 				return
 			}
 		}
-		render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+		render.Error(w, acme.NewError(acme.ErrorMalformedType,
 			"expected content-type to be in %s, but got %s", expected, ct))
 	}
 }
@ -98,12 +98,12 @@ func parseJWS(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "failed to read request body"))
+			render.Error(w, acme.WrapErrorISE(err, "failed to read request body"))
 			return
 		}
 		jws, err := jose.ParseJWS(string(body))
 		if err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "failed to parse JWS from request body"))
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "failed to parse JWS from request body"))
 			return
 		}
 		ctx := context.WithValue(r.Context(), jwsContextKey, jws)
@ -133,26 +133,26 @@ func validateJWS(next nextHTTP) nextHTTP {

 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if len(jws.Signatures) == 0 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "request body does not contain a signature"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "request body does not contain a signature"))
 			return
 		}
 		if len(jws.Signatures) > 1 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "request body contains more than one signature"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "request body contains more than one signature"))
 			return
 		}

 		sig := jws.Signatures[0]
 		uh := sig.Unprotected
-		if uh.KeyID != "" ||
+		if len(uh.KeyID) > 0 ||
 			uh.JSONWebKey != nil ||
-			uh.Algorithm != "" ||
-			uh.Nonce != "" ||
+			len(uh.Algorithm) > 0 ||
+			len(uh.Nonce) > 0 ||
 			len(uh.ExtraHeaders) > 0 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "unprotected header must not be used"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "unprotected header must not be used"))
 			return
 		}
 		hdr := sig.Protected
@ -162,13 +162,13 @@ func validateJWS(next nextHTTP) nextHTTP {
 				switch k := hdr.JSONWebKey.Key.(type) {
 				case *rsa.PublicKey:
 					if k.Size() < keyutil.MinRSAKeyBytes {
-						render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+						render.Error(w, acme.NewError(acme.ErrorMalformedType,
 							"rsa keys must be at least %d bits (%d bytes) in size",
 							8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes))
 						return
 					}
 				default:
-					render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+					render.Error(w, acme.NewError(acme.ErrorMalformedType,
 						"jws key type and algorithm do not match"))
 					return
 				}
@ -176,35 +176,35 @@ func validateJWS(next nextHTTP) nextHTTP {
 		case jose.ES256, jose.ES384, jose.ES512, jose.EdDSA:
 			// we good
 		default:
-			render.Error(w, r, acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm))
+			render.Error(w, acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm))
 			return
 		}

 		// Check the validity/freshness of the Nonce.
 		if err := db.DeleteNonce(ctx, acme.Nonce(hdr.Nonce)); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		// Check that the JWS url matches the requested url.
 		jwsURL, ok := hdr.ExtraHeaders["url"].(string)
 		if !ok {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jws missing url protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jws missing url protected header"))
 			return
 		}
 		reqURL := &url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path}
 		if jwsURL != reqURL.String() {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+			render.Error(w, acme.NewError(acme.ErrorMalformedType,
 				"url header in JWS (%s) does not match request url (%s)", jwsURL, reqURL))
 			return
 		}

-		if hdr.JSONWebKey != nil && hdr.KeyID != "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jwk and kid are mutually exclusive"))
+		if hdr.JSONWebKey != nil && len(hdr.KeyID) > 0 {
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jwk and kid are mutually exclusive"))
 			return
 		}
 		if hdr.JSONWebKey == nil && hdr.KeyID == "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "either jwk or kid must be defined in jws protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "either jwk or kid must be defined in jws protected header"))
 			return
 		}
 		next(w, r)
@ -221,23 +221,23 @@ func extractJWK(next nextHTTP) nextHTTP {

 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		jwk := jws.Signatures[0].Protected.JSONWebKey
 		if jwk == nil {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jwk expected in protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jwk expected in protected header"))
 			return
 		}
 		if !jwk.Valid() {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "invalid jwk in protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "invalid jwk in protected header"))
 			return
 		}

 		// Overwrite KeyID with the JWK thumbprint.
 		jwk.KeyID, err = acme.KeyToID(jwk)
 		if err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error getting KeyID from JWK"))
+			render.Error(w, acme.WrapErrorISE(err, "error getting KeyID from JWK"))
 			return
 		}

@ -247,15 +247,15 @@ func extractJWK(next nextHTTP) nextHTTP {
 		// Get Account OR continue to generate a new one OR continue Revoke with certificate private key
 		acc, err := db.GetAccountByKeyID(ctx, jwk.KeyID)
 		switch {
-		case acme.IsErrNotFound(err):
+		case errors.Is(err, acme.ErrNotFound):
 			// For NewAccount and Revoke requests ...
 			break
 		case err != nil:
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		default:
 			if !acc.IsValid() {
-				render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
+				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}
 			ctx = context.WithValue(ctx, accContextKey, acc)
@ -274,11 +274,11 @@ func checkPrerequisites(next nextHTTP) nextHTTP {
 		if ok {
 			ok, err := checkFunc(ctx)
 			if err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error checking acme provisioner prerequisites"))
+				render.Error(w, acme.WrapErrorISE(err, "error checking acme provisioner prerequisites"))
 				return
 			}
 			if !ok {
-				render.Error(w, r, acme.NewError(acme.ErrorNotImplementedType, "acme provisioner configuration lacks prerequisites"))
+				render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "acme provisioner configuration lacks prerequisites"))
 				return
 			}
 		}
@ -296,13 +296,13 @@ func lookupJWK(next nextHTTP) nextHTTP {

 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		kid := jws.Signatures[0].Protected.KeyID
 		if kid == "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"))
 			return
 		}

@ -310,14 +310,14 @@ func lookupJWK(next nextHTTP) nextHTTP {
 		acc, err := db.GetAccount(ctx, accID)
 		switch {
 		case acme.IsErrNotFound(err):
-			render.Error(w, r, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
+			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
 			return
 		case err != nil:
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		default:
 			if !acc.IsValid() {
-				render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
+				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}

@ -325,7 +325,7 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				if kid != storedLocation {
 					// ACME accounts should have a stored location equivalent to the
 					// kid in the ACME request.
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 						"kid does not match stored account location; expected %s, but got %s",
 						storedLocation, kid))
 					return
@ -334,16 +334,14 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				// Verify that the provisioner with which the account was created
 				// matches the provisioner in the request URL.
 				reqProv := acme.MustProvisionerFromContext(ctx)
-				switch {
-				case acc.ProvisionerID == "" && acc.ProvisionerName != reqProv.GetName():
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
-						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						acc.ProvisionerName, reqProv.GetName()))
-					return
-				case acc.ProvisionerID != "" && acc.ProvisionerID != reqProv.GetID():
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+				reqProvName := reqProv.GetName()
+				accProvName := acc.ProvisionerName
+				if reqProvName != accProvName {
+					// Provisioner in the URL must match the provisioner with
+					// which the account was created.
+					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						acc.ProvisionerID, reqProv.GetID()))
+						accProvName, reqProvName))
 					return
 				}
 			} else {
@ -355,7 +353,7 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				linker := acme.MustLinkerFromContext(ctx)
 				kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
 				if !strings.HasPrefix(kid, kidPrefix) {
-					render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+					render.Error(w, acme.NewError(acme.ErrorMalformedType,
 						"kid does not have required prefix; expected %s, but got %s",
 						kidPrefix, kid))
 					return
@ -376,7 +374,7 @@ func extractOrLookupJWK(next nextHTTP) nextHTTP {
 		ctx := r.Context()
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

@ -412,16 +410,16 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
 		ctx := r.Context()
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if jwk.Algorithm != "" && jwk.Algorithm != jws.Signatures[0].Protected.Algorithm {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "verifier and signature algorithm do not match"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "verifier and signature algorithm do not match"))
 			return
 		}

@ -430,11 +428,11 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
 		case errors.Is(err, jose.ErrCryptoFailure):
 			payload, err = retryVerificationWithPatchedSignatures(jws, jwk)
 			if err != nil {
-				render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws with patched signature(s)"))
+				render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws with patched signature(s)"))
 				return
 			}
 		case err != nil:
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws"))
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws"))
 			return
 		}

@ -551,11 +549,11 @@ func isPostAsGet(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		payload, err := payloadFromContext(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if !payload.isPostAsGet {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "expected POST-as-GET"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "expected POST-as-GET"))
 			return
 		}
 		next(w, r)
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -15,7 +15,6 @@ import (
 	"strings"
 	"testing"

-	"github.com/google/uuid"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	tassert "github.com/stretchr/testify/assert"
@ -832,37 +831,8 @@ func TestHandler_lookupJWK(t *testing.T) {
 				},
 				statusCode: http.StatusUnauthorized,
 				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-					"other", prov.GetName()),
-			}
-		},
-		"fail/account-with-location-prefix/bad-provisioner-id": func(t *testing.T) test {
-			p := newProvWithID()
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: uuid.NewString()}
-			ctx := acme.NewProvisionerContext(context.Background(), p)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: http.StatusUnauthorized,
-				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-					acc.ProvisionerID, p.GetID()),
+					"account provisioner does not match requested provisioner; account provisioner = %s, reqested provisioner = %s",
+					prov.GetName(), "other"),
 			}
 		},
 		"ok/account-with-location-prefix": func(t *testing.T) test {
@ -915,32 +885,6 @@ func TestHandler_lookupJWK(t *testing.T) {
 				statusCode: 200,
 			}
 		},
-		"ok/account-with-provisioner-id": func(t *testing.T) test {
-			p := newProvWithID()
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: p.GetID()}
-			ctx := acme.NewProvisionerContext(context.Background(), p)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: 200,
-			}
-		},
 	}
 	for name, run := range tests {
 		tc := run(t)
--- a/acme/api/order.go
+++ b/acme/api/order.go
@ -16,6 +16,7 @@ import (
 	"go.step.sm/crypto/x509util"

 	"github.com/smallstep/certificates/acme"
+	"github.com/smallstep/certificates/acme/wire"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/policy"
 	"github.com/smallstep/certificates/authority/provisioner"
@ -48,6 +49,19 @@ func (n *NewOrderRequest) Validate() error {
 			if id.Value == "" {
 				return acme.NewError(acme.ErrorMalformedType, "permanent identifier cannot be empty")
 			}
+		case acme.WireUser:
+			_, err := wire.ParseUserID([]byte(id.Value))
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing Wire ID")
+			}
+		case acme.WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(id.Value))
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing Wire ID")
+			}
+			if _, err := wire.ParseClientID(wireID.ClientID); err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "invalid Wire client ID %q", wireID.ClientID)
+			}
 		default:
 			return acme.NewError(acme.ErrorMalformedType, "identifier type unsupported: %s", id.Type)
 		}
@ -55,6 +69,7 @@ func (n *NewOrderRequest) Validate() error {
 		// TODO(hs): add some validations for DNS domains?
 		// TODO(hs): combine the errors from this with allow/deny policy, like example error in https://datatracker.ietf.org/doc/html/rfc8555#section-6.7.1
 	}
+
 	return nil
 }

@ -99,29 +114,29 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	var nor NewOrderRequest
 	if err := json.Unmarshal(payload.value, &nor); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal new-order request payload"))
 		return
 	}

 	if err := nor.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -130,39 +145,39 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {

 	acmeProv, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	var eak *acme.ExternalAccountKey
 	if acmeProv.RequireEAB {
 		if eak, err = db.GetExternalAccountKeyByAccountID(ctx, prov.GetID(), acc.ID); err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error retrieving external account binding key"))
+			render.Error(w, acme.WrapErrorISE(err, "error retrieving external account binding key"))
 			return
 		}
 	}

 	acmePolicy, err := newACMEPolicyEngine(eak)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error creating ACME policy engine"))
+		render.Error(w, acme.WrapErrorISE(err, "error creating ACME policy engine"))
 		return
 	}

 	for _, identifier := range nor.Identifiers {
 		// evaluate the ACME account level policy
 		if err = isIdentifierAllowed(acmePolicy, identifier); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 		// evaluate the provisioner level policy
 		orderIdentifier := provisioner.ACMEIdentifier{Type: provisioner.ACMEIdentifierType(identifier.Type), Value: identifier.Value}
 		if err = prov.AuthorizeOrderIdentifier(ctx, orderIdentifier); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 		// evaluate the authority level policy
 		if err = ca.AreSANsAllowed(ctx, []string{identifier.Value}); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 	}
@ -188,7 +203,7 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 			Status:     acme.StatusPending,
 		}
 		if err := newAuthorization(ctx, az); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		o.AuthorizationIDs[i] = az.ID
@ -207,14 +222,14 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := db.CreateOrder(ctx, o); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error creating order"))
+		render.Error(w, acme.WrapErrorISE(err, "error creating order"))
 		return
 	}

 	linker.LinkOrder(ctx, o)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSONStatus(w, r, o, http.StatusCreated)
+	render.JSONStatus(w, o, http.StatusCreated)
 }

 func isIdentifierAllowed(acmePolicy policy.X509Policy, identifier acme.Identifier) error {
@ -226,7 +241,6 @@ func isIdentifierAllowed(acmePolicy policy.X509Policy, identifier acme.Identifie

 func newACMEPolicyEngine(eak *acme.ExternalAccountKey) (policy.X509Policy, error) {
 	if eak == nil {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}
 	return policy.NewX509PolicyEngine(eak.Policy)
@ -263,12 +277,59 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 			continue
 		}

+		var target string
+		switch az.Identifier.Type {
+		case acme.WireUser:
+			wireOptions, err := prov.GetOptions().GetWireOptions()
+			if err != nil {
+				return acme.WrapErrorISE(err, "failed getting Wire options")
+			}
+			var targetProvider interface{ EvaluateTarget(string) (string, error) }
+			switch typ {
+			case acme.WIREOIDC01:
+				targetProvider = wireOptions.GetOIDCOptions()
+			default:
+				return acme.NewError(acme.ErrorMalformedType, "unsupported type %q", typ)
+			}
+
+			target, err = targetProvider.EvaluateTarget("")
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "invalid Go template registered for 'target'")
+			}
+		case acme.WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(az.Identifier.Value))
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing WireUser")
+			}
+			clientID, err := wire.ParseClientID(wireID.ClientID)
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing ClientID")
+			}
+			wireOptions, err := prov.GetOptions().GetWireOptions()
+			if err != nil {
+				return acme.WrapErrorISE(err, "failed getting Wire options")
+			}
+			var targetProvider interface{ EvaluateTarget(string) (string, error) }
+			switch typ {
+			case acme.WIREDPOP01:
+				targetProvider = wireOptions.GetDPOPOptions()
+			default:
+				return acme.NewError(acme.ErrorMalformedType, "unsupported type %q", typ)
+			}
+
+			target, err = targetProvider.EvaluateTarget(clientID.DeviceID)
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "invalid Go template registered for 'target'")
+			}
+		}
+
 		ch := &acme.Challenge{
 			AccountID: az.AccountID,
 			Value:     az.Identifier.Value,
 			Type:      typ,
 			Token:     az.Token,
 			Status:    acme.StatusPending,
+			Target:    target,
 		}
 		if err := db.CreateChallenge(ctx, ch); err != nil {
 			return acme.WrapErrorISE(err, "error creating challenge")
@ -289,39 +350,39 @@ func GetOrder(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	o, err := db.GetOrder(ctx, chi.URLParam(r, "ordID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving order"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving order"))
 		return
 	}
 	if acc.ID != o.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own order '%s'", acc.ID, o.ID))
 		return
 	}
 	if prov.GetID() != o.ProvisionerID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"provisioner '%s' does not own order '%s'", prov.GetID(), o.ID))
 		return
 	}
 	if err = o.UpdateStatus(ctx, db); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error updating order status"))
+		render.Error(w, acme.WrapErrorISE(err, "error updating order status"))
 		return
 	}

 	linker.LinkOrder(ctx, o)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSON(w, r, o)
+	render.JSON(w, o)
 }

 // FinalizeOrder attempts to finalize an order and create a certificate.
@ -332,56 +393,56 @@ func FinalizeOrder(w http.ResponseWriter, r *http.Request) {

 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var fr FinalizeRequest
 	if err := json.Unmarshal(payload.value, &fr); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal finalize-order request payload"))
 		return
 	}
 	if err := fr.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	o, err := db.GetOrder(ctx, chi.URLParam(r, "ordID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving order"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving order"))
 		return
 	}
 	if acc.ID != o.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own order '%s'", acc.ID, o.ID))
 		return
 	}
 	if prov.GetID() != o.ProvisionerID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"provisioner '%s' does not own order '%s'", prov.GetID(), o.ID))
 		return
 	}

 	ca := mustAuthority(ctx)
 	if err = o.Finalize(ctx, db, fr.csr, ca, prov); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error finalizing order"))
+		render.Error(w, acme.WrapErrorISE(err, "error finalizing order"))
 		return
 	}

 	linker.LinkOrder(ctx, o)

 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSON(w, r, o)
+	render.JSON(w, o)
 }

 // challengeTypes determines the types of challenges that should be used
@ -400,6 +461,10 @@ func challengeTypes(az *acme.Authorization) []acme.ChallengeType {
 		}
 	case acme.PermanentIdentifier:
 		chTypes = []acme.ChallengeType{acme.DEVICEATTEST01}
+	case acme.WireUser:
+		chTypes = []acme.ChallengeType{acme.WIREOIDC01}
+	case acme.WireDevice:
+		chTypes = []acme.ChallengeType{acme.WIREDPOP01}
 	default:
 		chTypes = []acme.ChallengeType{}
 	}
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@ -24,6 +24,7 @@ import (
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/policy"
 	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/authority/provisioner/wire"
 )

 func TestNewOrderRequest_Validate(t *testing.T) {
@ -80,7 +81,7 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 				err: acme.NewError(acme.ErrorMalformedType, "invalid DNS name: *.example.com:8080"),
 			}
 		},
-		"fail/bad-ip": func(t *testing.T) test {
+		"fail/bad-identifier/ip": func(t *testing.T) test {
 			nbf := time.Now().UTC().Add(time.Minute)
 			naf := time.Now().UTC().Add(5 * time.Minute)
 			return test{
@ -96,6 +97,36 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 				err: acme.NewError(acme.ErrorMalformedType, "invalid IP address: %s", "192.168.42.1000"),
 			}
 		},
+		"fail/bad-identifier/wireapp-invalid-uri": func(t *testing.T) test {
+			return test{
+				nor: &NewOrderRequest{
+					Identifiers: []acme.Identifier{
+						{Type: "wireapp-device", Value: "{}"},
+					},
+				},
+				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "": invalid Wire client ID URI "": error parsing : scheme is missing`),
+			}
+		},
+		"fail/bad-identifier/wireapp-wrong-scheme": func(t *testing.T) test {
+			return test{
+				nor: &NewOrderRequest{
+					Identifiers: []acme.Identifier{
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "nowireapp://example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+					},
+				},
+				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "nowireapp://example.com": invalid Wire client ID scheme "nowireapp"; expected "wireapp"`),
+			}
+		},
+		"fail/bad-identifier/wireapp-invalid-user-parts": func(t *testing.T) test {
+			return test{
+				nor: &NewOrderRequest{
+					Identifiers: []acme.Identifier{
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://user-device@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+					},
+				},
+				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "wireapp://user-device@example.com": invalid Wire client ID username "user-device"`),
+			}
+		},
 		"ok": func(t *testing.T) test {
 			nbf := time.Now().UTC().Add(time.Minute)
 			naf := time.Now().UTC().Add(5 * time.Minute)
@ -174,6 +205,36 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 				naf: naf,
 			}
 		},
+		"ok/wireapp-user": func(t *testing.T) test {
+			nbf := time.Now().UTC().Add(time.Minute)
+			naf := time.Now().UTC().Add(5 * time.Minute)
+			return test{
+				nor: &NewOrderRequest{
+					Identifiers: []acme.Identifier{
+						{Type: "wireapp-user", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+					},
+					NotAfter:  naf,
+					NotBefore: nbf,
+				},
+				nbf: nbf,
+				naf: naf,
+			}
+		},
+		"ok/wireapp-device": func(t *testing.T) test {
+			nbf := time.Now().UTC().Add(time.Minute)
+			naf := time.Now().UTC().Add(5 * time.Minute)
+			return test{
+				nor: &NewOrderRequest{
+					Identifiers: []acme.Identifier{
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+					},
+					NotAfter:  naf,
+					NotBefore: nbf,
+				},
+				nbf: nbf,
+				naf: naf,
+			}
+		},
 	}
 	for name, run := range tests {
 		tc := run(t)
@ -755,6 +816,53 @@ func TestHandler_newAuthorization(t *testing.T) {
 				az: az,
 			}
 		},
+		"ok/wire": func(t *testing.T) test {
+			az := &acme.Authorization{
+				AccountID: "accID",
+				Identifier: acme.Identifier{
+					Type:  "wireapp",
+					Value: "wireapp://user!client@domain",
+				},
+				Status:    acme.StatusPending,
+				ExpiresAt: clock.Now(),
+			}
+			count := 0
+			var ch1 **acme.Challenge
+			return test{
+				prov: defaultProvisioner,
+				db: &acme.MockDB{
+					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
+						switch count {
+						case 0:
+							ch.ID = "wireapp"
+							assert.Equals(t, ch.Type, acme.WIREOIDC01)
+							ch1 = &ch
+						default:
+							assert.FatalError(t, errors.New("test logic error"))
+							return errors.New("force")
+						}
+						count++
+						assert.Equals(t, ch.AccountID, az.AccountID)
+						assert.Equals(t, ch.Token, az.Token)
+						assert.Equals(t, ch.Status, acme.StatusPending)
+						assert.Equals(t, ch.Value, az.Identifier.Value)
+						return nil
+					},
+					MockCreateAuthorization: func(ctx context.Context, _az *acme.Authorization) error {
+						assert.Equals(t, _az.AccountID, az.AccountID)
+						assert.Equals(t, _az.Token, az.Token)
+						assert.Equals(t, _az.Status, acme.StatusPending)
+						assert.Equals(t, _az.Identifier, az.Identifier)
+						assert.Equals(t, _az.ExpiresAt, az.ExpiresAt)
+						_ = ch1
+						// assert.Equals(t, _az.Challenges, []*acme.Challenge{*ch1})
+						assert.Equals(t, _az.Wildcard, false)
+						return nil
+					},
+				},
+				az: az,
+			}
+		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
@ -781,7 +889,6 @@ func TestHandler_newAuthorization(t *testing.T) {
 				assert.Nil(t, tc.err)
 			}
 		})
-
 	}
 }

@ -793,6 +900,10 @@ func TestHandler_NewOrder(t *testing.T) {
 	u := fmt.Sprintf("%s/acme/%s/order/ordID",
 		baseURL.String(), escProvName)

+	fakeWireSigningKey := `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
+-----END PUBLIC KEY-----`
+
 	type test struct {
 		ca         acme.CertificateAuthority
 		db         acme.DB
@ -1623,6 +1734,214 @@ func TestHandler_NewOrder(t *testing.T) {
 				},
 			}
 		},
+		"ok/default-naf-nbf-wireapp-user": func(t *testing.T) test {
+			acmeWireProv := newWireProvisionerWithOptions(t, &provisioner.Options{
+				Wire: &wire.Options{
+					OIDC: &wire.OIDCOptions{
+						Provider: &wire.Provider{
+							IssuerURL:   "https://issuer.example.com",
+							AuthURL:     "",
+							TokenURL:    "",
+							JWKSURL:     "",
+							UserInfoURL: "",
+							Algorithms:  []string{"ES256"},
+						},
+						Config: &wire.Config{
+							ClientID:                   "integration test",
+							SignatureAlgorithms:        []string{"ES256"},
+							SkipClientIDCheck:          true,
+							SkipExpiryCheck:            true,
+							SkipIssuerCheck:            true,
+							InsecureSkipSignatureCheck: true,
+							Now:                        time.Now,
+						},
+					},
+					DPOP: &wire.DPOPOptions{
+						SigningKey: []byte(fakeWireSigningKey),
+					},
+				},
+			})
+			acc := &acme.Account{ID: "accID"}
+			nor := &NewOrderRequest{
+				Identifiers: []acme.Identifier{
+					{Type: "wireapp-user", Value: `{"name": "Alice Smith", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+				},
+			}
+			b, err := json.Marshal(nor)
+			assert.FatalError(t, err)
+			ctx := acme.NewProvisionerContext(context.Background(), acmeWireProv)
+			ctx = context.WithValue(ctx, accContextKey, acc)
+			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
+			var (
+				ch1   **acme.Challenge
+				az1ID *string
+			)
+			return test{
+				ctx:        ctx,
+				statusCode: 201,
+				nor:        nor,
+				ca:         &mockCA{},
+				db: &acme.MockDB{
+					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
+						ch.ID = "wireapp-oidc"
+						assert.Equals(t, ch.Type, acme.WIREOIDC01)
+						ch1 = &ch
+						assert.Equals(t, ch.AccountID, "accID")
+						assert.NotEquals(t, ch.Token, "")
+						assert.Equals(t, ch.Status, acme.StatusPending)
+						assert.Equals(t, ch.Value, `{"name": "Alice Smith", "handle": "wireapp://%40alice.smith.qa@example.com"}`)
+						return nil
+					},
+					MockCreateAuthorization: func(ctx context.Context, az *acme.Authorization) error {
+						az.ID = "az1ID"
+						az1ID = &az.ID
+						assert.Equals(t, az.AccountID, "accID")
+						assert.NotEquals(t, az.Token, "")
+						assert.Equals(t, az.Status, acme.StatusPending)
+						assert.Equals(t, az.Identifier, nor.Identifiers[0])
+						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1})
+						assert.Equals(t, az.Wildcard, false)
+						return nil
+					},
+					MockCreateOrder: func(ctx context.Context, o *acme.Order) error {
+						o.ID = "ordID"
+						assert.Equals(t, o.AccountID, "accID")
+						assert.Equals(t, o.ProvisionerID, prov.GetID())
+						assert.Equals(t, o.Status, acme.StatusPending)
+						assert.Equals(t, o.Identifiers, nor.Identifiers)
+						assert.Equals(t, o.AuthorizationIDs, []string{*az1ID})
+						return nil
+					},
+					MockGetExternalAccountKeyByAccountID: func(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
+						assert.Equals(t, prov.GetID(), provisionerID)
+						assert.Equals(t, "accID", accountID)
+						return nil, nil
+					},
+				},
+				vr: func(t *testing.T, o *acme.Order) {
+					now := clock.Now()
+					testBufferDur := 5 * time.Second
+					orderExpiry := now.Add(defaultOrderExpiry)
+					expNbf := now.Add(-defaultOrderBackdate)
+					expNaf := now.Add(prov.DefaultTLSCertDuration())
+
+					assert.Equals(t, o.ID, "ordID")
+					assert.Equals(t, o.Status, acme.StatusPending)
+					assert.Equals(t, o.Identifiers, nor.Identifiers)
+					assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)})
+					assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf))
+					assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf))
+					assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf))
+					assert.True(t, o.NotAfter.Add(testBufferDur).After(expNaf))
+					assert.True(t, o.ExpiresAt.Add(-testBufferDur).Before(orderExpiry))
+					assert.True(t, o.ExpiresAt.Add(testBufferDur).After(orderExpiry))
+				},
+			}
+		},
+		"ok/default-naf-nbf-wireapp-device": func(t *testing.T) test {
+			acmeWireProv := newWireProvisionerWithOptions(t, &provisioner.Options{
+				Wire: &wire.Options{
+					OIDC: &wire.OIDCOptions{
+						Provider: &wire.Provider{
+							IssuerURL:   "https://issuer.example.com",
+							AuthURL:     "",
+							TokenURL:    "",
+							JWKSURL:     "",
+							UserInfoURL: "",
+							Algorithms:  []string{"ES256"},
+						},
+						Config: &wire.Config{
+							ClientID:                   "integration test",
+							SignatureAlgorithms:        []string{"ES256"},
+							SkipClientIDCheck:          true,
+							SkipExpiryCheck:            true,
+							SkipIssuerCheck:            true,
+							InsecureSkipSignatureCheck: true,
+							Now:                        time.Now,
+						},
+					},
+					DPOP: &wire.DPOPOptions{
+						SigningKey: []byte(fakeWireSigningKey),
+					},
+				},
+			})
+			acc := &acme.Account{ID: "accID"}
+			nor := &NewOrderRequest{
+				Identifiers: []acme.Identifier{
+					{Type: "wireapp-device", Value: `{"client-id": "wireapp://user!client@domain"}`},
+				},
+			}
+			b, err := json.Marshal(nor)
+			assert.FatalError(t, err)
+			ctx := acme.NewProvisionerContext(context.Background(), acmeWireProv)
+			ctx = context.WithValue(ctx, accContextKey, acc)
+			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
+			var (
+				ch1   **acme.Challenge
+				az1ID *string
+			)
+			return test{
+				ctx:        ctx,
+				statusCode: 201,
+				nor:        nor,
+				ca:         &mockCA{},
+				db: &acme.MockDB{
+					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
+						ch.ID = "wireapp-dpop"
+						assert.Equals(t, ch.Type, acme.WIREDPOP01)
+						ch1 = &ch
+						assert.Equals(t, ch.AccountID, "accID")
+						assert.NotEquals(t, ch.Token, "")
+						assert.Equals(t, ch.Status, acme.StatusPending)
+						assert.Equals(t, ch.Value, `{"client-id": "wireapp://user!client@domain"}`)
+						return nil
+					},
+					MockCreateAuthorization: func(ctx context.Context, az *acme.Authorization) error {
+						az.ID = "az1ID"
+						az1ID = &az.ID
+						assert.Equals(t, az.AccountID, "accID")
+						assert.NotEquals(t, az.Token, "")
+						assert.Equals(t, az.Status, acme.StatusPending)
+						assert.Equals(t, az.Identifier, nor.Identifiers[0])
+						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1})
+						assert.Equals(t, az.Wildcard, false)
+						return nil
+					},
+					MockCreateOrder: func(ctx context.Context, o *acme.Order) error {
+						o.ID = "ordID"
+						assert.Equals(t, o.AccountID, "accID")
+						assert.Equals(t, o.ProvisionerID, prov.GetID())
+						assert.Equals(t, o.Status, acme.StatusPending)
+						assert.Equals(t, o.Identifiers, nor.Identifiers)
+						assert.Equals(t, o.AuthorizationIDs, []string{*az1ID})
+						return nil
+					},
+					MockGetExternalAccountKeyByAccountID: func(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
+						assert.Equals(t, prov.GetID(), provisionerID)
+						assert.Equals(t, "accID", accountID)
+						return nil, nil
+					},
+				},
+				vr: func(t *testing.T, o *acme.Order) {
+					now := clock.Now()
+					testBufferDur := 5 * time.Second
+					orderExpiry := now.Add(defaultOrderExpiry)
+					expNbf := now.Add(-defaultOrderBackdate)
+					expNaf := now.Add(prov.DefaultTLSCertDuration())
+
+					assert.Equals(t, o.ID, "ordID")
+					assert.Equals(t, o.Status, acme.StatusPending)
+					assert.Equals(t, o.Identifiers, nor.Identifiers)
+					assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)})
+					assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf))
+					assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf))
+					assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf))
+					assert.True(t, o.NotAfter.Add(testBufferDur).After(expNaf))
+					assert.True(t, o.ExpiresAt.Add(-testBufferDur).Before(orderExpiry))
+					assert.True(t, o.ExpiresAt.Add(testBufferDur).After(orderExpiry))
+				},
+			}
+		},
 		"ok/naf-nbf": func(t *testing.T) test {
 			now := clock.Now()
 			expNbf := now.Add(5 * time.Minute)
--- a/acme/api/revoke.go
+++ b/acme/api/revoke.go
@ -33,65 +33,65 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {

 	jws, err := jwsFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	var p revokePayload
 	err = json.Unmarshal(payload.value, &p)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error unmarshaling payload"))
+		render.Error(w, acme.WrapErrorISE(err, "error unmarshaling payload"))
 		return
 	}

 	certBytes, err := base64.RawURLEncoding.DecodeString(p.Certificate)
 	if err != nil {
 		// in this case the most likely cause is a client that didn't properly encode the certificate
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding payload certificate property"))
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding payload certificate property"))
 		return
 	}

 	certToBeRevoked, err := x509.ParseCertificate(certBytes)
 	if err != nil {
 		// in this case a client may have encoded something different than a certificate
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error parsing certificate"))
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error parsing certificate"))
 		return
 	}

 	serial := certToBeRevoked.SerialNumber.String()
 	dbCert, err := db.GetCertificateBySerial(ctx, serial)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving certificate by serial"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate by serial"))
 		return
 	}

 	if !bytes.Equal(dbCert.Leaf.Raw, certToBeRevoked.Raw) {
 		// this should never happen
-		render.Error(w, r, acme.NewErrorISE("certificate raw bytes are not equal"))
+		render.Error(w, acme.NewErrorISE("certificate raw bytes are not equal"))
 		return
 	}

 	if shouldCheckAccountFrom(jws) {
 		account, err := accountFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		acmeErr := isAccountAuthorized(ctx, dbCert, certToBeRevoked, account)
 		if acmeErr != nil {
-			render.Error(w, r, acmeErr)
+			render.Error(w, acmeErr)
 			return
 		}
 	} else {
@ -100,7 +100,7 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 		_, err := jws.Verify(certToBeRevoked.PublicKey)
 		if err != nil {
 			// TODO(hs): possible to determine an error vs. unauthorized and thus provide an ISE vs. Unauthorized?
-			render.Error(w, r, wrapUnauthorizedError(certToBeRevoked, nil, "verification of jws using certificate public key failed", err))
+			render.Error(w, wrapUnauthorizedError(certToBeRevoked, nil, "verification of jws using certificate public key failed", err))
 			return
 		}
 	}
@ -108,19 +108,19 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 	ca := mustAuthority(ctx)
 	hasBeenRevokedBefore, err := ca.IsRevoked(serial)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving revocation status of certificate"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving revocation status of certificate"))
 		return
 	}

 	if hasBeenRevokedBefore {
-		render.Error(w, r, acme.NewError(acme.ErrorAlreadyRevokedType, "certificate was already revoked"))
+		render.Error(w, acme.NewError(acme.ErrorAlreadyRevokedType, "certificate was already revoked"))
 		return
 	}

 	reasonCode := p.ReasonCode
 	acmeErr := validateReasonCode(reasonCode)
 	if acmeErr != nil {
-		render.Error(w, r, acmeErr)
+		render.Error(w, acmeErr)
 		return
 	}

@ -128,14 +128,14 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 	ctx = provisioner.NewContextWithMethod(ctx, provisioner.RevokeMethod)
 	err = prov.AuthorizeRevoke(ctx, "")
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error authorizing revocation on provisioner"))
+		render.Error(w, acme.WrapErrorISE(err, "error authorizing revocation on provisioner"))
 		return
 	}

 	options := revokeOptions(serial, certToBeRevoked, reasonCode)
 	err = ca.Revoke(ctx, options)
 	if err != nil {
-		render.Error(w, r, wrapRevokeErr(err))
+		render.Error(w, wrapRevokeErr(err))
 		return
 	}

--- a/acme/api/revoke_test.go
+++ b/acme/api/revoke_test.go
@ -281,7 +281,7 @@ type mockCA struct {
 	MockAreSANsallowed func(ctx context.Context, sans []string) error
 }

-func (m *mockCA) SignWithContext(context.Context, *x509.CertificateRequest, provisioner.SignOptions, ...provisioner.SignOption) ([]*x509.Certificate, error) {
+func (m *mockCA) Sign(*x509.CertificateRequest, provisioner.SignOptions, ...provisioner.SignOption) ([]*x509.Certificate, error) {
 	return nil, nil
 }

--- a/acme/api/wire_integration_test.go
+++ b/acme/api/wire_integration_test.go
@ -0,0 +1,607 @@
+package api
+
+import (
+	"bytes"
+	"context"
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/smallstep/certificates/acme"
+	"github.com/smallstep/certificates/acme/db/nosql"
+	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/authority/provisioner/wire"
+	nosqlDB "github.com/smallstep/nosql"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.step.sm/crypto/jose"
+	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
+	"go.step.sm/crypto/x509util"
+)
+
+const (
+	baseURL      = "test.ca.smallstep.com"
+	linkerPrefix = "acme"
+)
+
+func newWireProvisionerWithOptions(t *testing.T, options *provisioner.Options) *provisioner.ACME {
+	p := newProvWithOptions(options)
+	a, ok := p.(*provisioner.ACME)
+	if !ok {
+		t.Fatal("not a valid ACME provisioner")
+	}
+	a.Challenges = []provisioner.ACMEChallenge{
+		provisioner.WIREOIDC_01,
+		provisioner.WIREDPOP_01,
+	}
+	return a
+}
+
+// TODO(hs): replace with test CA server + acmez based test client for
+// more realistic integration test?
+func TestWireIntegration(t *testing.T) {
+	accessTokenSignerJWK, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+	require.NoError(t, err)
+
+	accessTokenSignerPEMBlock, err := pemutil.Serialize(accessTokenSignerJWK.Public().Key)
+	require.NoError(t, err)
+	accessTokenSignerPEMBytes := pem.EncodeToMemory(accessTokenSignerPEMBlock)
+
+	accessTokenSigner, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(accessTokenSignerJWK.Algorithm),
+		Key:       accessTokenSignerJWK,
+	}, new(jose.SignerOptions))
+	require.NoError(t, err)
+
+	oidcTokenSignerJWK, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+	require.NoError(t, err)
+	oidcTokenSigner, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(oidcTokenSignerJWK.Algorithm),
+		Key:       oidcTokenSignerJWK,
+	}, new(jose.SignerOptions))
+	require.NoError(t, err)
+
+	prov := newWireProvisionerWithOptions(t, &provisioner.Options{
+		X509: &provisioner.X509Options{
+			Template: `{
+				"subject": {
+					"organization": "WireTest",
+					"commonName": {{ toJson .Oidc.name }}
+				},
+				"uris": [{{ toJson .Oidc.preferred_username }}, {{ toJson .Dpop.sub }}],
+				"keyUsage": ["digitalSignature"],
+				"extKeyUsage": ["clientAuth"]
+			}`,
+		},
+		Wire: &wire.Options{
+			OIDC: &wire.OIDCOptions{
+				Provider: &wire.Provider{
+					IssuerURL:   "https://issuer.example.com",
+					AuthURL:     "",
+					TokenURL:    "",
+					JWKSURL:     "",
+					UserInfoURL: "",
+					Algorithms:  []string{"ES256"},
+				},
+				Config: &wire.Config{
+					ClientID:                   "integration test",
+					SignatureAlgorithms:        []string{"ES256"},
+					SkipClientIDCheck:          true,
+					SkipExpiryCheck:            true,
+					SkipIssuerCheck:            true,
+					InsecureSkipSignatureCheck: true, // NOTE: this skips actual token verification
+					Now:                        time.Now,
+				},
+				TransformTemplate: "",
+			},
+			DPOP: &wire.DPOPOptions{
+				SigningKey: accessTokenSignerPEMBytes,
+			},
+		},
+	})
+
+	// mock provisioner and linker
+	ctx := context.Background()
+	ctx = acme.NewProvisionerContext(ctx, prov)
+	ctx = acme.NewLinkerContext(ctx, acme.NewLinker(baseURL, linkerPrefix))
+
+	// create temporary BoltDB file
+	file, err := os.CreateTemp(os.TempDir(), "integration-db-")
+	require.NoError(t, err)
+
+	t.Log("database file name:", file.Name())
+	dbFn := file.Name()
+	err = file.Close()
+	require.NoError(t, err)
+
+	// open BoltDB
+	rawDB, err := nosqlDB.New(nosqlDB.BBoltDriver, dbFn)
+	require.NoError(t, err)
+
+	// create tables
+	db, err := nosql.New(rawDB)
+	require.NoError(t, err)
+
+	// make DB available to handlers
+	ctx = acme.NewDatabaseContext(ctx, db)
+
+	// simulate signed payloads by making the signing key available in ctx
+	jwk, err := jose.GenerateJWK("OKP", "", "EdDSA", "sig", "", 0)
+	require.NoError(t, err)
+
+	ed25519PrivKey, ok := jwk.Key.(ed25519.PrivateKey)
+	require.True(t, ok)
+
+	dpopSigner, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(jwk.Algorithm),
+		Key:       jwk,
+	}, new(jose.SignerOptions))
+	require.NoError(t, err)
+
+	ed25519PubKey, ok := ed25519PrivKey.Public().(ed25519.PublicKey)
+	require.True(t, ok)
+
+	jwk.Key = ed25519PubKey
+	ctx = context.WithValue(ctx, jwkContextKey, jwk)
+
+	// get directory
+	dir := func(ctx context.Context) (dir Directory) {
+		req := httptest.NewRequest(http.MethodGet, "/foo/bar", http.NoBody)
+		req = req.WithContext(ctx)
+		w := httptest.NewRecorder()
+
+		GetDirectory(w, req)
+		res := w.Result()
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		body, err := io.ReadAll(res.Body)
+		require.NoError(t, err)
+
+		err = json.Unmarshal(bytes.TrimSpace(body), &dir)
+		require.NoError(t, err)
+
+		return
+	}(ctx)
+	t.Log("directory:", dir)
+
+	// get nonce
+	nonce := func(ctx context.Context) (nonce string) {
+		req := httptest.NewRequest(http.MethodGet, dir.NewNonce, http.NoBody).WithContext(ctx)
+		w := httptest.NewRecorder()
+		addNonce(GetNonce)(w, req)
+		res := w.Result()
+		require.Equal(t, http.StatusNoContent, res.StatusCode)
+
+		nonce = res.Header["Replay-Nonce"][0]
+		return
+	}(ctx)
+	t.Log("nonce:", nonce)
+
+	// create new account
+	acc := func(ctx context.Context) (acc *acme.Account) {
+		// create payload
+		nar := &NewAccountRequest{
+			Contact: []string{"foo", "bar"},
+		}
+		rawNar, err := json.Marshal(nar)
+		require.NoError(t, err)
+
+		// create account
+		ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: rawNar})
+		req := httptest.NewRequest(http.MethodGet, dir.NewAccount, http.NoBody).WithContext(ctx)
+		w := httptest.NewRecorder()
+		NewAccount(w, req)
+
+		res := w.Result()
+		require.Equal(t, http.StatusCreated, res.StatusCode)
+
+		body, err := io.ReadAll(res.Body)
+		defer res.Body.Close()
+		require.NoError(t, err)
+
+		err = json.Unmarshal(bytes.TrimSpace(body), &acc)
+		require.NoError(t, err)
+
+		locationParts := strings.Split(res.Header["Location"][0], "/")
+		acc, err = db.GetAccount(ctx, locationParts[len(locationParts)-1])
+		require.NoError(t, err)
+
+		return
+	}(ctx)
+	ctx = context.WithValue(ctx, accContextKey, acc)
+	t.Log("account ID:", acc.ID)
+
+	// new order
+	order := func(ctx context.Context) (order *acme.Order) {
+		mockMustAuthority(t, &mockCA{})
+		nor := &NewOrderRequest{
+			Identifiers: []acme.Identifier{
+				{
+					Type:  "wireapp-user",
+					Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`,
+				},
+				{
+					Type:  "wireapp-device",
+					Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`,
+				},
+			},
+		}
+		b, err := json.Marshal(nor)
+		require.NoError(t, err)
+
+		ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
+		req := httptest.NewRequest("POST", "https://random.local/", http.NoBody)
+		req = req.WithContext(ctx)
+		w := httptest.NewRecorder()
+		NewOrder(w, req)
+
+		res := w.Result()
+		require.Equal(t, http.StatusCreated, res.StatusCode)
+
+		body, err := io.ReadAll(res.Body)
+		defer res.Body.Close()
+		require.NoError(t, err)
+
+		err = json.Unmarshal(bytes.TrimSpace(body), &order)
+		require.NoError(t, err)
+
+		order, err = db.GetOrder(ctx, order.ID)
+		require.NoError(t, err)
+
+		return
+	}(ctx)
+	t.Log("authzs IDs:", order.AuthorizationIDs)
+
+	// get authorization
+	getAuthz := func(ctx context.Context, authzID string) (az *acme.Authorization) {
+		chiCtx := chi.NewRouteContext()
+		chiCtx.URLParams.Add("authzID", authzID)
+		ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtx)
+
+		req := httptest.NewRequest(http.MethodGet, "https://random.local/", http.NoBody).WithContext(ctx)
+		w := httptest.NewRecorder()
+		GetAuthorization(w, req)
+
+		res := w.Result()
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		body, err := io.ReadAll(res.Body)
+		defer res.Body.Close()
+		require.NoError(t, err)
+
+		err = json.Unmarshal(bytes.TrimSpace(body), &az)
+		require.NoError(t, err)
+
+		az, err = db.GetAuthorization(ctx, authzID)
+		require.NoError(t, err)
+
+		return
+	}
+	var azs []*acme.Authorization
+	for _, azID := range order.AuthorizationIDs {
+		az := getAuthz(ctx, azID)
+		azs = append(azs, az)
+		for _, challenge := range az.Challenges {
+			chiCtx := chi.NewRouteContext()
+			chiCtx.URLParams.Add("chID", challenge.ID)
+			ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtx)
+
+			var payload []byte
+			switch challenge.Type {
+			case acme.WIREDPOP01:
+				dpopBytes, err := json.Marshal(struct {
+					jose.Claims
+					Challenge string `json:"chal,omitempty"`
+					Handle    string `json:"handle,omitempty"`
+					Nonce     string `json:"nonce,omitempty"`
+					HTU       string `json:"htu,omitempty"`
+				}{
+					Claims: jose.Claims{
+						Subject: "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com",
+					},
+					Challenge: "token",
+					Handle:    "wireapp://%40alice.smith.qa@example.com",
+					Nonce:     "nonce",
+					HTU:       "http://issuer.example.com",
+				})
+				require.NoError(t, err)
+				dpop, err := dpopSigner.Sign(dpopBytes)
+				require.NoError(t, err)
+				proof, err := dpop.CompactSerialize()
+				require.NoError(t, err)
+				tokenBytes, err := json.Marshal(struct {
+					jose.Claims
+					Challenge string `json:"chal,omitempty"`
+					Cnf       struct {
+						Kid string `json:"kid,omitempty"`
+					} `json:"cnf"`
+					Proof      string `json:"proof,omitempty"`
+					ClientID   string `json:"client_id"`
+					APIVersion int    `json:"api_version"`
+					Scope      string `json:"scope"`
+				}{
+					Claims: jose.Claims{
+						Issuer:   "http://issuer.example.com",
+						Audience: []string{"test"},
+						Expiry:   jose.NewNumericDate(time.Now().Add(1 * time.Minute)),
+					},
+					Challenge: "token",
+					Cnf: struct {
+						Kid string `json:"kid,omitempty"`
+					}{
+						Kid: jwk.KeyID,
+					},
+					Proof:      proof,
+					ClientID:   "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com",
+					APIVersion: 5,
+					Scope:      "wire_client_id",
+				})
+
+				require.NoError(t, err)
+				signed, err := accessTokenSigner.Sign(tokenBytes)
+				require.NoError(t, err)
+				accessToken, err := signed.CompactSerialize()
+				require.NoError(t, err)
+
+				p, err := json.Marshal(struct {
+					AccessToken string `json:"access_token"`
+				}{
+					AccessToken: accessToken,
+				})
+				require.NoError(t, err)
+				payload = p
+			case acme.WIREOIDC01:
+				keyAuth, err := acme.KeyAuthorization("token", jwk)
+				require.NoError(t, err)
+				tokenBytes, err := json.Marshal(struct {
+					jose.Claims
+					Name              string `json:"name,omitempty"`
+					PreferredUsername string `json:"preferred_username,omitempty"`
+					KeyAuth           string `json:"keyauth"`
+				}{
+					Claims: jose.Claims{
+						Issuer:   "https://issuer.example.com",
+						Audience: []string{"test"},
+						Expiry:   jose.NewNumericDate(time.Now().Add(1 * time.Minute)),
+					},
+					Name:              "Alice Smith",
+					PreferredUsername: "wireapp://%40alice_wire@wire.com",
+					KeyAuth:           keyAuth,
+				})
+				require.NoError(t, err)
+				signed, err := oidcTokenSigner.Sign(tokenBytes)
+				require.NoError(t, err)
+				idToken, err := signed.CompactSerialize()
+				require.NoError(t, err)
+				p, err := json.Marshal(struct {
+					IDToken string `json:"id_token"`
+				}{
+					IDToken: idToken,
+				})
+				require.NoError(t, err)
+				payload = p
+			default:
+				require.Fail(t, "unexpected challenge payload type")
+			}
+
+			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: payload})
+
+			req := httptest.NewRequest(http.MethodGet, "https://random.local/", http.NoBody).WithContext(ctx)
+			w := httptest.NewRecorder()
+			GetChallenge(w, req)
+
+			res := w.Result()
+			require.Equal(t, http.StatusOK, res.StatusCode)
+
+			body, err := io.ReadAll(res.Body)
+			defer res.Body.Close() //nolint:gocritic // close the body
+			require.NoError(t, err)
+
+			err = json.Unmarshal(bytes.TrimSpace(body), &challenge)
+			require.NoError(t, err)
+
+			t.Log("challenge:", challenge.ID, challenge.Status)
+		}
+	}
+
+	// get/validate challenge simulation
+	updateAz := func(ctx context.Context, az *acme.Authorization) (updatedAz *acme.Authorization) {
+		now := clock.Now().Format(time.RFC3339)
+		for _, challenge := range az.Challenges {
+			challenge.Status = acme.StatusValid
+			challenge.ValidatedAt = now
+			err := db.UpdateChallenge(ctx, challenge)
+			if err != nil {
+				t.Error("updating challenge", challenge.ID, ":", err)
+			}
+		}
+
+		updatedAz, err = db.GetAuthorization(ctx, az.ID)
+		require.NoError(t, err)
+
+		return
+	}
+	for _, az := range azs {
+		updatedAz := updateAz(ctx, az)
+		for _, challenge := range updatedAz.Challenges {
+			t.Log("updated challenge:", challenge.ID, challenge.Status)
+			switch challenge.Type {
+			case acme.WIREOIDC01:
+				err = db.CreateOidcToken(ctx, order.ID, map[string]any{"name": "Smith, Alice M (QA)", "preferred_username": "wireapp://%40alice.smith.qa@example.com"})
+				require.NoError(t, err)
+			case acme.WIREDPOP01:
+				err = db.CreateDpopToken(ctx, order.ID, map[string]any{"sub": "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com"})
+				require.NoError(t, err)
+			default:
+				require.Fail(t, "unexpected challenge type")
+			}
+		}
+	}
+
+	// get order
+	updatedOrder := func(ctx context.Context) (updatedOrder *acme.Order) {
+		chiCtx := chi.NewRouteContext()
+		chiCtx.URLParams.Add("ordID", order.ID)
+		ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtx)
+
+		req := httptest.NewRequest(http.MethodGet, "https://random.local/", http.NoBody).WithContext(ctx)
+		w := httptest.NewRecorder()
+		GetOrder(w, req)
+
+		res := w.Result()
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		body, err := io.ReadAll(res.Body)
+		defer res.Body.Close()
+		require.NoError(t, err)
+
+		err = json.Unmarshal(bytes.TrimSpace(body), &updatedOrder)
+		require.NoError(t, err)
+
+		require.Equal(t, acme.StatusReady, updatedOrder.Status)
+
+		return
+	}(ctx)
+	t.Log("updated order status:", updatedOrder.Status)
+
+	// finalize order
+	finalizedOrder := func(ctx context.Context) (finalizedOrder *acme.Order) {
+		ca, err := minica.New(minica.WithName("WireTestCA"))
+		require.NoError(t, err)
+		mockMustAuthority(t, &mockCASigner{
+			signer: func(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+				var (
+					certOptions []x509util.Option
+				)
+				for _, op := range extraOpts {
+					if k, ok := op.(provisioner.CertificateOptions); ok {
+						certOptions = append(certOptions, k.Options(signOpts)...)
+					}
+				}
+
+				x509utilTemplate, err := x509util.NewCertificate(csr, certOptions...)
+				require.NoError(t, err)
+
+				template := x509utilTemplate.GetCertificate()
+				require.NotNil(t, template)
+
+				cert, err := ca.Sign(template)
+				require.NoError(t, err)
+
+				u1, err := url.Parse("wireapp://%40alice.smith.qa@example.com")
+				require.NoError(t, err)
+				u2, err := url.Parse("wireapp://lJGYPz0ZRq2kvc_XpdaDlA%21ed416ce8ecdd9fad@example.com")
+				require.NoError(t, err)
+				assert.Equal(t, []*url.URL{u1, u2}, cert.URIs)
+				assert.Equal(t, "Smith, Alice M (QA)", cert.Subject.CommonName)
+
+				return []*x509.Certificate{cert, ca.Intermediate}, nil
+			},
+		})
+
+		qUserID, err := url.Parse("wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com")
+		require.NoError(t, err)
+
+		qUserName, err := url.Parse("wireapp://%40alice.smith.qa@example.com")
+		require.NoError(t, err)
+
+		_, priv, err := ed25519.GenerateKey(rand.Reader)
+		require.NoError(t, err)
+
+		csrTemplate := &x509.CertificateRequest{
+			Subject: pkix.Name{
+				Organization: []string{"example.com"},
+				ExtraNames: []pkix.AttributeTypeAndValue{
+					{
+						Type:  asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 3, 1, 241},
+						Value: "Smith, Alice M (QA)",
+					},
+				},
+			},
+			URIs: []*url.URL{
+				qUserName,
+				qUserID,
+			},
+			SignatureAlgorithm: x509.PureEd25519,
+		}
+
+		csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, priv)
+		require.NoError(t, err)
+
+		fr := FinalizeRequest{CSR: base64.RawURLEncoding.EncodeToString(csr)}
+		frRaw, err := json.Marshal(fr)
+		require.NoError(t, err)
+
+		ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: frRaw})
+
+		chiCtx := chi.NewRouteContext()
+		chiCtx.URLParams.Add("ordID", order.ID)
+		ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtx)
+
+		req := httptest.NewRequest(http.MethodGet, "https://random.local/", http.NoBody).WithContext(ctx)
+		w := httptest.NewRecorder()
+		FinalizeOrder(w, req)
+
+		res := w.Result()
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		body, err := io.ReadAll(res.Body)
+		defer res.Body.Close()
+		require.NoError(t, err)
+
+		err = json.Unmarshal(bytes.TrimSpace(body), &finalizedOrder)
+		require.NoError(t, err)
+
+		require.Equal(t, acme.StatusValid, finalizedOrder.Status)
+
+		finalizedOrder, err = db.GetOrder(ctx, order.ID)
+		require.NoError(t, err)
+
+		return
+	}(ctx)
+	t.Log("finalized order status:", finalizedOrder.Status)
+}
+
+type mockCASigner struct {
+	signer func(*x509.CertificateRequest, provisioner.SignOptions, ...provisioner.SignOption) ([]*x509.Certificate, error)
+}
+
+func (m *mockCASigner) Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+	if m.signer == nil {
+		return nil, errors.New("unimplemented")
+	}
+	return m.signer(cr, opts, signOpts...)
+}
+
+func (m *mockCASigner) AreSANsAllowed(ctx context.Context, sans []string) error {
+	return nil
+}
+
+func (m *mockCASigner) IsRevoked(sn string) (bool, error) {
+	return false, nil
+}
+
+func (m *mockCASigner) Revoke(ctx context.Context, opts *authority.RevokeOptions) error {
+	return nil
+}
+
+func (m *mockCASigner) LoadProvisionerByName(string) (provisioner.Interface, error) {
+	return nil, nil
+}
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -25,18 +25,19 @@ import (
 	"strings"
 	"time"

+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/fxamacker/cbor/v2"
 	"github.com/google/go-tpm/legacy/tpm2"
-	"golang.org/x/exp/slices"
-
 	"github.com/smallstep/go-attestation/attest"
-
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
+	"golang.org/x/exp/slices"

+	"github.com/smallstep/certificates/acme/wire"
 	"github.com/smallstep/certificates/authority/provisioner"
+	wireprovisioner "github.com/smallstep/certificates/authority/provisioner/wire"
 )

 type ChallengeType string
@ -50,6 +51,10 @@ const (
 	TLSALPN01 ChallengeType = "tls-alpn-01"
 	// DEVICEATTEST01 is the device-attest-01 ACME challenge type
 	DEVICEATTEST01 ChallengeType = "device-attest-01"
+	// WIREOIDC01 is the Wire OIDC challenge type
+	WIREOIDC01 ChallengeType = "wire-oidc-01"
+	// WIREDPOP01 is the Wire DPoP challenge type
+	WIREDPOP01 ChallengeType = "wire-dpop-01"
 )

 var (
@ -75,6 +80,7 @@ type Challenge struct {
 	Token           string        `json:"token"`
 	ValidatedAt     string        `json:"validated,omitempty"`
 	URL             string        `json:"url"`
+	Target          string        `json:"target,omitempty"`
 	Error           *Error        `json:"error,omitempty"`
 }

@ -104,8 +110,12 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey,
 		return tlsalpn01Validate(ctx, ch, db, jwk)
 	case DEVICEATTEST01:
 		return deviceAttest01Validate(ctx, ch, db, jwk, payload)
+	case WIREOIDC01:
+		return wireOIDC01Validate(ctx, ch, db, jwk, payload)
+	case WIREDPOP01:
+		return wireDPOP01Validate(ctx, ch, db, jwk, payload)
 	default:
-		return NewErrorISE("unexpected challenge type '%s'", ch.Type)
+		return NewErrorISE("unexpected challenge type %q", ch.Type)
 	}
 }

@ -342,6 +352,378 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
 	return nil
 }

+type wireOidcPayload struct {
+	// IDToken contains the OIDC identity token
+	IDToken string `json:"id_token"`
+}
+
+func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
+	prov, ok := ProvisionerFromContext(ctx)
+	if !ok {
+		return NewErrorISE("missing provisioner")
+	}
+	linker, ok := LinkerFromContext(ctx)
+	if !ok {
+		return NewErrorISE("missing linker")
+	}
+
+	var oidcPayload wireOidcPayload
+	err := json.Unmarshal(payload, &oidcPayload)
+	if err != nil {
+		return WrapError(ErrorMalformedType, err, "error unmarshalling Wire OIDC challenge payload")
+	}
+
+	wireID, err := wire.ParseUserID([]byte(ch.Value))
+	if err != nil {
+		return WrapErrorISE(err, "error unmarshalling challenge data")
+	}
+
+	wireOptions, err := prov.GetOptions().GetWireOptions()
+	if err != nil {
+		return WrapErrorISE(err, "failed getting Wire options")
+	}
+
+	oidcOptions := wireOptions.GetOIDCOptions()
+	verifier := oidcOptions.GetProvider(ctx).Verifier(oidcOptions.GetConfig())
+	idToken, err := verifier.Verify(ctx, oidcPayload.IDToken)
+	if err != nil {
+		return storeError(ctx, db, ch, true, WrapError(ErrorRejectedIdentifierType, err,
+			"error verifying ID token signature"))
+	}
+
+	var claims struct {
+		Name         string `json:"preferred_username,omitempty"`
+		Handle       string `json:"name"`
+		Issuer       string `json:"iss,omitempty"`
+		GivenName    string `json:"given_name,omitempty"`
+		KeyAuth      string `json:"keyauth"`
+		ACMEAudience string `json:"acme_aud,omitempty"`
+	}
+	if err := idToken.Claims(&claims); err != nil {
+		return storeError(ctx, db, ch, true, WrapError(ErrorRejectedIdentifierType, err,
+			"error retrieving claims from ID token"))
+	}
+
+	// TODO(hs): move this into validation below?
+	expectedKeyAuth, err := KeyAuthorization(ch.Token, jwk)
+	if err != nil {
+		return WrapErrorISE(err, "error determining key authorization")
+	}
+	if expectedKeyAuth != claims.KeyAuth {
+		return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
+			"keyAuthorization does not match; expected %q, but got %q", expectedKeyAuth, claims.KeyAuth))
+	}
+
+	// audience is the full URL to the challenge
+	acmeAudience := linker.GetLink(ctx, ChallengeLinkType, ch.AuthorizationID, ch.ID)
+	if claims.ACMEAudience != acmeAudience {
+		return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
+			"invalid 'acme_aud' %q", claims.ACMEAudience))
+	}
+
+	transformedIDToken, err := validateWireOIDCClaims(oidcOptions, idToken, wireID)
+	if err != nil {
+		return storeError(ctx, db, ch, true, WrapError(ErrorRejectedIdentifierType, err, "claims in OIDC ID token don't match"))
+	}
+
+	// Update and store the challenge.
+	ch.Status = StatusValid
+	ch.Error = nil
+	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
+
+	if err = db.UpdateChallenge(ctx, ch); err != nil {
+		return WrapErrorISE(err, "error updating challenge")
+	}
+
+	orders, err := db.GetAllOrdersByAccountID(ctx, ch.AccountID)
+	if err != nil {
+		return WrapErrorISE(err, "could not retrieve current order by account id")
+	}
+	if len(orders) == 0 {
+		return NewErrorISE("there are not enough orders for this account for this custom OIDC challenge")
+	}
+
+	order := orders[len(orders)-1]
+	if err := db.CreateOidcToken(ctx, order, transformedIDToken); err != nil {
+		return WrapErrorISE(err, "failed storing OIDC id token")
+	}
+
+	return nil
+}
+
+func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.UserID) (map[string]any, error) {
+	var m map[string]any
+	if err := token.Claims(&m); err != nil {
+		return nil, fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
+	}
+	transformed, err := o.Transform(m)
+	if err != nil {
+		return nil, fmt.Errorf("failed transforming OIDC ID token: %w", err)
+	}
+
+	name, ok := transformed["name"]
+	if !ok {
+		return nil, fmt.Errorf("transformed OIDC ID token does not contain 'name'")
+	}
+	if wireID.Name != name {
+		return nil, fmt.Errorf("invalid 'name' %q after transformation", name)
+	}
+
+	preferredUsername, ok := transformed["preferred_username"]
+	if !ok {
+		return nil, fmt.Errorf("transformed OIDC ID token does not contain 'preferred_username'")
+	}
+	if wireID.Handle != preferredUsername {
+		return nil, fmt.Errorf("invalid 'preferred_username' %q after transformation", preferredUsername)
+	}
+
+	return transformed, nil
+}
+
+type wireDpopPayload struct {
+	// AccessToken is the token generated by wire-server
+	AccessToken string `json:"access_token"`
+}
+
+func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, accountJWK *jose.JSONWebKey, payload []byte) error {
+	prov, ok := ProvisionerFromContext(ctx)
+	if !ok {
+		return NewErrorISE("missing provisioner")
+	}
+	linker, ok := LinkerFromContext(ctx)
+	if !ok {
+		return NewErrorISE("missing linker")
+	}
+
+	var dpopPayload wireDpopPayload
+	if err := json.Unmarshal(payload, &dpopPayload); err != nil {
+		return WrapError(ErrorMalformedType, err, "error unmarshalling Wire DPoP challenge payload")
+	}
+
+	wireID, err := wire.ParseDeviceID([]byte(ch.Value))
+	if err != nil {
+		return WrapErrorISE(err, "error unmarshalling challenge data")
+	}
+
+	clientID, err := wire.ParseClientID(wireID.ClientID)
+	if err != nil {
+		return WrapErrorISE(err, "error parsing device id")
+	}
+
+	wireOptions, err := prov.GetOptions().GetWireOptions()
+	if err != nil {
+		return WrapErrorISE(err, "failed getting Wire options")
+	}
+
+	dpopOptions := wireOptions.GetDPOPOptions()
+	issuer, err := dpopOptions.EvaluateTarget(clientID.DeviceID)
+	if err != nil {
+		return WrapErrorISE(err, "invalid Go template registered for 'target'")
+	}
+
+	// audience is the full URL to the challenge
+	audience := linker.GetLink(ctx, ChallengeLinkType, ch.AuthorizationID, ch.ID)
+
+	params := wireVerifyParams{
+		token:     dpopPayload.AccessToken,
+		tokenKey:  dpopOptions.GetSigningKey(),
+		dpopKey:   accountJWK.Public(),
+		dpopKeyID: accountJWK.KeyID,
+		issuer:    issuer,
+		audience:  audience,
+		wireID:    wireID,
+		chToken:   ch.Token,
+		t:         clock.Now().UTC(),
+	}
+	_, dpop, err := parseAndVerifyWireAccessToken(params)
+	if err != nil {
+		return storeError(ctx, db, ch, true, WrapError(ErrorRejectedIdentifierType, err,
+			"failed validating Wire access token"))
+	}
+
+	// Update and store the challenge.
+	ch.Status = StatusValid
+	ch.Error = nil
+	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
+
+	if err = db.UpdateChallenge(ctx, ch); err != nil {
+		return WrapErrorISE(err, "error updating challenge")
+	}
+
+	orders, err := db.GetAllOrdersByAccountID(ctx, ch.AccountID)
+	if err != nil {
+		return WrapErrorISE(err, "could not find current order by account id")
+	}
+	if len(orders) == 0 {
+		return NewErrorISE("there are not enough orders for this account for this custom OIDC challenge")
+	}
+
+	order := orders[len(orders)-1]
+	if err := db.CreateDpopToken(ctx, order, map[string]any(*dpop)); err != nil {
+		return WrapErrorISE(err, "failed storing DPoP token")
+	}
+
+	return nil
+}
+
+type wireCnf struct {
+	Kid string `json:"kid"`
+}
+
+type wireAccessToken struct {
+	jose.Claims
+	Challenge  string  `json:"chal"`
+	Nonce      string  `json:"nonce"`
+	Cnf        wireCnf `json:"cnf"`
+	Proof      string  `json:"proof"`
+	ClientID   string  `json:"client_id"`
+	APIVersion int     `json:"api_version"`
+	Scope      string  `json:"scope"`
+}
+
+type wireDpopJwt struct {
+	jose.Claims
+	ClientID  string `json:"client_id"`
+	Challenge string `json:"chal"`
+	Nonce     string `json:"nonce"`
+	HTU       string `json:"htu"`
+}
+
+type wireDpopToken map[string]any
+
+type wireVerifyParams struct {
+	token     string
+	tokenKey  crypto.PublicKey
+	dpopKey   crypto.PublicKey
+	dpopKeyID string
+	issuer    string
+	audience  string
+	wireID    wire.DeviceID
+	chToken   string
+	t         time.Time
+}
+
+func parseAndVerifyWireAccessToken(v wireVerifyParams) (*wireAccessToken, *wireDpopToken, error) {
+	jwt, err := jose.ParseSigned(v.token)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed parsing token: %w", err)
+	}
+
+	if len(jwt.Headers) != 1 {
+		return nil, nil, fmt.Errorf("token has wrong number of headers %d", len(jwt.Headers))
+	}
+	keyID, err := KeyToID(&jose.JSONWebKey{Key: v.tokenKey})
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed calculating token key ID: %w", err)
+	}
+	jwtKeyID := jwt.Headers[0].KeyID
+	if jwtKeyID == "" {
+		if jwtKeyID, err = KeyToID(jwt.Headers[0].JSONWebKey); err != nil {
+			return nil, nil, fmt.Errorf("failed extracting token key ID: %w", err)
+		}
+	}
+	if jwtKeyID != keyID {
+		return nil, nil, fmt.Errorf("invalid token key ID %q", jwtKeyID)
+	}
+
+	var accessToken wireAccessToken
+	if err = jwt.Claims(v.tokenKey, &accessToken); err != nil {
+		return nil, nil, fmt.Errorf("failed validating Wire DPoP token claims: %w", err)
+	}
+
+	if err := accessToken.ValidateWithLeeway(jose.Expected{
+		Time:     v.t,
+		Issuer:   v.issuer,
+		Audience: jose.Audience{v.audience},
+	}, 1*time.Minute); err != nil {
+		return nil, nil, fmt.Errorf("failed validation: %w", err)
+	}
+
+	if accessToken.Challenge == "" {
+		return nil, nil, errors.New("access token challenge must not be empty")
+	}
+	if accessToken.Cnf.Kid == "" || accessToken.Cnf.Kid != v.dpopKeyID {
+		return nil, nil, fmt.Errorf("expected kid %q; got %q", v.dpopKeyID, accessToken.Cnf.Kid)
+	}
+	if accessToken.ClientID != v.wireID.ClientID {
+		return nil, nil, fmt.Errorf("invalid Wire client ID %q", accessToken.ClientID)
+	}
+	if accessToken.Expiry.Time().After(v.t.Add(time.Hour)) {
+		return nil, nil, fmt.Errorf("'exp' %s is too far into the future", accessToken.Expiry.Time().String())
+	}
+	if accessToken.Scope != "wire_client_id" {
+		return nil, nil, fmt.Errorf("invalid Wire scope %q", accessToken.Scope)
+	}
+
+	dpopJWT, err := jose.ParseSigned(accessToken.Proof)
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid Wire DPoP token: %w", err)
+	}
+	if len(dpopJWT.Headers) != 1 {
+		return nil, nil, fmt.Errorf("DPoP token has wrong number of headers %d", len(jwt.Headers))
+	}
+	dpopJwtKeyID := dpopJWT.Headers[0].KeyID
+	if dpopJwtKeyID == "" {
+		if dpopJwtKeyID, err = KeyToID(dpopJWT.Headers[0].JSONWebKey); err != nil {
+			return nil, nil, fmt.Errorf("failed extracting DPoP token key ID: %w", err)
+		}
+	}
+	if dpopJwtKeyID != v.dpopKeyID {
+		return nil, nil, fmt.Errorf("invalid DPoP token key ID %q", dpopJWT.Headers[0].KeyID)
+	}
+
+	var wireDpop wireDpopJwt
+	if err := dpopJWT.Claims(v.dpopKey, &wireDpop); err != nil {
+		return nil, nil, fmt.Errorf("failed validating Wire DPoP token claims: %w", err)
+	}
+
+	if err := wireDpop.ValidateWithLeeway(jose.Expected{
+		Time:     v.t,
+		Audience: jose.Audience{v.audience},
+	}, 1*time.Minute); err != nil {
+		return nil, nil, fmt.Errorf("failed DPoP validation: %w", err)
+	}
+	if wireDpop.HTU == "" || wireDpop.HTU != v.issuer { // DPoP doesn't contains "iss" claim, but has it in the "htu" claim
+		return nil, nil, fmt.Errorf("DPoP contains invalid issuer (htu) %q", wireDpop.HTU)
+	}
+	if wireDpop.Expiry.Time().After(v.t.Add(time.Hour)) {
+		return nil, nil, fmt.Errorf("'exp' %s is too far into the future", wireDpop.Expiry.Time().String())
+	}
+	if wireDpop.Subject != v.wireID.ClientID {
+		return nil, nil, fmt.Errorf("DPoP contains invalid Wire client ID %q", wireDpop.ClientID)
+	}
+	if wireDpop.Nonce == "" || wireDpop.Nonce != accessToken.Nonce {
+		return nil, nil, fmt.Errorf("DPoP contains invalid nonce %q", wireDpop.Nonce)
+	}
+	if wireDpop.Challenge == "" || wireDpop.Challenge != accessToken.Challenge {
+		return nil, nil, fmt.Errorf("DPoP contains invalid challenge %q", wireDpop.Challenge)
+	}
+
+	// TODO(hs): can we use the wireDpopJwt and map that instead of doing Claims() twice?
+	var dpopToken wireDpopToken
+	if err := dpopJWT.Claims(v.dpopKey, &dpopToken); err != nil {
+		return nil, nil, fmt.Errorf("failed validating Wire DPoP token claims: %w", err)
+	}
+
+	challenge, ok := dpopToken["chal"].(string)
+	if !ok {
+		return nil, nil, fmt.Errorf("invalid challenge in Wire DPoP token")
+	}
+	if challenge == "" || challenge != v.chToken {
+		return nil, nil, fmt.Errorf("invalid Wire DPoP challenge %q", challenge)
+	}
+
+	handle, ok := dpopToken["handle"].(string)
+	if !ok {
+		return nil, nil, fmt.Errorf("invalid handle in Wire DPoP token")
+	}
+	if handle == "" || handle != v.wireID.Handle {
+		return nil, nil, fmt.Errorf("invalid Wire client handle %q", handle)
+	}
+
+	return &accessToken, &dpopToken, nil
+}
+
 type payloadType struct {
 	AttObj string `json:"attObj"`
 	Error  string `json:"error"`
@ -726,7 +1108,7 @@ var (
 	oidTCGKpAIKCertificate       = asn1.ObjectIdentifier{2, 23, 133, 8, 3}
 )

-// validateAKCertificate validates the X.509 AK certificate to be
+// validateAKCertifiate validates the X.509 AK certificate to be
 // in accordance with the required properties. The requirements come from:
 // https://www.w3.org/TR/webauthn-2/#sctn-tpm-cert-requirements.
 //
@ -735,7 +1117,7 @@ var (
 //   - The Subject Alternative Name extension MUST be set as defined
 //     in [TPMv2-EK-Profile] section 3.2.9.
 //   - The Extended Key Usage extension MUST contain the OID 2.23.133.8.3
-//     ("joint-iso-itu-t(2) international-organizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").
+//     ("joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").
 //   - The Basic Constraints extension MUST have the CA component set to false.
 //   - An Authority Information Access (AIA) extension with entry id-ad-ocsp
 //     and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@ -33,11 +33,13 @@ import (
 	"github.com/fxamacker/cbor/v2"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
+	wireprovisioner "github.com/smallstep/certificates/authority/provisioner/wire"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 )

@ -196,6 +198,25 @@ func mustAttestYubikey(t *testing.T, _, keyAuthorization string, serial int) ([]
 	return payload, leaf, ca.Root
 }

+func newWireProvisionerWithOptions(t *testing.T, options *provisioner.Options) *provisioner.ACME {
+	t.Helper()
+	prov := &provisioner.ACME{
+		Type:    "ACME",
+		Name:    "wire",
+		Options: options,
+		Challenges: []provisioner.ACMEChallenge{
+			provisioner.WIREOIDC_01,
+			provisioner.WIREDPOP_01,
+		},
+	}
+	if err := prov.Init(provisioner.Config{
+		Claims: config.GlobalProvisionerClaims,
+	}); err != nil {
+		t.Fatal(err)
+	}
+	return prov
+}
+
 func Test_storeError(t *testing.T) {
 	type test struct {
 		ch          *Challenge
@ -396,6 +417,9 @@ func TestKeyAuthorization(t *testing.T) {
 }

 func TestChallenge_Validate(t *testing.T) {
+	fakeKey := `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
+-----END PUBLIC KEY-----`
 	type test struct {
 		ch      *Challenge
 		vc      Client
@ -430,7 +454,7 @@ func TestChallenge_Validate(t *testing.T) {
 			}
 			return test{
 				ch:  ch,
-				err: NewErrorISE("unexpected challenge type 'foo'"),
+				err: NewErrorISE(`unexpected challenge type "foo"`),
 			}
 		},
 		"fail/http-01": func(t *testing.T) test {
@ -853,6 +877,261 @@ func TestChallenge_Validate(t *testing.T) {
 				},
 			}
 		},
+		"ok/wire-oidc-01": func(t *testing.T) test {
+			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
+			signerJWK, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+			require.NoError(t, err)
+			signer, err := jose.NewSigner(jose.SigningKey{
+				Algorithm: jose.SignatureAlgorithm(signerJWK.Algorithm),
+				Key:       signerJWK,
+			}, new(jose.SignerOptions))
+			require.NoError(t, err)
+			srv := mustJWKServer(t, signerJWK.Public())
+			tokenBytes, err := json.Marshal(struct {
+				jose.Claims
+				Name              string `json:"name,omitempty"`
+				PreferredUsername string `json:"preferred_username,omitempty"`
+				KeyAuth           string `json:"keyauth"`
+				ACMEAudience      string `json:"acme_aud"`
+			}{
+				Claims: jose.Claims{
+					Issuer:   srv.URL,
+					Audience: []string{"test"},
+					Expiry:   jose.NewNumericDate(time.Now().Add(1 * time.Minute)),
+				},
+				Name:              "Alice Smith",
+				PreferredUsername: "wireapp://%40alice_wire@wire.com",
+				KeyAuth:           keyAuth,
+				ACMEAudience:      "https://ca.example.com/acme/wire/challenge/azID/chID",
+			})
+			require.NoError(t, err)
+			signed, err := signer.Sign(tokenBytes)
+			require.NoError(t, err)
+			idToken, err := signed.CompactSerialize()
+			require.NoError(t, err)
+			payload, err := json.Marshal(struct {
+				IDToken string `json:"id_token"`
+			}{
+				IDToken: idToken,
+			})
+			require.NoError(t, err)
+			valueBytes, err := json.Marshal(struct {
+				Name     string `json:"name,omitempty"`
+				Domain   string `json:"domain,omitempty"`
+				ClientID string `json:"client-id,omitempty"`
+				Handle   string `json:"handle,omitempty"`
+			}{
+				Name:     "Alice Smith",
+				Domain:   "wire.com",
+				ClientID: "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
+				Handle:   "wireapp://%40alice_wire@wire.com",
+			})
+			require.NoError(t, err)
+			ctx := NewProvisionerContext(context.Background(), newWireProvisionerWithOptions(t, &provisioner.Options{
+				Wire: &wireprovisioner.Options{
+					OIDC: &wireprovisioner.OIDCOptions{
+						Provider: &wireprovisioner.Provider{
+							IssuerURL:  srv.URL,
+							JWKSURL:    srv.URL + "/keys",
+							Algorithms: []string{"ES256"},
+						},
+						Config: &wireprovisioner.Config{
+							ClientID:            "test",
+							SignatureAlgorithms: []string{"ES256"},
+							Now:                 time.Now,
+						},
+						TransformTemplate: "",
+					},
+					DPOP: &wireprovisioner.DPOPOptions{
+						SigningKey: []byte(fakeKey),
+					},
+				},
+			}))
+			ctx = NewLinkerContext(ctx, NewLinker("ca.example.com", "acme"))
+			return test{
+				ch: &Challenge{
+					ID:              "chID",
+					AuthorizationID: "azID",
+					AccountID:       "accID",
+					Token:           "token",
+					Type:            "wire-oidc-01",
+					Status:          StatusPending,
+					Value:           string(valueBytes),
+				},
+				srv:     srv,
+				payload: payload,
+				ctx:     ctx,
+				jwk:     jwk,
+				db: &MockDB{
+					MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
+						assert.Equal(t, "chID", updch.ID)
+						assert.Equal(t, "token", updch.Token)
+						assert.Equal(t, StatusValid, updch.Status)
+						assert.Equal(t, ChallengeType("wire-oidc-01"), updch.Type)
+						assert.Equal(t, string(valueBytes), updch.Value)
+						return nil
+					},
+					MockGetAllOrdersByAccountID: func(ctx context.Context, accountID string) ([]string, error) {
+						assert.Equal(t, "accID", accountID)
+						return []string{"orderID"}, nil
+					},
+					MockCreateOidcToken: func(ctx context.Context, orderID string, idToken map[string]interface{}) error {
+						assert.Equal(t, "orderID", orderID)
+						assert.Equal(t, "Alice Smith", idToken["name"].(string))
+						assert.Equal(t, "wireapp://%40alice_wire@wire.com", idToken["preferred_username"].(string))
+						return nil
+					},
+				},
+			}
+		},
+		"ok/wire-dpop-01": func(t *testing.T) test {
+			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
+			_ = keyAuth // TODO(hs): keyAuth (not) required for DPoP? Or needs to be added to validation?
+			dpopSigner, err := jose.NewSigner(jose.SigningKey{
+				Algorithm: jose.SignatureAlgorithm(jwk.Algorithm),
+				Key:       jwk,
+			}, new(jose.SignerOptions))
+			require.NoError(t, err)
+			signerJWK, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+			require.NoError(t, err)
+			signer, err := jose.NewSigner(jose.SigningKey{
+				Algorithm: jose.SignatureAlgorithm(signerJWK.Algorithm),
+				Key:       signerJWK,
+			}, new(jose.SignerOptions))
+			require.NoError(t, err)
+			signerPEMBlock, err := pemutil.Serialize(signerJWK.Public().Key)
+			require.NoError(t, err)
+			signerPEMBytes := pem.EncodeToMemory(signerPEMBlock)
+			dpopBytes, err := json.Marshal(struct {
+				jose.Claims
+				Challenge string `json:"chal,omitempty"`
+				Handle    string `json:"handle,omitempty"`
+				Nonce     string `json:"nonce,omitempty"`
+				HTU       string `json:"htu,omitempty"`
+			}{
+				Claims: jose.Claims{
+					Subject:  "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
+					Audience: jose.Audience{"https://ca.example.com/acme/wire/challenge/azID/chID"},
+				},
+				Challenge: "token",
+				Handle:    "wireapp://%40alice_wire@wire.com",
+				Nonce:     "nonce",
+				HTU:       "http://issuer.example.com",
+			})
+			require.NoError(t, err)
+			dpop, err := dpopSigner.Sign(dpopBytes)
+			require.NoError(t, err)
+			proof, err := dpop.CompactSerialize()
+			require.NoError(t, err)
+			tokenBytes, err := json.Marshal(struct {
+				jose.Claims
+				Challenge string `json:"chal,omitempty"`
+				Nonce     string `json:"nonce,omitempty"`
+				Cnf       struct {
+					Kid string `json:"kid,omitempty"`
+				} `json:"cnf"`
+				Proof      string `json:"proof,omitempty"`
+				ClientID   string `json:"client_id"`
+				APIVersion int    `json:"api_version"`
+				Scope      string `json:"scope"`
+			}{
+				Claims: jose.Claims{
+					Issuer:   "http://issuer.example.com",
+					Audience: jose.Audience{"https://ca.example.com/acme/wire/challenge/azID/chID"},
+					Expiry:   jose.NewNumericDate(time.Now().Add(1 * time.Minute)),
+				},
+				Challenge: "token",
+				Nonce:     "nonce",
+				Cnf: struct {
+					Kid string `json:"kid,omitempty"`
+				}{
+					Kid: jwk.KeyID,
+				},
+				Proof:      proof,
+				ClientID:   "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
+				APIVersion: 5,
+				Scope:      "wire_client_id",
+			})
+			require.NoError(t, err)
+			signed, err := signer.Sign(tokenBytes)
+			require.NoError(t, err)
+			accessToken, err := signed.CompactSerialize()
+			require.NoError(t, err)
+			payload, err := json.Marshal(struct {
+				AccessToken string `json:"access_token"`
+			}{
+				AccessToken: accessToken,
+			})
+			require.NoError(t, err)
+			valueBytes, err := json.Marshal(struct {
+				Name     string `json:"name,omitempty"`
+				Domain   string `json:"domain,omitempty"`
+				ClientID string `json:"client-id,omitempty"`
+				Handle   string `json:"handle,omitempty"`
+			}{
+				Name:     "Alice Smith",
+				Domain:   "wire.com",
+				ClientID: "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
+				Handle:   "wireapp://%40alice_wire@wire.com",
+			})
+			require.NoError(t, err)
+			ctx := NewProvisionerContext(context.Background(), newWireProvisionerWithOptions(t, &provisioner.Options{
+				Wire: &wireprovisioner.Options{
+					OIDC: &wireprovisioner.OIDCOptions{
+						Provider: &wireprovisioner.Provider{
+							IssuerURL:  "http://issuerexample.com",
+							Algorithms: []string{"ES256"},
+						},
+						Config: &wireprovisioner.Config{
+							ClientID:            "test",
+							SignatureAlgorithms: []string{"ES256"},
+							Now:                 time.Now,
+						},
+						TransformTemplate: "",
+					},
+					DPOP: &wireprovisioner.DPOPOptions{
+						Target:     "http://issuer.example.com",
+						SigningKey: signerPEMBytes,
+					},
+				},
+			}))
+			ctx = NewLinkerContext(ctx, NewLinker("ca.example.com", "acme"))
+			return test{
+				ch: &Challenge{
+					ID:              "chID",
+					AuthorizationID: "azID",
+					AccountID:       "accID",
+					Token:           "token",
+					Type:            "wire-dpop-01",
+					Status:          StatusPending,
+					Value:           string(valueBytes),
+				},
+				payload: payload,
+				ctx:     ctx,
+				jwk:     jwk,
+				db: &MockDB{
+					MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
+						assert.Equal(t, "chID", updch.ID)
+						assert.Equal(t, "token", updch.Token)
+						assert.Equal(t, StatusValid, updch.Status)
+						assert.Equal(t, ChallengeType("wire-dpop-01"), updch.Type)
+						assert.Equal(t, string(valueBytes), updch.Value)
+						return nil
+					},
+					MockGetAllOrdersByAccountID: func(ctx context.Context, accountID string) ([]string, error) {
+						assert.Equal(t, "accID", accountID)
+						return []string{"orderID"}, nil
+					},
+					MockCreateDpopToken: func(ctx context.Context, orderID string, dpop map[string]interface{}) error {
+						assert.Equal(t, "orderID", orderID)
+						assert.Equal(t, "token", dpop["chal"].(string))
+						assert.Equal(t, "wireapp://%40alice_wire@wire.com", dpop["handle"].(string))
+						assert.Equal(t, "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", dpop["sub"].(string))
+						return nil
+					},
+				},
+			}
+		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
@ -867,25 +1146,63 @@ func TestChallenge_Validate(t *testing.T) {
 				ctx = context.Background()
 			}
 			ctx = NewClientContext(ctx, tc.vc)
-			if err := tc.ch.Validate(ctx, tc.db, tc.jwk, tc.payload); err != nil {
-				if assert.Error(t, tc.err) {
-					var k *Error
-					if errors.As(err, &k) {
-						assert.Equal(t, tc.err.Type, k.Type)
-						assert.Equal(t, tc.err.Detail, k.Detail)
-						assert.Equal(t, tc.err.Status, k.Status)
-						assert.Equal(t, tc.err.Err.Error(), k.Err.Error())
-					} else {
-						assert.Fail(t, "unexpected error type")
-					}
+			err := tc.ch.Validate(ctx, tc.db, tc.jwk, tc.payload)
+			if tc.err != nil {
+				var k *Error
+				if errors.As(err, &k) {
+					assert.Equal(t, tc.err.Type, k.Type)
+					assert.Equal(t, tc.err.Detail, k.Detail)
+					assert.Equal(t, tc.err.Status, k.Status)
+					assert.Equal(t, tc.err.Err.Error(), k.Err.Error())
+				} else {
+					assert.Fail(t, "unexpected error type")
 				}
-			} else {
-				assert.Nil(t, tc.err)
+				return
 			}
+
+			assert.NoError(t, err)
 		})
 	}
 }

+func mustJWKServer(t *testing.T, pub jose.JSONWebKey) *httptest.Server {
+	t.Helper()
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	b, err := json.Marshal(struct {
+		Keys []jose.JSONWebKey `json:"keys,omitempty"`
+	}{
+		Keys: []jose.JSONWebKey{pub},
+	})
+	require.NoError(t, err)
+	jwks := string(b)
+
+	wellKnown := fmt.Sprintf(`{
+		"issuer": "%[1]s",
+		"authorization_endpoint": "%[1]s/auth",
+		"token_endpoint": "%[1]s/token",
+		"jwks_uri": "%[1]s/keys",
+		"userinfo_endpoint": "%[1]s/userinfo",
+		"id_token_signing_alg_values_supported": ["ES256"]
+	}`, server.URL)
+
+	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, req *http.Request) {
+		_, err := io.WriteString(w, wellKnown)
+		if err != nil {
+			w.WriteHeader(500)
+		}
+	})
+	mux.HandleFunc("/keys", func(w http.ResponseWriter, req *http.Request) {
+		_, err := io.WriteString(w, jwks)
+		if err != nil {
+			w.WriteHeader(500)
+		}
+	})
+
+	t.Cleanup(server.Close)
+	return server
+}
+
 type errReader int

 func (errReader) Read([]byte) (int, error) {
--- a/acme/challenge_wire_test.go
+++ b/acme/challenge_wire_test.go
--- a/acme/common.go
+++ b/acme/common.go
@ -21,7 +21,7 @@ var clock Clock

 // CertificateAuthority is the interface implemented by a CA authority.
 type CertificateAuthority interface {
-	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	AreSANsAllowed(ctx context.Context, sans []string) error
 	IsRevoked(sn string) (bool, error)
 	Revoke(context.Context, *authority.RevokeOptions) error
@ -130,7 +130,7 @@ func (m *MockProvisioner) GetName() string {
 	return m.Mret1.(string)
 }

-// AuthorizeOrderIdentifier mock
+// AuthorizeOrderIdentifiers mock
 func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
 	if m.MauthorizeOrderIdentifier != nil {
 		return m.MauthorizeOrderIdentifier(ctx, identifier)
--- a/acme/db.go
+++ b/acme/db.go
@ -2,7 +2,6 @@ package acme

 import (
 	"context"
-	"database/sql"

 	"github.com/pkg/errors"
 )
@ -16,7 +15,7 @@ var ErrNotFound = errors.New("not found")
 // IsErrNotFound returns true if the error is a "not found" error. Returns false
 // otherwise.
 func IsErrNotFound(err error) bool {
-	return errors.Is(err, ErrNotFound) || errors.Is(err, sql.ErrNoRows)
+	return errors.Is(err, ErrNotFound)
 }

 // DB is the DB interface expected by the step-ca ACME API.
@ -54,6 +53,13 @@ type DB interface {
 	GetOrder(ctx context.Context, id string) (*Order, error)
 	GetOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
 	UpdateOrder(ctx context.Context, o *Order) error
+
+	// TODO(hs): put in a different interface
+	GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
+	CreateDpopToken(ctx context.Context, orderID string, dpop map[string]interface{}) error
+	GetDpopToken(ctx context.Context, orderID string) (map[string]interface{}, error)
+	CreateOidcToken(ctx context.Context, orderID string, idToken map[string]interface{}) error
+	GetOidcToken(ctx context.Context, orderID string) (map[string]interface{}, error)
 }

 type dbKey struct{}
@ -119,6 +125,12 @@ type MockDB struct {
 	MockGetOrdersByAccountID func(ctx context.Context, accountID string) ([]string, error)
 	MockUpdateOrder          func(ctx context.Context, o *Order) error

+	MockGetAllOrdersByAccountID func(ctx context.Context, accountID string) ([]string, error)
+	MockGetDpopToken            func(ctx context.Context, orderID string) (map[string]interface{}, error)
+	MockCreateDpopToken         func(ctx context.Context, orderID string, dpop map[string]interface{}) error
+	MockGetOidcToken            func(ctx context.Context, orderID string) (map[string]interface{}, error)
+	MockCreateOidcToken         func(ctx context.Context, orderID string, idToken map[string]interface{}) error
+
 	MockRet1  interface{}
 	MockError error
 }
@ -392,3 +404,49 @@ func (m *MockDB) GetOrdersByAccountID(ctx context.Context, accID string) ([]stri
 	}
 	return m.MockRet1.([]string), m.MockError
 }
+
+// GetAllOrdersByAccountID returns a list of any order IDs owned by the account.
+func (m *MockDB) GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error) {
+	if m.MockGetAllOrdersByAccountID != nil {
+		return m.MockGetAllOrdersByAccountID(ctx, accountID)
+	} else if m.MockError != nil {
+		return nil, m.MockError
+	}
+	return m.MockRet1.([]string), m.MockError
+}
+
+// GetDpop retrieves a DPoP from the database.
+func (m *MockDB) GetDpopToken(ctx context.Context, orderID string) (map[string]any, error) {
+	if m.MockGetDpopToken != nil {
+		return m.MockGetDpopToken(ctx, orderID)
+	} else if m.MockError != nil {
+		return nil, m.MockError
+	}
+	return m.MockRet1.(map[string]any), m.MockError
+}
+
+// CreateDpop creates DPoP resources and saves them to the DB.
+func (m *MockDB) CreateDpopToken(ctx context.Context, orderID string, dpop map[string]any) error {
+	if m.MockCreateDpopToken != nil {
+		return m.MockCreateDpopToken(ctx, orderID, dpop)
+	}
+	return m.MockError
+}
+
+// GetOidcToken retrieves an oidc token from the database.
+func (m *MockDB) GetOidcToken(ctx context.Context, orderID string) (map[string]any, error) {
+	if m.MockGetOidcToken != nil {
+		return m.MockGetOidcToken(ctx, orderID)
+	} else if m.MockError != nil {
+		return nil, m.MockError
+	}
+	return m.MockRet1.(map[string]any), m.MockError
+}
+
+// CreateOidcToken creates oidc token resources and saves them to the DB.
+func (m *MockDB) CreateOidcToken(ctx context.Context, orderID string, idToken map[string]any) error {
+	if m.MockCreateOidcToken != nil {
+		return m.MockCreateOidcToken(ctx, orderID, idToken)
+	}
+	return m.MockError
+}
--- a/acme/db/nosql/account.go
+++ b/acme/db/nosql/account.go
@ -18,7 +18,6 @@ type dbAccount struct {
 	Contact         []string         `json:"contact,omitempty"`
 	Status          acme.Status      `json:"status"`
 	LocationPrefix  string           `json:"locationPrefix"`
-	ProvisionerID   string           `json:"provisionerID,omitempty"`
 	ProvisionerName string           `json:"provisionerName"`
 	CreatedAt       time.Time        `json:"createdAt"`
 	DeactivatedAt   time.Time        `json:"deactivatedAt"`
@ -70,7 +69,6 @@ func (db *DB) GetAccount(ctx context.Context, id string) (*acme.Account, error)
 		Key:             dbacc.Key,
 		ID:              dbacc.ID,
 		LocationPrefix:  dbacc.LocationPrefix,
-		ProvisionerID:   dbacc.ProvisionerID,
 		ProvisionerName: dbacc.ProvisionerName,
 	}, nil
 }
@ -99,7 +97,6 @@ func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error {
 		Status:          acc.Status,
 		CreatedAt:       clock.Now(),
 		LocationPrefix:  acc.LocationPrefix,
-		ProvisionerID:   acc.ProvisionerID,
 		ProvisionerName: acc.ProvisionerName,
 	}

--- a/acme/db/nosql/account_test.go
+++ b/acme/db/nosql/account_test.go
@ -68,14 +68,12 @@ func TestDB_getDBAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			dbacc := &dbAccount{
-				ID:              accID,
-				Status:          acme.StatusDeactivated,
-				CreatedAt:       now,
-				DeactivatedAt:   now,
-				Contact:         []string{"foo", "bar"},
-				Key:             jwk,
-				ProvisionerID:   "73d2c0f1-9753-448b-9b48-bf00fe434681",
-				ProvisionerName: "acme",
+				ID:            accID,
+				Status:        acme.StatusDeactivated,
+				CreatedAt:     now,
+				DeactivatedAt: now,
+				Contact:       []string{"foo", "bar"},
+				Key:           jwk,
 			}
 			b, err := json.Marshal(dbacc)
 			assert.FatalError(t, err)
--- a/acme/db/nosql/challenge.go
+++ b/acme/db/nosql/challenge.go
@ -19,6 +19,7 @@ type dbChallenge struct {
 	Status      acme.Status        `json:"status"`
 	Token       string             `json:"token"`
 	Value       string             `json:"value"`
+	Target      string             `json:"target,omitempty"`
 	ValidatedAt string             `json:"validatedAt"`
 	CreatedAt   time.Time          `json:"createdAt"`
 	Error       *acme.Error        `json:"error"` // TODO(hs): a bit dangerous; should become db-specific type
@ -61,6 +62,7 @@ func (db *DB) CreateChallenge(ctx context.Context, ch *acme.Challenge) error {
 		Token:     ch.Token,
 		CreatedAt: clock.Now(),
 		Type:      ch.Type,
+		Target:    ch.Target,
 	}

 	return db.save(ctx, ch.ID, dbch, nil, "challenge", challengeTable)
@ -84,6 +86,7 @@ func (db *DB) GetChallenge(ctx context.Context, id, authzID string) (*acme.Chall
 		Token:       dbch.Token,
 		Error:       dbch.Error,
 		ValidatedAt: dbch.ValidatedAt,
+		Target:      dbch.Target,
 	}
 	return ch, nil
 }
--- a/acme/db/nosql/nosql.go
+++ b/acme/db/nosql/nosql.go
@ -23,6 +23,8 @@ var (
 	externalAccountKeyTable                   = []byte("acme_external_account_keys")
 	externalAccountKeyIDsByReferenceTable     = []byte("acme_external_account_keyID_reference_index")
 	externalAccountKeyIDsByProvisionerIDTable = []byte("acme_external_account_keyID_provisionerID_index")
+	wireDpopTokenTable                        = []byte("wire_acme_dpop_token")
+	wireOidcTokenTable                        = []byte("wire_acme_oidc_token")
 )

 // DB is a struct that implements the AcmeDB interface.
@ -36,11 +38,11 @@ func New(db nosqlDB.DB) (*DB, error) {
 		challengeTable, nonceTable, orderTable, ordersByAccountIDTable,
 		certTable, certBySerialTable, externalAccountKeyTable,
 		externalAccountKeyIDsByReferenceTable, externalAccountKeyIDsByProvisionerIDTable,
+		wireDpopTokenTable, wireOidcTokenTable,
 	}
 	for _, b := range tables {
 		if err := db.CreateTable(b); err != nil {
-			return nil, errors.Wrapf(err, "error creating table %s",
-				string(b))
+			return nil, errors.Wrapf(err, "error creating table %s", string(b))
 		}
 	}
 	return &DB{db}, nil
--- a/acme/db/nosql/order.go
+++ b/acme/db/nosql/order.go
@ -98,7 +98,7 @@ func (db *DB) CreateOrder(ctx context.Context, o *acme.Order) error {
 		return err
 	}

-	_, err = db.updateAddOrderIDs(ctx, o.AccountID, o.ID)
+	_, err = db.updateAddOrderIDs(ctx, o.AccountID, false, o.ID)
 	if err != nil {
 		return err
 	}
@ -117,10 +117,11 @@ func (db *DB) UpdateOrder(ctx context.Context, o *acme.Order) error {
 	nu.Status = o.Status
 	nu.Error = o.Error
 	nu.CertificateID = o.CertificateID
+
 	return db.save(ctx, old.ID, nu, old, "order", orderTable)
 }

-func (db *DB) updateAddOrderIDs(ctx context.Context, accID string, addOids ...string) ([]string, error) {
+func (db *DB) updateAddOrderIDs(ctx context.Context, accID string, includeReadyOrders bool, addOids ...string) ([]string, error) {
 	ordersByAccountMux.Lock()
 	defer ordersByAccountMux.Unlock()

@ -151,7 +152,8 @@ func (db *DB) updateAddOrderIDs(ctx context.Context, accID string, addOids ...st
 		if err = o.UpdateStatus(ctx, db); err != nil {
 			return nil, acme.WrapErrorISE(err, "error updating order %s for account %s", oid, accID)
 		}
-		if o.Status == acme.StatusPending {
+
+		if o.Status == acme.StatusPending || (o.Status == acme.StatusReady && includeReadyOrders) {
 			pendOids = append(pendOids, oid)
 		}
 	}
@ -183,5 +185,10 @@ func (db *DB) updateAddOrderIDs(ctx context.Context, accID string, addOids ...st

 // GetOrdersByAccountID returns a list of order IDs owned by the account.
 func (db *DB) GetOrdersByAccountID(ctx context.Context, accID string) ([]string, error) {
-	return db.updateAddOrderIDs(ctx, accID)
+	return db.updateAddOrderIDs(ctx, accID, false)
+}
+
+// GetAllOrdersByAccountID returns a list of any order IDs owned by the account.
+func (db *DB) GetAllOrdersByAccountID(ctx context.Context, accID string) ([]string, error) {
+	return db.updateAddOrderIDs(ctx, accID, true)
 }
--- a/acme/db/nosql/order_test.go
+++ b/acme/db/nosql/order_test.go
@ -997,9 +997,9 @@ func TestDB_updateAddOrderIDs(t *testing.T) {
 				err error
 			)
 			if tc.addOids == nil {
-				res, err = d.updateAddOrderIDs(context.Background(), accID)
+				res, err = d.updateAddOrderIDs(context.Background(), accID, false)
 			} else {
-				res, err = d.updateAddOrderIDs(context.Background(), accID, tc.addOids...)
+				res, err = d.updateAddOrderIDs(context.Background(), accID, false, tc.addOids...)
 			}

 			if err != nil {
--- a/acme/db/nosql/wire.go
+++ b/acme/db/nosql/wire.go
@ -0,0 +1,121 @@
+package nosql
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/smallstep/certificates/acme"
+	"github.com/smallstep/nosql"
+)
+
+type dbDpopToken struct {
+	ID        string    `json:"id"`
+	Content   []byte    `json:"content"`
+	CreatedAt time.Time `json:"createdAt"`
+}
+
+// getDBDpopToken retrieves and unmarshals an DPoP type from the database.
+func (db *DB) getDBDpopToken(_ context.Context, orderID string) (*dbDpopToken, error) {
+	b, err := db.db.Get(wireDpopTokenTable, []byte(orderID))
+	if err != nil {
+		if nosql.IsErrNotFound(err) {
+			return nil, acme.NewError(acme.ErrorMalformedType, "dpop token %q not found", orderID)
+		}
+		return nil, fmt.Errorf("failed loading dpop token %q: %w", orderID, err)
+	}
+
+	d := new(dbDpopToken)
+	if err := json.Unmarshal(b, d); err != nil {
+		return nil, fmt.Errorf("failed unmarshaling dpop token %q into dbDpopToken: %w", orderID, err)
+	}
+	return d, nil
+}
+
+// GetDpopToken retrieves an DPoP from the database.
+func (db *DB) GetDpopToken(ctx context.Context, orderID string) (map[string]any, error) {
+	dbDpop, err := db.getDBDpopToken(ctx, orderID)
+	if err != nil {
+		return nil, err
+	}
+
+	dpop := make(map[string]any)
+	err = json.Unmarshal(dbDpop.Content, &dpop)
+
+	return dpop, err
+}
+
+// CreateDpopToken creates DPoP resources and saves them to the DB.
+func (db *DB) CreateDpopToken(ctx context.Context, orderID string, dpop map[string]any) error {
+	content, err := json.Marshal(dpop)
+	if err != nil {
+		return fmt.Errorf("failed marshaling dpop token: %w", err)
+	}
+
+	now := clock.Now()
+	dbDpop := &dbDpopToken{
+		ID:        orderID,
+		Content:   content,
+		CreatedAt: now,
+	}
+	if err := db.save(ctx, orderID, dbDpop, nil, "dpop", wireDpopTokenTable); err != nil {
+		return fmt.Errorf("failed saving dpop token: %w", err)
+	}
+	return nil
+}
+
+type dbOidcToken struct {
+	ID        string    `json:"id"`
+	Content   []byte    `json:"content"`
+	CreatedAt time.Time `json:"createdAt"`
+}
+
+// getDBOidcToken retrieves and unmarshals an OIDC id token type from the database.
+func (db *DB) getDBOidcToken(_ context.Context, orderID string) (*dbOidcToken, error) {
+	b, err := db.db.Get(wireOidcTokenTable, []byte(orderID))
+	if err != nil {
+		if nosql.IsErrNotFound(err) {
+			return nil, acme.NewError(acme.ErrorMalformedType, "oidc token %q not found", orderID)
+		}
+		return nil, fmt.Errorf("failed loading oidc token %q: %w", orderID, err)
+	}
+
+	o := new(dbOidcToken)
+	if err := json.Unmarshal(b, o); err != nil {
+		return nil, fmt.Errorf("failed unmarshaling oidc token %q into dbOidcToken: %w", orderID, err)
+	}
+	return o, nil
+}
+
+// GetOidcToken retrieves an oidc token from the database.
+func (db *DB) GetOidcToken(ctx context.Context, orderID string) (map[string]any, error) {
+	dbOidc, err := db.getDBOidcToken(ctx, orderID)
+	if err != nil {
+		return nil, err
+	}
+
+	idToken := make(map[string]any)
+	err = json.Unmarshal(dbOidc.Content, &idToken)
+
+	return idToken, err
+}
+
+// CreateOidcToken creates oidc token resources and saves them to the DB.
+func (db *DB) CreateOidcToken(ctx context.Context, orderID string, idToken map[string]any) error {
+	content, err := json.Marshal(idToken)
+	if err != nil {
+		return fmt.Errorf("failed marshaling oidc token: %w", err)
+	}
+
+	now := clock.Now()
+	dbOidc := &dbOidcToken{
+		ID:        orderID,
+		Content:   content,
+		CreatedAt: now,
+	}
+	if err := db.save(ctx, orderID, dbOidc, nil, "oidc", wireOidcTokenTable); err != nil {
+		return fmt.Errorf("failed saving oidc token: %w", err)
+	}
+	return nil
+}
--- a/acme/db/nosql/wire_test.go
+++ b/acme/db/nosql/wire_test.go
@ -0,0 +1,394 @@
+package nosql
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/smallstep/certificates/acme"
+	certificatesdb "github.com/smallstep/certificates/db"
+	"github.com/smallstep/nosql"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDB_GetDpopToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		expected    map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/acme-not-found": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expectedErr: &acme.Error{
+					Type:   "urn:ietf:params:acme:error:malformed",
+					Status: 400,
+					Detail: "The request message was malformed",
+					Err:    errors.New(`dpop token "orderID" not found`),
+				},
+			}
+		},
+		"fail/unmarshal-error": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbDpopToken{
+				ID:        "orderID",
+				Content:   []byte("{}"),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireDpopTokenTable, []byte("orderID"), b[1:]) // start at index 1; corrupt JSON data
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`failed unmarshaling dpop token "orderID" into dbDpopToken: invalid character ':' after top-level value`),
+			}
+		},
+		"fail/db.Get": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MGet: func(bucket, key []byte) ([]byte, error) {
+					assert.Equal(t, wireDpopTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`failed loading dpop token "orderID": fail`),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbDpopToken{
+				ID:        "orderID",
+				Content:   []byte(`{"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com"}`),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireDpopTokenTable, []byte("orderID"), b)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expected: map[string]any{
+					"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com",
+				},
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			got, err := tc.db.GetDpopToken(context.Background(), tc.orderID)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				ae := &acme.Error{}
+				if errors.As(err, &ae) {
+					ee := &acme.Error{}
+					require.True(t, errors.As(tc.expectedErr, &ee))
+					assert.Equal(t, ee.Detail, ae.Detail)
+					assert.Equal(t, ee.Type, ae.Type)
+					assert.Equal(t, ee.Status, ae.Status)
+				}
+				assert.Nil(t, got)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expected, got)
+		})
+	}
+}
+
+func TestDB_CreateDpopToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		dpop        map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/db.Save": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+					assert.Equal(t, wireDpopTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, false, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				dpop: map[string]any{
+					"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com",
+				},
+				expectedErr: errors.New("failed saving dpop token: error saving acme dpop: fail"),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				dpop: map[string]any{
+					"sub": "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com",
+				},
+			}
+		},
+		"ok/nil": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				dpop:    nil,
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			err := tc.db.CreateDpopToken(context.Background(), tc.orderID, tc.dpop)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+
+			dpop, err := tc.db.getDBDpopToken(context.Background(), tc.orderID)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.orderID, dpop.ID)
+			var m map[string]any
+			err = json.Unmarshal(dpop.Content, &m)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.dpop, m)
+		})
+	}
+}
+
+func TestDB_GetOidcToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		expected    map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/acme-not-found": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expectedErr: &acme.Error{
+					Type:   "urn:ietf:params:acme:error:malformed",
+					Status: 400,
+					Detail: "The request message was malformed",
+					Err:    errors.New(`oidc token "orderID" not found`),
+				},
+			}
+		},
+		"fail/unmarshal-error": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbOidcToken{
+				ID:        "orderID",
+				Content:   []byte("{}"),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireOidcTokenTable, []byte("orderID"), b[1:]) // start at index 1; corrupt JSON data
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`failed unmarshaling oidc token "orderID" into dbOidcToken: invalid character ':' after top-level value`),
+			}
+		},
+		"fail/db.Get": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MGet: func(bucket, key []byte) ([]byte, error) {
+					assert.Equal(t, wireOidcTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID:     "orderID",
+				expectedErr: errors.New(`failed loading oidc token "orderID": fail`),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			token := dbOidcToken{
+				ID:        "orderID",
+				Content:   []byte(`{"name": "Alice Smith", "preferred_username": "@alice.smith"}`),
+				CreatedAt: time.Now(),
+			}
+			b, err := json.Marshal(token)
+			require.NoError(t, err)
+			err = db.Set(wireOidcTokenTable, []byte("orderID"), b)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				expected: map[string]any{
+					"name":               "Alice Smith",
+					"preferred_username": "@alice.smith",
+				},
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			got, err := tc.db.GetOidcToken(context.Background(), tc.orderID)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				ae := &acme.Error{}
+				if errors.As(err, &ae) {
+					ee := &acme.Error{}
+					require.True(t, errors.As(tc.expectedErr, &ee))
+					assert.Equal(t, ee.Detail, ae.Detail)
+					assert.Equal(t, ee.Type, ae.Type)
+					assert.Equal(t, ee.Status, ae.Status)
+				}
+				assert.Nil(t, got)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expected, got)
+		})
+	}
+}
+
+func TestDB_CreateOidcToken(t *testing.T) {
+	type test struct {
+		db          *DB
+		orderID     string
+		oidc        map[string]any
+		expectedErr error
+	}
+	var tests = map[string]func(t *testing.T) test{
+		"fail/db.Save": func(t *testing.T) test {
+			db := &certificatesdb.MockNoSQLDB{
+				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+					assert.Equal(t, wireOidcTokenTable, bucket)
+					assert.Equal(t, []byte("orderID"), key)
+					return nil, false, errors.New("fail")
+				},
+			}
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				oidc: map[string]any{
+					"name":               "Alice Smith",
+					"preferred_username": "@alice.smith",
+				},
+				expectedErr: errors.New("failed saving oidc token: error saving acme oidc: fail"),
+			}
+		},
+		"ok": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				oidc: map[string]any{
+					"name":               "Alice Smith",
+					"preferred_username": "@alice.smith",
+				},
+			}
+		},
+		"ok/nil": func(t *testing.T) test {
+			dir := t.TempDir()
+			db, err := nosql.New("badgerv2", dir)
+			require.NoError(t, err)
+			return test{
+				db: &DB{
+					db: db,
+				},
+				orderID: "orderID",
+				oidc:    nil,
+			}
+		},
+	}
+	for name, run := range tests {
+		tc := run(t)
+		t.Run(name, func(t *testing.T) {
+			err := tc.db.CreateOidcToken(context.Background(), tc.orderID, tc.oidc)
+			if tc.expectedErr != nil {
+				assert.EqualError(t, err, tc.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+
+			oidc, err := tc.db.getDBOidcToken(context.Background(), tc.orderID)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.orderID, oidc.ID)
+			var m map[string]any
+			err = json.Unmarshal(oidc.Content, &m)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.oidc, m)
+		})
+	}
+}
--- a/acme/db_test.go
+++ b/acme/db_test.go
@ -1,32 +0,0 @@
-package acme
-
-import (
-	"database/sql"
-	"errors"
-	"fmt"
-	"testing"
-)
-
-func TestIsErrNotFound(t *testing.T) {
-	type args struct {
-		err error
-	}
-	tests := []struct {
-		name string
-		args args
-		want bool
-	}{
-		{"true ErrNotFound", args{ErrNotFound}, true},
-		{"true sql.ErrNoRows", args{sql.ErrNoRows}, true},
-		{"true wrapped ErrNotFound", args{fmt.Errorf("something failed: %w", ErrNotFound)}, true},
-		{"true wrapped sql.ErrNoRows", args{fmt.Errorf("something failed: %w", sql.ErrNoRows)}, true},
-		{"false other", args{errors.New("not found")}, false},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := IsErrNotFound(tt.args.err); got != tt.want {
-				t.Errorf("IsErrNotFound() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/acme/errors.go
+++ b/acme/errors.go
@ -424,7 +424,7 @@ func (e *Error) ToLog() (interface{}, error) {
 }

 // Render implements render.RenderableError for Error.
-func (e *Error) Render(w http.ResponseWriter, r *http.Request) {
+func (e *Error) Render(w http.ResponseWriter) {
 	w.Header().Set("Content-Type", "application/problem+json")
-	render.JSONStatus(w, r, e, e.StatusCode())
+	render.JSONStatus(w, e, e.StatusCode())
 }
--- a/acme/linker.go
+++ b/acme/linker.go
@ -186,19 +186,19 @@ func (l *linker) Middleware(next http.Handler) http.Handler {
 		nameEscaped := chi.URLParam(r, "provisionerID")
 		name, err := url.PathUnescape(nameEscaped)
 		if err != nil {
-			render.Error(w, r, WrapErrorISE(err, "error url unescaping provisioner name '%s'", nameEscaped))
+			render.Error(w, WrapErrorISE(err, "error url unescaping provisioner name '%s'", nameEscaped))
 			return
 		}

 		p, err := authority.MustFromContext(ctx).LoadProvisionerByName(name)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

 		acmeProv, ok := p.(*provisioner.ACME)
 		if !ok {
-			render.Error(w, r, NewError(ErrorAccountDoesNotExistType, "provisioner must be of type ACME"))
+			render.Error(w, NewError(ErrorAccountDoesNotExistType, "provisioner must be of type ACME"))
 			return
 		}

--- a/acme/order.go
+++ b/acme/order.go
@ -5,15 +5,20 @@ import (
 	"context"
 	"crypto/subtle"
 	"crypto/x509"
+	"encoding/asn1"
 	"encoding/json"
+	"fmt"
 	"net"
+	"net/url"
 	"sort"
 	"strings"
 	"time"

-	"github.com/smallstep/certificates/authority/provisioner"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/x509util"
+
+	"github.com/smallstep/certificates/acme/wire"
+	"github.com/smallstep/certificates/authority/provisioner"
 )

 type IdentifierType string
@ -26,6 +31,10 @@ const (
 	// PermanentIdentifier is the ACME permanent-identifier identifier type
 	// defined in https://datatracker.ietf.org/doc/html/draft-bweeks-acme-device-attest-00
 	PermanentIdentifier IdentifierType = "permanent-identifier"
+	// WireUser is the Wire user identifier type
+	WireUser IdentifierType = "wireapp-user"
+	// WireDevice is the Wire device identifier type
+	WireDevice IdentifierType = "wireapp-device"
 )

 // Identifier encodes the type that an order pertains to.
@ -121,13 +130,15 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
 	default:
 		return NewErrorISE("unrecognized order status: %s", o.Status)
 	}
+
 	if err := db.UpdateOrder(ctx, o); err != nil {
 		return WrapErrorISE(err, "error updating order")
 	}
+
 	return nil
 }

-// getAuthorizationFingerprint returns a fingerprint from the list of authorizations. This
+// getKeyFingerprint returns a fingerprint from the list of authorizations. This
 // fingerprint is used on the device-attest-01 flow to verify the attestation
 // certificate public key with the CSR public key.
 //
@ -196,7 +207,28 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques

 	// Template data
 	data := x509util.NewTemplateData()
-	data.SetCommonName(csr.Subject.CommonName)
+	if o.containsWireIdentifiers() {
+		subject, err := createWireSubject(o, csr)
+		if err != nil {
+			return fmt.Errorf("failed creating Wire subject: %w", err)
+		}
+		data.SetSubject(subject)
+
+		// Inject Wire's custom challenges into the template once they have been validated
+		dpop, err := db.GetDpopToken(ctx, o.ID)
+		if err != nil {
+			return fmt.Errorf("failed getting Wire DPoP token: %w", err)
+		}
+		data.Set("Dpop", dpop)
+
+		oidc, err := db.GetOidcToken(ctx, o.ID)
+		if err != nil {
+			return fmt.Errorf("failed getting Wire OIDC token: %w", err)
+		}
+		data.Set("Oidc", oidc)
+	} else {
+		data.SetCommonName(csr.Subject.CommonName)
+	}

 	// Custom sign options passed to authority.Sign
 	var extraOptions []provisioner.SignOption
@ -263,7 +295,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	signOps = append(signOps, extraOptions...)

 	// Sign a new certificate.
-	certChain, err := auth.SignWithContext(ctx, csr, provisioner.SignOptions{
+	certChain, err := auth.Sign(csr, provisioner.SignOptions{
 		NotBefore: provisioner.NewTimeDuration(o.NotBefore),
 		NotAfter:  provisioner.NewTimeDuration(o.NotAfter),
 	}, signOps...)
@ -283,15 +315,76 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques

 	o.CertificateID = cert.ID
 	o.Status = StatusValid
+
 	if err = db.UpdateOrder(ctx, o); err != nil {
 		return WrapErrorISE(err, "error updating order %s", o.ID)
 	}
+
 	return nil
 }

+// containsWireIdentifiers checks if [Order] contains ACME
+// identifiers for the WireUser or WireDevice types.
+func (o *Order) containsWireIdentifiers() bool {
+	for _, i := range o.Identifiers {
+		if i.Type == WireUser || i.Type == WireDevice {
+			return true
+		}
+	}
+	return false
+}
+
+// createWireSubject creates the subject for an [Order] with WireUser identifiers.
+func createWireSubject(o *Order, csr *x509.CertificateRequest) (subject x509util.Subject, err error) {
+	wireUserIDs, wireDeviceIDs, otherIDs := 0, 0, 0
+	for _, identifier := range o.Identifiers {
+		switch identifier.Type {
+		case WireUser:
+			wireID, err := wire.ParseUserID([]byte(identifier.Value))
+			if err != nil {
+				return subject, NewErrorISE("unmarshal wireID: %s", err)
+			}
+
+			// TODO: temporarily using a custom OIDC for carrying the display name without having it listed as a DNS SAN.
+			// reusing LDAP's OID for diplay name see http://oid-info.com/get/2.16.840.1.113730.3.1.241
+			displayNameOid := asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 3, 1, 241}
+			var foundDisplayName = false
+			for _, entry := range csr.Subject.Names {
+				if entry.Type.Equal(displayNameOid) {
+					foundDisplayName = true
+					displayName := entry.Value.(string)
+					if displayName != wireID.Name {
+						return subject, NewErrorISE("expected displayName %v, found %v", wireID.Name, displayName)
+					}
+				}
+			}
+			if !foundDisplayName {
+				return subject, NewErrorISE("CSR must contain the display name in '2.16.840.1.113730.3.1.241' OID")
+			}
+
+			if len(csr.Subject.Organization) == 0 || !strings.EqualFold(csr.Subject.Organization[0], wireID.Domain) {
+				return subject, NewErrorISE("expected Organization [%s], found %v", wireID.Domain, csr.Subject.Organization)
+			}
+			subject.CommonName = wireID.Name
+			subject.Organization = []string{wireID.Domain}
+			wireUserIDs++
+		case WireDevice:
+			wireDeviceIDs++
+		default:
+			otherIDs++
+		}
+	}
+
+	if otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1 {
+		return subject, NewErrorISE("order must have exactly one WireUser and WireDevice identifier")
+	}
+
+	return
+}
+
 func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativeName, error) {
 	var sans []x509util.SubjectAlternativeName
-	if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
+	if len(csr.EmailAddresses) > 0 {
 		return sans, NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed")
 	}

@ -299,7 +392,8 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 	orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers))
 	orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers))
 	orderPIDs := make([]string, numberOfIdentifierType(PermanentIdentifier, o.Identifiers))
-	indexDNS, indexIP, indexPID := 0, 0, 0
+	tmpOrderURIs := make([]*url.URL, numberOfIdentifierType(WireUser, o.Identifiers)+numberOfIdentifierType(WireDevice, o.Identifiers))
+	indexDNS, indexIP, indexPID, indexURI := 0, 0, 0, 0
 	for _, n := range o.Identifiers {
 		switch n.Type {
 		case DNS:
@ -311,14 +405,37 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 		case PermanentIdentifier:
 			orderPIDs[indexPID] = n.Value
 			indexPID++
+		case WireUser:
+			wireID, err := wire.ParseUserID([]byte(n.Value))
+			if err != nil {
+				return sans, NewErrorISE("unsupported identifier value in order: %s", n.Value)
+			}
+			handle, err := url.Parse(wireID.Handle)
+			if err != nil {
+				return sans, NewErrorISE("handle must be a URI: %s", wireID.Handle)
+			}
+			tmpOrderURIs[indexURI] = handle
+			indexURI++
+		case WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(n.Value))
+			if err != nil {
+				return sans, NewErrorISE("unsupported identifier value in order: %s", n.Value)
+			}
+			clientID, err := url.Parse(wireID.ClientID)
+			if err != nil {
+				return sans, NewErrorISE("clientId must be a URI: %s", wireID.ClientID)
+			}
+			tmpOrderURIs[indexURI] = clientID
+			indexURI++
 		default:
 			return sans, NewErrorISE("unsupported identifier type in order: %s", n.Type)
 		}
 	}
 	orderNames = uniqueSortedLowerNames(orderNames)
 	orderIPs = uniqueSortedIPs(orderIPs)
+	orderURIs := uniqueSortedURIStrings(tmpOrderURIs)

-	totalNumberOfSANs := len(csr.DNSNames) + len(csr.IPAddresses)
+	totalNumberOfSANs := len(csr.DNSNames) + len(csr.IPAddresses) + len(csr.URIs)
 	sans = make([]x509util.SubjectAlternativeName, totalNumberOfSANs)
 	index := 0

@ -361,6 +478,26 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 		index++
 	}

+	if len(csr.URIs) != len(tmpOrderURIs) {
+		return sans, NewError(ErrorBadCSRType, "CSR URIs do not match identifiers exactly: "+
+			"CSR URIs = %v, Order URIs = %v", csr.URIs, tmpOrderURIs)
+	}
+
+	// sort URI list
+	csrURIs := uniqueSortedURIStrings(csr.URIs)
+
+	for i := range csrURIs {
+		if csrURIs[i] != orderURIs[i] {
+			return sans, NewError(ErrorBadCSRType, "CSR URIs do not match identifiers exactly: "+
+				"CSR URIs = %v, Order URIs = %v", csr.URIs, tmpOrderURIs)
+		}
+		sans[index] = x509util.SubjectAlternativeName{
+			Type:  x509util.URIType,
+			Value: orderURIs[i],
+		}
+		index++
+	}
+
 	return sans, nil
 }

@ -430,6 +567,21 @@ func uniqueSortedLowerNames(names []string) (unique []string) {
 	}
 	unique = make([]string, 0, len(nameMap))
 	for name := range nameMap {
+		if len(name) > 0 {
+			unique = append(unique, name)
+		}
+	}
+	sort.Strings(unique)
+	return
+}
+
+func uniqueSortedURIStrings(uris []*url.URL) (unique []string) {
+	uriMap := make(map[string]struct{}, len(uris))
+	for _, name := range uris {
+		uriMap[name.String()] = struct{}{}
+	}
+	unique = make([]string, 0, len(uriMap))
+	for name := range uriMap {
 		unique = append(unique, name)
 	}
 	sort.Strings(unique)
--- a/acme/order_test.go
+++ b/acme/order_test.go
@ -9,7 +9,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
-	"net/url"
 	"reflect"
 	"testing"
 	"time"
@ -271,16 +270,16 @@ func TestOrder_UpdateStatus(t *testing.T) {
 }

 type mockSignAuth struct {
-	signWithContext       func(ctx context.Context, csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	sign                  func(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	areSANsAllowed        func(ctx context.Context, sans []string) error
 	loadProvisionerByName func(string) (provisioner.Interface, error)
 	ret1, ret2            interface{}
 	err                   error
 }

-func (m *mockSignAuth) SignWithContext(ctx context.Context, csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
-	if m.signWithContext != nil {
-		return m.signWithContext(ctx, csr, signOpts, extraOpts...)
+func (m *mockSignAuth) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+	if m.sign != nil {
+		return m.sign(csr, signOpts, extraOpts...)
 	} else if m.err != nil {
 		return nil, m.err
 	}
@ -578,7 +577,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return nil, errors.New("force")
 					},
@ -628,7 +627,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
@ -685,7 +684,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
@ -770,7 +769,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{leaf, inter, root}, nil
 					},
@ -863,7 +862,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{leaf, inter, root}, nil
 					},
@ -973,7 +972,7 @@ func TestOrder_Finalize(t *testing.T) {
 				// using the mocking functions as a wrapper for actual test helpers generated per test case or per
 				// function that's tested.
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{leaf, inter, root}, nil
 					},
@ -1044,7 +1043,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
@ -1108,7 +1107,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
@ -1175,7 +1174,7 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				ca: &mockSignAuth{
-					signWithContext: func(_ context.Context, _csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{foo, bar, baz}, nil
 					},
@ -1702,25 +1701,6 @@ func TestOrder_sans(t *testing.T) {
 			want: []x509util.SubjectAlternativeName{},
 			err:  NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
 		},
-		{
-			name: "fail/invalid-alternative-name-uri",
-			fields: fields{
-				Identifiers: []Identifier{},
-			},
-			csr: &x509.CertificateRequest{
-				Subject: pkix.Name{
-					CommonName: "foo.internal",
-				},
-				URIs: []*url.URL{
-					{
-						Scheme: "https://",
-						Host:   "smallstep.com",
-					},
-				},
-			},
-			want: []x509util.SubjectAlternativeName{},
-			err:  NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
-		},
 		{
 			name: "fail/error-names-length-mismatch",
 			fields: fields{
--- a/acme/wire/id.go
+++ b/acme/wire/id.go
@ -0,0 +1,65 @@
+package wire
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"go.step.sm/crypto/kms/uri"
+)
+
+type UserID struct {
+	Name   string `json:"name,omitempty"`
+	Domain string `json:"domain,omitempty"`
+	Handle string `json:"handle,omitempty"`
+}
+
+type DeviceID struct {
+	Name     string `json:"name,omitempty"`
+	Domain   string `json:"domain,omitempty"`
+	ClientID string `json:"client-id,omitempty"`
+	Handle   string `json:"handle,omitempty"`
+}
+
+func ParseUserID(data []byte) (id UserID, err error) {
+	err = json.Unmarshal(data, &id)
+	return
+}
+
+func ParseDeviceID(data []byte) (id DeviceID, err error) {
+	err = json.Unmarshal(data, &id)
+	return
+}
+
+type ClientID struct {
+	Scheme   string
+	Username string
+	DeviceID string
+	Domain   string
+}
+
+// ParseClientID parses a Wire clientID. The ClientID format is as follows:
+//
+//	"wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com",
+//
+// where '!' is used as a separator between the user id & device id.
+func ParseClientID(clientID string) (ClientID, error) {
+	clientIDURI, err := uri.Parse(clientID)
+	if err != nil {
+		return ClientID{}, fmt.Errorf("invalid Wire client ID URI %q: %w", clientID, err)
+	}
+	if clientIDURI.Scheme != "wireapp" {
+		return ClientID{}, fmt.Errorf("invalid Wire client ID scheme %q; expected \"wireapp\"", clientIDURI.Scheme)
+	}
+	fullUsername := clientIDURI.User.Username()
+	parts := strings.SplitN(fullUsername, "!", 2)
+	if len(parts) != 2 {
+		return ClientID{}, fmt.Errorf("invalid Wire client ID username %q", fullUsername)
+	}
+	return ClientID{
+		Scheme:   clientIDURI.Scheme,
+		Username: parts[0],
+		DeviceID: parts[1],
+		Domain:   clientIDURI.Host,
+	}, nil
+}
--- a/acme/wire/id_test.go
+++ b/acme/wire/id_test.go
@ -0,0 +1,82 @@
+package wire
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseUserID(t *testing.T) {
+	ok := `{"name": "Alice Smith", "domain": "wire.com", "handle": "wireapp://%40alice_wire@wire.com"}`
+	tests := []struct {
+		name        string
+		data        []byte
+		wantWireID  UserID
+		expectedErr error
+	}{
+		{name: "ok", data: []byte(ok), wantWireID: UserID{Name: "Alice Smith", Domain: "wire.com", Handle: "wireapp://%40alice_wire@wire.com"}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotWireID, err := ParseUserID(tt.data)
+			if tt.expectedErr != nil {
+				assert.EqualError(t, err, tt.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tt.wantWireID, gotWireID)
+		})
+	}
+}
+
+func TestParseDeviceID(t *testing.T) {
+	ok := `{"name": "device", "domain": "wire.com", "client-id": "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", "handle": "wireapp://%40alice_wire@wire.com"}`
+	tests := []struct {
+		name        string
+		data        []byte
+		wantWireID  DeviceID
+		expectedErr error
+	}{
+		{name: "ok", data: []byte(ok), wantWireID: DeviceID{Name: "device", Domain: "wire.com", ClientID: "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", Handle: "wireapp://%40alice_wire@wire.com"}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotWireID, err := ParseDeviceID(tt.data)
+			if tt.expectedErr != nil {
+				assert.EqualError(t, err, tt.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tt.wantWireID, gotWireID)
+		})
+	}
+}
+
+func TestParseClientID(t *testing.T) {
+	tests := []struct {
+		name        string
+		clientID    string
+		want        ClientID
+		expectedErr error
+	}{
+		{name: "ok", clientID: "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", want: ClientID{Scheme: "wireapp", Username: "CzbfFjDOQrenCbDxVmgnFw", DeviceID: "594930e9d50bb175", Domain: "wire.com"}},
+		{name: "fail/uri", clientID: "bla", expectedErr: errors.New(`invalid Wire client ID URI "bla": error parsing bla: scheme is missing`)},
+		{name: "fail/scheme", clientID: "not-wireapp://bla.com", expectedErr: errors.New(`invalid Wire client ID scheme "not-wireapp"; expected "wireapp"`)},
+		{name: "fail/username", clientID: "wireapp://user@wire.com", expectedErr: errors.New(`invalid Wire client ID username "user"`)},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseClientID(tt.clientID)
+			if tt.expectedErr != nil {
+				assert.EqualError(t, err, tt.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/api/api.go
+++ b/api/api.go
@ -42,7 +42,7 @@ type Authority interface {
 	AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error)
 	GetTLSOptions() *config.TLSOptions
 	Root(shasum string) (*x509.Certificate, error)
-	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	Renew(peer *x509.Certificate) ([]*x509.Certificate, error)
 	RenewContext(ctx context.Context, peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
 	Rekey(peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
@ -54,7 +54,7 @@ type Authority interface {
 	GetRoots() ([]*x509.Certificate, error)
 	GetFederation() ([]*x509.Certificate, error)
 	Version() authority.Version
-	GetCertificateRevocationList() (*authority.CertificateRevocationListInfo, error)
+	GetCertificateRevocationList() ([]byte, error)
 }

 // mustAuthority will be replaced on unit tests.
@ -353,15 +353,15 @@ func Route(r Router) {
 // Version is an HTTP handler that returns the version of the server.
 func Version(w http.ResponseWriter, r *http.Request) {
 	v := mustAuthority(r.Context()).Version()
-	render.JSON(w, r, VersionResponse{
+	render.JSON(w, VersionResponse{
 		Version:                     v.Version,
 		RequireClientAuthentication: v.RequireClientAuthentication,
 	})
 }

 // Health is an HTTP handler that returns the status of the server.
-func Health(w http.ResponseWriter, r *http.Request) {
-	render.JSON(w, r, HealthResponse{Status: "ok"})
+func Health(w http.ResponseWriter, _ *http.Request) {
+	render.JSON(w, HealthResponse{Status: "ok"})
 }

 // Root is an HTTP handler that using the SHA256 from the URL, returns the root
@ -372,11 +372,11 @@ func Root(w http.ResponseWriter, r *http.Request) {
 	// Load root certificate with the
 	cert, err := mustAuthority(r.Context()).Root(sum)
 	if err != nil {
-		render.Error(w, r, errs.Wrapf(http.StatusNotFound, err, "%s was not found", r.RequestURI))
+		render.Error(w, errs.Wrapf(http.StatusNotFound, err, "%s was not found", r.RequestURI))
 		return
 	}

-	render.JSON(w, r, &RootResponse{RootPEM: Certificate{cert}})
+	render.JSON(w, &RootResponse{RootPEM: Certificate{cert}})
 }

 func certChainToPEM(certChain []*x509.Certificate) []Certificate {
@ -391,17 +391,17 @@ func certChainToPEM(certChain []*x509.Certificate) []Certificate {
 func Provisioners(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	p, next, err := mustAuthority(r.Context()).GetProvisioners(cursor, limit)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

-	render.JSON(w, r, &ProvisionersResponse{
+	render.JSON(w, &ProvisionersResponse{
 		Provisioners: p,
 		NextCursor:   next,
 	})
@ -412,18 +412,18 @@ func ProvisionerKey(w http.ResponseWriter, r *http.Request) {
 	kid := chi.URLParam(r, "kid")
 	key, err := mustAuthority(r.Context()).GetEncryptedKey(kid)
 	if err != nil {
-		render.Error(w, r, errs.NotFoundErr(err))
+		render.Error(w, errs.NotFoundErr(err))
 		return
 	}

-	render.JSON(w, r, &ProvisionerKeyResponse{key})
+	render.JSON(w, &ProvisionerKeyResponse{key})
 }

 // Roots returns all the root certificates for the CA.
 func Roots(w http.ResponseWriter, r *http.Request) {
 	roots, err := mustAuthority(r.Context()).GetRoots()
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error getting roots"))
+		render.Error(w, errs.ForbiddenErr(err, "error getting roots"))
 		return
 	}

@ -432,7 +432,7 @@ func Roots(w http.ResponseWriter, r *http.Request) {
 		certs[i] = Certificate{roots[i]}
 	}

-	render.JSONStatus(w, r, &RootsResponse{
+	render.JSONStatus(w, &RootsResponse{
 		Certificates: certs,
 	}, http.StatusCreated)
 }
@ -441,7 +441,7 @@ func Roots(w http.ResponseWriter, r *http.Request) {
 func RootsPEM(w http.ResponseWriter, r *http.Request) {
 	roots, err := mustAuthority(r.Context()).GetRoots()
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

@ -454,7 +454,7 @@ func RootsPEM(w http.ResponseWriter, r *http.Request) {
 		})

 		if _, err := w.Write(block); err != nil {
-			log.Error(w, r, err)
+			log.Error(w, err)
 			return
 		}
 	}
@ -464,7 +464,7 @@ func RootsPEM(w http.ResponseWriter, r *http.Request) {
 func Federation(w http.ResponseWriter, r *http.Request) {
 	federated, err := mustAuthority(r.Context()).GetFederation()
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error getting federated roots"))
+		render.Error(w, errs.ForbiddenErr(err, "error getting federated roots"))
 		return
 	}

@ -473,7 +473,7 @@ func Federation(w http.ResponseWriter, r *http.Request) {
 		certs[i] = Certificate{federated[i]}
 	}

-	render.JSONStatus(w, r, &FederationResponse{
+	render.JSONStatus(w, &FederationResponse{
 		Certificates: certs,
 	}, http.StatusCreated)
 }
@ -565,7 +565,7 @@ func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate) {
 func ParseCursor(r *http.Request) (cursor string, limit int, err error) {
 	q := r.URL.Query()
 	cursor = q.Get("cursor")
-	if v := q.Get("limit"); v != "" {
+	if v := q.Get("limit"); len(v) > 0 {
 		limit, err = strconv.Atoi(v)
 		if err != nil {
 			return "", 0, errs.BadRequestErr(err, "limit '%s' is not an integer", v)
--- a/api/api_test.go
+++ b/api/api_test.go
@ -189,7 +189,7 @@ type mockAuthority struct {
 	authorizeRenewToken          func(ctx context.Context, ott string) (*x509.Certificate, error)
 	getTLSOptions                func() *authority.TLSOptions
 	root                         func(shasum string) (*x509.Certificate, error)
-	signWithContext              func(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	sign                         func(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	renew                        func(cert *x509.Certificate) ([]*x509.Certificate, error)
 	rekey                        func(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
 	renewContext                 func(ctx context.Context, oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
@ -200,7 +200,7 @@ type mockAuthority struct {
 	getEncryptedKey              func(kid string) (string, error)
 	getRoots                     func() ([]*x509.Certificate, error)
 	getFederation                func() ([]*x509.Certificate, error)
-	getCRL                       func() (*authority.CertificateRevocationListInfo, error)
+	getCRL                       func() ([]byte, error)
 	signSSH                      func(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
 	signSSHAddUser               func(ctx context.Context, key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error)
 	renewSSH                     func(ctx context.Context, cert *ssh.Certificate) (*ssh.Certificate, error)
@ -214,12 +214,12 @@ type mockAuthority struct {
 	version                      func() authority.Version
 }

-func (m *mockAuthority) GetCertificateRevocationList() (*authority.CertificateRevocationListInfo, error) {
+func (m *mockAuthority) GetCertificateRevocationList() ([]byte, error) {
 	if m.getCRL != nil {
 		return m.getCRL()
 	}

-	return m.ret1.(*authority.CertificateRevocationListInfo), m.err
+	return m.ret1.([]byte), m.err
 }

 // TODO: remove once Authorize is deprecated.
@ -251,9 +251,9 @@ func (m *mockAuthority) Root(shasum string) (*x509.Certificate, error) {
 	return m.ret1.(*x509.Certificate), m.err
 }

-func (m *mockAuthority) SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
-	if m.signWithContext != nil {
-		return m.signWithContext(ctx, cr, opts, signOpts...)
+func (m *mockAuthority) Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+	if m.sign != nil {
+		return m.sign(cr, opts, signOpts...)
 	}
 	return []*x509.Certificate{m.ret1.(*x509.Certificate), m.ret2.(*x509.Certificate)}, m.err
 }
@ -789,6 +789,45 @@ func (m *mockProvisioner) AuthorizeSSHRekey(ctx context.Context, token string) (
 	return m.ret1.(*ssh.Certificate), m.ret2.([]provisioner.SignOption), m.err
 }

+func Test_CRLGeneration(t *testing.T) {
+	tests := []struct {
+		name       string
+		err        error
+		statusCode int
+		expected   []byte
+	}{
+		{"empty", nil, http.StatusOK, nil},
+	}
+
+	chiCtx := chi.NewRouteContext()
+	req := httptest.NewRequest("GET", "http://example.com/crl", http.NoBody)
+	req = req.WithContext(context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx))
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockMustAuthority(t, &mockAuthority{ret1: tt.expected, err: tt.err})
+			w := httptest.NewRecorder()
+			CRL(w, req)
+			res := w.Result()
+
+			if res.StatusCode != tt.statusCode {
+				t.Errorf("caHandler.CRL StatusCode = %d, wants %d", res.StatusCode, tt.statusCode)
+			}
+
+			body, err := io.ReadAll(res.Body)
+			res.Body.Close()
+			if err != nil {
+				t.Errorf("caHandler.Root unexpected error = %v", err)
+			}
+			if tt.statusCode == 200 {
+				if !bytes.Equal(bytes.TrimSpace(body), tt.expected) {
+					t.Errorf("caHandler.Root CRL = %s, wants %s", body, tt.expected)
+				}
+			}
+		})
+	}
+}
+
 func Test_caHandler_Route(t *testing.T) {
 	type fields struct {
 		Authority Authority
@ -884,12 +923,16 @@ func Test_Sign(t *testing.T) {
 		CsrPEM: CertificateRequest{csr},
 		OTT:    "foobarzar",
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}
 	invalid, err := json.Marshal(SignRequest{
 		CsrPEM: CertificateRequest{csr},
 		OTT:    "",
 	})
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	expected1 := []byte(`{"crt":"` + strings.ReplaceAll(certPEM, "\n", `\n`) + `\n","ca":"` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n","certChain":["` + strings.ReplaceAll(certPEM, "\n", `\n`) + `\n","` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n"]}`)
 	expected2 := []byte(`{"crt":"` + strings.ReplaceAll(stepCertPEM, "\n", `\n`) + `\n","ca":"` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n","certChain":["` + strings.ReplaceAll(stepCertPEM, "\n", `\n`) + `\n","` + strings.ReplaceAll(rootPEM, "\n", `\n`) + `\n"]}`)
--- a/api/crl.go
+++ b/api/crl.go
@ -3,32 +3,18 @@ package api
 import (
 	"encoding/pem"
 	"net/http"
-	"time"

 	"github.com/smallstep/certificates/api/render"
-	"github.com/smallstep/certificates/errs"
 )

 // CRL is an HTTP handler that returns the current CRL in DER or PEM format
 func CRL(w http.ResponseWriter, r *http.Request) {
-	crlInfo, err := mustAuthority(r.Context()).GetCertificateRevocationList()
+	crlBytes, err := mustAuthority(r.Context()).GetCertificateRevocationList()
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

-	if crlInfo == nil {
-		render.Error(w, r, errs.New(http.StatusNotFound, "no CRL available"))
-		return
-	}
-
-	expires := crlInfo.ExpiresAt
-	if expires.IsZero() {
-		expires = time.Now()
-	}
-
-	w.Header().Add("Expires", expires.Format(time.RFC1123))
-
 	_, formatAsPEM := r.URL.Query()["pem"]
 	if formatAsPEM {
 		w.Header().Add("Content-Type", "application/x-pem-file")
@ -36,11 +22,11 @@ func CRL(w http.ResponseWriter, r *http.Request) {

 		_ = pem.Encode(w, &pem.Block{
 			Type:  "X509 CRL",
-			Bytes: crlInfo.Data,
+			Bytes: crlBytes,
 		})
 	} else {
 		w.Header().Add("Content-Type", "application/pkix-crl")
 		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.der\"")
-		w.Write(crlInfo.Data)
+		w.Write(crlBytes)
 	}
 }
--- a/api/crl_test.go
+++ b/api/crl_test.go
@ -1,93 +0,0 @@
-package api
-
-import (
-	"bytes"
-	"context"
-	"encoding/pem"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/go-chi/chi/v5"
-	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority"
-	"github.com/smallstep/certificates/errs"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func Test_CRL(t *testing.T) {
-	data := []byte{1, 2, 3, 4}
-	pemData := pem.EncodeToMemory(&pem.Block{
-		Type:  "X509 CRL",
-		Bytes: data,
-	})
-	pemData = bytes.TrimSpace(pemData)
-	emptyPEMData := pem.EncodeToMemory(&pem.Block{
-		Type:  "X509 CRL",
-		Bytes: nil,
-	})
-	emptyPEMData = bytes.TrimSpace(emptyPEMData)
-	tests := []struct {
-		name              string
-		url               string
-		err               error
-		statusCode        int
-		crlInfo           *authority.CertificateRevocationListInfo
-		expectedBody      []byte
-		expectedHeaders   http.Header
-		expectedErrorJSON string
-	}{
-		{"ok", "http://example.com/crl", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: data}, data, http.Header{"Content-Type": []string{"application/pkix-crl"}, "Content-Disposition": []string{`attachment; filename="crl.der"`}}, ""},
-		{"ok/pem", "http://example.com/crl?pem=true", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: data}, pemData, http.Header{"Content-Type": []string{"application/x-pem-file"}, "Content-Disposition": []string{`attachment; filename="crl.pem"`}}, ""},
-		{"ok/empty", "http://example.com/crl", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: nil}, nil, http.Header{"Content-Type": []string{"application/pkix-crl"}, "Content-Disposition": []string{`attachment; filename="crl.der"`}}, ""},
-		{"ok/empty-pem", "http://example.com/crl?pem=true", nil, http.StatusOK, &authority.CertificateRevocationListInfo{Data: nil}, emptyPEMData, http.Header{"Content-Type": []string{"application/x-pem-file"}, "Content-Disposition": []string{`attachment; filename="crl.pem"`}}, ""},
-		{"fail/internal", "http://example.com/crl", errs.Wrap(http.StatusInternalServerError, errors.New("failure"), "authority.GetCertificateRevocationList"), http.StatusInternalServerError, nil, nil, http.Header{}, `{"status":500,"message":"The certificate authority encountered an Internal Server Error. Please see the certificate authority logs for more info."}`},
-		{"fail/nil", "http://example.com/crl", nil, http.StatusNotFound, nil, nil, http.Header{}, `{"status":404,"message":"no CRL available"}`},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockMustAuthority(t, &mockAuthority{ret1: tt.crlInfo, err: tt.err})
-
-			chiCtx := chi.NewRouteContext()
-			req := httptest.NewRequest("GET", tt.url, http.NoBody)
-			req = req.WithContext(context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx))
-			w := httptest.NewRecorder()
-			CRL(w, req)
-			res := w.Result()
-
-			assert.Equal(t, tt.statusCode, res.StatusCode)
-
-			body, err := io.ReadAll(res.Body)
-			res.Body.Close()
-			require.NoError(t, err)
-
-			if tt.statusCode >= 300 {
-				assert.JSONEq(t, tt.expectedErrorJSON, string(bytes.TrimSpace(body)))
-				return
-			}
-
-			// check expected header values
-			for _, h := range []string{"content-type", "content-disposition"} {
-				v := tt.expectedHeaders.Get(h)
-				require.NotEmpty(t, v)
-
-				actual := res.Header.Get(h)
-				assert.Equal(t, v, actual)
-			}
-
-			// check expires header value
-			assert.NotEmpty(t, res.Header.Get("expires"))
-			t1, err := time.Parse(time.RFC1123, res.Header.Get("expires"))
-			if assert.NoError(t, err) {
-				assert.False(t, t1.IsZero())
-			}
-
-			// check body contents
-			assert.Equal(t, tt.expectedBody, bytes.TrimSpace(body))
-		})
-	}
-}
--- a/api/log/log.go
+++ b/api/log/log.go
@ -2,7 +2,6 @@
 package log

 import (
-	"context"
 	"fmt"
 	"net/http"
 	"os"
@ -10,29 +9,6 @@ import (
 	"github.com/pkg/errors"
 )

-type errorLoggerKey struct{}
-
-// ErrorLogger is the function type used to log errors.
-type ErrorLogger func(http.ResponseWriter, *http.Request, error)
-
-func (fn ErrorLogger) call(w http.ResponseWriter, r *http.Request, err error) {
-	if fn == nil {
-		return
-	}
-	fn(w, r, err)
-}
-
-// WithErrorLogger returns a new context with the given error logger.
-func WithErrorLogger(ctx context.Context, fn ErrorLogger) context.Context {
-	return context.WithValue(ctx, errorLoggerKey{}, fn)
-}
-
-// ErrorLoggerFromContext returns an error logger from the context.
-func ErrorLoggerFromContext(ctx context.Context) (fn ErrorLogger) {
-	fn, _ = ctx.Value(errorLoggerKey{}).(ErrorLogger)
-	return
-}
-
 // StackTracedError is the set of errors implementing the StackTrace function.
 //
 // Errors implementing this interface have their stack traces logged when passed
@ -51,10 +27,8 @@ type fieldCarrier interface {
 // Error adds to the response writer the given error if it implements
 // logging.ResponseLogger. If it does not implement it, then writes the error
 // using the log package.
-func Error(w http.ResponseWriter, r *http.Request, err error) {
-	ErrorLoggerFromContext(r.Context()).call(w, r, err)
-
-	fc, ok := w.(fieldCarrier)
+func Error(rw http.ResponseWriter, err error) {
+	fc, ok := rw.(fieldCarrier)
 	if !ok {
 		return
 	}
@ -77,7 +51,7 @@ func Error(w http.ResponseWriter, r *http.Request, err error) {

 // EnabledResponse log the response object if it implements the EnableLogger
 // interface.
-func EnabledResponse(rw http.ResponseWriter, r *http.Request, v any) {
+func EnabledResponse(rw http.ResponseWriter, v any) {
 	type enableLogger interface {
 		ToLog() (any, error)
 	}
@ -85,7 +59,7 @@ func EnabledResponse(rw http.ResponseWriter, r *http.Request, v any) {
 	if el, ok := v.(enableLogger); ok {
 		out, err := el.ToLog()
 		if err != nil {
-			Error(rw, r, err)
+			Error(rw, err)

 			return
 		}
--- a/api/log/log_test.go
+++ b/api/log/log_test.go
@ -1,9 +1,6 @@
 package log

 import (
-	"bytes"
-	"encoding/json"
-	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@ -30,34 +27,21 @@ func (stackTracedError) StackTrace() pkgerrors.StackTrace {
 }

 func TestError(t *testing.T) {
-	var buf bytes.Buffer
-	logger := slog.New(slog.NewJSONHandler(&buf, &slog.HandlerOptions{}))
-	req := httptest.NewRequest("GET", "/test", http.NoBody)
-	reqWithLogger := req.WithContext(WithErrorLogger(req.Context(), func(w http.ResponseWriter, r *http.Request, err error) {
-		if err != nil {
-			logger.ErrorContext(r.Context(), "request failed", slog.Any("error", err))
-		}
-	}))
-
 	tests := []struct {
 		name string
 		error
 		rw               http.ResponseWriter
-		r                *http.Request
 		isFieldCarrier   bool
-		isSlogLogger     bool
 		stepDebug        bool
 		expectStackTrace bool
 	}{
-		{"noLogger", nil, nil, req, false, false, false, false},
-		{"noError", nil, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, false, false},
-		{"noErrorDebug", nil, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, false},
-		{"anError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, false, false},
-		{"anErrorDebug", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, false},
-		{"stackTracedError", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, true},
-		{"stackTracedErrorDebug", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, true},
-		{"slogWithNoError", nil, logging.NewResponseLogger(httptest.NewRecorder()), reqWithLogger, true, true, false, false},
-		{"slogWithError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), reqWithLogger, true, true, false, false},
+		{"noLogger", nil, nil, false, false, false},
+		{"noError", nil, logging.NewResponseLogger(httptest.NewRecorder()), true, false, false},
+		{"noErrorDebug", nil, logging.NewResponseLogger(httptest.NewRecorder()), true, true, false},
+		{"anError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), true, false, false},
+		{"anErrorDebug", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), true, true, false},
+		{"stackTracedError", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), true, true, true},
+		{"stackTracedErrorDebug", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), true, true, true},
 	}

 	for _, tt := range tests {
@ -68,41 +52,27 @@ func TestError(t *testing.T) {
 				t.Setenv("STEPDEBUG", "0")
 			}

-			Error(tt.rw, tt.r, tt.error)
+			Error(tt.rw, tt.error)

 			// return early if test case doesn't use logger
-			if !tt.isFieldCarrier && !tt.isSlogLogger {
+			if !tt.isFieldCarrier {
 				return
 			}

-			if tt.isFieldCarrier {
-				fields := tt.rw.(logging.ResponseLogger).Fields()
-
-				// expect the error field to be (not) set and to be the same error that was fed to Error
-				if tt.error == nil {
-					assert.Nil(t, fields["error"])
-				} else {
-					assert.Same(t, tt.error, fields["error"])
-				}
+			fields := tt.rw.(logging.ResponseLogger).Fields()

-				// check if stack-trace is set when expected
-				if _, hasStackTrace := fields["stack-trace"]; tt.expectStackTrace && !hasStackTrace {
-					t.Error(`ResponseLogger["stack-trace"] not set`)
-				} else if !tt.expectStackTrace && hasStackTrace {
-					t.Error(`ResponseLogger["stack-trace"] was set`)
-				}
+			// expect the error field to be (not) set and to be the same error that was fed to Error
+			if tt.error == nil {
+				assert.Nil(t, fields["error"])
+			} else {
+				assert.Same(t, tt.error, fields["error"])
 			}

-			if tt.isSlogLogger {
-				b := buf.Bytes()
-				if tt.error == nil {
-					assert.Empty(t, b)
-				} else if assert.NotEmpty(t, b) {
-					var m map[string]any
-					assert.NoError(t, json.Unmarshal(b, &m))
-					assert.Equal(t, tt.error.Error(), m["error"])
-				}
-				buf.Reset()
+			// check if stack-trace is set when expected
+			if _, hasStackTrace := fields["stack-trace"]; tt.expectStackTrace && !hasStackTrace {
+				t.Error(`ResponseLogger["stack-trace"] not set`)
+			} else if !tt.expectStackTrace && hasStackTrace {
+				t.Error(`ResponseLogger["stack-trace"] was set`)
 			}
 		})
 	}
--- a/api/models/scep.go
+++ b/api/models/scep.go
@ -97,7 +97,7 @@ func (s *SCEP) AuthorizeSSHSign(context.Context, string) ([]provisioner.SignOpti
 	return nil, errDummyImplementation
 }

-// AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite
+// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for revoking SSH Certificates.
 func (s *SCEP) AuthorizeSSHRevoke(context.Context, string) error {
 	return errDummyImplementation
--- a/api/read/read.go
+++ b/api/read/read.go
@ -51,7 +51,7 @@ func (e badProtoJSONError) Error() string {
 }

 // Render implements render.RenderableError for badProtoJSONError
-func (e badProtoJSONError) Render(w http.ResponseWriter, r *http.Request) {
+func (e badProtoJSONError) Render(w http.ResponseWriter) {
 	v := struct {
 		Type    string `json:"type"`
 		Detail  string `json:"detail"`
@ -62,5 +62,5 @@ func (e badProtoJSONError) Render(w http.ResponseWriter, r *http.Request) {
 		// trim the proto prefix for the message
 		Message: strings.TrimSpace(strings.TrimPrefix(e.Error(), "proto:")),
 	}
-	render.JSONStatus(w, r, v, http.StatusBadRequest)
+	render.JSONStatus(w, v, http.StatusBadRequest)
 }
--- a/api/read/read_test.go
+++ b/api/read/read_test.go
@ -142,8 +142,7 @@ func Test_badProtoJSONError_Render(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {

 			w := httptest.NewRecorder()
-			r := httptest.NewRequest("POST", "/test", http.NoBody)
-			tt.e.Render(w, r)
+			tt.e.Render(w)
 			res := w.Result()
 			defer res.Body.Close()

--- a/api/rekey.go
+++ b/api/rekey.go
@ -29,25 +29,25 @@ func (s *RekeyRequest) Validate() error {
 // Rekey is similar to renew except that the certificate will be renewed with new key from csr.
 func Rekey(w http.ResponseWriter, r *http.Request) {
 	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
-		render.Error(w, r, errs.BadRequest("missing client certificate"))
+		render.Error(w, errs.BadRequest("missing client certificate"))
 		return
 	}

 	var body RekeyRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	a := mustAuthority(r.Context())
 	certChain, err := a.Rekey(r.TLS.PeerCertificates[0], body.CsrPEM.CertificateRequest.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Rekey"))
+		render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Rekey"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -57,7 +57,7 @@ func Rekey(w http.ResponseWriter, r *http.Request) {
 	}

 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/render/render.go
+++ b/api/render/render.go
@ -13,8 +13,8 @@ import (
 )

 // JSON is shorthand for JSONStatus(w, v, http.StatusOK).
-func JSON(w http.ResponseWriter, r *http.Request, v interface{}) {
-	JSONStatus(w, r, v, http.StatusOK)
+func JSON(w http.ResponseWriter, v interface{}) {
+	JSONStatus(w, v, http.StatusOK)
 }

 // JSONStatus marshals v into w. It additionally sets the status code of
@ -22,7 +22,7 @@ func JSON(w http.ResponseWriter, r *http.Request, v interface{}) {
 //
 // JSONStatus sets the Content-Type of w to application/json unless one is
 // specified.
-func JSONStatus(w http.ResponseWriter, r *http.Request, v interface{}, status int) {
+func JSONStatus(w http.ResponseWriter, v interface{}, status int) {
 	setContentTypeUnlessPresent(w, "application/json")
 	w.WriteHeader(status)

@ -43,7 +43,7 @@ func JSONStatus(w http.ResponseWriter, r *http.Request, v interface{}, status in
 		}
 	}

-	log.EnabledResponse(w, r, v)
+	log.EnabledResponse(w, v)
 }

 // ProtoJSON is shorthand for ProtoJSONStatus(w, m, http.StatusOK).
@ -80,22 +80,22 @@ func setContentTypeUnlessPresent(w http.ResponseWriter, contentType string) {
 type RenderableError interface {
 	error

-	Render(http.ResponseWriter, *http.Request)
+	Render(http.ResponseWriter)
 }

 // Error marshals the JSON representation of err to w. In case err implements
 // RenderableError its own Render method will be called instead.
-func Error(rw http.ResponseWriter, r *http.Request, err error) {
-	log.Error(rw, r, err)
+func Error(w http.ResponseWriter, err error) {
+	log.Error(w, err)

-	var re RenderableError
-	if errors.As(err, &re) {
-		re.Render(rw, r)
+	var r RenderableError
+	if errors.As(err, &r) {
+		r.Render(w)

 		return
 	}

-	JSONStatus(rw, r, err, statusCodeFromError(err))
+	JSONStatus(w, err, statusCodeFromError(err))
 }

 // StatusCodedError is the set of errors that implement the basic StatusCode
--- a/api/render/render_test.go
+++ b/api/render/render_test.go
@ -18,8 +18,8 @@ import (
 func TestJSON(t *testing.T) {
 	rec := httptest.NewRecorder()
 	rw := logging.NewResponseLogger(rec)
-	r := httptest.NewRequest("POST", "/test", http.NoBody)
-	JSON(rw, r, map[string]interface{}{"foo": "bar"})
+
+	JSON(rw, map[string]interface{}{"foo": "bar"})

 	assert.Equal(t, http.StatusOK, rec.Result().StatusCode)
 	assert.Equal(t, "application/json", rec.Header().Get("Content-Type"))
@ -64,8 +64,7 @@ func jsonPanicTest[T json.UnsupportedTypeError | json.UnsupportedValueError | js
 		assert.ErrorAs(t, err, &e)
 	}()

-	r := httptest.NewRequest("POST", "/test", http.NoBody)
-	JSON(httptest.NewRecorder(), r, v)
+	JSON(httptest.NewRecorder(), v)
 }

 type renderableError struct {
@ -77,9 +76,10 @@ func (err renderableError) Error() string {
 	return err.Message
 }

-func (err renderableError) Render(w http.ResponseWriter, r *http.Request) {
+func (err renderableError) Render(w http.ResponseWriter) {
 	w.Header().Set("Content-Type", "something/custom")
-	JSONStatus(w, r, err, err.Code)
+
+	JSONStatus(w, err, err.Code)
 }

 type statusedError struct {
@ -116,8 +116,8 @@ func TestError(t *testing.T) {

 		t.Run(strconv.Itoa(caseIndex), func(t *testing.T) {
 			rec := httptest.NewRecorder()
-			r := httptest.NewRequest("POST", "/test", http.NoBody)
-			Error(rec, r, kase.err)
+
+			Error(rec, kase.err)

 			assert.Equal(t, kase.code, rec.Result().StatusCode)
 			assert.Equal(t, kase.body, rec.Body.String())
--- a/api/renew.go
+++ b/api/renew.go
@ -23,20 +23,19 @@ func Renew(w http.ResponseWriter, r *http.Request) {
 	// Get the leaf certificate from the peer or the token.
 	cert, token, err := getPeerCertificate(r)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	// The token can be used by RAs to renew a certificate.
 	if token != "" {
 		ctx = authority.NewTokenContext(ctx, token)
-		logOtt(w, token)
 	}

 	a := mustAuthority(ctx)
 	certChain, err := a.RenewContext(ctx, cert, nil)
 	if err != nil {
-		render.Error(w, r, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
+		render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -46,7 +45,7 @@ func Renew(w http.ResponseWriter, r *http.Request) {
 	}

 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/revoke.go
+++ b/api/revoke.go
@ -57,12 +57,12 @@ func (r *RevokeRequest) Validate() (err error) {
 func Revoke(w http.ResponseWriter, r *http.Request) {
 	var body RevokeRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -78,10 +78,10 @@ func Revoke(w http.ResponseWriter, r *http.Request) {

 	// A token indicates that we are using the api via a provisioner token,
 	// otherwise it is assumed that the certificate is revoking itself over mTLS.
-	if body.OTT != "" {
+	if len(body.OTT) > 0 {
 		logOtt(w, body.OTT)
 		if _, err := a.Authorize(ctx, body.OTT); err != nil {
-			render.Error(w, r, errs.UnauthorizedErr(err))
+			render.Error(w, errs.UnauthorizedErr(err))
 			return
 		}
 		opts.OTT = body.OTT
@ -90,12 +90,12 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 		// the client certificate Serial Number must match the serial number
 		// being revoked.
 		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
-			render.Error(w, r, errs.BadRequest("missing ott or client certificate"))
+			render.Error(w, errs.BadRequest("missing ott or client certificate"))
 			return
 		}
 		opts.Crt = r.TLS.PeerCertificates[0]
 		if opts.Crt.SerialNumber.String() != opts.Serial {
-			render.Error(w, r, errs.BadRequest("serial number in client certificate different than body"))
+			render.Error(w, errs.BadRequest("serial number in client certificate different than body"))
 			return
 		}
 		// TODO: should probably be checking if the certificate was revoked here.
@ -106,12 +106,12 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := a.Revoke(ctx, opts); err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error revoking certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error revoking certificate"))
 		return
 	}

 	logRevoke(w, opts)
-	render.JSON(w, r, &RevokeResponse{Status: "ok"})
+	render.JSON(w, &RevokeResponse{Status: "ok"})
 }

 func logRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
--- a/api/sign.go
+++ b/api/sign.go
@ -52,13 +52,13 @@ type SignResponse struct {
 func Sign(w http.ResponseWriter, r *http.Request) {
 	var body SignRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -74,13 +74,13 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}

-	certChain, err := a.SignWithContext(ctx, body.CsrPEM.CertificateRequest, opts, signOpts...)
+	certChain, err := a.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error signing certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error signing certificate"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -90,7 +90,7 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	}

 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/ssh.go
+++ b/api/ssh.go
@ -253,19 +253,19 @@ type SSHBastionResponse struct {
 func SSHSign(w http.ResponseWriter, r *http.Request) {
 	var body SSHSignRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	publicKey, err := ssh.ParsePublicKey(body.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error parsing publicKey"))
+		render.Error(w, errs.BadRequestErr(err, "error parsing publicKey"))
 		return
 	}

@ -273,7 +273,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	if body.AddUserPublicKey != nil {
 		addUserPublicKey, err = ssh.ParsePublicKey(body.AddUserPublicKey)
 		if err != nil {
-			render.Error(w, r, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
+			render.Error(w, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
 			return
 		}
 	}
@ -293,13 +293,13 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}

 	cert, err := a.SignSSH(ctx, publicKey, opts, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error signing ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 		return
 	}

@ -307,7 +307,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
 		addUserCert, err := a.SignSSHAddUser(ctx, addUserPublicKey, cert)
 		if err != nil {
-			render.Error(w, r, errs.ForbiddenErr(err, "error signing ssh certificate"))
+			render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 			return
 		}
 		addUserCertificate = &SSHCertificate{addUserCert}
@ -320,7 +320,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 		ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignIdentityMethod)
 		signOpts, err := a.Authorize(ctx, body.OTT)
 		if err != nil {
-			render.Error(w, r, errs.UnauthorizedErr(err))
+			render.Error(w, errs.UnauthorizedErr(err))
 			return
 		}

@ -330,16 +330,16 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 			NotAfter:  time.Unix(int64(cert.ValidBefore), 0),
 		})

-		certChain, err := a.SignWithContext(ctx, cr, provisioner.SignOptions{}, signOpts...)
+		certChain, err := a.Sign(cr, provisioner.SignOptions{}, signOpts...)
 		if err != nil {
-			render.Error(w, r, errs.ForbiddenErr(err, "error signing identity certificate"))
+			render.Error(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 			return
 		}
 		identityCertificate = certChainToPEM(certChain)
 	}

 	LogSSHCertificate(w, cert)
-	render.JSONStatus(w, r, &SSHSignResponse{
+	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{cert},
 		AddUserCertificate:  addUserCertificate,
 		IdentityCertificate: identityCertificate,
@ -352,12 +352,12 @@ func SSHRoots(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	keys, err := mustAuthority(ctx).GetSSHRoots(ctx)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
-		render.Error(w, r, errs.NotFound("no keys found"))
+		render.Error(w, errs.NotFound("no keys found"))
 		return
 	}

@ -369,7 +369,7 @@ func SSHRoots(w http.ResponseWriter, r *http.Request) {
 		resp.UserKeys = append(resp.UserKeys, SSHPublicKey{PublicKey: k})
 	}

-	render.JSON(w, r, resp)
+	render.JSON(w, resp)
 }

 // SSHFederation is an HTTP handler that returns the federated SSH public keys
@ -378,12 +378,12 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	keys, err := mustAuthority(ctx).GetSSHFederation(ctx)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
-		render.Error(w, r, errs.NotFound("no keys found"))
+		render.Error(w, errs.NotFound("no keys found"))
 		return
 	}

@ -395,7 +395,7 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 		resp.UserKeys = append(resp.UserKeys, SSHPublicKey{PublicKey: k})
 	}

-	render.JSON(w, r, resp)
+	render.JSON(w, resp)
 }

 // SSHConfig is an HTTP handler that returns rendered templates for ssh clients
@ -403,18 +403,18 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 func SSHConfig(w http.ResponseWriter, r *http.Request) {
 	var body SSHConfigRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	ctx := r.Context()
 	ts, err := mustAuthority(ctx).GetSSHConfig(ctx, body.Type, body.Data)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

@ -425,32 +425,32 @@ func SSHConfig(w http.ResponseWriter, r *http.Request) {
 	case provisioner.SSHHostCert:
 		cfg.HostTemplates = ts
 	default:
-		render.Error(w, r, errs.InternalServer("it should hot get here"))
+		render.Error(w, errs.InternalServer("it should hot get here"))
 		return
 	}

-	render.JSON(w, r, cfg)
+	render.JSON(w, cfg)
 }

 // SSHCheckHost is the HTTP handler that returns if a hosts certificate exists or not.
 func SSHCheckHost(w http.ResponseWriter, r *http.Request) {
 	var body SSHCheckPrincipalRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	ctx := r.Context()
 	exists, err := mustAuthority(ctx).CheckSSHHost(ctx, body.Principal, body.Token)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &SSHCheckPrincipalResponse{
+	render.JSON(w, &SSHCheckPrincipalResponse{
 		Exists: exists,
 	})
 }
@ -465,10 +465,10 @@ func SSHGetHosts(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	hosts, err := mustAuthority(ctx).GetSSHHosts(ctx, cert)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &SSHGetHostsResponse{
+	render.JSON(w, &SSHGetHostsResponse{
 		Hosts: hosts,
 	})
 }
@ -477,22 +477,22 @@ func SSHGetHosts(w http.ResponseWriter, r *http.Request) {
 func SSHBastion(w http.ResponseWriter, r *http.Request) {
 	var body SSHBastionRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	ctx := r.Context()
 	bastion, err := mustAuthority(ctx).GetSSHBastion(ctx, body.User, body.Hostname)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

-	render.JSON(w, r, &SSHBastionResponse{
+	render.JSON(w, &SSHBastionResponse{
 		Hostname: body.Hostname,
 		Bastion:  bastion,
 	})
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@ -42,19 +42,19 @@ type SSHRekeyResponse struct {
 func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	var body SSHRekeyRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	publicKey, err := ssh.ParsePublicKey(body.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error parsing publicKey"))
+		render.Error(w, errs.BadRequestErr(err, "error parsing publicKey"))
 		return
 	}

@ -64,18 +64,18 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	newCert, err := a.RekeySSH(ctx, oldCert, publicKey, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error rekeying ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error rekeying ssh certificate"))
 		return
 	}

@ -85,12 +85,12 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {

 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing identity certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}

 	LogSSHCertificate(w, newCert)
-	render.JSONStatus(w, r, &SSHRekeyResponse{
+	render.JSONStatus(w, &SSHRekeyResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
 	}, http.StatusCreated)
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@ -40,13 +40,13 @@ type SSHRenewResponse struct {
 func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	var body SSHRenewRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -56,18 +56,18 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	_, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}

 	newCert, err := a.RenewSSH(ctx, oldCert)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing ssh certificate"))
 		return
 	}

@ -77,12 +77,12 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {

 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing identity certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}

 	LogSSHCertificate(w, newCert)
-	render.JSONStatus(w, r, &SSHSignResponse{
+	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
 	}, http.StatusCreated)
--- a/api/sshRevoke.go
+++ b/api/sshRevoke.go
@ -51,12 +51,12 @@ func (r *SSHRevokeRequest) Validate() (err error) {
 func SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	var body SSHRevokeRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -75,18 +75,18 @@ func SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	logOtt(w, body.OTT)

 	if _, err := a.Authorize(ctx, body.OTT); err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	opts.OTT = body.OTT

 	if err := a.Revoke(ctx, opts); err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error revoking ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
 		return
 	}

 	logSSHRevoke(w, opts)
-	render.JSON(w, r, &SSHRevokeResponse{Status: "ok"})
+	render.JSON(w, &SSHRevokeResponse{Status: "ok"})
 }

 func logSSHRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
--- a/api/ssh_test.go
+++ b/api/ssh_test.go
@ -325,7 +325,7 @@ func Test_SSHSign(t *testing.T) {
 				signSSHAddUser: func(ctx context.Context, key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error) {
 					return tt.addUserCert, tt.addUserErr
 				},
-				signWithContext: func(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
+				sign: func(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 					return tt.tlsSignCerts, tt.tlsSignErr
 				},
 			})
--- a/authority/admin/api/acme.go
+++ b/authority/admin/api/acme.go
@ -40,12 +40,12 @@ func requireEABEnabled(next http.HandlerFunc) http.HandlerFunc {

 		acmeProvisioner := prov.GetDetails().GetACME()
 		if acmeProvisioner == nil {
-			render.Error(w, r, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))
+			render.Error(w, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))
 			return
 		}

 		if !acmeProvisioner.RequireEab {
-			render.Error(w, r, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))
+			render.Error(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))
 			return
 		}

@ -69,18 +69,18 @@ func NewACMEAdminResponder() ACMEAdminResponder {
 }

 // GetExternalAccountKeys writes the response for the EAB keys GET endpoint
-func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, _ *http.Request) {
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }

 // CreateExternalAccountKey writes the response for the EAB key POST endpoint
-func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }

 // DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
-func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }

 func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {
--- a/authority/admin/api/admin.go
+++ b/authority/admin/api/admin.go
@ -90,7 +90,7 @@ func GetAdmin(w http.ResponseWriter, r *http.Request) {

 	adm, ok := mustAuthority(r.Context()).LoadAdminByID(id)
 	if !ok {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType,
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType,
 			"admin %s not found", id))
 		return
 	}
@ -101,17 +101,17 @@ func GetAdmin(w http.ResponseWriter, r *http.Request) {
 func GetAdmins(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := api.ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err,
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err,
 			"error parsing cursor and limit from query params"))
 		return
 	}

 	admins, nextCursor, err := mustAuthority(r.Context()).GetAdmins(cursor, limit)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving paginated admins"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving paginated admins"))
 		return
 	}
-	render.JSON(w, r, &GetAdminsResponse{
+	render.JSON(w, &GetAdminsResponse{
 		Admins:     admins,
 		NextCursor: nextCursor,
 	})
@ -121,19 +121,19 @@ func GetAdmins(w http.ResponseWriter, r *http.Request) {
 func CreateAdmin(w http.ResponseWriter, r *http.Request) {
 	var body CreateAdminRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	auth := mustAuthority(r.Context())
 	p, err := auth.LoadProvisionerByName(body.Provisioner)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", body.Provisioner))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", body.Provisioner))
 		return
 	}
 	adm := &linkedca.Admin{
@ -143,7 +143,7 @@ func CreateAdmin(w http.ResponseWriter, r *http.Request) {
 	}
 	// Store to authority collection.
 	if err := auth.StoreAdmin(r.Context(), adm, p); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error storing admin"))
+		render.Error(w, admin.WrapErrorISE(err, "error storing admin"))
 		return
 	}

@ -155,23 +155,23 @@ func DeleteAdmin(w http.ResponseWriter, r *http.Request) {
 	id := chi.URLParam(r, "id")

 	if err := mustAuthority(r.Context()).RemoveAdmin(r.Context(), id); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting admin %s", id))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting admin %s", id))
 		return
 	}

-	render.JSON(w, r, &DeleteResponse{Status: "ok"})
+	render.JSON(w, &DeleteResponse{Status: "ok"})
 }

 // UpdateAdmin updates an existing admin.
 func UpdateAdmin(w http.ResponseWriter, r *http.Request) {
 	var body UpdateAdminRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
 		return
 	}

 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -179,7 +179,7 @@ func UpdateAdmin(w http.ResponseWriter, r *http.Request) {
 	auth := mustAuthority(r.Context())
 	adm, err := auth.UpdateAdmin(r.Context(), id, &linkedca.Admin{Type: body.Type})
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating admin %s", id))
+		render.Error(w, admin.WrapErrorISE(err, "error updating admin %s", id))
 		return
 	}

--- a/authority/admin/api/middleware.go
+++ b/authority/admin/api/middleware.go
@ -1,6 +1,7 @@
 package api

 import (
+	"errors"
 	"net/http"

 	"github.com/go-chi/chi/v5"
@ -19,7 +20,7 @@ import (
 func requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if !mustAuthority(r.Context()).IsAdminAPIEnabled() {
-			render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "administration API not enabled"))
+			render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "administration API not enabled"))
 			return
 		}
 		next(w, r)
@ -31,7 +32,7 @@ func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		tok := r.Header.Get("Authorization")
 		if tok == "" {
-			render.Error(w, r, admin.NewError(admin.ErrorUnauthorizedType,
+			render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,
 				"missing authorization header token"))
 			return
 		}
@ -39,7 +40,7 @@ func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
 		ctx := r.Context()
 		adm, err := mustAuthority(ctx).AuthorizeAdminToken(r, tok)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}

@ -64,13 +65,13 @@ func loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc {

 		// TODO(hs): distinguish 404 vs. 500
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}

 		prov, err := adminDB.GetProvisioner(ctx, p.GetID())
 		if err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
 			return
 		}

@ -91,7 +92,7 @@ func checkAction(next http.HandlerFunc, supportedInStandalone bool) http.Handler
 		// when an action is not supported in standalone mode and when
 		// using a nosql.DB backend, actions are not supported
 		if _, ok := admin.MustFromContext(r.Context()).(*nosql.DB); ok {
-			render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType,
+			render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
 				"operation not supported in standalone mode"))
 			return
 		}
@ -124,16 +125,16 @@ func loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {
 		}

 		if err != nil {
-			if acme.IsErrNotFound(err) {
-				render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
+			if errors.Is(err, acme.ErrNotFound) {
+				render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
 				return
 			}
-			render.Error(w, r, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
+			render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
 			return
 		}

 		if eak == nil {
-			render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
+			render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
 			return
 		}

--- a/authority/admin/api/policy.go
+++ b/authority/admin/api/policy.go
@ -35,7 +35,7 @@ type PolicyAdminResponder interface {
 // policyAdminResponder implements PolicyAdminResponder.
 type policyAdminResponder struct{}

-// NewPolicyAdminResponder returns a new PolicyAdminResponder.
+// NewACMEAdminResponder returns a new PolicyAdminResponder.
 func NewPolicyAdminResponder() PolicyAdminResponder {
 	return &policyAdminResponder{}
 }
@ -44,7 +44,7 @@ func NewPolicyAdminResponder() PolicyAdminResponder {
 func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -52,12 +52,12 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
 	authorityPolicy, err := auth.GetAuthorityPolicy(r.Context())
 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(ae, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}

@ -68,7 +68,7 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
 func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -77,26 +77,26 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r

 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
 		return
 	}

@ -105,11 +105,11 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 	var createdPolicy *linkedca.Policy
 	if createdPolicy, err = auth.CreateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error storing authority policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error storing authority policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error storing authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error storing authority policy"))
 		return
 	}

@ -120,7 +120,7 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -129,25 +129,25 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r

 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
 		return
 	}

@ -156,11 +156,11 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 	var updatedPolicy *linkedca.Policy
 	if updatedPolicy, err = auth.UpdateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating authority policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating authority policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error updating authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating authority policy"))
 		return
 	}

@ -171,7 +171,7 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -180,35 +180,35 @@ func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r

 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(ae, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
 		return
 	}

 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}

 	if err := auth.RemoveAuthorityPolicy(ctx); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting authority policy"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 // GetProvisionerPolicy handles the GET /admin/provisioners/{name}/policy request
 func (par *policyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov := linkedca.MustProvisionerFromContext(ctx)
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}

@ -219,7 +219,7 @@ func (par *policyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *
 func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -227,20 +227,20 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "provisioner %s already has a policy", prov.Name)
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
 		return
 	}

@ -248,11 +248,11 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error creating provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating provisioner policy"))
 		return
 	}

@ -263,27 +263,27 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov := linkedca.MustProvisionerFromContext(ctx)
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
 		return
 	}

@ -291,11 +291,11 @@ func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error updating provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating provisioner policy"))
 		return
 	}

@ -306,13 +306,13 @@ func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	prov := linkedca.MustProvisionerFromContext(ctx)
 	if prov.Policy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}

@ -321,24 +321,24 @@ func (par *policyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter,

 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting provisioner policy"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 func (par *policyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}

@ -348,7 +348,7 @@ func (par *policyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *
 func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -357,20 +357,20 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "ACME EAK %s already has a policy", eak.Id)
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
 		return
 	}

@ -379,7 +379,7 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error creating ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating ACME EAK policy"))
 		return
 	}

@ -389,7 +389,7 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -397,20 +397,20 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}

 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	newPolicy.Deduplicate()

 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
 		return
 	}

@ -418,7 +418,7 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating ACME EAK policy"))
 		return
 	}

@ -428,7 +428,7 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -436,7 +436,7 @@ func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}

@ -446,11 +446,11 @@ func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting ACME EAK policy"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 // blockLinkedCA blocks all API operations on linked deployments
--- a/authority/admin/api/provisioner.go
+++ b/authority/admin/api/provisioner.go
@ -38,21 +38,21 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
 	auth := mustAuthority(ctx)
 	db := admin.MustFromContext(ctx)

-	if id != "" {
+	if len(id) > 0 {
 		if p, err = auth.LoadProvisionerByID(id); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", id))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
 			return
 		}
 	} else {
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}
 	}

 	prov, err := db.GetProvisioner(ctx, p.GetID())
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	render.ProtoJSON(w, prov)
@ -62,17 +62,17 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
 func GetProvisioners(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := api.ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err,
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err,
 			"error parsing cursor and limit from query params"))
 		return
 	}

 	p, next, err := mustAuthority(r.Context()).GetProvisioners(cursor, limit)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &GetProvisionersResponse{
+	render.JSON(w, &GetProvisionersResponse{
 		Provisioners: p,
 		NextCursor:   next,
 	})
@ -82,24 +82,24 @@ func GetProvisioners(w http.ResponseWriter, r *http.Request) {
 func CreateProvisioner(w http.ResponseWriter, r *http.Request) {
 	var prov = new(linkedca.Provisioner)
 	if err := read.ProtoJSON(r.Body, prov); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	// TODO: Validate inputs
 	if err := authority.ValidateClaims(prov.Claims); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	// validate the templates and template data
 	if err := validateTemplates(prov.X509Template, prov.SshTemplate); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
 		return
 	}

 	if err := mustAuthority(r.Context()).StoreProvisioner(r.Context(), prov); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
+		render.Error(w, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
 		return
 	}
 	render.ProtoJSONStatus(w, prov, http.StatusCreated)
@ -116,31 +116,31 @@ func DeleteProvisioner(w http.ResponseWriter, r *http.Request) {
 	name := chi.URLParam(r, "name")
 	auth := mustAuthority(r.Context())

-	if id != "" {
+	if len(id) > 0 {
 		if p, err = auth.LoadProvisionerByID(id); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", id))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
 			return
 		}
 	} else {
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}
 	}

 	if err := auth.RemoveProvisioner(r.Context(), p.GetID()); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error removing provisioner %s", p.GetName()))
+		render.Error(w, admin.WrapErrorISE(err, "error removing provisioner %s", p.GetName()))
 		return
 	}

-	render.JSON(w, r, &DeleteResponse{Status: "ok"})
+	render.JSON(w, &DeleteResponse{Status: "ok"})
 }

 // UpdateProvisioner updates an existing prov.
 func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {
 	var nu = new(linkedca.Provisioner)
 	if err := read.ProtoJSON(r.Body, nu); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -151,51 +151,51 @@ func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {

 	p, err := auth.LoadProvisionerByName(name)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner from cached configuration '%s'", name))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner from cached configuration '%s'", name))
 		return
 	}

 	old, err := db.GetProvisioner(r.Context(), p.GetID())
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner from db '%s'", p.GetID()))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner from db '%s'", p.GetID()))
 		return
 	}

 	if nu.Id != old.Id {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner ID"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner ID"))
 		return
 	}
 	if nu.Type != old.Type {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner type"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner type"))
 		return
 	}
 	if nu.AuthorityId != old.AuthorityId {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner authorityID"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner authorityID"))
 		return
 	}
 	if !nu.CreatedAt.AsTime().Equal(old.CreatedAt.AsTime()) {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner createdAt"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner createdAt"))
 		return
 	}
 	if !nu.DeletedAt.AsTime().Equal(old.DeletedAt.AsTime()) {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner deletedAt"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner deletedAt"))
 		return
 	}

 	// TODO: Validate inputs
 	if err := authority.ValidateClaims(nu.Claims); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	// validate the templates and template data
 	if err := validateTemplates(nu.X509Template, nu.SshTemplate); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
 		return
 	}

 	if err := auth.UpdateProvisioner(r.Context(), nu); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	render.ProtoJSON(w, nu)
--- a/authority/admin/api/webhook.go
+++ b/authority/admin/api/webhook.go
@ -71,28 +71,28 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter

 	var newWebhook = new(linkedca.Webhook)
 	if err := read.ProtoJSON(r.Body, newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	if err := validateWebhook(newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if newWebhook.Secret != "" {
 		err := admin.NewError(admin.ErrorBadRequestType, "webhook secret must not be set")
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if newWebhook.Id != "" {
 		err := admin.NewError(admin.ErrorBadRequestType, "webhook ID must not be set")
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	id, err := randutil.UUIDv4()
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook id"))
+		render.Error(w, admin.WrapErrorISE(err, "error generating webhook id"))
 		return
 	}
 	newWebhook.Id = id
@ -101,14 +101,14 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 	for _, wh := range prov.Webhooks {
 		if wh.Name == newWebhook.Name {
 			err := admin.NewError(admin.ErrorConflictType, "provisioner %q already has a webhook with the name %q", prov.Name, newWebhook.Name)
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 	}

 	secret, err := randutil.Bytes(64)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook secret"))
+		render.Error(w, admin.WrapErrorISE(err, "error generating webhook secret"))
 		return
 	}
 	newWebhook.Secret = base64.StdEncoding.EncodeToString(secret)
@ -117,11 +117,11 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter

 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner webhook"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error creating provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating provisioner webhook"))
 		return
 	}

@ -145,21 +145,21 @@ func (war *webhookAdminResponder) DeleteProvisionerWebhook(w http.ResponseWriter
 		}
 	}
 	if !found {
-		render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+		render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 		return
 	}

 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error deleting provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error deleting provisioner webhook"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting provisioner webhook"))
 		return
 	}

-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }

 func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter, r *http.Request) {
@ -170,12 +170,12 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter

 	var newWebhook = new(linkedca.Webhook)
 	if err := read.ProtoJSON(r.Body, newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	if err := validateWebhook(newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

@ -186,13 +186,13 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 		}
 		if newWebhook.Secret != "" && newWebhook.Secret != wh.Secret {
 			err := admin.NewError(admin.ErrorBadRequestType, "webhook secret cannot be updated")
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		newWebhook.Secret = wh.Secret
 		if newWebhook.Id != "" && newWebhook.Id != wh.Id {
 			err := admin.NewError(admin.ErrorBadRequestType, "webhook ID cannot be updated")
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		newWebhook.Id = wh.Id
@ -203,17 +203,17 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 	if !found {
 		msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
 		err := admin.NewError(admin.ErrorNotFoundType, msg)
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}

 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner webhook"))
 			return
 		}

-		render.Error(w, r, admin.WrapErrorISE(err, "error updating provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating provisioner webhook"))
 		return
 	}

--- a/authority/admin/db/nosql/admin_test.go
+++ b/authority/admin/db/nosql/admin_test.go
@ -857,7 +857,7 @@ func TestDB_CreateAdmin(t *testing.T) {
 						var _dba = new(dbAdmin)
 						assert.FatalError(t, json.Unmarshal(nu, _dba))

-						assert.True(t, _dba.ID != "" && _dba.ID == string(key))
+						assert.True(t, len(_dba.ID) > 0 && _dba.ID == string(key))
 						assert.Equals(t, _dba.AuthorityID, adm.AuthorityId)
 						assert.Equals(t, _dba.ProvisionerID, adm.ProvisionerId)
 						assert.Equals(t, _dba.Subject, adm.Subject)
@ -890,7 +890,7 @@ func TestDB_CreateAdmin(t *testing.T) {
 						var _dba = new(dbAdmin)
 						assert.FatalError(t, json.Unmarshal(nu, _dba))

-						assert.True(t, _dba.ID != "" && _dba.ID == string(key))
+						assert.True(t, len(_dba.ID) > 0 && _dba.ID == string(key))
 						assert.Equals(t, _dba.AuthorityID, adm.AuthorityId)
 						assert.Equals(t, _dba.ProvisionerID, adm.ProvisionerId)
 						assert.Equals(t, _dba.Subject, adm.Subject)
--- a/authority/admin/db/nosql/provisioner_test.go
+++ b/authority/admin/db/nosql/provisioner_test.go
@ -906,7 +906,7 @@ func TestDB_CreateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
@ -944,7 +944,7 @@ func TestDB_CreateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
@ -1093,7 +1093,7 @@ func TestDB_UpdateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
@ -1188,7 +1188,7 @@ func TestDB_UpdateProvisioner(t *testing.T) {
 						var _dbp = new(dbProvisioner)
 						assert.FatalError(t, json.Unmarshal(nu, _dbp))

-						assert.True(t, _dbp.ID != "" && _dbp.ID == string(key))
+						assert.True(t, len(_dbp.ID) > 0 && _dbp.ID == string(key))
 						assert.Equals(t, _dbp.AuthorityID, prov.AuthorityId)
 						assert.Equals(t, _dbp.Type, prov.Type)
 						assert.Equals(t, _dbp.Name, prov.Name)
--- a/authority/admin/errors.go
+++ b/authority/admin/errors.go
@ -205,8 +205,8 @@ func (e *Error) ToLog() (interface{}, error) {
 }

 // Render implements render.RenderableError for Error.
-func (e *Error) Render(w http.ResponseWriter, r *http.Request) {
+func (e *Error) Render(w http.ResponseWriter) {
 	e.Message = e.Err.Error()

-	render.JSONStatus(w, r, e, e.StatusCode())
+	render.JSONStatus(w, e, e.StatusCode())
 }
--- a/authority/authority.go
+++ b/authority/authority.go
@ -62,10 +62,9 @@ type Authority struct {
 	x509Enforcers         []provisioner.CertificateEnforcer

 	// SCEP CA
-	scepOptions    *scep.Options
-	validateSCEP   bool
-	scepAuthority  *scep.Authority
-	scepKeyManager provisioner.SCEPKeyManager
+	scepOptions   *scep.Options
+	validateSCEP  bool
+	scepAuthority *scep.Authority

 	// SSH CA
 	sshHostPassword         []byte
@ -105,9 +104,6 @@ type Authority struct {

 	// If true, do not output initialization logs
 	quietInit bool
-
-	// Called whenever applicable, in order to instrument the authority.
-	meter Meter
 }

 // Info contains information about the authority.
@ -130,7 +126,6 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 		config:       cfg,
 		certificates: new(sync.Map),
 		validateSCEP: true,
-		meter:        noopMeter{},
 	}

 	// Apply options.
@ -139,9 +134,6 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 			return nil, err
 		}
 	}
-	if a.keyManager != nil {
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
-	}

 	if !a.skipInit {
 		// Initialize authority from options or configuration.
@ -159,7 +151,6 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 	a := &Authority{
 		config:       &config.Config{},
 		certificates: new(sync.Map),
-		meter:        noopMeter{},
 	}

 	// Apply options.
@ -168,9 +159,6 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 			return nil, err
 		}
 	}
-	if a.keyManager != nil {
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
-	}

 	// Validate required options
 	switch {
@ -349,8 +337,6 @@ func (a *Authority) init() error {
 		if err != nil {
 			return err
 		}
-
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
 	}

 	// Initialize linkedca client if necessary. On a linked RA, the issuer
@ -447,7 +433,6 @@ func (a *Authority) init() error {
 				return err
 			}
 			a.rootX509Certs = append(a.rootX509Certs, resp.RootCertificate)
-			a.intermediateX509Certs = append(a.intermediateX509Certs, resp.IntermediateCertificates...)
 		}
 	}

@ -696,42 +681,32 @@ func (a *Authority) init() error {
 			options := &scep.Options{
 				Roots:         a.rootX509Certs,
 				Intermediates: a.intermediateX509Certs,
+				SignerCert:    a.intermediateX509Certs[0],
 			}
-
-			// intermediate certificates can be empty in RA mode
-			if len(a.intermediateX509Certs) > 0 {
-				options.SignerCert = a.intermediateX509Certs[0]
+			if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
+				SigningKey: a.config.IntermediateKey,
+				Password:   a.password,
+			}); err != nil {
+				return err
 			}
-
-			// attempt to create the (default) SCEP signer if the intermediate
-			// key is configured.
-			if a.config.IntermediateKey != "" {
-				if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-					SigningKey: a.config.IntermediateKey,
-					Password:   a.password,
-				}); err != nil {
-					return err
-				}
-
-				// TODO(hs): instead of creating the decrypter here, pass the
-				// intermediate key + chain down to the SCEP authority,
-				// and only instantiate it when required there. Is that possible?
-				// Also with entering passwords?
-				// TODO(hs): if moving the logic, try improving the logic for the
-				// decrypter password too? Right now it needs to be entered multiple
-				// times; I've observed it to be three times maximum, every time
-				// the intermediate key is read.
-				_, isRSAKey := options.Signer.Public().(*rsa.PublicKey)
-				if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSAKey {
-					if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-						DecryptionKey: a.config.IntermediateKey,
-						Password:      a.password,
-					}); err == nil {
-						// only pass the decrypter down when it was successfully created,
-						// meaning it's an RSA key, and `CreateDecrypter` did not fail.
-						options.Decrypter = decrypter
-						options.DecrypterCert = options.Intermediates[0]
-					}
+			// TODO(hs): instead of creating the decrypter here, pass the
+			// intermediate key + chain down to the SCEP authority,
+			// and only instantiate it when required there. Is that possible?
+			// Also with entering passwords?
+			// TODO(hs): if moving the logic, try improving the logic for the
+			// decrypter password too? Right now it needs to be entered multiple
+			// times; I've observed it to be three times maximum, every time
+			// the intermediate key is read.
+			_, isRSA := options.Signer.Public().(*rsa.PublicKey)
+			if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSA {
+				if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+					DecryptionKey: a.config.IntermediateKey,
+					Password:      a.password,
+				}); err == nil {
+					// only pass the decrypter down when it was successfully created,
+					// meaning it's an RSA key, and `CreateDecrypter` did not fail.
+					options.Decrypter = decrypter
+					options.DecrypterCert = options.Intermediates[0]
 				}
 			}

--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@ -1,7 +1,6 @@
 package authority

 import (
-	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/sha256"
@ -113,7 +112,7 @@ func TestAuthorityNew(t *testing.T) {
 			c.Root = []string{"foo"}
 			return &newTest{
 				config: c,
-				err:    errors.New(`error reading "foo": no such file or directory`),
+				err:    errors.New("error reading foo: no such file or directory"),
 			}
 		},
 		"fail bad password": func(t *testing.T) *newTest {
@ -131,7 +130,7 @@ func TestAuthorityNew(t *testing.T) {
 			c.IntermediateCert = "wrong"
 			return &newTest{
 				config: c,
-				err:    errors.New(`error reading "wrong": no such file or directory`),
+				err:    errors.New("error reading wrong: no such file or directory"),
 			}
 		},
 	}
@ -415,7 +414,7 @@ func TestNewEmbedded_Sign(t *testing.T) {
 	csr, err := x509.ParseCertificateRequest(cr)
 	assert.FatalError(t, err)

-	cert, err := a.SignWithContext(context.Background(), csr, provisioner.SignOptions{})
+	cert, err := a.Sign(csr, provisioner.SignOptions{})
 	assert.FatalError(t, err)
 	assert.Equals(t, []string{"foo.bar.zar"}, cert[0].DNSNames)
 	assert.Equals(t, crt, cert[1])
--- a/authority/authorize.go
+++ b/authority/authorize.go
@ -286,16 +286,16 @@ func (a *Authority) authorizeRevoke(ctx context.Context, token string) error {
 // extra extension cannot be found, authorize the renewal by default.
 //
 // TODO(mariano): should we authorize by default?
-func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) (provisioner.Interface, error) {
+func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) error {
 	serial := cert.SerialNumber.String()
 	var opts = []interface{}{errs.WithKeyVal("serialNumber", serial)}

 	isRevoked, err := a.IsRevoked(serial)
 	if err != nil {
-		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
 	if isRevoked {
-		return nil, errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
+		return errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
 	}
 	p, err := a.LoadProvisionerByCertificate(cert)
 	if err != nil {
@ -305,13 +305,13 @@ func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate)
 		// returns the noop provisioner if this happens, and it allows
 		// certificate renewals.
 		if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
-			return nil, errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+			return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
 		}
 	}
 	if err := p.AuthorizeRenew(ctx, cert); err != nil {
-		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
-	return p, nil
+	return nil
 }

 // authorizeSSHCertificate returns an error if the given certificate is revoked.
--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
@ -876,7 +876,7 @@ func TestAuthority_authorizeRenew(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			tc := genTestCase(t)

-			_, err := tc.auth.authorizeRenew(context.Background(), tc.cert)
+			err := tc.auth.authorizeRenew(context.Background(), tc.cert)
 			if err != nil {
 				if assert.NotNil(t, tc.err) {
 					var sc render.StatusCodedError
@ -1375,7 +1375,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	}

 	generateX5cToken := func(a *Authority, key crypto.Signer, claims jose.Claims, opts ...provisioner.SignOption) (string, *x509.Certificate) {
-		chain, err := a.SignWithContext(ctx, csr, provisioner.SignOptions{}, opts...)
+		chain, err := a.Sign(csr, provisioner.SignOptions{}, opts...)
 		if err != nil {
 			t.Fatal(err)
 		}
--- a/authority/config/config.go
+++ b/authority/config/config.go
@ -83,7 +83,6 @@ type Config struct {
 	Templates        *templates.Templates `json:"templates,omitempty"`
 	CommonName       string               `json:"commonName,omitempty"`
 	CRL              *CRLConfig           `json:"crl,omitempty"`
-	MetricsAddress   string               `json:"metricsAddress,omitempty"`
 	SkipValidation   bool                 `json:"-"`

 	// Keeps record of the filename the Config is read from
@ -328,12 +327,6 @@ func (c *Config) Validate() error {
 		return errors.Errorf("invalid address %s", c.Address)
 	}

-	if addr := c.MetricsAddress; addr != "" {
-		if _, _, err := net.SplitHostPort(addr); err != nil {
-			return errors.Errorf("invalid metrics address %q", c.Address)
-		}
-	}
-
 	if c.TLS == nil {
 		c.TLS = &DefaultTLSOptions
 	} else {
--- a/authority/internal/constraints/verify.go
+++ b/authority/internal/constraints/verify.go
@ -203,7 +203,7 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
 // domainToReverseLabels converts a textual domain name like foo.example.com to
 // the list of labels in reverse order, e.g. ["com", "example", "foo"].
 func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
-	for domain != "" {
+	for len(domain) > 0 {
 		if i := strings.LastIndexByte(domain, '.'); i == -1 {
 			reverseLabels = append(reverseLabels, domain)
 			domain = ""
@ -316,7 +316,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 	} else {
 		// Atom ("." Atom)*
 	NextChar:
-		for in != "" {
+		for len(in) > 0 {
 			// atext from RFC 2822, Section 3.2.4
 			c := in[0]

--- a/authority/linkedca.go
+++ b/authority/linkedca.go
@ -110,7 +110,7 @@ func newLinkedCAClient(token string) (*linkedCaClient, error) {
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate

 	// Start mTLS client
-	conn, err := grpc.NewClient(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
+	conn, err := grpc.Dial(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error connecting %s", u.Host)
 	}
@ -478,7 +478,10 @@ func getAuthority(sans []string) (string, error) {
 // getRootCertificate creates an insecure majordomo client and returns the
 // verified root certificate.
 func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) {
-	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		//nolint:gosec // used in bootstrap protocol
 		InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
 	})))
@ -486,7 +489,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 		return nil, errors.Wrapf(err, "error connecting %s", endpoint)
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()

 	client := linkedca.NewMajordomoClient(conn)
@ -528,7 +531,11 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 // login creates a new majordomo client with just the root ca pool and returns
 // the signed certificate and tls configuration.
 func login(authority, token string, csr *x509.CertificateRequest, signer crypto.PrivateKey, endpoint string, rootCAs *x509.CertPool) (*tls.Certificate, *tls.Config, error) {
-	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	// Connect to majordomo
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		MinVersion: tls.VersionTLS12,
 		RootCAs:    rootCAs,
 	})))
@ -537,7 +544,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
 	}

 	// Login to get the signed certificate
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()

 	client := linkedca.NewMajordomoClient(conn)
--- a/authority/meter.go
+++ b/authority/meter.go
@ -1,111 +0,0 @@
-package authority
-
-import (
-	"crypto"
-	"io"
-
-	"go.step.sm/crypto/kms"
-	kmsapi "go.step.sm/crypto/kms/apiv1"
-
-	"github.com/smallstep/certificates/authority/provisioner"
-)
-
-// Meter wraps the set of defined callbacks for metrics gatherers.
-type Meter interface {
-	// X509Signed is called whenever an X509 certificate is signed.
-	X509Signed(provisioner.Interface, error)
-
-	// X509Renewed is called whenever an X509 certificate is renewed.
-	X509Renewed(provisioner.Interface, error)
-
-	// X509Rekeyed is called whenever an X509 certificate is rekeyed.
-	X509Rekeyed(provisioner.Interface, error)
-
-	// X509WebhookAuthorized is called whenever an X509 authoring webhook is called.
-	X509WebhookAuthorized(provisioner.Interface, error)
-
-	// X509WebhookEnriched is called whenever an X509 enriching webhook is called.
-	X509WebhookEnriched(provisioner.Interface, error)
-
-	// SSHSigned is called whenever an SSH certificate is signed.
-	SSHSigned(provisioner.Interface, error)
-
-	// SSHRenewed is called whenever an SSH certificate is renewed.
-	SSHRenewed(provisioner.Interface, error)
-
-	// SSHRekeyed is called whenever an SSH certificate is rekeyed.
-	SSHRekeyed(provisioner.Interface, error)
-
-	// SSHWebhookAuthorized is called whenever an SSH authoring webhook is called.
-	SSHWebhookAuthorized(provisioner.Interface, error)
-
-	// SSHWebhookEnriched is called whenever an SSH enriching webhook is called.
-	SSHWebhookEnriched(provisioner.Interface, error)
-
-	// KMSSigned is called per KMS signer signature.
-	KMSSigned(error)
-}
-
-// noopMeter implements a noop [Meter].
-type noopMeter struct{}
-
-func (noopMeter) SSHRekeyed(provisioner.Interface, error)            {}
-func (noopMeter) SSHRenewed(provisioner.Interface, error)            {}
-func (noopMeter) SSHSigned(provisioner.Interface, error)             {}
-func (noopMeter) SSHWebhookAuthorized(provisioner.Interface, error)  {}
-func (noopMeter) SSHWebhookEnriched(provisioner.Interface, error)    {}
-func (noopMeter) X509Rekeyed(provisioner.Interface, error)           {}
-func (noopMeter) X509Renewed(provisioner.Interface, error)           {}
-func (noopMeter) X509Signed(provisioner.Interface, error)            {}
-func (noopMeter) X509WebhookAuthorized(provisioner.Interface, error) {}
-func (noopMeter) X509WebhookEnriched(provisioner.Interface, error)   {}
-func (noopMeter) KMSSigned(error)                                    {}
-
-type instrumentedKeyManager struct {
-	kms.KeyManager
-	meter Meter
-}
-
-type instrumentedKeyAndDecrypterManager struct {
-	kms.KeyManager
-	decrypter kmsapi.Decrypter
-	meter     Meter
-}
-
-func newInstrumentedKeyManager(k kms.KeyManager, m Meter) kms.KeyManager {
-	decrypter, isDecrypter := k.(kmsapi.Decrypter)
-	switch {
-	case isDecrypter:
-		return &instrumentedKeyAndDecrypterManager{&instrumentedKeyManager{k, m}, decrypter, m}
-	default:
-		return &instrumentedKeyManager{k, m}
-	}
-}
-
-func (i *instrumentedKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (s crypto.Signer, err error) {
-	if s, err = i.KeyManager.CreateSigner(req); err == nil {
-		s = &instrumentedKMSSigner{s, i.meter}
-	}
-
-	return
-}
-
-func (i *instrumentedKeyAndDecrypterManager) CreateDecrypter(req *kmsapi.CreateDecrypterRequest) (s crypto.Decrypter, err error) {
-	return i.decrypter.CreateDecrypter(req)
-}
-
-type instrumentedKMSSigner struct {
-	crypto.Signer
-	meter Meter
-}
-
-func (i *instrumentedKMSSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	signature, err = i.Signer.Sign(rand, digest, opts)
-	i.meter.KMSSigned(err)
-
-	return
-}
-
-var _ kms.KeyManager = (*instrumentedKeyManager)(nil)
-var _ kms.KeyManager = (*instrumentedKeyAndDecrypterManager)(nil)
-var _ kmsapi.Decrypter = (*instrumentedKeyAndDecrypterManager)(nil)
--- a/authority/options.go
+++ b/authority/options.go
@ -167,15 +167,6 @@ func WithKeyManager(k kms.KeyManager) Option {
 	}
 }

-// WithX509CAService allows the consumer to provide an externally implemented
-// API implementation of apiv1.CertificateAuthorityService
-func WithX509CAService(svc casapi.CertificateAuthorityService) Option {
-	return func(a *Authority) error {
-		a.x509CAService = svc
-		return nil
-	}
-}
-
 // WithX509Signer defines the signer used to sign X509 certificates.
 func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
 	return WithX509SignerChain([]*x509.Certificate{crt}, s)
@ -226,16 +217,6 @@ func WithFullSCEPOptions(options *scep.Options) Option {
 	}
 }

-// WithSCEPKeyManager defines the key manager used on SCEP provisioners.
-//
-// This feature is EXPERIMENTAL and might change at any time.
-func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option {
-	return func(a *Authority) error {
-		a.scepKeyManager = skm
-		return nil
-	}
-}
-
 // WithSSHUserSigner defines the signer used to sign SSH user certificates.
 func WithSSHUserSigner(s crypto.Signer) Option {
 	return func(a *Authority) error {
@ -400,16 +381,3 @@ func readCertificateBundle(pemCerts []byte) ([]*x509.Certificate, error) {
 	}
 	return certs, nil
 }
-
-// WithMeter is an option that sets the authority's [Meter] to the provided one.
-func WithMeter(m Meter) Option {
-	if m == nil {
-		m = noopMeter{}
-	}
-
-	return func(a *Authority) (_ error) {
-		a.meter = m
-
-		return
-	}
-}
--- a/authority/policy/policy.go
+++ b/authority/policy/policy.go
@ -21,7 +21,6 @@ type HostPolicy policy.SSHNamePolicyEngine
 func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error) {
 	// return early if no policy engine options to configure
 	if policyOptions == nil {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

@ -51,7 +50,6 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,

 	// ensure no policy engine is returned when no name options were provided
 	if len(options) == 0 {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

@ -95,7 +93,6 @@ func NewSSHHostPolicyEngine(policyOptions SSHPolicyOptionsInterface) (HostPolicy
 func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEngineType) (policy.SSHNamePolicyEngine, error) {
 	// return early if no policy engine options to configure
 	if policyOptions == nil {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

@ -137,7 +134,6 @@ func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEn

 	// ensure no policy engine is returned when no name options were provided
 	if len(options) == 0 {
-		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}

--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@ -10,6 +10,7 @@ import (
 	"time"

 	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/acme/wire"
 	"go.step.sm/linkedca"
 )

@ -26,6 +27,10 @@ const (
 	TLS_ALPN_01 ACMEChallenge = "tls-alpn-01"
 	// DEVICE_ATTEST_01 is the device-attest-01 ACME challenge.
 	DEVICE_ATTEST_01 ACMEChallenge = "device-attest-01"
+	// WIREOIDC_01 is the Wire OIDC challenge.
+	WIREOIDC_01 ACMEChallenge = "wire-oidc-01"
+	// WIREDPOP_01 is the Wire DPoP challenge.
+	WIREDPOP_01 ACMEChallenge = "wire-dpop-01"
 )

 // String returns a normalized version of the challenge.
@ -36,7 +41,7 @@ func (c ACMEChallenge) String() string {
 // Validate returns an error if the acme challenge is not a valid one.
 func (c ACMEChallenge) Validate() error {
 	switch ACMEChallenge(c.String()) {
-	case HTTP_01, DNS_01, TLS_ALPN_01, DEVICE_ATTEST_01:
+	case HTTP_01, DNS_01, TLS_ALPN_01, DEVICE_ATTEST_01, WIREOIDC_01, WIREDPOP_01:
 		return nil
 	default:
 		return fmt.Errorf("acme challenge %q is not supported", c)
@ -218,6 +223,10 @@ const (
 	IP ACMEIdentifierType = "ip"
 	// DNS is the ACME dns identifier type
 	DNS ACMEIdentifierType = "dns"
+	// WireUser is the Wire user identifier type
+	WireUser ACMEIdentifierType = "wireapp-user"
+	// WireDevice is the Wire device identifier type
+	WireDevice ACMEIdentifierType = "wireapp-device"
 )

 // ACMEIdentifier encodes ACME Order Identifiers
@ -243,6 +252,18 @@ func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdenti
 		err = x509Policy.IsIPAllowed(net.ParseIP(identifier.Value))
 	case DNS:
 		err = x509Policy.IsDNSAllowed(identifier.Value)
+	case WireUser:
+		var wireID wire.UserID
+		if wireID, err = wire.ParseUserID([]byte(identifier.Value)); err != nil {
+			return fmt.Errorf("failed parsing Wire SANs: %w", err)
+		}
+		err = x509Policy.AreSANsAllowed([]string{wireID.Handle})
+	case WireDevice:
+		var wireID wire.DeviceID
+		if wireID, err = wire.ParseDeviceID([]byte(identifier.Value)); err != nil {
+			return fmt.Errorf("failed parsing Wire SANs: %w", err)
+		}
+		err = x509Policy.AreSANsAllowed([]string{wireID.ClientID})
 	default:
 		err = fmt.Errorf("invalid ACME identifier type '%s' provided", identifier.Type)
 	}
--- a/authority/provisioner/aws_certificates.pem
+++ b/authority/provisioner/aws_certificates.pem
@ -1,89 +1,24 @@
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
-# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/regions-certs.html use RSA format

-
-# certificate for us-east-2
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUVJTc+hOU+8Gk3JlqsX438Dk5c58wDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE3MTE0OVoXDTI5MDQyODE3MTE0OVowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUVJTc+hOU
-+8Gk3JlqsX438Dk5c58wEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQAywJQaVNWJqW0R0T0xVOSoN1GLk9x9kKEuN67RN9CLin4dA97qa7Mr5W4P
-FZ6vnh5CjOhQBRXV9xJUeYSdqVItNAUFK/fEzDdjf1nUfPlQ3OJ49u6CV01NoJ9m
-usvY9kWcV46dqn2bk2MyfTTgvmeqP8fiMRPxxnVRkSzlldP5Fg==
-----END CERTIFICATE-----
-
-# certificate for us-east-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUE1y2NIKCU+Rg4uu4u32koG9QEYIwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE3MzQwMVoXDTI5MDQyODE3MzQwMVowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUE1y2NIKC
-U+Rg4uu4u32koG9QEYIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQAlxSmwcWnhT4uAeSinJuz+1BTcKhVSWb5jT8pYjQb8ZoZkXXRGb09mvYeU
-NeqOBr27rvRAnaQ/9LUQf72+SahDFuS4CMI8nwowytqbmwquqFr4dxA/SDADyRiF
-ea1UoMuNHTY49J/1vPomqsVn7mugTp+TbjqCfOJTpu0temHcFA==
-----END CERTIFICATE-----
-
-# certificate for us-west-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUK2zmY9PUSTR7rc1k2OwPYu4+g7wwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE3MDI0M1oXDTI5MDQyODE3MDI0M1owXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUK2zmY9PU
-STR7rc1k2OwPYu4+g7wwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQA1Ng4QmN4n7iPh5CnadSOc0ZfM7by0dBePwZJyGvOHdaw6P6E/vEk76KsC
-Q8p+akuzVzVPkU4kBK/TRqLp19wEWoVwhhTaxHjQ1tTRHqXIVlrkw4JrtFbeNM21
-GlkSLonuzmNZdivn9WuQYeGe7nUD4w3q9GgiF3CPorJe+UxtbA==
-----END CERTIFICATE-----
-
-# certificate for us-west-2
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUFx8PxCkbHwpD31bOyCtyz3GclbgwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE3MjM1OVoXDTI5MDQyODE3MjM1OVowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUFx8PxCkb
-HwpD31bOyCtyz3GclbgwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQBzOl+9Xy1+UsbUBI95HO9mbbdnuX+aMJXgG9uFZNjgNEbMcvx+h8P9IMko
-z7PzFdheQQ1NLjsHH9mSR1SyC4m9ja6BsejH5nLBWyCdjfdP3muZM4O5+r7vUa1O
-dWU+hP/T7DUrPAIVMOE7mpYa+WPWJrN6BlRwQkKQ7twm9kDalA==
+# default certificate for "other regions"
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
+FgYDVQQKEw9BbWF6b24uY29tIEluYy4xGjAYBgNVBAMTEWVjMi5hbWF6b25hd3Mu
+Y29tMB4XDTE0MDYwNTE0MjgwMloXDTI0MDYwNTE0MjgwMlowajELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNV
+BAoTD0FtYXpvbi5jb20gSW5jLjEaMBgGA1UEAxMRZWMyLmFtYXpvbmF3cy5jb20w
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIe9GN//SRK2knbjySG0ho3yqQM3
+e2TDhWO8D2e8+XZqck754gFSo99AbT2RmXClambI7xsYHZFapbELC4H91ycihvrD
+jbST1ZjkLQgga0NE1q43eS68ZeTDccScXQSNivSlzJZS8HJZjgqzBlXjZftjtdJL
+XeE4hwvo0sD4f3j9AgMBAAGjgc8wgcwwHQYDVR0OBBYEFCXWzAgVyrbwnFncFFIs
+77VBdlE4MIGcBgNVHSMEgZQwgZGAFCXWzAgVyrbwnFncFFIs77VBdlE4oW6kbDBq
+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh
+dHRsZTEYMBYGA1UEChMPQW1hem9uLmNvbSBJbmMuMRowGAYDVQQDExFlYzIuYW1h
+em9uYXdzLmNvbYIJAKnL4UEDMN/FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADgYEAFYcz1OgEhQBXIwIdsgCOS8vEtiJYF+j9uO6jz7VOmJqO+pRlAbRlvY8T
+C1haGgSI/A1uZUKs/Zfnph0oEI0/hu1IIJ/SKBDtN5lvmZ/IzbOPIJWirlsllQIQ
+7zvWbGd9c9+Rm3p04oTvhup99la7kZqevJK0QRdD/6NpCKsqP/0=
 -----END CERTIFICATE-----

 # certificate for eu-south-1
@ -157,7 +92,7 @@ NTpxxcXmUKquX+pHmIkK1LKDO8rNE84jqxrxRsfDi6by82fjVYf2pgjJW8R1FAw+
 mL5WQRFexbfB5aXhcMo0AA==
 -----END CERTIFICATE-----

-# certificate for cn-north-1
+# certificate for cn-north-1, cn-northwest-1
 -----BEGIN CERTIFICATE-----
 MIIDCzCCAnSgAwIBAgIJALSOMbOoU2svMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
 BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
@ -178,48 +113,6 @@ oADS0ph+YUz5P/bUCm61wFjlxaTfwKcuTR3ytj7bFLoW5Bm7Sa+TCl3lOGb2taon
 SUDlRyNy1jJFstEZjOhs
 -----END CERTIFICATE-----

-# certificate for cn-northwest-1
-----BEGIN CERTIFICATE-----
-MIIDCzCCAnSgAwIBAgIJALSOMbOoU2svMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
-BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
-dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0yMzA3MDQw
-ODM1MzlaFw0yODA3MDIwODM1MzlaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBX
-YXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6
-b24gV2ViIFNlcnZpY2VzIExMQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-uhhUNlqAZdcWWB/OSDVDGk3OA99EFzOn/mJlmciQ/Xwu2dFJWmSCqEAE6gjufCjQ
-q3voxAhC2CF+elKtJW/C0Sz/LYo60PUqd6iXF4h+upB9HkOOGuWHXsHBTsvgkgGA
-1CGgel4U0Cdq+23eANr8N8m28UzljjSnTlrYCHtzN4sCAwEAAaOB1DCB0TALBgNV
-HQ8EBAMCB4AwHQYDVR0OBBYEFBkZu3wT27NnYgrfH+xJz4HJaNJoMIGOBgNVHSME
-gYYwgYOAFBkZu3wT27NnYgrfH+xJz4HJaNJooWCkXjBcMQswCQYDVQQGEwJVUzEZ
-MBcGA1UECBMQV2FzaGluZ3RvbiBTdGF0ZTEQMA4GA1UEBxMHU2VhdHRsZTEgMB4G
-A1UEChMXQW1hem9uIFdlYiBTZXJ2aWNlcyBMTEOCCQC0jjGzqFNrLzASBgNVHRMB
-Af8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4GBAECji43p+oPkYqmzll7e8Hgb
-oADS0ph+YUz5P/bUCm61wFjlxaTfwKcuTR3ytj7bFLoW5Bm7Sa+TCl3lOGb2taon
-2h+9NirRK6JYk87LMNvbS40HGPFumJL2NzEsGUeK+MRiWu+Oh5/lJGii3qw4YByx
-SUDlRyNy1jJFstEZjOhs
-----END CERTIFICATE-----
-
-# certificate for eu-central-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUFD5GsmkxRuecttwsCG763m3u63UwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE1NTUyOVoXDTI5MDQyODE1NTUyOVowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUFD5Gsmkx
-RuecttwsCG763m3u63UwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQBBh0WaXlBsW56Hqk588MmJxsOrvcKfDjF57RgEDgnGnQaJcStCVWDO9UYO
-JX2tdsPw+E7AjDqjsuxYaotLn3Mr3mK0sNOXq9BljBnWD4pARg89KZnZI8FN35HQ
-O/LYOVHCknuPL123VmVRNs51qQA9hkPjvw21UzpDLxaUxt9Z/w==
-----END CERTIFICATE-----
-
 # certificate for eu-central-2
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXjSGFGiMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
@ -236,27 +129,6 @@ NBElvPCDKFvTJl4QQhToy056llO5GvdS9RK+H8xrP2mrqngApoKTApv93vHBixgF
 Sn5KrczRO0YSm3OjkqbydU7DFlmkXXR7GYE+5jbHvQHYiT1J5sMu
 -----END CERTIFICATE-----

-# certificate for ap-south-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUDLA+x6tTAP3LRTr0z6nOxfsozdMwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE0MTMwMVoXDTI5MDQyODE0MTMwMVowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUDLA+x6tT
-AP3LRTr0z6nOxfsozdMwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQAZ7rYKoAwwiiH1M5GJbrT/BEk3OO2VrEPw8ZxgpqQ/EKlzMlOs/0Cyrmp7
-UYyUgYFQe5nq37Z94rOUSeMgv/WRxaMwrLlLqD78cuF9DSkXaZIX/kECtVaUnjk8
-BZx0QhoIHOpQocJUSlm/dLeMuE0+0A3HNR6JVktGsUdv9ulmKw==
-----END CERTIFICATE-----
-
 # certificate for ap-south-2
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXjwLj9CMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
@ -273,48 +145,6 @@ ETwUZ9mTq2vxlV0KvuetCDNS5u4cJsxe/TGGbYP0yP2qfMl0cCImzRI5W0gn8gog
 dervfeT7nH5ih0TWEy/QDWfkQ601L4erm4yh4YQq8vcqAPSkf04N
 -----END CERTIFICATE-----

-# certificate for ap-southeast-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUSqP6ih+++5KF07NXngrWf26mhSUwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE0MzAxNFoXDTI5MDQyODE0MzAxNFowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUSqP6ih++
-+5KF07NXngrWf26mhSUwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQAw13BxW11U/JL58j//Fmk7qqtrZTqXmaz1qm2WlIpJpW750MOcP4ux1uPy
-eM0RdVZ4jHSMv5gtLAv/PjExBfw9n6vNCk+5GZG4Xec5DoapBZHXmfMo93sjxBFP
-4x9rWn0GuwAVO9ukjYPevq2Rerilrq5VvppHtbATVNY2qecXDA==
-----END CERTIFICATE-----
-
-# certificate for ap-southeast-2
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUFxWyAdk4oiXIOC9PxcgjYYh71mwwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE1MjE0M1oXDTI5MDQyODE1MjE0M1owXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUFxWyAdk4
-oiXIOC9PxcgjYYh71mwwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQByjeQe6lr7fiIhoGdjBXYzDfkX0lGGvMIhRh57G1bbceQfaYdZd7Ptc0jl
-bpycKGaTvhUdkpMOiV2Hi9dOOYawkdhyJDstmDNKu6P9+b6Kak8He5z3NU1tUR2Y
-uTwcz7Ye8Nldx//ws3raErfTI7D6s9m63OX8cAJ/f8bNgikwpw==
-----END CERTIFICATE-----
-
 # certificate for ap-southeast-3
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXbVDG2yMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
@ -395,244 +225,23 @@ WX00FTEj4hRVjameE1nENoO8Z7fUVloAFDlDo69fhkJeSvn51D1WRrPnoWGgEfr1
 +OfK1bAcKTtfkkkP9r4RdwSjKzO5Zu/B+Wqm3kVEz/QNcz6npmA6
 -----END CERTIFICATE-----

-# certificate for us-gov-east-1
+# certificate for us-gov-east-1 and us-gov-west-1
 -----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIULVyrqjjwZ461qelPCiShB1KCCj4wDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDUwNzE1MjIzNloXDTI5MDUwNjE1MjIzNlowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCpohwYUVPH9I7Vbkb3WMe/JB0Y/bmfVj3VpcK445YBRO9K80al
-esjgBc2tAX4KYg4Lht4EBKccLHTzaNi51YEGX1aLNrSmxhz1+WtzNLNUsyY3zD9z
-vwX/3k1+JB2dRA+m+Cpwx4mjzZyAeQtHtegVaAytkmqtxQrSCexBxvqRqQIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU1ZXneBYnPvYXkHVlVjg7918V
-gE8wgZkGA1UdIwSBkTCBjoAU1ZXneBYnPvYXkHVlVjg7918VgE+hYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IULVyrqjjw
-Z461qelPCiShB1KCCj4wEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQBfAL/YZv0y3zmVbXjyxQCsDloeDCJjFKIu3ameEckeIWJbST9LMto0zViZ
-puIAf05x6GQiEqfBMk+YMxJfcTmJB4Ebaj4egFlslJPSHyC2xuydHlr3B04INOH5
-Z2oCM68u6GGbj0jZjg7GJonkReG9N72kDva/ukwZKgq8zErQVQ==
-----END CERTIFICATE-----
-
-# certificate for us-gov-west-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUe5wGF3jfb7lUHzvDxmM/ktGCLwwwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDUwNzE3MzAzMloXDTI5MDUwNjE3MzAzMlowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCpohwYUVPH9I7Vbkb3WMe/JB0Y/bmfVj3VpcK445YBRO9K80al
-esjgBc2tAX4KYg4Lht4EBKccLHTzaNi51YEGX1aLNrSmxhz1+WtzNLNUsyY3zD9z
-vwX/3k1+JB2dRA+m+Cpwx4mjzZyAeQtHtegVaAytkmqtxQrSCexBxvqRqQIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU1ZXneBYnPvYXkHVlVjg7918V
-gE8wgZkGA1UdIwSBkTCBjoAU1ZXneBYnPvYXkHVlVjg7918VgE+hYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUe5wGF3jf
-b7lUHzvDxmM/ktGCLwwwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQCbTdpx1Iob9SwUReY4exMnlwQlmkTLyA8tYGWzchCJOJJEPfsW0ryy1A0H
-YIuvyUty3rJdp9ib8h3GZR71BkZnNddHhy06kPs4p8ewF8+d8OWtOJQcI+ZnFfG4
-KyM4rUsBrljpG2aOCm12iACEyrvgJJrS8VZwUDZS6mZEnn/lhA==
-----END CERTIFICATE-----
-
-# certificate for ca-west-1
-----BEGIN CERTIFICATE-----
-MIICMzCCAZygAwIBAgIGAYPou9weMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
-AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
-MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMjEwMTgwMTM2
-MDlaGA8yMjAxMTAxODAxMzYwOVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
-c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
-biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK
-1kIcG5Q6adBXQM75GldfTSiXl7tn54p10TnspI0ErDdb2B6q2Ji/v4XBVH13ZCMg
-qlRHMqV8AWI5iO6gFn2A9sN3AZXTMqwtZeiDdebq3k6Wt7ieYvpXTg0qvgsjQIov
-RZWaBDBJy9x8C2hW+w9lMQjFHkJ7Jy/PHCJ69EzebQIDAQABMA0GCSqGSIb3DQEB
-BQUAA4GBAGe9Snkz1A6rHBH6/5kDtYvtPYwhx2sXNxztbhkXErFk40Nw5l459NZx
-EeudxJBLoCkkSgYjhRcOZ/gvDVtWG7qyb6fAqgoisyAbk8K9LzxSim2S1nmT9vD8
-4B/t/VvwQBylc+ej8kRxMH7fquZLp7IXfmtBzyUqu6Dpbne+chG2
-----END CERTIFICATE-----
-
-# certificate for ap-northeast-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIULgwDh7TiDrPPBJwscqDwiBHkEFQwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTEyMjMxMFoXDTI5MDQyODEyMjMxMFowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IULgwDh7Ti
-DrPPBJwscqDwiBHkEFQwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQBtjAglBde1t4F9EHCZOj4qnY6Gigy07Ou54i+lR77MhbpzE8V28Li9l+YT
-QMIn6SzJqU3/fIycIro1OVY1lHmaKYgPGSEZxBenSBHfzwDLRmC9oRp4QMe0BjOC
-gepj1lUoiN7OA6PtA+ycNlsP0oJvdBjhvayLiuM3tUfLTrgHbw==
-----END CERTIFICATE-----
-
-# certificate for ap-northeast-2
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUbBSn2UIO6vYk4iNWV0RPxJJtHlgwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTEzMzg0NloXDTI5MDQyODEzMzg0NlowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUbBSn2UIO
-6vYk4iNWV0RPxJJtHlgwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQAmjTjalG8MGLqWTC2uYqEM8nzI3px1eo0ArvFRsyqQ3fgmWcQpxExqUqRy
-l3+2134Kv8dFab04Gut5wlfRtc2OwPKKicmv/IXGN+9bKFnQFjTqif08NIzrDZch
-aFT/uvxrIiM+oN2YsHq66GUhO2+xVRXDXVxM/VObFgPERbJpyA==
-----END CERTIFICATE-----
-
-# certificate for ap-northeast-3
-----BEGIN CERTIFICATE-----
-MIICMzCCAZygAwIBAgIGAYPou9weMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
-AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
-MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMjEwMTgwMTM2
-MDlaGA8yMjAxMTAxODAxMzYwOVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
-c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
-biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK
-1kIcG5Q6adBXQM75GldfTSiXl7tn54p10TnspI0ErDdb2B6q2Ji/v4XBVH13ZCMg
-qlRHMqV8AWI5iO6gFn2A9sN3AZXTMqwtZeiDdebq3k6Wt7ieYvpXTg0qvgsjQIov
-RZWaBDBJy9x8C2hW+w9lMQjFHkJ7Jy/PHCJ69EzebQIDAQABMA0GCSqGSIb3DQEB
-BQUAA4GBAGe9Snkz1A6rHBH6/5kDtYvtPYwhx2sXNxztbhkXErFk40Nw5l459NZx
-EeudxJBLoCkkSgYjhRcOZ/gvDVtWG7qyb6fAqgoisyAbk8K9LzxSim2S1nmT9vD8
-4B/t/VvwQBylc+ej8kRxMH7fquZLp7IXfmtBzyUqu6Dpbne+chG2
-----END CERTIFICATE-----
-
-# certificate for ca-central-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUIrLgixJJB5C4G8z6pZ5rB0JU2aQwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE1MzU0M1oXDTI5MDQyODE1MzU0M1owXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUIrLgixJJ
-B5C4G8z6pZ5rB0JU2aQwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQBHiQJmzyFAaSYs8SpiRijIDZW2RIo7qBKb/pI3rqK6yOWDlPuMr6yNI81D
-IrKGGftg4Z+2KETYU4x76HSf0s//vfH3QA57qFaAwddhKYy4BhteFQl/Wex3xTlX
-LiwI07kwJvJy3mS6UfQ4HcvZy219tY+0iyOWrz/jVxwq7TOkCw==
-----END CERTIFICATE-----
-
-# certificate for eu-west-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUakDaQ1Zqy87Hy9ESXA1pFC116HkwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE2MTgxMFoXDTI5MDQyODE2MTgxMFowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUakDaQ1Zq
-y87Hy9ESXA1pFC116HkwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQADIkn/MqaLGPuK5+prZZ5Ox4bBZLPtreO2C7r0pqU2kPM2lVPyYYydkvP0
-lgSmmsErGu/oL9JNztDe2oCA+kNy17ehcsf8cw0uP861czNFKCeU8b7FgBbL+sIm
-qi33rAq6owWGi/5uEcfCR+JP7W+oSYVir5r/yDmWzx+BVH5S/g==
-----END CERTIFICATE-----
-
-# certificate for eu-west-2
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUCgCV/DPxYNND/swDgEKGiC5I+EwwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE2MjkxNFoXDTI5MDQyODE2MjkxNFowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUCgCV/DPx
-YNND/swDgEKGiC5I+EwwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQATPu/sOE2esNa4+XPEGKlEJSgqzyBSQLQc+VWo6FAJhGG9fp7D97jhHeLC
-5vwfmtTAfnGBxadfAOT3ASkxnOZhXtnRna460LtnNHm7ArCVgXKJo7uBn6ViXtFh
-uEEw4y6p9YaLQna+VC8Xtgw6WKq2JXuKzuhuNKSFaGGw9vRcHg==
-----END CERTIFICATE-----
-
-# certificate for eu-west-3
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUaC9fX57UDr6u1vBvsCsECKBZQyIwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE2MzczOFoXDTI5MDQyODE2MzczOFowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUaC9fX57U
-Dr6u1vBvsCsECKBZQyIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQCARv1bQEDaMEzYI0nPlu8GHcMXgmgA94HyrXhMMcaIlQwocGBs6VILGVhM
-TXP2r3JFaPEpmXSQNQHvGA13clKwAZbni8wtzv6qXb4L4muF34iQRHF0nYrEDoK7
-mMPR8+oXKKuPO/mv/XKo6XAV5DDERdSYHX5kkA2R9wtvyZjPnQ==
-----END CERTIFICATE-----
-
-# certificate for eu-north-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUN1c9U6U/xiVDFgJcYKZB4NkH1QEwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE2MDYwM1oXDTI5MDQyODE2MDYwM1owXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUN1c9U6U/
-xiVDFgJcYKZB4NkH1QEwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQBTIQdoFSDRHkpqNPUbZ9WXR2O5v/9bpmHojMYZb3Hw46wsaRso7STiGGX/
-tRqjIkPUIXsdhZ3+7S/RmhFznmZc8e0bjU4n5vi9CJtQSt+1u4E17+V2bF+D3h/7
-wcfE0l3414Q8JaTDtfEf/aF3F0uyBvr4MDMd7mFvAMmDmBPSlA==
-----END CERTIFICATE-----
-
-# certificate for sa-east-1
-----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUX4Bh4MQ86Roh37VDRRX1MNOB3TcwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
-MB4XDTI0MDQyOTE2NDYwOVoXDTI5MDQyODE2NDYwOVowXDELMAkGA1UEBhMCVVMx
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUX4Bh4MQ8
-6Roh37VDRRX1MNOB3TcwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
-AAOBgQBnhocfH6ZIX6F5K9+Y9V4HFk8vSaaKL5ytw/P5td1h9ej94KF3xkZ5fyjN
-URvGQv3kNmNJBoNarcP9I7JIMjsNPmVzqWawyCEGCZImoARxSS3Fc5EAs2PyBfcD
-9nCtzMTaKO09Xyq0wqXVYn1xJsE5d5yBDsGrzaTHKjxo61+ezQ==
-----END CERTIFICATE-----
+MIIDCzCCAnSgAwIBAgIJAIe9Hnq82O7UMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
+dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0yMTA3MTQx
+NDI3NTdaFw0yNDA3MTMxNDI3NTdaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBX
+YXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6
+b24gV2ViIFNlcnZpY2VzIExMQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+qaIcGFFTx/SO1W5G91jHvyQdGP25n1Y91aXCuOOWAUTvSvNGpXrI4AXNrQF+CmIO
+C4beBASnHCx082jYudWBBl9Wiza0psYc9flrczSzVLMmN8w/c78F/95NfiQdnUQP
+pvgqcMeJo82cgHkLR7XoFWgMrZJqrcUK0gnsQcb6kakCAwEAAaOB1DCB0TALBgNV
+HQ8EBAMCB4AwHQYDVR0OBBYEFNWV53gWJz72F5B1ZVY4O/dfFYBPMIGOBgNVHSME
+gYYwgYOAFNWV53gWJz72F5B1ZVY4O/dfFYBPoWCkXjBcMQswCQYDVQQGEwJVUzEZ
+MBcGA1UECBMQV2FzaGluZ3RvbiBTdGF0ZTEQMA4GA1UEBxMHU2VhdHRsZTEgMB4G
+A1UEChMXQW1hem9uIFdlYiBTZXJ2aWNlcyBMTEOCCQCHvR56vNju1DASBgNVHRMB
+Af8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4GBACrKjWj460GUPZCGm3/z0dIz
+M2BPuH769wcOsqfFZcMKEysSFK91tVtUb1soFwH4/Lb/T0PqNrvtEwD1Nva5k0h2
+xZhNNRmDuhOhW1K9wCcnHGRBwY5t4lYL6hNV6hcrqYwGMjTjcAjBG2yMgznSNFle
+Rwi/S3BFXISixNx9cILu
+-----END CERTIFICATE-----
--- a/authority/provisioner/aws_test.go
+++ b/authority/provisioner/aws_test.go
@ -896,5 +896,5 @@ func TestAWS_HardcodedCertificates(t *testing.T) {
 		assert.True(t, cert.NotAfter.After(time.Now()))
 		certs = append(certs, cert)
 	}
-	assert.Len(t, 33, certs, "expected 33 certificates in aws_certificates.pem, but got %d", len(certs))
+	assert.Len(t, 14, certs, "expected 14 certificates in aws_certificates.pem")
 }
--- a/authority/provisioner/claims.go
+++ b/authority/provisioner/claims.go
@ -234,24 +234,24 @@ func (c *Claimer) IsSSHCAEnabled() bool {
 // Validate validates and modifies the Claims with default values.
 func (c *Claimer) Validate() error {
 	var (
-		minDur = c.MinTLSCertDuration()
-		maxDur = c.MaxTLSCertDuration()
-		defDur = c.DefaultTLSCertDuration()
+		min = c.MinTLSCertDuration()
+		max = c.MaxTLSCertDuration()
+		def = c.DefaultTLSCertDuration()
 	)
 	switch {
-	case minDur <= 0:
+	case min <= 0:
 		return errors.Errorf("claims: MinTLSCertDuration must be greater than 0")
-	case maxDur <= 0:
+	case max <= 0:
 		return errors.Errorf("claims: MaxTLSCertDuration must be greater than 0")
-	case defDur <= 0:
+	case def <= 0:
 		return errors.Errorf("claims: DefaultTLSCertDuration must be greater than 0")
-	case maxDur < minDur:
+	case max < min:
 		return errors.Errorf("claims: MaxCertDuration cannot be less "+
-			"than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", maxDur, minDur)
-	case defDur < minDur:
-		return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", defDur, minDur)
-	case maxDur < defDur:
-		return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", maxDur, defDur)
+			"than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", max, min)
+	case def < min:
+		return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", def, min)
+	case max < def:
+		return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", max, def)
 	default:
 		return nil
 	}
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@ -125,7 +125,7 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 	}

 	// Try with azp (OIDC)
-	if payload.AuthorizedParty != "" {
+	if len(payload.AuthorizedParty) > 0 {
 		if p, ok := c.LoadByTokenID(payload.AuthorizedParty); ok {
 			return p, ok
 		}
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -87,7 +87,7 @@ func (p *JWK) GetType() Type {

 // GetEncryptedKey returns the base provisioner encrypted key if it's defined.
 func (p *JWK) GetEncryptedKey() (string, string, bool) {
-	return p.Key.KeyID, p.EncryptedKey, p.EncryptedKey != ""
+	return p.Key.KeyID, p.EncryptedKey, len(p.EncryptedKey) > 0
 }

 // Init initializes and validates the fields of a JWK type.
--- a/authority/provisioner/keystore.go
+++ b/authority/provisioner/keystore.go
@ -105,7 +105,7 @@ func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) {

 func getCacheAge(cacheControl string) time.Duration {
 	age := defaultCacheAge
-	if cacheControl != "" {
+	if len(cacheControl) > 0 {
 		match := maxAgeRegex.FindAllStringSubmatch(cacheControl, -1)
 		if len(match) > 0 {
 			if len(match[0]) == 2 {
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -93,8 +93,6 @@ type OIDC struct {
 	ListenAddress         string   `json:"listenAddress,omitempty"`
 	Claims                *Claims  `json:"claims,omitempty"`
 	Options               *Options `json:"options,omitempty"`
-	Scopes                []string `json:"scopes,omitempty"`
-	AuthParams            []string `json:"authParams,omitempty"`
 	configuration         openIDConfiguration
 	keyStore              *keyStore
 	ctl                   *Controller
--- a/authority/provisioner/options.go
+++ b/authority/provisioner/options.go
@ -2,6 +2,7 @@ package provisioner

 import (
 	"encoding/json"
+	"fmt"
 	"strings"

 	"github.com/pkg/errors"
@ -11,6 +12,7 @@ import (
 	"go.step.sm/crypto/x509util"

 	"github.com/smallstep/certificates/authority/policy"
+	"github.com/smallstep/certificates/authority/provisioner/wire"
 )

 // CertificateOptions is an interface that returns a list of options passed when
@ -30,9 +32,10 @@ func (fn certificateOptionsFunc) Options(so SignOptions) []x509util.Option {
 type Options struct {
 	X509 *X509Options `json:"x509,omitempty"`
 	SSH  *SSHOptions  `json:"ssh,omitempty"`
-
 	// Webhooks is a list of webhooks that can augment template data
 	Webhooks []*Webhook `json:"webhooks,omitempty"`
+	// Wire holds the options used for the ACME Wire integration
+	Wire *wire.Options `json:"wire,omitempty"`
 }

 // GetX509Options returns the X.509 options.
@ -51,6 +54,20 @@ func (o *Options) GetSSHOptions() *SSHOptions {
 	return o.SSH
 }

+// GetWireOptions returns the SSH options.
+func (o *Options) GetWireOptions() (*wire.Options, error) {
+	if o == nil {
+		return nil, errors.New("no options available")
+	}
+	if o.Wire == nil {
+		return nil, errors.New("no Wire options available")
+	}
+	if err := o.Wire.Validate(); err != nil {
+		return nil, fmt.Errorf("failed validating Wire options: %w", err)
+	}
+	return o.Wire, nil
+}
+
 // GetWebhooks returns the webhooks options.
 func (o *Options) GetWebhooks() []*Webhook {
 	if o == nil {
--- a/authority/provisioner/provisioner.go
+++ b/authority/provisioner/provisioner.go
@ -10,7 +10,6 @@ import (
 	"strings"

 	"github.com/pkg/errors"
-	kmsapi "go.step.sm/crypto/kms/apiv1"
 	"golang.org/x/crypto/ssh"

 	"github.com/smallstep/certificates/errs"
@ -207,13 +206,6 @@ type SSHKeys struct {
 	HostKeys []ssh.PublicKey
 }

-// SCEPKeyManager is a KMS interface that combines a KeyManager with a
-// Decrypter.
-type SCEPKeyManager interface {
-	kmsapi.KeyManager
-	kmsapi.Decrypter
-}
-
 // Config defines the default parameters used in the initialization of
 // provisioners.
 type Config struct {
@ -234,8 +226,6 @@ type Config struct {
 	AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
 	// WebhookClient is an http client to use in webhook request
 	WebhookClient *http.Client
-	// SCEPKeyManager, if defined, is the interface used by SCEP provisioners.
-	SCEPKeyManager SCEPKeyManager
 }

 type provisioner struct {
@ -330,7 +320,7 @@ func (b *base) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) {
 	return nil, errs.Unauthorized("provisioner.AuthorizeSSHSign not implemented")
 }

-// AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite
+// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for revoking SSH Certificates.
 func (b *base) AuthorizeSSHRevoke(context.Context, string) error {
 	return errs.Unauthorized("provisioner.AuthorizeSSHRevoke not implemented")
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@ -15,6 +15,7 @@ import (

 	"go.step.sm/crypto/kms"
 	kmsapi "go.step.sm/crypto/kms/apiv1"
+	"go.step.sm/crypto/kms/uri"
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/webhook"
@ -58,7 +59,7 @@ type SCEP struct {
 	encryptionAlgorithm           int
 	challengeValidationController *challengeValidationController
 	notificationController        *notificationController
-	keyManager                    SCEPKeyManager
+	keyManager                    kmsapi.KeyManager
 	decrypter                     crypto.Decrypter
 	decrypterCertificate          *x509.Certificate
 	signer                        crypto.Signer
@ -268,38 +269,34 @@ func (s *SCEP) Init(config Config) (err error) {
 	)

 	// parse the decrypter key PEM contents if available
-	if len(s.DecrypterKeyPEM) > 0 {
+	if decryptionKeyPEM := s.DecrypterKeyPEM; len(decryptionKeyPEM) > 0 {
 		// try reading the PEM for validation
-		block, rest := pem.Decode(s.DecrypterKeyPEM)
+		block, rest := pem.Decode(decryptionKeyPEM)
 		if len(rest) > 0 {
 			return errors.New("failed parsing decrypter key: trailing data")
 		}
 		if block == nil {
 			return errors.New("failed parsing decrypter key: no PEM block found")
 		}
-
 		opts := kms.Options{
 			Type: kmsapi.SoftKMS,
 		}
-		km, err := kms.New(context.Background(), opts)
-		if err != nil {
+		if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
 			return fmt.Errorf("failed initializing kms: %w", err)
 		}
-		scepKeyManager, ok := km.(SCEPKeyManager)
+		kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
 		if !ok {
 			return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
 		}
-		s.keyManager = scepKeyManager
-
-		if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-			DecryptionKeyPEM: s.DecrypterKeyPEM,
+		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+			DecryptionKeyPEM: decryptionKeyPEM,
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			SigningKeyPEM:    s.DecrypterKeyPEM, // TODO(hs): support distinct signer key in the future?
+			SigningKeyPEM:    decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
@ -307,44 +304,41 @@ func (s *SCEP) Init(config Config) (err error) {
 		}
 	}

-	if s.DecrypterKeyURI != "" {
-		kmsType, err := kmsapi.TypeOf(s.DecrypterKeyURI)
+	if decryptionKeyURI := s.DecrypterKeyURI; len(decryptionKeyURI) > 0 {
+		u, err := uri.Parse(s.DecrypterKeyURI)
 		if err != nil {
 			return fmt.Errorf("failed parsing decrypter key: %w", err)
 		}
-
-		if config.SCEPKeyManager != nil {
-			s.keyManager = config.SCEPKeyManager
-		} else {
-			if kmsType == kmsapi.DefaultKMS {
-				kmsType = kmsapi.SoftKMS
-			}
-			opts := kms.Options{
-				Type: kmsType,
-				URI:  s.DecrypterKeyURI,
-			}
-			km, err := kms.New(context.Background(), opts)
-			if err != nil {
-				return fmt.Errorf("failed initializing kms: %w", err)
-			}
-			scepKeyManager, ok := km.(SCEPKeyManager)
-			if !ok {
-				return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
-			}
-			s.keyManager = scepKeyManager
-		}
-
-		// Create decrypter and signer with the same key:
-		// TODO(hs): support distinct signer key in the future?
-		if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-			DecryptionKey:    s.DecrypterKeyURI,
+		var kmsType kmsapi.Type
+		switch {
+		case u.Scheme != "":
+			kmsType = kms.Type(u.Scheme)
+		default:
+			kmsType = kmsapi.SoftKMS
+		}
+		opts := kms.Options{
+			Type: kmsType,
+			URI:  s.DecrypterKeyURI,
+		}
+		if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
+			return fmt.Errorf("failed initializing kms: %w", err)
+		}
+		kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
+		if !ok {
+			return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
+		}
+		if kmsType != "softkms" { // TODO(hs): this should likely become more transparent?
+			decryptionKeyURI = u.Opaque
+		}
+		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+			DecryptionKey:    decryptionKeyURI,
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			SigningKey:       s.DecrypterKeyURI,
+			SigningKey:       decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
--- a/authority/provisioner/scep_test.go
+++ b/authority/provisioner/scep_test.go
@ -2,27 +2,19 @@ package provisioner

 import (
 	"context"
-	"crypto"
-	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"encoding/json"
-	"encoding/pem"
 	"errors"
 	"net/http"
 	"net/http/httptest"
-	"os"
-	"path/filepath"
 	"testing"

-	"github.com/smallstep/certificates/webhook"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"go.step.sm/crypto/kms/softkms"
-	"go.step.sm/crypto/minica"
-	"go.step.sm/crypto/pemutil"
+
 	"go.step.sm/linkedca"
+
+	"github.com/smallstep/certificates/webhook"
 )

 func Test_challengeValidationController_Validate(t *testing.T) {
@ -374,270 +366,3 @@ func TestSCEP_ValidateChallenge(t *testing.T) {
 		})
 	}
 }
-
-func TestSCEP_Init(t *testing.T) {
-	serialize := func(key crypto.PrivateKey, password string) []byte {
-		var opts []pemutil.Options
-		if password == "" {
-			opts = append(opts, pemutil.WithPasswordPrompt("no password", func(s string) ([]byte, error) {
-				return nil, nil
-			}))
-		} else {
-			opts = append(opts, pemutil.WithPassword([]byte("password")))
-		}
-		block, err := pemutil.Serialize(key, opts...)
-		require.NoError(t, err)
-		return pem.EncodeToMemory(block)
-	}
-
-	ca, err := minica.New()
-	require.NoError(t, err)
-
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
-	require.NoError(t, err)
-	badKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	require.NoError(t, err)
-
-	cert, err := ca.Sign(&x509.Certificate{
-		Subject:   pkix.Name{CommonName: "SCEP decryptor"},
-		PublicKey: key.Public(),
-	})
-	require.NoError(t, err)
-
-	certPEM := pem.EncodeToMemory(&pem.Block{
-		Type: "CERTIFICATE", Bytes: cert.Raw,
-	})
-	certPEMWithIntermediate := append(pem.EncodeToMemory(&pem.Block{
-		Type: "CERTIFICATE", Bytes: cert.Raw,
-	}), pem.EncodeToMemory(&pem.Block{
-		Type: "CERTIFICATE", Bytes: ca.Intermediate.Raw,
-	})...)
-
-	keyPEM := serialize(key, "password")
-	keyPEMNoPassword := serialize(key, "")
-	badKeyPEM := serialize(badKey, "password")
-
-	tmp := t.TempDir()
-	path := filepath.Join(tmp, "rsa.priv")
-	pathNoPassword := filepath.Join(tmp, "rsa.key")
-
-	require.NoError(t, os.WriteFile(path, keyPEM, 0600))
-	require.NoError(t, os.WriteFile(pathNoPassword, keyPEMNoPassword, 0600))
-
-	type args struct {
-		config Config
-	}
-	tests := []struct {
-		name    string
-		s       *SCEP
-		args    args
-		wantErr bool
-	}{
-		{"ok", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, false},
-		{"ok no password", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEMNoPassword,
-			DecrypterKeyPassword:          "",
-			EncryptionAlgorithmIdentifier: 1,
-		}, args{Config{Claims: globalProvisionerClaims}}, false},
-		{"ok with uri", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        1024,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyURI:               "softkms:path=" + path,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 2,
-		}, args{Config{Claims: globalProvisionerClaims}}, false},
-		{"ok with uri no password", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        2048,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyURI:               "softkms:path=" + pathNoPassword,
-			DecrypterKeyPassword:          "",
-			EncryptionAlgorithmIdentifier: 3,
-		}, args{Config{Claims: globalProvisionerClaims}}, false},
-		{"ok with SCEPKeyManager", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        2048,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyURI:               "softkms:path=" + pathNoPassword,
-			DecrypterKeyPassword:          "",
-			EncryptionAlgorithmIdentifier: 4,
-		}, args{Config{Claims: globalProvisionerClaims, SCEPKeyManager: &softkms.SoftKMS{}}}, false},
-		{"ok intermediate", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          nil,
-			DecrypterKeyPEM:               nil,
-			DecrypterKeyPassword:          "",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, false},
-		{"fail type", &SCEP{
-			Type:                          "",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail name", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail minimumPublicKeyLength", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        2001,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail encryptionAlgorithmIdentifier", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 5,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail negative encryptionAlgorithmIdentifier", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: -1,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail key decode", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               []byte("not a pem"),
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail certificate decode", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          []byte("not a pem"),
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail certificate with intermediate", &SCEP{
-			Type:                   "SCEP",
-			Name:                   "scep",
-			ChallengePassword:      "password123",
-			MinimumPublicKeyLength: 0,
-			DecrypterCertificate:   certPEMWithIntermediate,
-			DecrypterKeyPEM:        keyPEM,
-			DecrypterKeyPassword:   "password",
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail decrypter password", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "badpassword",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail uri", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyURI:               "softkms:path=missing.key",
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail uri password", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyURI:               "softkms:path=" + path,
-			DecrypterKeyPassword:          "badpassword",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail uri type", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyURI:               "foo:path=" + path,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail missing certificate", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          nil,
-			DecrypterKeyPEM:               keyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-		{"fail key match", &SCEP{
-			Type:                          "SCEP",
-			Name:                          "scep",
-			ChallengePassword:             "password123",
-			MinimumPublicKeyLength:        0,
-			DecrypterCertificate:          certPEM,
-			DecrypterKeyPEM:               badKeyPEM,
-			DecrypterKeyPassword:          "password",
-			EncryptionAlgorithmIdentifier: 0,
-		}, args{Config{Claims: globalProvisionerClaims}}, true},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.s.Init(tt.args.config); (err != nil) != tt.wantErr {
-				t.Errorf("SCEP.Init() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -369,8 +369,8 @@ type validityValidator struct {
 }

 // newValidityValidator return a new validity validator.
-func newValidityValidator(minDur, maxDur time.Duration) *validityValidator {
-	return &validityValidator{min: minDur, max: maxDur}
+func newValidityValidator(min, max time.Duration) *validityValidator {
+	return &validityValidator{min: min, max: max}
 }

 // Valid validates the certificate validity settings (notBefore/notAfter) and
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@ -276,14 +276,14 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
 		return errs.BadRequest("ssh certificate validBefore cannot be before validAfter")
 	}

-	var minDur, maxDur time.Duration
+	var min, max time.Duration
 	switch cert.CertType {
 	case ssh.UserCert:
-		minDur = v.MinUserSSHCertDuration()
-		maxDur = v.MaxUserSSHCertDuration()
+		min = v.MinUserSSHCertDuration()
+		max = v.MaxUserSSHCertDuration()
 	case ssh.HostCert:
-		minDur = v.MinHostSSHCertDuration()
-		maxDur = v.MaxHostSSHCertDuration()
+		min = v.MinHostSSHCertDuration()
+		max = v.MaxHostSSHCertDuration()
 	case 0:
 		return errs.BadRequest("ssh certificate type has not been set")
 	default:
@ -295,10 +295,10 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
 	dur := time.Duration(cert.ValidBefore-cert.ValidAfter) * time.Second

 	switch {
-	case dur < minDur:
-		return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, minDur)
-	case dur > maxDur+opts.Backdate:
-		return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, maxDur+opts.Backdate)
+	case dur < min:
+		return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
+	case dur > max+opts.Backdate:
+		return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
 	default:
 		return nil
 	}
--- a/authority/provisioner/webhook.go
+++ b/authority/provisioner/webhook.go
@ -15,7 +15,6 @@ import (
 	"time"

 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/middleware/requestid"
 	"github.com/smallstep/certificates/templates"
 	"github.com/smallstep/certificates/webhook"
 	"go.step.sm/linkedca"
@ -37,7 +36,7 @@ type WebhookController struct {

 // Enrich fetches data from remote servers and adds returned data to the
 // templateData
-func (wc *WebhookController) Enrich(ctx context.Context, req *webhook.RequestBody) error {
+func (wc *WebhookController) Enrich(req *webhook.RequestBody) error {
 	if wc == nil {
 		return nil
 	}
@ -56,11 +55,7 @@ func (wc *WebhookController) Enrich(ctx context.Context, req *webhook.RequestBod
 		if !wc.isCertTypeOK(wh) {
 			continue
 		}
-
-		whCtx, cancel := context.WithTimeout(ctx, time.Second*10)
-		defer cancel() //nolint:gocritic // every request canceled with its own timeout
-
-		resp, err := wh.DoWithContext(whCtx, wc.client, req, wc.TemplateData)
+		resp, err := wh.Do(wc.client, req, wc.TemplateData)
 		if err != nil {
 			return err
 		}
@ -73,7 +68,7 @@ func (wc *WebhookController) Enrich(ctx context.Context, req *webhook.RequestBod
 }

 // Authorize checks that all remote servers allow the request
-func (wc *WebhookController) Authorize(ctx context.Context, req *webhook.RequestBody) error {
+func (wc *WebhookController) Authorize(req *webhook.RequestBody) error {
 	if wc == nil {
 		return nil
 	}
@ -92,11 +87,7 @@ func (wc *WebhookController) Authorize(ctx context.Context, req *webhook.Request
 		if !wc.isCertTypeOK(wh) {
 			continue
 		}
-
-		whCtx, cancel := context.WithTimeout(ctx, time.Second*10)
-		defer cancel() //nolint:gocritic // every request canceled with its own timeout
-
-		resp, err := wh.DoWithContext(whCtx, wc.client, req, wc.TemplateData)
+		resp, err := wh.Do(wc.client, req, wc.TemplateData)
 		if err != nil {
 			return err
 		}
@ -132,6 +123,13 @@ type Webhook struct {
 	} `json:"-"`
 }

+func (w *Webhook) Do(client *http.Client, reqBody *webhook.RequestBody, data any) (*webhook.ResponseBody, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	return w.DoWithContext(ctx, client, reqBody, data)
+}
+
 func (w *Webhook) DoWithContext(ctx context.Context, client *http.Client, reqBody *webhook.RequestBody, data any) (*webhook.ResponseBody, error) {
 	tmpl, err := template.New("url").Funcs(templates.StepFuncMap()).Parse(w.URL)
 	if err != nil {
@ -171,10 +169,6 @@ retry:
 		return nil, err
 	}

-	if requestID, ok := requestid.FromContext(ctx); ok {
-		req.Header.Set("X-Request-Id", requestID)
-	}
-
 	secret, err := base64.StdEncoding.DecodeString(w.Secret)
 	if err != nil {
 		return nil, err
--- a/authority/provisioner/webhook_test.go
+++ b/authority/provisioner/webhook_test.go
@ -1,7 +1,6 @@
 package provisioner

 import (
-	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/tls"
@ -9,23 +8,18 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"

+	"github.com/pkg/errors"
+	"github.com/smallstep/assert"
+	"github.com/smallstep/certificates/webhook"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"go.step.sm/linkedca"
-
-	"github.com/smallstep/certificates/middleware/requestid"
-	"github.com/smallstep/certificates/webhook"
 )

 func TestWebhookController_isCertTypeOK(t *testing.T) {
@ -98,25 +92,19 @@ func TestWebhookController_isCertTypeOK(t *testing.T) {
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			assert.Equal(t, test.want, test.wc.isCertTypeOK(test.wh))
+			assert.Equals(t, test.want, test.wc.isCertTypeOK(test.wh))
 		})
 	}
 }

-// withRequestID is a helper that calls into [requestid.NewContext] and returns
-// a new context with the requestID added.
-func withRequestID(t *testing.T, ctx context.Context, requestID string) context.Context {
-	t.Helper()
-	return requestid.NewContext(ctx, requestID)
-}
-
 func TestWebhookController_Enrich(t *testing.T) {
 	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	type test struct {
 		ctl                *WebhookController
-		ctx                context.Context
 		req                *webhook.RequestBody
 		responses          []*webhook.ResponseBody
 		expectErr          bool
@ -141,7 +129,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 				webhooks:     []*Webhook{{Name: "people", Kind: "ENRICHING"}},
 				TemplateData: x509util.TemplateData{},
 			},
-			ctx:                withRequestID(t, context.Background(), "reqID"),
 			req:                &webhook.RequestBody{},
 			responses:          []*webhook.ResponseBody{{Allow: true, Data: map[string]any{"role": "bar"}}},
 			expectErr:          false,
@ -156,7 +143,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 				},
 				TemplateData: x509util.TemplateData{},
 			},
-			ctx: withRequestID(t, context.Background(), "reqID"),
 			req: &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{
 				{Allow: true, Data: map[string]any{"role": "bar"}},
@ -180,7 +166,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 				TemplateData: x509util.TemplateData{},
 				certType:     linkedca.Webhook_X509,
 			},
-			ctx: withRequestID(t, context.Background(), "reqID"),
 			req: &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{
 				{Allow: true, Data: map[string]any{"role": "bar"}},
@ -200,15 +185,14 @@ func TestWebhookController_Enrich(t *testing.T) {
 				TemplateData: x509util.TemplateData{},
 				options:      []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)},
 			},
-			ctx:                withRequestID(t, context.Background(), "reqID"),
 			req:                &webhook.RequestBody{},
 			responses:          []*webhook.ResponseBody{{Allow: true, Data: map[string]any{"role": "bar"}}},
 			expectErr:          false,
 			expectTemplateData: x509util.TemplateData{"Webhooks": map[string]any{"people": map[string]any{"role": "bar"}}},
 			assertRequest: func(t *testing.T, req *webhook.RequestBody) {
 				key, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
-				require.NoError(t, err)
-				assert.Equal(t, &webhook.X5CCertificate{
+				assert.FatalError(t, err)
+				assert.Equals(t, &webhook.X5CCertificate{
 					Raw:                cert.Raw,
 					PublicKey:          key,
 					PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
@ -223,7 +207,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 				webhooks:     []*Webhook{{Name: "people", Kind: "ENRICHING"}},
 				TemplateData: x509util.TemplateData{},
 			},
-			ctx:                withRequestID(t, context.Background(), "reqID"),
 			req:                &webhook.RequestBody{},
 			responses:          []*webhook.ResponseBody{{Allow: false}},
 			expectErr:          true,
@ -238,7 +221,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 					PublicKey: []byte("bad"),
 				})},
 			},
-			ctx:                withRequestID(t, context.Background(), "reqID"),
 			req:                &webhook.RequestBody{},
 			responses:          []*webhook.ResponseBody{{Allow: false}},
 			expectErr:          true,
@ -250,21 +232,19 @@ func TestWebhookController_Enrich(t *testing.T) {
 			for i, wh := range test.ctl.webhooks {
 				var j = i
 				ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-					assert.Equal(t, "reqID", r.Header.Get("X-Request-ID"))
-
 					err := json.NewEncoder(w).Encode(test.responses[j])
-					require.NoError(t, err)
+					assert.FatalError(t, err)
 				}))
 				// nolint: gocritic // defer in loop isn't a memory leak
 				defer ts.Close()
 				wh.URL = ts.URL
 			}

-			err := test.ctl.Enrich(test.ctx, test.req)
+			err := test.ctl.Enrich(test.req)
 			if (err != nil) != test.expectErr {
 				t.Fatalf("Got err %v, want %v", err, test.expectErr)
 			}
-			assert.Equal(t, test.expectTemplateData, test.ctl.TemplateData)
+			assert.Equals(t, test.expectTemplateData, test.ctl.TemplateData)
 			if test.assertRequest != nil {
 				test.assertRequest(t, test.req)
 			}
@ -274,11 +254,12 @@ func TestWebhookController_Enrich(t *testing.T) {

 func TestWebhookController_Authorize(t *testing.T) {
 	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}

 	type test struct {
 		ctl           *WebhookController
-		ctx           context.Context
 		req           *webhook.RequestBody
 		responses     []*webhook.ResponseBody
 		expectErr     bool
@ -299,7 +280,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 				client:   http.DefaultClient,
 				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING"}},
 			},
-			ctx:       withRequestID(t, context.Background(), "reqID"),
 			req:       &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{{Allow: true}},
 			expectErr: false,
@ -310,7 +290,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING", CertType: linkedca.Webhook_X509.String()}},
 				certType: linkedca.Webhook_SSH,
 			},
-			ctx:       withRequestID(t, context.Background(), "reqID"),
 			req:       &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: false,
@ -321,14 +300,13 @@ func TestWebhookController_Authorize(t *testing.T) {
 				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING"}},
 				options:  []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)},
 			},
-			ctx:       withRequestID(t, context.Background(), "reqID"),
 			req:       &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{{Allow: true}},
 			expectErr: false,
 			assertRequest: func(t *testing.T, req *webhook.RequestBody) {
 				key, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
-				require.NoError(t, err)
-				assert.Equal(t, &webhook.X5CCertificate{
+				assert.FatalError(t, err)
+				assert.Equals(t, &webhook.X5CCertificate{
 					Raw:                cert.Raw,
 					PublicKey:          key,
 					PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
@ -342,7 +320,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 				client:   http.DefaultClient,
 				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING"}},
 			},
-			ctx:       withRequestID(t, context.Background(), "reqID"),
 			req:       &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: true,
@ -355,7 +332,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 					PublicKey: []byte("bad"),
 				})},
 			},
-			ctx:       withRequestID(t, context.Background(), "reqID"),
 			req:       &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: true,
@ -366,17 +342,15 @@ func TestWebhookController_Authorize(t *testing.T) {
 			for i, wh := range test.ctl.webhooks {
 				var j = i
 				ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-					assert.Equal(t, "reqID", r.Header.Get("X-Request-ID"))
-
 					err := json.NewEncoder(w).Encode(test.responses[j])
-					require.NoError(t, err)
+					assert.FatalError(t, err)
 				}))
 				// nolint: gocritic // defer in loop isn't a memory leak
 				defer ts.Close()
 				wh.URL = ts.URL
 			}

-			err := test.ctl.Authorize(test.ctx, test.req)
+			err := test.ctl.Authorize(test.req)
 			if (err != nil) != test.expectErr {
 				t.Fatalf("Got err %v, want %v", err, test.expectErr)
 			}
@ -392,7 +366,6 @@ func TestWebhook_Do(t *testing.T) {
 	type test struct {
 		webhook         Webhook
 		dataArg         any
-		requestID       string
 		webhookResponse webhook.ResponseBody
 		expectPath      string
 		errStatusCode   int
@ -402,16 +375,6 @@ func TestWebhook_Do(t *testing.T) {
 	}
 	tests := map[string]test{
 		"ok": {
-			webhook: Webhook{
-				ID:     "abc123",
-				Secret: "c2VjcmV0Cg==",
-			},
-			requestID: "reqID",
-			webhookResponse: webhook.ResponseBody{
-				Data: map[string]interface{}{"role": "dba"},
-			},
-		},
-		"ok/no-request-id": {
 			webhook: Webhook{
 				ID:     "abc123",
 				Secret: "c2VjcmV0Cg==",
@ -426,7 +389,6 @@ func TestWebhook_Do(t *testing.T) {
 				Secret:      "c2VjcmV0Cg==",
 				BearerToken: "mytoken",
 			},
-			requestID: "reqID",
 			webhookResponse: webhook.ResponseBody{
 				Data: map[string]interface{}{"role": "dba"},
 			},
@ -443,7 +405,6 @@ func TestWebhook_Do(t *testing.T) {
 					Password: "mypass",
 				},
 			},
-			requestID: "reqID",
 			webhookResponse: webhook.ResponseBody{
 				Data: map[string]interface{}{"role": "dba"},
 			},
@ -455,8 +416,7 @@ func TestWebhook_Do(t *testing.T) {
 				URL:    "/users/{{ .username }}?region={{ .region }}",
 				Secret: "c2VjcmV0Cg==",
 			},
-			requestID: "reqID",
-			dataArg:   map[string]interface{}{"username": "areed", "region": "central"},
+			dataArg: map[string]interface{}{"username": "areed", "region": "central"},
 			webhookResponse: webhook.ResponseBody{
 				Data: map[string]interface{}{"role": "dba"},
 			},
@ -491,7 +451,6 @@ func TestWebhook_Do(t *testing.T) {
 				ID:     "abc123",
 				Secret: "c2VjcmV0Cg==",
 			},
-			requestID: "reqID",
 			webhookResponse: webhook.ResponseBody{
 				Allow: true,
 			},
@ -504,7 +463,6 @@ func TestWebhook_Do(t *testing.T) {
 			webhookResponse: webhook.ResponseBody{
 				Data: map[string]interface{}{"role": "dba"},
 			},
-			requestID:     "reqID",
 			errStatusCode: 404,
 			serverErrMsg:  "item not found",
 			expectErr:     errors.New("Webhook server responded with 404"),
@ -513,20 +471,17 @@ func TestWebhook_Do(t *testing.T) {
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				if tc.requestID != "" {
-					assert.Equal(t, tc.requestID, r.Header.Get("X-Request-ID"))
-				}
-
-				assert.Equal(t, tc.webhook.ID, r.Header.Get("X-Smallstep-Webhook-ID"))
+				id := r.Header.Get("X-Smallstep-Webhook-ID")
+				assert.Equals(t, tc.webhook.ID, id)

 				sig, err := hex.DecodeString(r.Header.Get("X-Smallstep-Signature"))
-				assert.NoError(t, err)
+				assert.FatalError(t, err)

 				body, err := io.ReadAll(r.Body)
-				assert.NoError(t, err)
+				assert.FatalError(t, err)

 				secret, err := base64.StdEncoding.DecodeString(tc.webhook.Secret)
-				assert.NoError(t, err)
+				assert.FatalError(t, err)
 				h := hmac.New(sha256.New, secret)
 				h.Write(body)
 				mac := h.Sum(nil)
@ -535,19 +490,19 @@ func TestWebhook_Do(t *testing.T) {
 				switch {
 				case tc.webhook.BearerToken != "":
 					ah := fmt.Sprintf("Bearer %s", tc.webhook.BearerToken)
-					assert.Equal(t, ah, r.Header.Get("Authorization"))
+					assert.Equals(t, ah, r.Header.Get("Authorization"))
 				case tc.webhook.BasicAuth.Username != "" || tc.webhook.BasicAuth.Password != "":
 					whReq, err := http.NewRequest("", "", http.NoBody)
-					require.NoError(t, err)
+					assert.FatalError(t, err)
 					whReq.SetBasicAuth(tc.webhook.BasicAuth.Username, tc.webhook.BasicAuth.Password)
 					ah := whReq.Header.Get("Authorization")
-					assert.Equal(t, ah, whReq.Header.Get("Authorization"))
+					assert.Equals(t, ah, whReq.Header.Get("Authorization"))
 				default:
-					assert.Equal(t, "", r.Header.Get("Authorization"))
+					assert.Equals(t, "", r.Header.Get("Authorization"))
 				}

 				if tc.expectPath != "" {
-					assert.Equal(t, tc.expectPath, r.URL.Path+"?"+r.URL.RawQuery)
+					assert.Equals(t, tc.expectPath, r.URL.Path+"?"+r.URL.RawQuery)
 				}

 				if tc.errStatusCode != 0 {
@ -557,33 +512,26 @@ func TestWebhook_Do(t *testing.T) {

 				reqBody := new(webhook.RequestBody)
 				err = json.Unmarshal(body, reqBody)
-				require.NoError(t, err)
+				assert.FatalError(t, err)
+				// assert.Equals(t, tc.expectToken, reqBody.Token)

 				err = json.NewEncoder(w).Encode(tc.webhookResponse)
-				require.NoError(t, err)
+				assert.FatalError(t, err)
 			}))
 			defer ts.Close()

 			tc.webhook.URL = ts.URL + tc.webhook.URL

 			reqBody, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr))
-			require.NoError(t, err)
-
-			ctx := context.Background()
-			if tc.requestID != "" {
-				ctx = withRequestID(t, ctx, tc.requestID)
-			}
-			ctx, cancel := context.WithTimeout(ctx, time.Second*10)
-			defer cancel()
-
-			got, err := tc.webhook.DoWithContext(ctx, http.DefaultClient, reqBody, tc.dataArg)
+			assert.FatalError(t, err)
+			got, err := tc.webhook.Do(http.DefaultClient, reqBody, tc.dataArg)
 			if tc.expectErr != nil {
-				assert.Equal(t, tc.expectErr.Error(), err.Error())
+				assert.Equals(t, tc.expectErr.Error(), err.Error())
 				return
 			}
-			assert.NoError(t, err)
+			assert.FatalError(t, err)

-			assert.Equal(t, &tc.webhookResponse, got)
+			assert.Equals(t, got, &tc.webhookResponse)
 		})
 	}

@ -596,7 +544,7 @@ func TestWebhook_Do(t *testing.T) {
 			URL: ts.URL,
 		}
 		cert, err := tls.LoadX509KeyPair("testdata/certs/foo.crt", "testdata/secrets/foo.key")
-		require.NoError(t, err)
+		assert.FatalError(t, err)
 		transport := http.DefaultTransport.(*http.Transport).Clone()
 		transport.TLSClientConfig = &tls.Config{
 			InsecureSkipVerify: true,
@ -606,19 +554,12 @@ func TestWebhook_Do(t *testing.T) {
 			Transport: transport,
 		}
 		reqBody, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr))
-		require.NoError(t, err)
-
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
-		defer cancel()
-
-		_, err = wh.DoWithContext(ctx, client, reqBody, nil)
-		require.NoError(t, err)
-
-		ctx, cancel = context.WithTimeout(context.Background(), time.Second*10)
-		defer cancel()
+		assert.FatalError(t, err)
+		_, err = wh.Do(client, reqBody, nil)
+		assert.FatalError(t, err)

 		wh.DisableTLSClientAuth = true
-		_, err = wh.DoWithContext(ctx, client, reqBody, nil)
-		require.Error(t, err)
+		_, err = wh.Do(client, reqBody, nil)
+		assert.Error(t, err)
 	})
 }
--- a/authority/provisioner/wire/dpop_options.go
+++ b/authority/provisioner/wire/dpop_options.go
@ -0,0 +1,45 @@
+package wire
+
+import (
+	"bytes"
+	"crypto"
+	"fmt"
+	"text/template"
+
+	"go.step.sm/crypto/pemutil"
+)
+
+type DPOPOptions struct {
+	// Public part of the  signing key for DPoP access token in PEM format
+	SigningKey []byte `json:"key"`
+	// URI template for the URI the ACME client must call to fetch the DPoP challenge proof (an access token from wire-server)
+	Target string `json:"target"`
+
+	signingKey crypto.PublicKey
+	target     *template.Template
+}
+
+func (o *DPOPOptions) GetSigningKey() crypto.PublicKey {
+	return o.signingKey
+}
+
+func (o *DPOPOptions) EvaluateTarget(deviceID string) (string, error) {
+	buf := new(bytes.Buffer)
+	if err := o.target.Execute(buf, struct{ DeviceID string }{DeviceID: deviceID}); err != nil {
+		return "", fmt.Errorf("failed executing dpop template: %w", err)
+	}
+	return buf.String(), nil
+}
+
+func (o *DPOPOptions) validateAndInitialize() (err error) {
+	o.signingKey, err = pemutil.Parse(o.SigningKey)
+	if err != nil {
+		return fmt.Errorf("failed parsing key: %w", err)
+	}
+	o.target, err = template.New("DeviceID").Parse(o.Target)
+	if err != nil {
+		return fmt.Errorf("failed parsing DPoP template: %w", err)
+	}
+
+	return nil
+}
--- a/authority/provisioner/wire/oidc_options.go
+++ b/authority/provisioner/wire/oidc_options.go
@ -0,0 +1,157 @@
+package wire
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/url"
+	"text/template"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"go.step.sm/crypto/x509util"
+)
+
+type Provider struct {
+	IssuerURL   string   `json:"issuer,omitempty"`
+	AuthURL     string   `json:"authorization_endpoint,omitempty"`
+	TokenURL    string   `json:"token_endpoint,omitempty"`
+	JWKSURL     string   `json:"jwks_uri,omitempty"`
+	UserInfoURL string   `json:"userinfo_endpoint,omitempty"`
+	Algorithms  []string `json:"id_token_signing_alg_values_supported,omitempty"`
+}
+
+type Config struct {
+	ClientID            string   `json:"clientId,omitempty"`
+	SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"`
+
+	// the properties below are only used for testing
+	SkipClientIDCheck          bool             `json:"-"`
+	SkipExpiryCheck            bool             `json:"-"`
+	SkipIssuerCheck            bool             `json:"-"`
+	InsecureSkipSignatureCheck bool             `json:"-"`
+	Now                        func() time.Time `json:"-"`
+}
+
+type OIDCOptions struct {
+	Provider          *Provider `json:"provider,omitempty"`
+	Config            *Config   `json:"config,omitempty"`
+	TransformTemplate string    `json:"transform,omitempty"`
+
+	oidcProviderConfig *oidc.ProviderConfig
+	target             *template.Template
+	transform          *template.Template
+}
+
+func (o *OIDCOptions) GetProvider(ctx context.Context) *oidc.Provider {
+	if o == nil || o.Provider == nil || o.oidcProviderConfig == nil {
+		return nil
+	}
+	return o.oidcProviderConfig.NewProvider(ctx)
+}
+
+func (o *OIDCOptions) GetConfig() *oidc.Config {
+	if o == nil || o.Config == nil {
+		return &oidc.Config{}
+	}
+
+	return &oidc.Config{
+		ClientID:                   o.Config.ClientID,
+		SupportedSigningAlgs:       o.Config.SignatureAlgorithms,
+		SkipClientIDCheck:          o.Config.SkipClientIDCheck,
+		SkipExpiryCheck:            o.Config.SkipExpiryCheck,
+		SkipIssuerCheck:            o.Config.SkipIssuerCheck,
+		Now:                        o.Config.Now,
+		InsecureSkipSignatureCheck: o.Config.InsecureSkipSignatureCheck,
+	}
+}
+
+const defaultTemplate = `{"name": "{{ .name }}", "preferred_username": "{{ .preferred_username }}"}`
+
+func (o *OIDCOptions) validateAndInitialize() (err error) {
+	if o.Provider == nil {
+		return errors.New("provider not set")
+	}
+	if o.Provider.IssuerURL == "" {
+		return errors.New("issuer URL must not be empty")
+	}
+
+	o.oidcProviderConfig, err = toOIDCProviderConfig(o.Provider)
+	if err != nil {
+		return fmt.Errorf("failed creationg OIDC provider config: %w", err)
+	}
+
+	o.target, err = template.New("DeviceID").Parse(o.Provider.IssuerURL)
+	if err != nil {
+		return fmt.Errorf("failed parsing OIDC template: %w", err)
+	}
+
+	o.transform, err = parseTransform(o.TransformTemplate)
+	if err != nil {
+		return fmt.Errorf("failed parsing OIDC transformation template: %w", err)
+	}
+
+	return nil
+}
+
+func parseTransform(transformTemplate string) (*template.Template, error) {
+	if transformTemplate == "" {
+		transformTemplate = defaultTemplate
+	}
+
+	return template.New("transform").Funcs(x509util.GetFuncMap()).Parse(transformTemplate)
+}
+
+func (o *OIDCOptions) EvaluateTarget(deviceID string) (string, error) {
+	buf := new(bytes.Buffer)
+	if err := o.target.Execute(buf, struct{ DeviceID string }{DeviceID: deviceID}); err != nil {
+		return "", fmt.Errorf("failed executing OIDC template: %w", err)
+	}
+	return buf.String(), nil
+}
+
+func (o *OIDCOptions) Transform(v map[string]any) (map[string]any, error) {
+	if o.transform == nil || v == nil {
+		return v, nil
+	}
+	// TODO(hs): add support for extracting error message from template "fail" function?
+	buf := new(bytes.Buffer)
+	if err := o.transform.Execute(buf, v); err != nil {
+		return nil, fmt.Errorf("failed executing OIDC transformation: %w", err)
+	}
+	var r map[string]any
+	if err := json.Unmarshal(buf.Bytes(), &r); err != nil {
+		return nil, fmt.Errorf("failed unmarshaling transformed OIDC token: %w", err)
+	}
+	// add original claims if not yet in the transformed result
+	for key, value := range v {
+		if _, ok := r[key]; !ok {
+			r[key] = value
+		}
+	}
+	return r, nil
+}
+
+func toOIDCProviderConfig(in *Provider) (*oidc.ProviderConfig, error) {
+	issuerURL, err := url.Parse(in.IssuerURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed parsing issuer URL: %w", err)
+	}
+	// Removes query params from the URL because we use it as a way to notify client about the actual OAuth ClientId
+	// for this provisioner.
+	// This URL is going to look like: "https://idp:5556/dex?clientid=foo"
+	// If we don't trim the query params here i.e. 'clientid' then the idToken verification is going to fail because
+	// the 'iss' claim of the idToken will be "https://idp:5556/dex"
+	issuerURL.RawQuery = ""
+	issuerURL.Fragment = ""
+	return &oidc.ProviderConfig{
+		IssuerURL:   issuerURL.String(),
+		AuthURL:     in.AuthURL,
+		TokenURL:    in.TokenURL,
+		UserInfoURL: in.UserInfoURL,
+		JWKSURL:     in.JWKSURL,
+		Algorithms:  in.Algorithms,
+	}, nil
+}
--- a/authority/provisioner/wire/oidc_options_test.go
+++ b/authority/provisioner/wire/oidc_options_test.go
@ -0,0 +1,121 @@
+package wire
+
+import (
+	"testing"
+	"text/template"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOIDCOptions_Transform(t *testing.T) {
+	defaultTransform, err := parseTransform(``)
+	require.NoError(t, err)
+	swapTransform, err := parseTransform(`{"name": "{{ .preferred_username }}", "preferred_username": "{{ .name }}"}`)
+	require.NoError(t, err)
+	funcTransform, err := parseTransform(`{"name": "{{ .name }}", "preferred_username": "{{ first .usernames }}"}`)
+	require.NoError(t, err)
+	type fields struct {
+		transform *template.Template
+	}
+	type args struct {
+		v map[string]any
+	}
+	tests := []struct {
+		name        string
+		fields      fields
+		args        args
+		want        map[string]any
+		expectedErr error
+	}{
+		{
+			name: "ok/no-transform",
+			fields: fields{
+				transform: nil,
+			},
+			args: args{
+				v: map[string]any{
+					"name":               "Example",
+					"preferred_username": "Preferred",
+				},
+			},
+			want: map[string]any{
+				"name":               "Example",
+				"preferred_username": "Preferred",
+			},
+		},
+		{
+			name: "ok/empty-data",
+			fields: fields{
+				transform: nil,
+			},
+			args: args{
+				v: map[string]any{},
+			},
+			want: map[string]any{},
+		},
+		{
+			name: "ok/default-transform",
+			fields: fields{
+				transform: defaultTransform,
+			},
+			args: args{
+				v: map[string]any{
+					"name":               "Example",
+					"preferred_username": "Preferred",
+				},
+			},
+			want: map[string]any{
+				"name":               "Example",
+				"preferred_username": "Preferred",
+			},
+		},
+		{
+			name: "ok/swap-transform",
+			fields: fields{
+				transform: swapTransform,
+			},
+			args: args{
+				v: map[string]any{
+					"name":               "Example",
+					"preferred_username": "Preferred",
+				},
+			},
+			want: map[string]any{
+				"name":               "Preferred",
+				"preferred_username": "Example",
+			},
+		},
+		{
+			name: "ok/transform-with-functions",
+			fields: fields{
+				transform: funcTransform,
+			},
+			args: args{
+				v: map[string]any{
+					"name":      "Example",
+					"usernames": []string{"name-1", "name-2", "name-3"},
+				},
+			},
+			want: map[string]any{
+				"name":               "Example",
+				"preferred_username": "name-1",
+				"usernames":          []string{"name-1", "name-2", "name-3"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := &OIDCOptions{
+				transform: tt.fields.transform,
+			}
+			got, err := o.Transform(tt.args.v)
+			if tt.expectedErr != nil {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/authority/provisioner/wire/wire_options.go
+++ b/authority/provisioner/wire/wire_options.go
@ -0,0 +1,51 @@
+package wire
+
+import (
+	"errors"
+	"fmt"
+)
+
+// Options holds the Wire ACME extension options
+type Options struct {
+	OIDC *OIDCOptions `json:"oidc,omitempty"`
+	DPOP *DPOPOptions `json:"dpop,omitempty"`
+}
+
+// GetOIDCOptions returns the OIDC options.
+func (o *Options) GetOIDCOptions() *OIDCOptions {
+	if o == nil {
+		return nil
+	}
+	return o.OIDC
+}
+
+// GetDPOPOptions returns the DPoP options.
+func (o *Options) GetDPOPOptions() *DPOPOptions {
+	if o == nil {
+		return nil
+	}
+	return o.DPOP
+}
+
+// Validate validates and initializes the Wire OIDC and DPoP options.
+//
+// TODO(hs): find a good way to perform this only once.
+func (o *Options) Validate() error {
+	if oidc := o.GetOIDCOptions(); oidc != nil {
+		if err := oidc.validateAndInitialize(); err != nil {
+			return fmt.Errorf("failed initializing OIDC options: %w", err)
+		}
+	} else {
+		return errors.New("no OIDC options available")
+	}
+
+	if dpop := o.GetDPOPOptions(); dpop != nil {
+		if err := dpop.validateAndInitialize(); err != nil {
+			return fmt.Errorf("failed initializing DPoP options: %w", err)
+		}
+	} else {
+		return errors.New("no DPoP options available")
+	}
+
+	return nil
+}
--- a/authority/provisioner/wire/wire_options_test.go
+++ b/authority/provisioner/wire/wire_options_test.go
@ -0,0 +1,163 @@
+package wire
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestOptions_Validate(t *testing.T) {
+	key := []byte(`-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
+-----END PUBLIC KEY-----`)
+
+	type fields struct {
+		OIDC *OIDCOptions
+		DPOP *DPOPOptions
+	}
+	tests := []struct {
+		name        string
+		fields      fields
+		expectedErr error
+	}{
+		{
+			name: "ok",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "https://example.com",
+					},
+					Config: &Config{},
+				},
+				DPOP: &DPOPOptions{
+					SigningKey: key,
+				},
+			},
+			expectedErr: nil,
+		},
+		{
+			name: "fail/no-oidc-options",
+			fields: fields{
+				OIDC: nil,
+				DPOP: &DPOPOptions{},
+			},
+			expectedErr: errors.New("no OIDC options available"),
+		},
+		{
+			name: "fail/empty-issuer-url",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "",
+					},
+					Config: &Config{},
+				},
+				DPOP: &DPOPOptions{},
+			},
+			expectedErr: errors.New("failed initializing OIDC options: issuer URL must not be empty"),
+		},
+		{
+			name: "fail/invalid-issuer-url",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "\x00",
+					},
+					Config: &Config{},
+				},
+				DPOP: &DPOPOptions{},
+			},
+			expectedErr: errors.New(`failed initializing OIDC options: failed creationg OIDC provider config: failed parsing issuer URL: parse "\x00": net/url: invalid control character in URL`),
+		},
+		{
+			name: "fail/issuer-url-template",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "https://issuer.example.com/{{}",
+					},
+					Config: &Config{},
+				},
+				DPOP: &DPOPOptions{},
+			},
+			expectedErr: errors.New(`failed initializing OIDC options: failed parsing OIDC template: template: DeviceID:1: unexpected "}" in command`),
+		},
+		{
+			name: "fail/invalid-transform-template",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "https://example.com",
+					},
+					Config:            &Config{},
+					TransformTemplate: "{{}",
+				},
+				DPOP: &DPOPOptions{
+					SigningKey: key,
+				},
+			},
+			expectedErr: errors.New(`failed initializing OIDC options: failed parsing OIDC transformation template: template: transform:1: unexpected "}" in command`),
+		},
+		{
+			name: "fail/no-dpop-options",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "https://example.com",
+					},
+					Config: &Config{},
+				},
+				DPOP: nil,
+			},
+			expectedErr: errors.New("no DPoP options available"),
+		},
+		{
+			name: "fail/invalid-key",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "https://example.com",
+					},
+					Config: &Config{},
+				},
+				DPOP: &DPOPOptions{
+					SigningKey: []byte{0x00},
+					Target:     "",
+				},
+			},
+			expectedErr: errors.New(`failed initializing DPoP options: failed parsing key: error decoding PEM: not a valid PEM encoded block`),
+		},
+		{
+			name: "fail/target-template",
+			fields: fields{
+				OIDC: &OIDCOptions{
+					Provider: &Provider{
+						IssuerURL: "https://example.com",
+					},
+					Config: &Config{},
+				},
+				DPOP: &DPOPOptions{
+					SigningKey: key,
+					Target:     "{{}",
+				},
+			},
+			expectedErr: errors.New(`failed initializing DPoP options: failed parsing DPoP template: template: DeviceID:1: unexpected "}" in command`),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := &Options{
+				OIDC: tt.fields.OIDC,
+				DPOP: tt.fields.DPOP,
+			}
+			err := o.Validate()
+			if tt.expectedErr != nil {
+				assert.EqualError(t, err, tt.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+		})
+	}
+}
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@ -813,7 +813,7 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 							}
 							tot++
 						}
-						if tc.claims.Step.SSH.CertType != "" {
+						if len(tc.claims.Step.SSH.CertType) > 0 {
 							assert.Equals(t, tot, 12)
 						} else {
 							assert.Equals(t, tot, 10)
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@ -201,7 +201,6 @@ func (a *Authority) generateProvisionerConfig(ctx context.Context) (provisioner.
 		AuthorizeRenewFunc:    a.authorizeRenewFunc,
 		AuthorizeSSHRenewFunc: a.authorizeSSHRenewFunc,
 		WebhookClient:         a.webhookClient,
-		SCEPKeyManager:        a.scepKeyManager,
 	}, nil
 }

@ -426,25 +425,25 @@ func ValidateClaims(c *linkedca.Claims) error {
 // ValidateDurations validates the Durations type.
 func ValidateDurations(d *linkedca.Durations) error {
 	var (
-		err                 error
-		minDur, maxDur, def *provisioner.Duration
+		err           error
+		min, max, def *provisioner.Duration
 	)

 	if d.Min != "" {
-		minDur, err = provisioner.NewDuration(d.Min)
+		min, err = provisioner.NewDuration(d.Min)
 		if err != nil {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' is invalid", d.Min)
 		}
-		if minDur.Value() < 0 {
+		if min.Value() < 0 {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' cannot be less than 0", d.Min)
 		}
 	}
 	if d.Max != "" {
-		maxDur, err = provisioner.NewDuration(d.Max)
+		max, err = provisioner.NewDuration(d.Max)
 		if err != nil {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' is invalid", d.Max)
 		}
-		if maxDur.Value() < 0 {
+		if max.Value() < 0 {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' cannot be less than 0", d.Max)
 		}
 	}
@ -457,15 +456,15 @@ func ValidateDurations(d *linkedca.Durations) error {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "default duration '%s' cannot be less than 0", d.Default)
 		}
 	}
-	if d.Min != "" && d.Max != "" && minDur.Value() > maxDur.Value() {
+	if d.Min != "" && d.Max != "" && min.Value() > max.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"min duration '%s' cannot be greater than max duration '%s'", d.Min, d.Max)
 	}
-	if d.Min != "" && d.Default != "" && minDur.Value() > def.Value() {
+	if d.Min != "" && d.Default != "" && min.Value() > def.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"min duration '%s' cannot be greater than default duration '%s'", d.Min, d.Default)
 	}
-	if d.Default != "" && d.Max != "" && minDur.Value() > def.Value() {
+	if d.Default != "" && d.Max != "" && min.Value() > def.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"default duration '%s' cannot be greater than max duration '%s'", d.Default, d.Max)
 	}
@ -608,20 +607,20 @@ func provisionerWebhookToLinkedca(pwh *provisioner.Webhook) *linkedca.Webhook {
 	return lwh
 }

-func durationsToCertificates(d *linkedca.Durations) (minDur, maxDur, def *provisioner.Duration, err error) {
-	if d.Min != "" {
-		minDur, err = provisioner.NewDuration(d.Min)
+func durationsToCertificates(d *linkedca.Durations) (min, max, def *provisioner.Duration, err error) {
+	if len(d.Min) > 0 {
+		min, err = provisioner.NewDuration(d.Min)
 		if err != nil {
 			return nil, nil, nil, admin.WrapErrorISE(err, "error parsing minimum duration '%s'", d.Min)
 		}
 	}
-	if d.Max != "" {
-		maxDur, err = provisioner.NewDuration(d.Max)
+	if len(d.Max) > 0 {
+		max, err = provisioner.NewDuration(d.Max)
 		if err != nil {
 			return nil, nil, nil, admin.WrapErrorISE(err, "error parsing maximum duration '%s'", d.Max)
 		}
 	}
-	if d.Default != "" {
+	if len(d.Default) > 0 {
 		def, err = provisioner.NewDuration(d.Default)
 		if err != nil {
 			return nil, nil, nil, admin.WrapErrorISE(err, "error parsing default duration '%s'", d.Default)
@ -918,8 +917,6 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 			Domains:               cfg.Domains,
 			Groups:                cfg.Groups,
 			ListenAddress:         cfg.ListenAddress,
-			Scopes:                cfg.Scopes,
-			AuthParams:            cfg.AuthParams,
 			Claims:                claims,
 			Options:               options,
 		}, nil
@ -1068,8 +1065,6 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 						Groups:                p.Groups,
 						ListenAddress:         p.ListenAddress,
 						TenantId:              p.TenantID,
-						Scopes:                p.Scopes,
-						AuthParams:            p.AuthParams,
 					},
 				},
 			},
--- a/authority/provisioners_test.go
+++ b/authority/provisioners_test.go
@ -149,7 +149,7 @@ func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
 		opts, err := a.Authorize(ctx, token)
 		require.NoError(t, err)
 		opts = append(opts, extraOpts...)
-		certs, err := a.SignWithContext(ctx, csr, provisioner.SignOptions{}, opts...)
+		certs, err := a.Sign(csr, provisioner.SignOptions{}, opts...)
 		require.NoError(t, err)
 		return certs[0]
 	}
--- a/authority/root.go
+++ b/authority/root.go
@ -45,7 +45,7 @@ func (a *Authority) GetRoots() ([]*x509.Certificate, error) {
 // GetFederation returns all the root certificates in the federation.
 // This method implements the Authority interface.
 func (a *Authority) GetFederation() (federation []*x509.Certificate, err error) {
-	a.certificates.Range(func(_, v interface{}) bool {
+	a.certificates.Range(func(k, v interface{}) bool {
 		crt, ok := v.(*x509.Certificate)
 		if !ok {
 			federation = nil
@ -57,26 +57,3 @@ func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
 	})
 	return
 }
-
-// GetIntermediateCertificate return the intermediate certificate that issues
-// the leaf certificates in the CA.
-//
-// This method can return nil if the CA is configured with a Certificate
-// Authority Service (CAS) that does not implement the
-// CertificateAuthorityGetter interface.
-func (a *Authority) GetIntermediateCertificate() *x509.Certificate {
-	if len(a.intermediateX509Certs) > 0 {
-		return a.intermediateX509Certs[0]
-	}
-	return nil
-}
-
-// GetIntermediateCertificates returns a list of all intermediate certificates
-// configured. The first certificate in the list will be the issuer certificate.
-//
-// This method can return an empty list or nil if the CA is configured with a
-// Certificate Authority Service (CAS) that does not implement the
-// CertificateAuthorityGetter interface.
-func (a *Authority) GetIntermediateCertificates() []*x509.Certificate {
-	return a.intermediateX509Certs
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Herman Slatman	675e418fc3	Merge branch 'master' into wire-acme-extensions	5 months ago
Herman Slatman	502334fd82	Merge pull request #1689 from smallstep/beltram/wire-acme-extensions Use two separate Wire identifier types	5 months ago
Herman Slatman	a38132aa58	Fix policy check for Wire user and device identifiers	5 months ago
Herman Slatman	93ba1654ea	Fix tests to work with Wire `UserID` and `DeviceID`	5 months ago
beltram	9eed61a9c5	use switch statement	5 months ago
beltram	b8eb559ee9	Update acme/order.go Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>	5 months ago
beltram	a3de984ee3	fix: use 2 separate identifiers for Wire	5 months ago
Herman Slatman	7e6356ece2	Merge pull request #1670 from smallstep/herman/remove-rusty-cli Remove `rusty-jwt-cli`	5 months ago
Herman Slatman	51d1270541	Merge pull request #1681 from smallstep/herman/fix-wire-extensions Improve access and dpop token validation	5 months ago
Herman Slatman	19dbd02451	Add audience validation to access, dpop and id token	5 months ago
Herman Slatman	2f3819aa4e	Use key authorization from ID token and `handle` -> `preferred_username`	5 months ago
Herman Slatman	36e14de882	Improve Wire persistence errors	5 months ago
Herman Slatman	f150a4f850	Remove `sync.Once` for Wire configuration validation	5 months ago
Herman Slatman	f221232a80	Fix ACME `Validate` test for Wire DPoP challenge	5 months ago
Herman Slatman	b9254744a2	Fix validations for DPoP client ID, nonce and issuer	5 months ago
Herman Slatman	0a7fe6ebe9	Comment DPoP token checks that fail e2e test (currently)	5 months ago
Herman Slatman	0f0f060149	Improve access and dpop token validation	5 months ago
Herman Slatman	17578b57f2	Merge pull request #1673 from smallstep/herman/wire-template-transform Add OIDC token template transformation	5 months ago
Herman Slatman	31bba6fbd8	Merge branch 'wire-acme-extensions' into herman/remove-rusty-cli	5 months ago
Herman Slatman	33be5523da	Merge branch 'master' into wire-acme-extensions	5 months ago
Herman Slatman	7680da7c57	Add realistic OIDC payload to Wire integration test	5 months ago
Herman Slatman	99934ec9a3	Improve test coverage for `wireOIDC01Validate`	5 months ago
Herman Slatman	37106a438a	Fix Wire integration test by acting on realistic access/dpop token	5 months ago
Herman Slatman	7520736f5b	Improve test coverage for `wireDPOP01Validate`	5 months ago
Herman Slatman	a24b2a5c84	Add test case for `validateWireOIDCClaims`	5 months ago
Herman Slatman	8f129a6ced	Add test for `wireDPOP01Validate`	5 months ago
Herman Slatman	d84abac4df	Add test for `wireOIDC01Validate`	5 months ago
Herman Slatman	a2304c8498	Add tests for Wire ID parsing	5 months ago
Herman Slatman	c46434f6e0	Make the example Wire handle consistent	5 months ago
Herman Slatman	bca179d611	Make the Wire API integration test a bit more like the real flow	5 months ago
Herman Slatman	2efd1f682d	Fix expected error type check	5 months ago
Herman Slatman	7d5a79190d	Add tests for Wire `OIDC` and `DPoP` token persistence	5 months ago
Herman Slatman	768a08965d	Store transformed OIDC token	5 months ago
Herman Slatman	29202eff26	Add support for functions in OIDC token transformation template	5 months ago
Herman Slatman	d5b0d92bce	Fix Wire ID token test comment	5 months ago
Herman Slatman	0ad381b092	Add OIDC token template transformation	5 months ago
Herman Slatman	2c27e865cb	Fix linting issue	5 months ago
Herman Slatman	9bb1b24bf1	Change `kid` and `dpop` validation	5 months ago
Herman Slatman	3f37feae78	Merge pull request #1671 from smallstep/herman/wire-configuration-refactor Wire ACME extension configuration refactor	5 months ago
Herman Slatman	c8160caacd	Fix test; reworded error message	5 months ago
Herman Slatman	24795720e1	Perform initialization of DPoP and OIDC options once	5 months ago
Herman Slatman	79739e5073	Change signature algorithm property name	5 months ago
Herman Slatman	7eacb68361	Merge branch 'herman/remove-rusty-cli' into herman/wire-configuration-refactor	5 months ago
Herman Slatman	44721a7d58	Remove debug err print	5 months ago
Herman Slatman	348363abce	Add Wire `DPoP` proof claims verification	5 months ago
Herman Slatman	1bf807add3	Use base64 encoded signing key format	5 months ago
Herman Slatman	1f5f756fce	Make Wire options more robust	5 months ago
Herman Slatman	6ef64b6ed6	Refactor the `Wire` option configuration	5 months ago
Herman Slatman	b6fc0005d5	Add verification of maximum expiry time for Wire tokens	5 months ago
Herman Slatman	b964c97750	Add validation of `handle` and `token` to Wire verification	5 months ago
Herman Slatman	acad227b25	Put Wire options in lower level `wire` struct	5 months ago
Herman Slatman	cd9480ab14	Fix test for `parseAndVerifyWireAccessToken`	5 months ago
Herman Slatman	897688a831	Merge branch 'wire-acme-extensions' into herman/remove-rusty-cli	5 months ago
Herman Slatman	ca8855767d	Fix and add more tests to Wire order identifier validation	5 months ago
Herman Slatman	70a2f431fa	Address review remarks	5 months ago
Herman Slatman	de25740567	Change name of test for Wire Order	5 months ago
Herman Slatman	c7892e9cd3	Remove the `rusty-jwt-cli` configuration	5 months ago
Herman Slatman	a423151207	Merge branch 'wire-acme-extensions' into herman/remove-rusty-cli	5 months ago
Herman Slatman	ffd887f8cc	Fix tests for ACME Wire provisioner	5 months ago
Herman Slatman	8997ce1a1e	Disable `wire-dpop-01` and `wire-oidc-01` by default	5 months ago
Herman Slatman	bf8c17e3ec	Remove the Wire `oidc` and `dpop` from attestation formats	5 months ago
Herman Slatman	033aef9f9d	Merge branch 'wire-acme-extensions' into herman/remove-rusty-cli	5 months ago
Herman Slatman	6a98fea1f3	Fix linter issues	5 months ago
Herman Slatman	8faf26c593	Change `KeyAuth` back to old behavior (for now)	5 months ago
beltram	bf5f1201ea	fix: keyauth was not bound to the id token	5 months ago
Herman Slatman	e2a2e00526	Make template use `DeviceId` for now	5 months ago
Herman Slatman	29fa6621b1	Remove the Wire CLI invocatation	5 months ago
Herman Slatman	7a464cdb17	Use `require` to check for errors in Wire integration test	5 months ago
Herman Slatman	776a839a42	Fix linter issues and improve error handling	5 months ago
Herman Slatman	f5a2f436df	Fix missing `DPoP` and `OIDC` tokens for Wire integration test	5 months ago
Herman Slatman	eb9893bd21	Refactor logic for processing `WireID` identifiers in Order Processing `WireID` identifiers, the Wire subject, and the Wire DPoP and OIDC tokens is now conditional.	5 months ago
Herman Slatman	40668ae09e	Refactor `WireID` target processing a bit	5 months ago
Herman Slatman	01169b2483	Make the `Target` optional in `Challenge` object This is a non-standard property in the ACME challenge response, so we shouldn't return it if it's not set. Also made it an optional field in the DB.	5 months ago
Herman Slatman	85309bb8ec	Fix the integration test	5 months ago
Herman Slatman	fdea5e7db3	Fix tests for new ACME orders with Wire IDs	5 months ago
Herman Slatman	c1a7acc306	Make it compile with Go 1.20 again	5 months ago
beltram	84e9682476	feat: change the separator between user-id & device-id in a client-id. Use '!' instead of ':'	5 months ago
beltram	90b5347887	feat: try using the new ClientId & Handle format (i.e. plain URIs)	5 months ago
beltram	39bf889925	feat: remove query parameters from OIDC issuerUrl so that it allows us to use it to carry the OAuth ClientId in the Challenge.target field without at the same time undermining the idToken verification which relies on a issuer (iss) claim without this query parameter	5 months ago
beltram	d6ceebba94	feat: update the protocol by including team & handle in the client dpop token, verifying the handle in the dpop challenge	5 months ago
beltram	6ffd913e28	feat: remove custom hardcoded OIDC challenge for Google	5 months ago
beltram	2be77385f6	fix: same issue as with oidc challenge	5 months ago
beltram	ff07fdc0fd	fix: oups	5 months ago
beltram	13df461e97	fix: could not reuse a signing key otherwise it would create in accounts & orders and fail the OIDC challenge. The OIDC challenge was not retryable	5 months ago
beltram	83f76433a8	b64 encode the kid since apparently it wasn't	5 months ago
beltram	8fd0192da3	print kid for debugging	5 months ago
beltram	4d028f7813	client jwk was there the whole time	5 months ago
beltram	ed2bce9a3c	fix: access token verification in DPoP challenge. Was previously verifying 'cnf.kid' against backend key whereas it must be against client's key	5 months ago
beltram	5fdf036a4d	fix: invalid OID for display name in CSR	5 months ago
beltram	9d5c974f44	fix: PR review	5 months ago
beltram	1b32957ff6	fix: verify custom display_name extension is present	5 months ago
Herman Slatman	ab9e1ddb28	Make `MockDB` implement `acme.DB` interface again	5 months ago
beltram	7b5740153d	support for oidc id token	5 months ago
beltram	f5b346ee36	i'm tired	5 months ago
beltram	03dbd91418	fix dpop token json serialization to db	5 months ago
beltram	613e6cae6e	wip	5 months ago
Herman Slatman	0b68e1bbcf	Add `GetAllOrdersByAccountID` to `MockDB`	5 months ago
beltram	8888262e45	cheat by allowing also looking up for ready orders	5 months ago
beltram	0bc530c98e	log more things	5 months ago
beltram	2e128056dc	have updateOrder also update the update joint table [order by account]	5 months ago
Herman Slatman	1a711e1b91	Add new Wire DB methods to `acme.DB` interface	5 months ago
beltram	abe86002ee	try by storing everything in db	5 months ago
beltram	76dfcb00e4	try silencing template data for dichotomies	5 months ago
beltram	a32bb66e47	trying to pass access token to template	5 months ago
beltram	ff41a1193d	fix deviceId computing in dpop challenge	5 months ago
Stefan Berthold	5ceed08ae0	Reorganize parsing target	5 months ago
Stefan Berthold	83ba0bdc51	Replace field access by accessor functions	5 months ago
beltram	c4fb19d01f	passing expected issuer to rusty-jwt-cli	5 months ago
beltram	2b1223a080	simpler	5 months ago
beltram	036a144e09	add oidc target	5 months ago
beltram	97002040a5	fix: challenge target field was not mapped to db entity	5 months ago
beltram	d32a3e23f0	wip	5 months ago
beltram	b58de27675	fix: do not convert URIs to lowercase for comparison purpose	5 months ago
beltram	7c9f8020d5	fix: add URI prefix to handle	5 months ago
beltram	680b6ea08f	adapt google demo for wire's special handle format "{firstname}_wire"	5 months ago
beltram	a97991aa83	infer domain from google email address	5 months ago
beltram	49ad2d9967	fix google id token matching in oidc challenge	5 months ago
beltram	a49966f4c9	try using google oidc for demo purpose	5 months ago
beltram	3576cc30c8	forward displayName in CSR with custom OID	5 months ago
beltram	4172b69816	remove displayName validation, potentially harmful	5 months ago
beltram	79501df5a2	fix: exclude displayName from SAN DNS	5 months ago
beltram	3f474f77d4	feat: change from impp prefix to just im	5 months ago
beltram	b6ec4422b4	feat: adapt to dex and pass the 'keyauth' in payload instead of in id_token. Also have a different mapping for id_token claims name	5 months ago
Stefan Berthold	af31a167c6	skip empty entries for uniqueSortedLowerNames	5 months ago
beltram	01ef526d08	change uri prefix to impp:wireapp=	5 months ago
beltram	cc5fd0a6a5	fix san validation	5 months ago
beltram	b3dd169190	cleanup my mess	5 months ago
beltram	3eb0ff43c0	fix orderNames size	5 months ago
beltram	c41a99ad75	(finalize) have both display name & domain in SANs	5 months ago
beltram	5ba0ab3e44	fix csr domain validation in finalize	5 months ago
beltram	73ec6c89d0	fix csr org validation in finalize	5 months ago
beltram	ca01c74333	avoid manipulating the key PEM format and take a plain PEM key as input	5 months ago
beltram	74ddad69dc	fix: challenge is '.token' and not '.id'	5 months ago
beltram	83f6be1f58	print oidc options	5 months ago
Stefan Berthold	2208b03744	avoid panic when OIDC config is not provided	5 months ago
beltram	1fe61bee7b	better observability	5 months ago
Stefan Berthold	e6dd211637	acquire DPoP signing key from provisioner	5 months ago
beltram	227e932624	use json struct for challenge request payload otherwise it's a hell to craft from client side	5 months ago
Stefan Berthold	5ca744567c	simplify OIDC verification	5 months ago
Stefan Berthold	da1e64aa53	update wire challenges' status on happy end	5 months ago
Stefan Berthold	8e0e35532c	Add Wire authz and challenges (OIDC+DPOP)	5 months ago