87 changed files with 1069 additions and 2984 deletions
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@ -6,6 +6,17 @@ permissions:
  pull-requests: write
 jobs:
-  dependabot-auto-merge:
+  dependabot:
-    uses: smallstep/workflows/.github/workflows/dependabot-auto-merge.yml@main
+    runs-on: ubuntu-latest
-    secrets: inherit
+    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.6.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -45,12 +45,12 @@ jobs:
          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> "${GITHUB_ENV}"
      - name: Create Release
        id: create_release
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
-          name: Release ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
          draft: false
          prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -98,7 +98,7 @@ signs:
 - cmd: cosign
  signature: "${artifact}.sig"
  certificate: "${artifact}.pem"
-  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
+  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
  artifacts: all
 snapshot:
@ -268,7 +268,7 @@ winget:
    # Release notes URL.
    #
    # Templates: allowed
-    release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{ .Tag }}"
+    release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{.Version}}"
    # Create the PR - for testing
    skip_upload: auto
@ -283,7 +283,7 @@ winget:
    repository:
      owner: smallstep
      name: winget-pkgs
-      branch: "step-ca-{{.Version}}"
+      branch: step
      # Optionally a token can be provided, if it differs from the token
      # provided to GoReleaser
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -25,63 +25,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ---
 ## [0.26.2] - 2024-06-13
 ### Added
 - Add provisionerID to ACME accounts (smallstep/certificates#1830)
 - Enable verifying ACME provisioner using provisionerID if available (smallstep/certificates#1844)
 - Add methods to Authority to get intermediate certificates (smallstep/certificates#1848)
 - Add GetX509Signer method (smallstep/certificates#1850)
 ### Changed
 - Make ISErrNotFound more flexible (smallstep/certificates#1819)
 - Log errors using slog.Logger (smallstep/certificates#1849)
 - Update hardcoded AWS certificates (smallstep/certificates#1881)
 ## [0.26.1] - 2024-04-22
 ### Added
 - Allow configuration of a custom SCEP key manager (smallstep/certificates#1797)
 ### Fixed
 - id-scep-failInfoText OID (smallstep/certificates#1794)
 - CA startup with Vault RA configuration (smallstep/certificates#1803)
 ## [0.26.0] - 2024-03-28
 ### Added 
 - [TPM KMS](https://github.com/smallstep/crypto/tree/master/kms/tpmkms) support for CA keys (smallstep/certificates#1772)
 - Propagation of HTTP request identifier using X-Request-Id header (smallstep/certificates#1743, smallstep/certificates#1542)
 - Expires header in CRL response (smallstep/certificates#1708)
 - Support for providing TLS configuration programmatically (smallstep/certificates#1685)
 - Support for providing external CAS implementation (smallstep/certificates#1684)
 - AWS `ca-west-1` identity document root certificate (smallstep/certificates#1715)
 - [COSE RS1](https://www.rfc-editor.org/rfc/rfc8812.html#section-2) as a supported algorithm with ACME `device-attest-01` challenge (smallstep/certificates#1663)
 ### Changed 
 - In an RA setup, let the CA decide the RA certificate lifetime (smallstep/certificates#1764)
 - Use Debian Bookworm in Docker containers (smallstep/certificates#1615)
 - Error message for CSR validation (smallstep/certificates#1665)
 - Updated dependencies
 ### Fixed
 - Stop CA when any of the required servers fails to start (smallstep/certificates#1751). Before the fix, the CA would continue running and only log the server failure when stopped.
 - Configuration loading errors when not using context were not returned. Fixed in [cli-utils/109](https://github.com/smallstep/cli-utils/pull/109).
 - HTTP_PROXY and HTTPS_PROXY support for ACME validation client (smallstep/certificates#1658).
 ### Security
 - Upgrade to using cosign v2 for signing artifacts
 ## [0.25.1] - 2023-11-28
 ### Added
--- a/acme/account.go
+++ b/acme/account.go
@ -21,7 +21,6 @@ type Account struct {
 	OrdersURL              string           `json:"orders"`
 	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
 	LocationPrefix         string           `json:"-"`
 	ProvisionerID          string           `json:"-"`
 	ProvisionerName        string           `json:"-"`
 }
--- a/acme/api/account.go
+++ b/acme/api/account.go
@ -82,23 +82,23 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var nar NewAccountRequest
 	if err := json.Unmarshal(payload.value, &nar); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal new-account request payload"))
 		return
 	}
 	if err := nar.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -108,26 +108,26 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 		var acmeErr *acme.Error
 		if !errors.As(err, &acmeErr) || acmeErr.Status != http.StatusBadRequest {
 			// Something went wrong ...
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		// Account does not exist //
 		if nar.OnlyReturnExisting {
-			render.Error(w, r, acme.NewError(acme.ErrorAccountDoesNotExistType,
+			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType,
 				"account does not exist"))
 			return
 		}
 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		eak, err := validateExternalAccountBinding(ctx, &nar)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
@ -136,21 +136,20 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 			Contact:         nar.Contact,
 			Status:          acme.StatusValid,
 			LocationPrefix:  getAccountLocationPath(ctx, linker, ""),
-			ProvisionerID:   prov.ID,
+			ProvisionerName: prov.GetName(),
 			ProvisionerName: prov.Name,
 		}
 		if err := db.CreateAccount(ctx, acc); err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error creating account"))
+			render.Error(w, acme.WrapErrorISE(err, "error creating account"))
 			return
 		}
 		if eak != nil { // means that we have a (valid) External Account Binding key that should be bound, updated and sent in the response
 			if err := eak.BindTo(acc); err != nil {
-				render.Error(w, r, err)
+				render.Error(w, err)
 				return
 			}
 			if err := db.UpdateExternalAccountKey(ctx, prov.ID, eak); err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error updating external account binding key"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating external account binding key"))
 				return
 			}
 			acc.ExternalAccountBinding = nar.ExternalAccountBinding
@ -163,7 +162,7 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 	linker.LinkAccount(ctx, acc)
 	w.Header().Set("Location", getAccountLocationPath(ctx, linker, acc.ID))
-	render.JSONStatus(w, r, acc, httpStatus)
+	render.JSONStatus(w, acc, httpStatus)
 }
 // GetOrUpdateAccount is the api for updating an ACME account.
@ -174,12 +173,12 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -188,12 +187,12 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	if !payload.isPostAsGet {
 		var uar UpdateAccountRequest
 		if err := json.Unmarshal(payload.value, &uar); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 				"failed to unmarshal new-account request payload"))
 			return
 		}
 		if err := uar.Validate(); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if len(uar.Status) > 0 || len(uar.Contact) > 0 {
@ -204,7 +203,7 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 			}
 			if err := db.UpdateAccount(ctx, acc); err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error updating account"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating account"))
 				return
 			}
 		}
@ -213,7 +212,7 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	linker.LinkAccount(ctx, acc)
 	w.Header().Set("Location", linker.GetLink(ctx, acme.AccountLinkType, acc.ID))
-	render.JSON(w, r, acc)
+	render.JSON(w, acc)
 }
 func logOrdersByAccount(w http.ResponseWriter, oids []string) {
@ -233,23 +232,23 @@ func GetOrdersByAccountID(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	accID := chi.URLParam(r, "accID")
 	if acc.ID != accID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
 		return
 	}
 	orders, err := db.GetOrdersByAccountID(ctx, acc.ID)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	linker.LinkOrdersByAccountID(ctx, orders)
-	render.JSON(w, r, orders)
+	render.JSON(w, orders)
 	logOrdersByAccount(w, orders)
 }
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
@ -14,7 +14,6 @@ import (
 	"time"
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"go.step.sm/crypto/jose"
@ -67,19 +66,6 @@ func newProv() acme.Provisioner {
 	return p
 }
 func newProvWithID() acme.Provisioner {
 	// Initialize provisioners
 	p := &provisioner.ACME{
 		ID:   uuid.NewString(),
 		Type: "ACME",
 		Name: "test@acme-<test>provisioner.com",
 	}
 	if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
 		fmt.Printf("%v", err)
 	}
 	return p
 }
 func newProvWithOptions(options *provisioner.Options) acme.Provisioner {
 	// Initialize provisioners
 	p := &provisioner.ACME{
--- a/acme/api/handler.go
+++ b/acme/api/handler.go
@ -223,13 +223,13 @@ func GetDirectory(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acmeProv, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	linker := acme.MustLinkerFromContext(ctx)
-	render.JSON(w, r, &Directory{
+	render.JSON(w, &Directory{
 		NewNonce:   linker.GetLink(ctx, acme.NewNonceLinkType),
 		NewAccount: linker.GetLink(ctx, acme.NewAccountLinkType),
 		NewOrder:   linker.GetLink(ctx, acme.NewOrderLinkType),
@ -273,8 +273,8 @@ func shouldAddMetaObject(p *provisioner.ACME) bool {
 // NotImplemented returns a 501 and is generally a placeholder for functionality which
 // MAY be added at some point in the future but is not in any way a guarantee of such.
-func NotImplemented(w http.ResponseWriter, r *http.Request) {
+func NotImplemented(w http.ResponseWriter, _ *http.Request) {
-	render.Error(w, r, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
+	render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
 }
 // GetAuthorization ACME api for retrieving an Authz.
@ -285,28 +285,28 @@ func GetAuthorization(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	az, err := db.GetAuthorization(ctx, chi.URLParam(r, "authzID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving authorization"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving authorization"))
 		return
 	}
 	if acc.ID != az.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own authorization '%s'", acc.ID, az.ID))
 		return
 	}
 	if err = az.UpdateStatus(ctx, db); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error updating authorization status"))
+		render.Error(w, acme.WrapErrorISE(err, "error updating authorization status"))
 		return
 	}
 	linker.LinkAuthorization(ctx, az)
 	w.Header().Set("Location", linker.GetLink(ctx, acme.AuthzLinkType, az.ID))
-	render.JSON(w, r, az)
+	render.JSON(w, az)
 }
 // GetChallenge ACME api for retrieving a Challenge.
@ -317,13 +317,13 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -336,22 +336,22 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {
 	azID := chi.URLParam(r, "authzID")
 	ch, err := db.GetChallenge(ctx, chi.URLParam(r, "chID"), azID)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving challenge"))
 		return
 	}
 	ch.AuthorizationID = azID
 	if acc.ID != ch.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own challenge '%s'", acc.ID, ch.ID))
 		return
 	}
 	jwk, err := jwkFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if err = ch.Validate(ctx, db, jwk, payload.value); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error validating challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error validating challenge"))
 		return
 	}
@ -359,7 +359,7 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {
 	w.Header().Add("Link", link(linker.GetLink(ctx, acme.AuthzLinkType, azID), "up"))
 	w.Header().Set("Location", linker.GetLink(ctx, acme.ChallengeLinkType, azID, ch.ID))
-	render.JSON(w, r, ch)
+	render.JSON(w, ch)
 }
 // GetCertificate ACME api for retrieving a Certificate.
@ -369,18 +369,18 @@ func GetCertificate(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	certID := chi.URLParam(r, "certID")
 	cert, err := db.GetCertificate(ctx, certID)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving certificate"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate"))
 		return
 	}
 	if cert.AccountID != acc.ID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own certificate '%s'", acc.ID, certID))
 		return
 	}
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -36,7 +36,7 @@ func addNonce(next nextHTTP) nextHTTP {
 		db := acme.MustDatabaseFromContext(r.Context())
 		nonce, err := db.CreateNonce(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		w.Header().Set("Replay-Nonce", string(nonce))
@ -64,7 +64,7 @@ func verifyContentType(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		p, err := provisionerFromContext(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
@ -88,7 +88,7 @@ func verifyContentType(next nextHTTP) nextHTTP {
 				return
 			}
 		}
-		render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+		render.Error(w, acme.NewError(acme.ErrorMalformedType,
 			"expected content-type to be in %s, but got %s", expected, ct))
 	}
 }
@ -98,12 +98,12 @@ func parseJWS(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "failed to read request body"))
+			render.Error(w, acme.WrapErrorISE(err, "failed to read request body"))
 			return
 		}
 		jws, err := jose.ParseJWS(string(body))
 		if err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "failed to parse JWS from request body"))
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "failed to parse JWS from request body"))
 			return
 		}
 		ctx := context.WithValue(r.Context(), jwsContextKey, jws)
@ -133,15 +133,15 @@ func validateJWS(next nextHTTP) nextHTTP {
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if len(jws.Signatures) == 0 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "request body does not contain a signature"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "request body does not contain a signature"))
 			return
 		}
 		if len(jws.Signatures) > 1 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "request body contains more than one signature"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "request body contains more than one signature"))
 			return
 		}
@ -152,7 +152,7 @@ func validateJWS(next nextHTTP) nextHTTP {
 			uh.Algorithm != "" ||
 			uh.Nonce != "" ||
 			len(uh.ExtraHeaders) > 0 {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "unprotected header must not be used"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "unprotected header must not be used"))
 			return
 		}
 		hdr := sig.Protected
@ -162,13 +162,13 @@ func validateJWS(next nextHTTP) nextHTTP {
 				switch k := hdr.JSONWebKey.Key.(type) {
 				case *rsa.PublicKey:
 					if k.Size() < keyutil.MinRSAKeyBytes {
-						render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+						render.Error(w, acme.NewError(acme.ErrorMalformedType,
 							"rsa keys must be at least %d bits (%d bytes) in size",
 							8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes))
 						return
 					}
 				default:
-					render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+					render.Error(w, acme.NewError(acme.ErrorMalformedType,
 						"jws key type and algorithm do not match"))
 					return
 				}
@ -176,35 +176,35 @@ func validateJWS(next nextHTTP) nextHTTP {
 		case jose.ES256, jose.ES384, jose.ES512, jose.EdDSA:
 			// we good
 		default:
-			render.Error(w, r, acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm))
+			render.Error(w, acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm))
 			return
 		}
 		// Check the validity/freshness of the Nonce.
 		if err := db.DeleteNonce(ctx, acme.Nonce(hdr.Nonce)); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		// Check that the JWS url matches the requested url.
 		jwsURL, ok := hdr.ExtraHeaders["url"].(string)
 		if !ok {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jws missing url protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jws missing url protected header"))
 			return
 		}
 		reqURL := &url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path}
 		if jwsURL != reqURL.String() {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+			render.Error(w, acme.NewError(acme.ErrorMalformedType,
 				"url header in JWS (%s) does not match request url (%s)", jwsURL, reqURL))
 			return
 		}
 		if hdr.JSONWebKey != nil && hdr.KeyID != "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jwk and kid are mutually exclusive"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jwk and kid are mutually exclusive"))
 			return
 		}
 		if hdr.JSONWebKey == nil && hdr.KeyID == "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "either jwk or kid must be defined in jws protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "either jwk or kid must be defined in jws protected header"))
 			return
 		}
 		next(w, r)
@ -221,23 +221,23 @@ func extractJWK(next nextHTTP) nextHTTP {
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		jwk := jws.Signatures[0].Protected.JSONWebKey
 		if jwk == nil {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "jwk expected in protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "jwk expected in protected header"))
 			return
 		}
 		if !jwk.Valid() {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "invalid jwk in protected header"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "invalid jwk in protected header"))
 			return
 		}
 		// Overwrite KeyID with the JWK thumbprint.
 		jwk.KeyID, err = acme.KeyToID(jwk)
 		if err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error getting KeyID from JWK"))
+			render.Error(w, acme.WrapErrorISE(err, "error getting KeyID from JWK"))
 			return
 		}
@ -247,15 +247,15 @@ func extractJWK(next nextHTTP) nextHTTP {
 		// Get Account OR continue to generate a new one OR continue Revoke with certificate private key
 		acc, err := db.GetAccountByKeyID(ctx, jwk.KeyID)
 		switch {
-		case acme.IsErrNotFound(err):
+		case errors.Is(err, acme.ErrNotFound):
 			// For NewAccount and Revoke requests ...
 			break
 		case err != nil:
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		default:
 			if !acc.IsValid() {
-				render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
+				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}
 			ctx = context.WithValue(ctx, accContextKey, acc)
@ -274,11 +274,11 @@ func checkPrerequisites(next nextHTTP) nextHTTP {
 		if ok {
 			ok, err := checkFunc(ctx)
 			if err != nil {
-				render.Error(w, r, acme.WrapErrorISE(err, "error checking acme provisioner prerequisites"))
+				render.Error(w, acme.WrapErrorISE(err, "error checking acme provisioner prerequisites"))
 				return
 			}
 			if !ok {
-				render.Error(w, r, acme.NewError(acme.ErrorNotImplementedType, "acme provisioner configuration lacks prerequisites"))
+				render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "acme provisioner configuration lacks prerequisites"))
 				return
 			}
 		}
@ -296,13 +296,13 @@ func lookupJWK(next nextHTTP) nextHTTP {
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		kid := jws.Signatures[0].Protected.KeyID
 		if kid == "" {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"))
 			return
 		}
@ -310,14 +310,14 @@ func lookupJWK(next nextHTTP) nextHTTP {
 		acc, err := db.GetAccount(ctx, accID)
 		switch {
 		case acme.IsErrNotFound(err):
-			render.Error(w, r, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
+			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
 			return
 		case err != nil:
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		default:
 			if !acc.IsValid() {
-				render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
+				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}
@ -325,7 +325,7 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				if kid != storedLocation {
 					// ACME accounts should have a stored location equivalent to the
 					// kid in the ACME request.
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 						"kid does not match stored account location; expected %s, but got %s",
 						storedLocation, kid))
 					return
@ -334,16 +334,14 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				// Verify that the provisioner with which the account was created
 				// matches the provisioner in the request URL.
 				reqProv := acme.MustProvisionerFromContext(ctx)
-				switch {
+				reqProvName := reqProv.GetName()
-				case acc.ProvisionerID == "" && acc.ProvisionerName != reqProv.GetName():
+				accProvName := acc.ProvisionerName
-					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+				if reqProvName != accProvName {
-						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+					// Provisioner in the URL must match the provisioner with
-						acc.ProvisionerName, reqProv.GetName()))
+					// which the account was created.
-					return
+					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 				case acc.ProvisionerID != "" && acc.ProvisionerID != reqProv.GetID():
 					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
 						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						acc.ProvisionerID, reqProv.GetID()))
+						accProvName, reqProvName))
 					return
 				}
 			} else {
@ -355,7 +353,7 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				linker := acme.MustLinkerFromContext(ctx)
 				kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
 				if !strings.HasPrefix(kid, kidPrefix) {
-					render.Error(w, r, acme.NewError(acme.ErrorMalformedType,
+					render.Error(w, acme.NewError(acme.ErrorMalformedType,
 						"kid does not have required prefix; expected %s, but got %s",
 						kidPrefix, kid))
 					return
@ -376,7 +374,7 @@ func extractOrLookupJWK(next nextHTTP) nextHTTP {
 		ctx := r.Context()
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
@ -412,16 +410,16 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
 		ctx := r.Context()
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if jwk.Algorithm != "" && jwk.Algorithm != jws.Signatures[0].Protected.Algorithm {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "verifier and signature algorithm do not match"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "verifier and signature algorithm do not match"))
 			return
 		}
@ -430,11 +428,11 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
 		case errors.Is(err, jose.ErrCryptoFailure):
 			payload, err = retryVerificationWithPatchedSignatures(jws, jwk)
 			if err != nil {
-				render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws with patched signature(s)"))
+				render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws with patched signature(s)"))
 				return
 			}
 		case err != nil:
-			render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws"))
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error verifying jws"))
 			return
 		}
@ -551,11 +549,11 @@ func isPostAsGet(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		payload, err := payloadFromContext(r.Context())
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		if !payload.isPostAsGet {
-			render.Error(w, r, acme.NewError(acme.ErrorMalformedType, "expected POST-as-GET"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType, "expected POST-as-GET"))
 			return
 		}
 		next(w, r)
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -15,7 +15,6 @@ import (
 	"strings"
 	"testing"
 	"github.com/google/uuid"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	tassert "github.com/stretchr/testify/assert"
@ -832,37 +831,8 @@ func TestHandler_lookupJWK(t *testing.T) {
 				},
 				statusCode: http.StatusUnauthorized,
 				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+					"account provisioner does not match requested provisioner; account provisioner = %s, reqested provisioner = %s",
-					"other", prov.GetName()),
+					prov.GetName(), "other"),
 			}
 		},
 		"fail/account-with-location-prefix/bad-provisioner-id": func(t *testing.T) test {
 			p := newProvWithID()
 			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: uuid.NewString()}
 			ctx := acme.NewProvisionerContext(context.Background(), p)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
 			return test{
 				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
 						assert.Equals(t, id, accID)
 						return acc, nil
 					},
 				},
 				ctx: ctx,
 				next: func(w http.ResponseWriter, r *http.Request) {
 					_acc, err := accountFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _acc, acc)
 					_jwk, err := jwkFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _jwk, jwk)
 					w.Write(testBody)
 				},
 				statusCode: http.StatusUnauthorized,
 				err: acme.NewError(acme.ErrorUnauthorizedType,
 					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
 					acc.ProvisionerID, p.GetID()),
 			}
 		},
 		"ok/account-with-location-prefix": func(t *testing.T) test {
@ -915,32 +885,6 @@ func TestHandler_lookupJWK(t *testing.T) {
 				statusCode: 200,
 			}
 		},
 		"ok/account-with-provisioner-id": func(t *testing.T) test {
 			p := newProvWithID()
 			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: p.GetID()}
 			ctx := acme.NewProvisionerContext(context.Background(), p)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
 			return test{
 				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
 						assert.Equals(t, id, accID)
 						return acc, nil
 					},
 				},
 				ctx: ctx,
 				next: func(w http.ResponseWriter, r *http.Request) {
 					_acc, err := accountFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _acc, acc)
 					_jwk, err := jwkFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _jwk, jwk)
 					w.Write(testBody)
 				},
 				statusCode: 200,
 			}
 		},
 	}
 	for name, run := range tests {
 		tc := run(t)
--- a/acme/api/order.go
+++ b/acme/api/order.go
@ -99,29 +99,29 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var nor NewOrderRequest
 	if err := json.Unmarshal(payload.value, &nor); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal new-order request payload"))
 		return
 	}
 	if err := nor.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -130,39 +130,39 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 	acmeProv, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var eak *acme.ExternalAccountKey
 	if acmeProv.RequireEAB {
 		if eak, err = db.GetExternalAccountKeyByAccountID(ctx, prov.GetID(), acc.ID); err != nil {
-			render.Error(w, r, acme.WrapErrorISE(err, "error retrieving external account binding key"))
+			render.Error(w, acme.WrapErrorISE(err, "error retrieving external account binding key"))
 			return
 		}
 	}
 	acmePolicy, err := newACMEPolicyEngine(eak)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error creating ACME policy engine"))
+		render.Error(w, acme.WrapErrorISE(err, "error creating ACME policy engine"))
 		return
 	}
 	for _, identifier := range nor.Identifiers {
 		// evaluate the ACME account level policy
 		if err = isIdentifierAllowed(acmePolicy, identifier); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 		// evaluate the provisioner level policy
 		orderIdentifier := provisioner.ACMEIdentifier{Type: provisioner.ACMEIdentifierType(identifier.Type), Value: identifier.Value}
 		if err = prov.AuthorizeOrderIdentifier(ctx, orderIdentifier); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 		// evaluate the authority level policy
 		if err = ca.AreSANsAllowed(ctx, []string{identifier.Value}); err != nil {
-			render.Error(w, r, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
+			render.Error(w, acme.WrapError(acme.ErrorRejectedIdentifierType, err, "not authorized"))
 			return
 		}
 	}
@ -188,7 +188,7 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 			Status:     acme.StatusPending,
 		}
 		if err := newAuthorization(ctx, az); err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		o.AuthorizationIDs[i] = az.ID
@ -207,14 +207,14 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
 	}
 	if err := db.CreateOrder(ctx, o); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error creating order"))
+		render.Error(w, acme.WrapErrorISE(err, "error creating order"))
 		return
 	}
 	linker.LinkOrder(ctx, o)
 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSONStatus(w, r, o, http.StatusCreated)
+	render.JSONStatus(w, o, http.StatusCreated)
 }
 func isIdentifierAllowed(acmePolicy policy.X509Policy, identifier acme.Identifier) error {
@ -226,7 +226,6 @@ func isIdentifierAllowed(acmePolicy policy.X509Policy, identifier acme.Identifie
 func newACMEPolicyEngine(eak *acme.ExternalAccountKey) (policy.X509Policy, error) {
 	if eak == nil {
 		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}
 	return policy.NewX509PolicyEngine(eak.Policy)
@ -289,39 +288,39 @@ func GetOrder(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	o, err := db.GetOrder(ctx, chi.URLParam(r, "ordID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving order"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving order"))
 		return
 	}
 	if acc.ID != o.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own order '%s'", acc.ID, o.ID))
 		return
 	}
 	if prov.GetID() != o.ProvisionerID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"provisioner '%s' does not own order '%s'", prov.GetID(), o.ID))
 		return
 	}
 	if err = o.UpdateStatus(ctx, db); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error updating order status"))
+		render.Error(w, acme.WrapErrorISE(err, "error updating order status"))
 		return
 	}
 	linker.LinkOrder(ctx, o)
 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSON(w, r, o)
+	render.JSON(w, o)
 }
 // FinalizeOrder attempts to finalize an order and create a certificate.
@ -332,56 +331,56 @@ func FinalizeOrder(w http.ResponseWriter, r *http.Request) {
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var fr FinalizeRequest
 	if err := json.Unmarshal(payload.value, &fr); err != nil {
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal finalize-order request payload"))
 		return
 	}
 	if err := fr.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	o, err := db.GetOrder(ctx, chi.URLParam(r, "ordID"))
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving order"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving order"))
 		return
 	}
 	if acc.ID != o.AccountID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own order '%s'", acc.ID, o.ID))
 		return
 	}
 	if prov.GetID() != o.ProvisionerID {
-		render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"provisioner '%s' does not own order '%s'", prov.GetID(), o.ID))
 		return
 	}
 	ca := mustAuthority(ctx)
 	if err = o.Finalize(ctx, db, fr.csr, ca, prov); err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error finalizing order"))
+		render.Error(w, acme.WrapErrorISE(err, "error finalizing order"))
 		return
 	}
 	linker.LinkOrder(ctx, o)
 	w.Header().Set("Location", linker.GetLink(ctx, acme.OrderLinkType, o.ID))
-	render.JSON(w, r, o)
+	render.JSON(w, o)
 }
 // challengeTypes determines the types of challenges that should be used
--- a/acme/api/revoke.go
+++ b/acme/api/revoke.go
@ -33,65 +33,65 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 	jws, err := jwsFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov, err := provisionerFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	var p revokePayload
 	err = json.Unmarshal(payload.value, &p)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error unmarshaling payload"))
+		render.Error(w, acme.WrapErrorISE(err, "error unmarshaling payload"))
 		return
 	}
 	certBytes, err := base64.RawURLEncoding.DecodeString(p.Certificate)
 	if err != nil {
 		// in this case the most likely cause is a client that didn't properly encode the certificate
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding payload certificate property"))
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding payload certificate property"))
 		return
 	}
 	certToBeRevoked, err := x509.ParseCertificate(certBytes)
 	if err != nil {
 		// in this case a client may have encoded something different than a certificate
-		render.Error(w, r, acme.WrapError(acme.ErrorMalformedType, err, "error parsing certificate"))
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err, "error parsing certificate"))
 		return
 	}
 	serial := certToBeRevoked.SerialNumber.String()
 	dbCert, err := db.GetCertificateBySerial(ctx, serial)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving certificate by serial"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate by serial"))
 		return
 	}
 	if !bytes.Equal(dbCert.Leaf.Raw, certToBeRevoked.Raw) {
 		// this should never happen
-		render.Error(w, r, acme.NewErrorISE("certificate raw bytes are not equal"))
+		render.Error(w, acme.NewErrorISE("certificate raw bytes are not equal"))
 		return
 	}
 	if shouldCheckAccountFrom(jws) {
 		account, err := accountFromContext(ctx)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		acmeErr := isAccountAuthorized(ctx, dbCert, certToBeRevoked, account)
 		if acmeErr != nil {
-			render.Error(w, r, acmeErr)
+			render.Error(w, acmeErr)
 			return
 		}
 	} else {
@ -100,7 +100,7 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 		_, err := jws.Verify(certToBeRevoked.PublicKey)
 		if err != nil {
 			// TODO(hs): possible to determine an error vs. unauthorized and thus provide an ISE vs. Unauthorized?
-			render.Error(w, r, wrapUnauthorizedError(certToBeRevoked, nil, "verification of jws using certificate public key failed", err))
+			render.Error(w, wrapUnauthorizedError(certToBeRevoked, nil, "verification of jws using certificate public key failed", err))
 			return
 		}
 	}
@ -108,19 +108,19 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 	ca := mustAuthority(ctx)
 	hasBeenRevokedBefore, err := ca.IsRevoked(serial)
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error retrieving revocation status of certificate"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving revocation status of certificate"))
 		return
 	}
 	if hasBeenRevokedBefore {
-		render.Error(w, r, acme.NewError(acme.ErrorAlreadyRevokedType, "certificate was already revoked"))
+		render.Error(w, acme.NewError(acme.ErrorAlreadyRevokedType, "certificate was already revoked"))
 		return
 	}
 	reasonCode := p.ReasonCode
 	acmeErr := validateReasonCode(reasonCode)
 	if acmeErr != nil {
-		render.Error(w, r, acmeErr)
+		render.Error(w, acmeErr)
 		return
 	}
@ -128,14 +128,14 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 	ctx = provisioner.NewContextWithMethod(ctx, provisioner.RevokeMethod)
 	err = prov.AuthorizeRevoke(ctx, "")
 	if err != nil {
-		render.Error(w, r, acme.WrapErrorISE(err, "error authorizing revocation on provisioner"))
+		render.Error(w, acme.WrapErrorISE(err, "error authorizing revocation on provisioner"))
 		return
 	}
 	options := revokeOptions(serial, certToBeRevoked, reasonCode)
 	err = ca.Revoke(ctx, options)
 	if err != nil {
-		render.Error(w, r, wrapRevokeErr(err))
+		render.Error(w, wrapRevokeErr(err))
 		return
 	}
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -726,7 +726,7 @@ var (
 	oidTCGKpAIKCertificate       = asn1.ObjectIdentifier{2, 23, 133, 8, 3}
 )
-// validateAKCertificate validates the X.509 AK certificate to be
+// validateAKCertifiate validates the X.509 AK certificate to be
 // in accordance with the required properties. The requirements come from:
 // https://www.w3.org/TR/webauthn-2/#sctn-tpm-cert-requirements.
 //
@ -735,7 +735,7 @@ var (
 //   - The Subject Alternative Name extension MUST be set as defined
 //     in [TPMv2-EK-Profile] section 3.2.9.
 //   - The Extended Key Usage extension MUST contain the OID 2.23.133.8.3
-//     ("joint-iso-itu-t(2) international-organizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").
+//     ("joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").
 //   - The Basic Constraints extension MUST have the CA component set to false.
 //   - An Authority Information Access (AIA) extension with entry id-ad-ocsp
 //     and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as
--- a/acme/common.go
+++ b/acme/common.go
@ -130,7 +130,7 @@ func (m *MockProvisioner) GetName() string {
 	return m.Mret1.(string)
 }
-// AuthorizeOrderIdentifier mock
+// AuthorizeOrderIdentifiers mock
 func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
 	if m.MauthorizeOrderIdentifier != nil {
 		return m.MauthorizeOrderIdentifier(ctx, identifier)
--- a/acme/db.go
+++ b/acme/db.go
@ -2,7 +2,6 @@ package acme
 import (
 	"context"
 	"database/sql"
 	"github.com/pkg/errors"
 )
@ -16,7 +15,7 @@ var ErrNotFound = errors.New("not found")
 // IsErrNotFound returns true if the error is a "not found" error. Returns false
 // otherwise.
 func IsErrNotFound(err error) bool {
-	return errors.Is(err, ErrNotFound) || errors.Is(err, sql.ErrNoRows)
+	return errors.Is(err, ErrNotFound)
 }
 // DB is the DB interface expected by the step-ca ACME API.
--- a/acme/db/nosql/account.go
+++ b/acme/db/nosql/account.go
@ -18,7 +18,6 @@ type dbAccount struct {
 	Contact         []string         `json:"contact,omitempty"`
 	Status          acme.Status      `json:"status"`
 	LocationPrefix  string           `json:"locationPrefix"`
 	ProvisionerID   string           `json:"provisionerID,omitempty"`
 	ProvisionerName string           `json:"provisionerName"`
 	CreatedAt       time.Time        `json:"createdAt"`
 	DeactivatedAt   time.Time        `json:"deactivatedAt"`
@ -70,7 +69,6 @@ func (db *DB) GetAccount(ctx context.Context, id string) (*acme.Account, error)
 		Key:             dbacc.Key,
 		ID:              dbacc.ID,
 		LocationPrefix:  dbacc.LocationPrefix,
 		ProvisionerID:   dbacc.ProvisionerID,
 		ProvisionerName: dbacc.ProvisionerName,
 	}, nil
 }
@ -99,7 +97,6 @@ func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error {
 		Status:          acc.Status,
 		CreatedAt:       clock.Now(),
 		LocationPrefix:  acc.LocationPrefix,
 		ProvisionerID:   acc.ProvisionerID,
 		ProvisionerName: acc.ProvisionerName,
 	}
--- a/acme/db/nosql/account_test.go
+++ b/acme/db/nosql/account_test.go
@ -68,14 +68,12 @@ func TestDB_getDBAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			dbacc := &dbAccount{
-				ID:              accID,
+				ID:            accID,
-				Status:          acme.StatusDeactivated,
+				Status:        acme.StatusDeactivated,
-				CreatedAt:       now,
+				CreatedAt:     now,
-				DeactivatedAt:   now,
+				DeactivatedAt: now,
-				Contact:         []string{"foo", "bar"},
+				Contact:       []string{"foo", "bar"},
-				Key:             jwk,
+				Key:           jwk,
 				ProvisionerID:   "73d2c0f1-9753-448b-9b48-bf00fe434681",
 				ProvisionerName: "acme",
 			}
 			b, err := json.Marshal(dbacc)
 			assert.FatalError(t, err)
--- a/acme/db_test.go
+++ b/acme/db_test.go
@ -1,32 +0,0 @@
 package acme
 import (
 	"database/sql"
 	"errors"
 	"fmt"
 	"testing"
 )
 func TestIsErrNotFound(t *testing.T) {
 	type args struct {
 		err error
 	}
 	tests := []struct {
 		name string
 		args args
 		want bool
 	}{
 		{"true ErrNotFound", args{ErrNotFound}, true},
 		{"true sql.ErrNoRows", args{sql.ErrNoRows}, true},
 		{"true wrapped ErrNotFound", args{fmt.Errorf("something failed: %w", ErrNotFound)}, true},
 		{"true wrapped sql.ErrNoRows", args{fmt.Errorf("something failed: %w", sql.ErrNoRows)}, true},
 		{"false other", args{errors.New("not found")}, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := IsErrNotFound(tt.args.err); got != tt.want {
 				t.Errorf("IsErrNotFound() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
--- a/acme/errors.go
+++ b/acme/errors.go
@ -424,7 +424,7 @@ func (e *Error) ToLog() (interface{}, error) {
 }
 // Render implements render.RenderableError for Error.
-func (e *Error) Render(w http.ResponseWriter, r *http.Request) {
+func (e *Error) Render(w http.ResponseWriter) {
 	w.Header().Set("Content-Type", "application/problem+json")
-	render.JSONStatus(w, r, e, e.StatusCode())
+	render.JSONStatus(w, e, e.StatusCode())
 }
--- a/acme/linker.go
+++ b/acme/linker.go
@ -186,19 +186,19 @@ func (l *linker) Middleware(next http.Handler) http.Handler {
 		nameEscaped := chi.URLParam(r, "provisionerID")
 		name, err := url.PathUnescape(nameEscaped)
 		if err != nil {
-			render.Error(w, r, WrapErrorISE(err, "error url unescaping provisioner name '%s'", nameEscaped))
+			render.Error(w, WrapErrorISE(err, "error url unescaping provisioner name '%s'", nameEscaped))
 			return
 		}
 		p, err := authority.MustFromContext(ctx).LoadProvisionerByName(name)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		acmeProv, ok := p.(*provisioner.ACME)
 		if !ok {
-			render.Error(w, r, NewError(ErrorAccountDoesNotExistType, "provisioner must be of type ACME"))
+			render.Error(w, NewError(ErrorAccountDoesNotExistType, "provisioner must be of type ACME"))
 			return
 		}
--- a/acme/order.go
+++ b/acme/order.go
@ -127,7 +127,7 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
 	return nil
 }
-// getAuthorizationFingerprint returns a fingerprint from the list of authorizations. This
+// getKeyFingerprint returns a fingerprint from the list of authorizations. This
 // fingerprint is used on the device-attest-01 flow to verify the attestation
 // certificate public key with the CSR public key.
 //
--- a/api/api.go
+++ b/api/api.go
@ -353,15 +353,15 @@ func Route(r Router) {
 // Version is an HTTP handler that returns the version of the server.
 func Version(w http.ResponseWriter, r *http.Request) {
 	v := mustAuthority(r.Context()).Version()
-	render.JSON(w, r, VersionResponse{
+	render.JSON(w, VersionResponse{
 		Version:                     v.Version,
 		RequireClientAuthentication: v.RequireClientAuthentication,
 	})
 }
 // Health is an HTTP handler that returns the status of the server.
-func Health(w http.ResponseWriter, r *http.Request) {
+func Health(w http.ResponseWriter, _ *http.Request) {
-	render.JSON(w, r, HealthResponse{Status: "ok"})
+	render.JSON(w, HealthResponse{Status: "ok"})
 }
 // Root is an HTTP handler that using the SHA256 from the URL, returns the root
@ -372,11 +372,11 @@ func Root(w http.ResponseWriter, r *http.Request) {
 	// Load root certificate with the
 	cert, err := mustAuthority(r.Context()).Root(sum)
 	if err != nil {
-		render.Error(w, r, errs.Wrapf(http.StatusNotFound, err, "%s was not found", r.RequestURI))
+		render.Error(w, errs.Wrapf(http.StatusNotFound, err, "%s was not found", r.RequestURI))
 		return
 	}
-	render.JSON(w, r, &RootResponse{RootPEM: Certificate{cert}})
+	render.JSON(w, &RootResponse{RootPEM: Certificate{cert}})
 }
 func certChainToPEM(certChain []*x509.Certificate) []Certificate {
@ -391,17 +391,17 @@ func certChainToPEM(certChain []*x509.Certificate) []Certificate {
 func Provisioners(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	p, next, err := mustAuthority(r.Context()).GetProvisioners(cursor, limit)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &ProvisionersResponse{
+	render.JSON(w, &ProvisionersResponse{
 		Provisioners: p,
 		NextCursor:   next,
 	})
@ -412,18 +412,18 @@ func ProvisionerKey(w http.ResponseWriter, r *http.Request) {
 	kid := chi.URLParam(r, "kid")
 	key, err := mustAuthority(r.Context()).GetEncryptedKey(kid)
 	if err != nil {
-		render.Error(w, r, errs.NotFoundErr(err))
+		render.Error(w, errs.NotFoundErr(err))
 		return
 	}
-	render.JSON(w, r, &ProvisionerKeyResponse{key})
+	render.JSON(w, &ProvisionerKeyResponse{key})
 }
 // Roots returns all the root certificates for the CA.
 func Roots(w http.ResponseWriter, r *http.Request) {
 	roots, err := mustAuthority(r.Context()).GetRoots()
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error getting roots"))
+		render.Error(w, errs.ForbiddenErr(err, "error getting roots"))
 		return
 	}
@ -432,7 +432,7 @@ func Roots(w http.ResponseWriter, r *http.Request) {
 		certs[i] = Certificate{roots[i]}
 	}
-	render.JSONStatus(w, r, &RootsResponse{
+	render.JSONStatus(w, &RootsResponse{
 		Certificates: certs,
 	}, http.StatusCreated)
 }
@ -441,7 +441,7 @@ func Roots(w http.ResponseWriter, r *http.Request) {
 func RootsPEM(w http.ResponseWriter, r *http.Request) {
 	roots, err := mustAuthority(r.Context()).GetRoots()
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
@ -454,7 +454,7 @@ func RootsPEM(w http.ResponseWriter, r *http.Request) {
 		})
 		if _, err := w.Write(block); err != nil {
-			log.Error(w, r, err)
+			log.Error(w, err)
 			return
 		}
 	}
@ -464,7 +464,7 @@ func RootsPEM(w http.ResponseWriter, r *http.Request) {
 func Federation(w http.ResponseWriter, r *http.Request) {
 	federated, err := mustAuthority(r.Context()).GetFederation()
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error getting federated roots"))
+		render.Error(w, errs.ForbiddenErr(err, "error getting federated roots"))
 		return
 	}
@ -473,7 +473,7 @@ func Federation(w http.ResponseWriter, r *http.Request) {
 		certs[i] = Certificate{federated[i]}
 	}
-	render.JSONStatus(w, r, &FederationResponse{
+	render.JSONStatus(w, &FederationResponse{
 		Certificates: certs,
 	}, http.StatusCreated)
 }
--- a/api/crl.go
+++ b/api/crl.go
@ -13,12 +13,12 @@ import (
 func CRL(w http.ResponseWriter, r *http.Request) {
 	crlInfo, err := mustAuthority(r.Context()).GetCertificateRevocationList()
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if crlInfo == nil {
-		render.Error(w, r, errs.New(http.StatusNotFound, "no CRL available"))
+		render.Error(w, errs.New(http.StatusNotFound, "no CRL available"))
 		return
 	}
--- a/api/log/log.go
+++ b/api/log/log.go
@ -2,7 +2,6 @@
 package log
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"os"
@ -10,29 +9,6 @@ import (
 	"github.com/pkg/errors"
 )
 type errorLoggerKey struct{}
 // ErrorLogger is the function type used to log errors.
 type ErrorLogger func(http.ResponseWriter, *http.Request, error)
 func (fn ErrorLogger) call(w http.ResponseWriter, r *http.Request, err error) {
 	if fn == nil {
 		return
 	}
 	fn(w, r, err)
 }
 // WithErrorLogger returns a new context with the given error logger.
 func WithErrorLogger(ctx context.Context, fn ErrorLogger) context.Context {
 	return context.WithValue(ctx, errorLoggerKey{}, fn)
 }
 // ErrorLoggerFromContext returns an error logger from the context.
 func ErrorLoggerFromContext(ctx context.Context) (fn ErrorLogger) {
 	fn, _ = ctx.Value(errorLoggerKey{}).(ErrorLogger)
 	return
 }
 // StackTracedError is the set of errors implementing the StackTrace function.
 //
 // Errors implementing this interface have their stack traces logged when passed
@ -51,10 +27,8 @@ type fieldCarrier interface {
 // Error adds to the response writer the given error if it implements
 // logging.ResponseLogger. If it does not implement it, then writes the error
 // using the log package.
-func Error(w http.ResponseWriter, r *http.Request, err error) {
+func Error(rw http.ResponseWriter, err error) {
-	ErrorLoggerFromContext(r.Context()).call(w, r, err)
+	fc, ok := rw.(fieldCarrier)
 	fc, ok := w.(fieldCarrier)
 	if !ok {
 		return
 	}
@ -77,7 +51,7 @@ func Error(w http.ResponseWriter, r *http.Request, err error) {
 // EnabledResponse log the response object if it implements the EnableLogger
 // interface.
-func EnabledResponse(rw http.ResponseWriter, r *http.Request, v any) {
+func EnabledResponse(rw http.ResponseWriter, v any) {
 	type enableLogger interface {
 		ToLog() (any, error)
 	}
@ -85,7 +59,7 @@ func EnabledResponse(rw http.ResponseWriter, r *http.Request, v any) {
 	if el, ok := v.(enableLogger); ok {
 		out, err := el.ToLog()
 		if err != nil {
-			Error(rw, r, err)
+			Error(rw, err)
 			return
 		}
--- a/api/log/log_test.go
+++ b/api/log/log_test.go
@ -1,9 +1,6 @@
 package log
 import (
 	"bytes"
 	"encoding/json"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@ -30,34 +27,21 @@ func (stackTracedError) StackTrace() pkgerrors.StackTrace {
 }
 func TestError(t *testing.T) {
 	var buf bytes.Buffer
 	logger := slog.New(slog.NewJSONHandler(&buf, &slog.HandlerOptions{}))
 	req := httptest.NewRequest("GET", "/test", http.NoBody)
 	reqWithLogger := req.WithContext(WithErrorLogger(req.Context(), func(w http.ResponseWriter, r *http.Request, err error) {
 		if err != nil {
 			logger.ErrorContext(r.Context(), "request failed", slog.Any("error", err))
 		}
 	}))
 	tests := []struct {
 		name string
 		error
 		rw               http.ResponseWriter
 		r                *http.Request
 		isFieldCarrier   bool
 		isSlogLogger     bool
 		stepDebug        bool
 		expectStackTrace bool
 	}{
-		{"noLogger", nil, nil, req, false, false, false, false},
+		{"noLogger", nil, nil, false, false, false},
-		{"noError", nil, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, false, false},
+		{"noError", nil, logging.NewResponseLogger(httptest.NewRecorder()), true, false, false},
-		{"noErrorDebug", nil, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, false},
+		{"noErrorDebug", nil, logging.NewResponseLogger(httptest.NewRecorder()), true, true, false},
-		{"anError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, false, false},
+		{"anError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), true, false, false},
-		{"anErrorDebug", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, false},
+		{"anErrorDebug", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), true, true, false},
-		{"stackTracedError", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, true},
+		{"stackTracedError", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), true, true, true},
-		{"stackTracedErrorDebug", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), req, true, false, true, true},
+		{"stackTracedErrorDebug", new(stackTracedError), logging.NewResponseLogger(httptest.NewRecorder()), true, true, true},
 		{"slogWithNoError", nil, logging.NewResponseLogger(httptest.NewRecorder()), reqWithLogger, true, true, false, false},
 		{"slogWithError", assert.AnError, logging.NewResponseLogger(httptest.NewRecorder()), reqWithLogger, true, true, false, false},
 	}
 	for _, tt := range tests {
@ -68,41 +52,27 @@ func TestError(t *testing.T) {
 				t.Setenv("STEPDEBUG", "0")
 			}
-			Error(tt.rw, tt.r, tt.error)
+			Error(tt.rw, tt.error)
 			// return early if test case doesn't use logger
-			if !tt.isFieldCarrier && !tt.isSlogLogger {
+			if !tt.isFieldCarrier {
 				return
 			}
-			if tt.isFieldCarrier {
+			fields := tt.rw.(logging.ResponseLogger).Fields()
 				fields := tt.rw.(logging.ResponseLogger).Fields()
 				// expect the error field to be (not) set and to be the same error that was fed to Error
 				if tt.error == nil {
 					assert.Nil(t, fields["error"])
 				} else {
 					assert.Same(t, tt.error, fields["error"])
 				}
-				// check if stack-trace is set when expected
+			// expect the error field to be (not) set and to be the same error that was fed to Error
-				if _, hasStackTrace := fields["stack-trace"]; tt.expectStackTrace && !hasStackTrace {
+			if tt.error == nil {
-					t.Error(`ResponseLogger["stack-trace"] not set`)
+				assert.Nil(t, fields["error"])
-				} else if !tt.expectStackTrace && hasStackTrace {
+			} else {
-					t.Error(`ResponseLogger["stack-trace"] was set`)
+				assert.Same(t, tt.error, fields["error"])
 				}
 			}
-			if tt.isSlogLogger {
+			// check if stack-trace is set when expected
-				b := buf.Bytes()
+			if _, hasStackTrace := fields["stack-trace"]; tt.expectStackTrace && !hasStackTrace {
-				if tt.error == nil {
+				t.Error(`ResponseLogger["stack-trace"] not set`)
-					assert.Empty(t, b)
+			} else if !tt.expectStackTrace && hasStackTrace {
-				} else if assert.NotEmpty(t, b) {
+				t.Error(`ResponseLogger["stack-trace"] was set`)
 					var m map[string]any
 					assert.NoError(t, json.Unmarshal(b, &m))
 					assert.Equal(t, tt.error.Error(), m["error"])
 				}
 				buf.Reset()
 			}
 		})
 	}
--- a/api/models/scep.go
+++ b/api/models/scep.go
@ -97,7 +97,7 @@ func (s *SCEP) AuthorizeSSHSign(context.Context, string) ([]provisioner.SignOpti
 	return nil, errDummyImplementation
 }
-// AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite
+// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for revoking SSH Certificates.
 func (s *SCEP) AuthorizeSSHRevoke(context.Context, string) error {
 	return errDummyImplementation
--- a/api/read/read.go
+++ b/api/read/read.go
@ -51,7 +51,7 @@ func (e badProtoJSONError) Error() string {
 }
 // Render implements render.RenderableError for badProtoJSONError
-func (e badProtoJSONError) Render(w http.ResponseWriter, r *http.Request) {
+func (e badProtoJSONError) Render(w http.ResponseWriter) {
 	v := struct {
 		Type    string `json:"type"`
 		Detail  string `json:"detail"`
@ -62,5 +62,5 @@ func (e badProtoJSONError) Render(w http.ResponseWriter, r *http.Request) {
 		// trim the proto prefix for the message
 		Message: strings.TrimSpace(strings.TrimPrefix(e.Error(), "proto:")),
 	}
-	render.JSONStatus(w, r, v, http.StatusBadRequest)
+	render.JSONStatus(w, v, http.StatusBadRequest)
 }
--- a/api/read/read_test.go
+++ b/api/read/read_test.go
@ -142,8 +142,7 @@ func Test_badProtoJSONError_Render(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			w := httptest.NewRecorder()
-			r := httptest.NewRequest("POST", "/test", http.NoBody)
+			tt.e.Render(w)
 			tt.e.Render(w, r)
 			res := w.Result()
 			defer res.Body.Close()
--- a/api/rekey.go
+++ b/api/rekey.go
@ -29,25 +29,25 @@ func (s *RekeyRequest) Validate() error {
 // Rekey is similar to renew except that the certificate will be renewed with new key from csr.
 func Rekey(w http.ResponseWriter, r *http.Request) {
 	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
-		render.Error(w, r, errs.BadRequest("missing client certificate"))
+		render.Error(w, errs.BadRequest("missing client certificate"))
 		return
 	}
 	var body RekeyRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	a := mustAuthority(r.Context())
 	certChain, err := a.Rekey(r.TLS.PeerCertificates[0], body.CsrPEM.CertificateRequest.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Rekey"))
+		render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Rekey"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -57,7 +57,7 @@ func Rekey(w http.ResponseWriter, r *http.Request) {
 	}
 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/render/render.go
+++ b/api/render/render.go
@ -13,8 +13,8 @@ import (
 )
 // JSON is shorthand for JSONStatus(w, v, http.StatusOK).
-func JSON(w http.ResponseWriter, r *http.Request, v interface{}) {
+func JSON(w http.ResponseWriter, v interface{}) {
-	JSONStatus(w, r, v, http.StatusOK)
+	JSONStatus(w, v, http.StatusOK)
 }
 // JSONStatus marshals v into w. It additionally sets the status code of
@ -22,7 +22,7 @@ func JSON(w http.ResponseWriter, r *http.Request, v interface{}) {
 //
 // JSONStatus sets the Content-Type of w to application/json unless one is
 // specified.
-func JSONStatus(w http.ResponseWriter, r *http.Request, v interface{}, status int) {
+func JSONStatus(w http.ResponseWriter, v interface{}, status int) {
 	setContentTypeUnlessPresent(w, "application/json")
 	w.WriteHeader(status)
@ -43,7 +43,7 @@ func JSONStatus(w http.ResponseWriter, r *http.Request, v interface{}, status in
 		}
 	}
-	log.EnabledResponse(w, r, v)
+	log.EnabledResponse(w, v)
 }
 // ProtoJSON is shorthand for ProtoJSONStatus(w, m, http.StatusOK).
@ -80,22 +80,22 @@ func setContentTypeUnlessPresent(w http.ResponseWriter, contentType string) {
 type RenderableError interface {
 	error
-	Render(http.ResponseWriter, *http.Request)
+	Render(http.ResponseWriter)
 }
 // Error marshals the JSON representation of err to w. In case err implements
 // RenderableError its own Render method will be called instead.
-func Error(rw http.ResponseWriter, r *http.Request, err error) {
+func Error(w http.ResponseWriter, err error) {
-	log.Error(rw, r, err)
+	log.Error(w, err)
-	var re RenderableError
+	var r RenderableError
-	if errors.As(err, &re) {
+	if errors.As(err, &r) {
-		re.Render(rw, r)
+		r.Render(w)
 		return
 	}
-	JSONStatus(rw, r, err, statusCodeFromError(err))
+	JSONStatus(w, err, statusCodeFromError(err))
 }
 // StatusCodedError is the set of errors that implement the basic StatusCode
--- a/api/render/render_test.go
+++ b/api/render/render_test.go
@ -18,8 +18,8 @@ import (
 func TestJSON(t *testing.T) {
 	rec := httptest.NewRecorder()
 	rw := logging.NewResponseLogger(rec)
-	r := httptest.NewRequest("POST", "/test", http.NoBody)
+
-	JSON(rw, r, map[string]interface{}{"foo": "bar"})
+	JSON(rw, map[string]interface{}{"foo": "bar"})
 	assert.Equal(t, http.StatusOK, rec.Result().StatusCode)
 	assert.Equal(t, "application/json", rec.Header().Get("Content-Type"))
@ -64,8 +64,7 @@ func jsonPanicTest[T json.UnsupportedTypeError | json.UnsupportedValueError | js
 		assert.ErrorAs(t, err, &e)
 	}()
-	r := httptest.NewRequest("POST", "/test", http.NoBody)
+	JSON(httptest.NewRecorder(), v)
 	JSON(httptest.NewRecorder(), r, v)
 }
 type renderableError struct {
@ -77,9 +76,10 @@ func (err renderableError) Error() string {
 	return err.Message
 }
-func (err renderableError) Render(w http.ResponseWriter, r *http.Request) {
+func (err renderableError) Render(w http.ResponseWriter) {
 	w.Header().Set("Content-Type", "something/custom")
-	JSONStatus(w, r, err, err.Code)
+
 	JSONStatus(w, err, err.Code)
 }
 type statusedError struct {
@ -116,8 +116,8 @@ func TestError(t *testing.T) {
 		t.Run(strconv.Itoa(caseIndex), func(t *testing.T) {
 			rec := httptest.NewRecorder()
-			r := httptest.NewRequest("POST", "/test", http.NoBody)
+
-			Error(rec, r, kase.err)
+			Error(rec, kase.err)
 			assert.Equal(t, kase.code, rec.Result().StatusCode)
 			assert.Equal(t, kase.body, rec.Body.String())
--- a/api/renew.go
+++ b/api/renew.go
@ -23,20 +23,19 @@ func Renew(w http.ResponseWriter, r *http.Request) {
 	// Get the leaf certificate from the peer or the token.
 	cert, token, err := getPeerCertificate(r)
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	// The token can be used by RAs to renew a certificate.
 	if token != "" {
 		ctx = authority.NewTokenContext(ctx, token)
 		logOtt(w, token)
 	}
 	a := mustAuthority(ctx)
 	certChain, err := a.RenewContext(ctx, cert, nil)
 	if err != nil {
-		render.Error(w, r, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
+		render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -46,7 +45,7 @@ func Renew(w http.ResponseWriter, r *http.Request) {
 	}
 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/revoke.go
+++ b/api/revoke.go
@ -57,12 +57,12 @@ func (r *RevokeRequest) Validate() (err error) {
 func Revoke(w http.ResponseWriter, r *http.Request) {
 	var body RevokeRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -81,7 +81,7 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 	if body.OTT != "" {
 		logOtt(w, body.OTT)
 		if _, err := a.Authorize(ctx, body.OTT); err != nil {
-			render.Error(w, r, errs.UnauthorizedErr(err))
+			render.Error(w, errs.UnauthorizedErr(err))
 			return
 		}
 		opts.OTT = body.OTT
@ -90,12 +90,12 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 		// the client certificate Serial Number must match the serial number
 		// being revoked.
 		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
-			render.Error(w, r, errs.BadRequest("missing ott or client certificate"))
+			render.Error(w, errs.BadRequest("missing ott or client certificate"))
 			return
 		}
 		opts.Crt = r.TLS.PeerCertificates[0]
 		if opts.Crt.SerialNumber.String() != opts.Serial {
-			render.Error(w, r, errs.BadRequest("serial number in client certificate different than body"))
+			render.Error(w, errs.BadRequest("serial number in client certificate different than body"))
 			return
 		}
 		// TODO: should probably be checking if the certificate was revoked here.
@ -106,12 +106,12 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 	}
 	if err := a.Revoke(ctx, opts); err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error revoking certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error revoking certificate"))
 		return
 	}
 	logRevoke(w, opts)
-	render.JSON(w, r, &RevokeResponse{Status: "ok"})
+	render.JSON(w, &RevokeResponse{Status: "ok"})
 }
 func logRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
--- a/api/sign.go
+++ b/api/sign.go
@ -52,13 +52,13 @@ type SignResponse struct {
 func Sign(w http.ResponseWriter, r *http.Request) {
 	var body SignRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -74,13 +74,13 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	certChain, err := a.SignWithContext(ctx, body.CsrPEM.CertificateRequest, opts, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error signing certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error signing certificate"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
@ -90,7 +90,7 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	}
 	LogCertificate(w, certChain[0])
-	render.JSONStatus(w, r, &SignResponse{
+	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,
 		CertChainPEM: certChainPEM,
--- a/api/ssh.go
+++ b/api/ssh.go
@ -253,19 +253,19 @@ type SSHBastionResponse struct {
 func SSHSign(w http.ResponseWriter, r *http.Request) {
 	var body SSHSignRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	publicKey, err := ssh.ParsePublicKey(body.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error parsing publicKey"))
+		render.Error(w, errs.BadRequestErr(err, "error parsing publicKey"))
 		return
 	}
@ -273,7 +273,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	if body.AddUserPublicKey != nil {
 		addUserPublicKey, err = ssh.ParsePublicKey(body.AddUserPublicKey)
 		if err != nil {
-			render.Error(w, r, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
+			render.Error(w, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
 			return
 		}
 	}
@ -293,13 +293,13 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	cert, err := a.SignSSH(ctx, publicKey, opts, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error signing ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 		return
 	}
@ -307,7 +307,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 	if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
 		addUserCert, err := a.SignSSHAddUser(ctx, addUserPublicKey, cert)
 		if err != nil {
-			render.Error(w, r, errs.ForbiddenErr(err, "error signing ssh certificate"))
+			render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 			return
 		}
 		addUserCertificate = &SSHCertificate{addUserCert}
@ -320,7 +320,7 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 		ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignIdentityMethod)
 		signOpts, err := a.Authorize(ctx, body.OTT)
 		if err != nil {
-			render.Error(w, r, errs.UnauthorizedErr(err))
+			render.Error(w, errs.UnauthorizedErr(err))
 			return
 		}
@ -332,14 +332,14 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 		certChain, err := a.SignWithContext(ctx, cr, provisioner.SignOptions{}, signOpts...)
 		if err != nil {
-			render.Error(w, r, errs.ForbiddenErr(err, "error signing identity certificate"))
+			render.Error(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 			return
 		}
 		identityCertificate = certChainToPEM(certChain)
 	}
 	LogSSHCertificate(w, cert)
-	render.JSONStatus(w, r, &SSHSignResponse{
+	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{cert},
 		AddUserCertificate:  addUserCertificate,
 		IdentityCertificate: identityCertificate,
@ -352,12 +352,12 @@ func SSHRoots(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	keys, err := mustAuthority(ctx).GetSSHRoots(ctx)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
 	if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
-		render.Error(w, r, errs.NotFound("no keys found"))
+		render.Error(w, errs.NotFound("no keys found"))
 		return
 	}
@ -369,7 +369,7 @@ func SSHRoots(w http.ResponseWriter, r *http.Request) {
 		resp.UserKeys = append(resp.UserKeys, SSHPublicKey{PublicKey: k})
 	}
-	render.JSON(w, r, resp)
+	render.JSON(w, resp)
 }
 // SSHFederation is an HTTP handler that returns the federated SSH public keys
@ -378,12 +378,12 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	keys, err := mustAuthority(ctx).GetSSHFederation(ctx)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
 	if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
-		render.Error(w, r, errs.NotFound("no keys found"))
+		render.Error(w, errs.NotFound("no keys found"))
 		return
 	}
@ -395,7 +395,7 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 		resp.UserKeys = append(resp.UserKeys, SSHPublicKey{PublicKey: k})
 	}
-	render.JSON(w, r, resp)
+	render.JSON(w, resp)
 }
 // SSHConfig is an HTTP handler that returns rendered templates for ssh clients
@ -403,18 +403,18 @@ func SSHFederation(w http.ResponseWriter, r *http.Request) {
 func SSHConfig(w http.ResponseWriter, r *http.Request) {
 	var body SSHConfigRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	ctx := r.Context()
 	ts, err := mustAuthority(ctx).GetSSHConfig(ctx, body.Type, body.Data)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
@ -425,32 +425,32 @@ func SSHConfig(w http.ResponseWriter, r *http.Request) {
 	case provisioner.SSHHostCert:
 		cfg.HostTemplates = ts
 	default:
-		render.Error(w, r, errs.InternalServer("it should hot get here"))
+		render.Error(w, errs.InternalServer("it should hot get here"))
 		return
 	}
-	render.JSON(w, r, cfg)
+	render.JSON(w, cfg)
 }
 // SSHCheckHost is the HTTP handler that returns if a hosts certificate exists or not.
 func SSHCheckHost(w http.ResponseWriter, r *http.Request) {
 	var body SSHCheckPrincipalRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	ctx := r.Context()
 	exists, err := mustAuthority(ctx).CheckSSHHost(ctx, body.Principal, body.Token)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &SSHCheckPrincipalResponse{
+	render.JSON(w, &SSHCheckPrincipalResponse{
 		Exists: exists,
 	})
 }
@ -465,10 +465,10 @@ func SSHGetHosts(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	hosts, err := mustAuthority(ctx).GetSSHHosts(ctx, cert)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &SSHGetHostsResponse{
+	render.JSON(w, &SSHGetHostsResponse{
 		Hosts: hosts,
 	})
 }
@ -477,22 +477,22 @@ func SSHGetHosts(w http.ResponseWriter, r *http.Request) {
 func SSHBastion(w http.ResponseWriter, r *http.Request) {
 	var body SSHBastionRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	ctx := r.Context()
 	bastion, err := mustAuthority(ctx).GetSSHBastion(ctx, body.User, body.Hostname)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &SSHBastionResponse{
+	render.JSON(w, &SSHBastionResponse{
 		Hostname: body.Hostname,
 		Bastion:  bastion,
 	})
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@ -42,19 +42,19 @@ type SSHRekeyResponse struct {
 func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	var body SSHRekeyRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	publicKey, err := ssh.ParsePublicKey(body.PublicKey)
 	if err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error parsing publicKey"))
+		render.Error(w, errs.BadRequestErr(err, "error parsing publicKey"))
 		return
 	}
@ -64,18 +64,18 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	signOpts, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
 	newCert, err := a.RekeySSH(ctx, oldCert, publicKey, signOpts...)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error rekeying ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error rekeying ssh certificate"))
 		return
 	}
@ -85,12 +85,12 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing identity certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}
 	LogSSHCertificate(w, newCert)
-	render.JSONStatus(w, r, &SSHRekeyResponse{
+	render.JSONStatus(w, &SSHRekeyResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
 	}, http.StatusCreated)
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@ -40,13 +40,13 @@ type SSHRenewResponse struct {
 func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	var body SSHRenewRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -56,18 +56,18 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	a := mustAuthority(ctx)
 	_, err := a.Authorize(ctx, body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
 	newCert, err := a.RenewSSH(ctx, oldCert)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing ssh certificate"))
 		return
 	}
@ -77,12 +77,12 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error renewing identity certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}
 	LogSSHCertificate(w, newCert)
-	render.JSONStatus(w, r, &SSHSignResponse{
+	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
 	}, http.StatusCreated)
--- a/api/sshRevoke.go
+++ b/api/sshRevoke.go
@ -51,12 +51,12 @@ func (r *SSHRevokeRequest) Validate() (err error) {
 func SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	var body SSHRevokeRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, errs.BadRequestErr(err, "error reading request body"))
+		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -75,18 +75,18 @@ func SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	logOtt(w, body.OTT)
 	if _, err := a.Authorize(ctx, body.OTT); err != nil {
-		render.Error(w, r, errs.UnauthorizedErr(err))
+		render.Error(w, errs.UnauthorizedErr(err))
 		return
 	}
 	opts.OTT = body.OTT
 	if err := a.Revoke(ctx, opts); err != nil {
-		render.Error(w, r, errs.ForbiddenErr(err, "error revoking ssh certificate"))
+		render.Error(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
 		return
 	}
 	logSSHRevoke(w, opts)
-	render.JSON(w, r, &SSHRevokeResponse{Status: "ok"})
+	render.JSON(w, &SSHRevokeResponse{Status: "ok"})
 }
 func logSSHRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
--- a/authority/admin/api/acme.go
+++ b/authority/admin/api/acme.go
@ -40,12 +40,12 @@ func requireEABEnabled(next http.HandlerFunc) http.HandlerFunc {
 		acmeProvisioner := prov.GetDetails().GetACME()
 		if acmeProvisioner == nil {
-			render.Error(w, r, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))
+			render.Error(w, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))
 			return
 		}
 		if !acmeProvisioner.RequireEab {
-			render.Error(w, r, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))
+			render.Error(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))
 			return
 		}
@ -69,18 +69,18 @@ func NewACMEAdminResponder() ACMEAdminResponder {
 }
 // GetExternalAccountKeys writes the response for the EAB keys GET endpoint
-func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
+func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, _ *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }
 // CreateExternalAccountKey writes the response for the EAB key POST endpoint
-func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
+func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }
 // DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
-func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
+func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
-	render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
+	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }
 func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {
--- a/authority/admin/api/admin.go
+++ b/authority/admin/api/admin.go
@ -90,7 +90,7 @@ func GetAdmin(w http.ResponseWriter, r *http.Request) {
 	adm, ok := mustAuthority(r.Context()).LoadAdminByID(id)
 	if !ok {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType,
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType,
 			"admin %s not found", id))
 		return
 	}
@ -101,17 +101,17 @@ func GetAdmin(w http.ResponseWriter, r *http.Request) {
 func GetAdmins(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := api.ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err,
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err,
 			"error parsing cursor and limit from query params"))
 		return
 	}
 	admins, nextCursor, err := mustAuthority(r.Context()).GetAdmins(cursor, limit)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving paginated admins"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving paginated admins"))
 		return
 	}
-	render.JSON(w, r, &GetAdminsResponse{
+	render.JSON(w, &GetAdminsResponse{
 		Admins:     admins,
 		NextCursor: nextCursor,
 	})
@ -121,19 +121,19 @@ func GetAdmins(w http.ResponseWriter, r *http.Request) {
 func CreateAdmin(w http.ResponseWriter, r *http.Request) {
 	var body CreateAdminRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	auth := mustAuthority(r.Context())
 	p, err := auth.LoadProvisionerByName(body.Provisioner)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", body.Provisioner))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", body.Provisioner))
 		return
 	}
 	adm := &linkedca.Admin{
@ -143,7 +143,7 @@ func CreateAdmin(w http.ResponseWriter, r *http.Request) {
 	}
 	// Store to authority collection.
 	if err := auth.StoreAdmin(r.Context(), adm, p); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error storing admin"))
+		render.Error(w, admin.WrapErrorISE(err, "error storing admin"))
 		return
 	}
@ -155,23 +155,23 @@ func DeleteAdmin(w http.ResponseWriter, r *http.Request) {
 	id := chi.URLParam(r, "id")
 	if err := mustAuthority(r.Context()).RemoveAdmin(r.Context(), id); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting admin %s", id))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting admin %s", id))
 		return
 	}
-	render.JSON(w, r, &DeleteResponse{Status: "ok"})
+	render.JSON(w, &DeleteResponse{Status: "ok"})
 }
 // UpdateAdmin updates an existing admin.
 func UpdateAdmin(w http.ResponseWriter, r *http.Request) {
 	var body UpdateAdminRequest
 	if err := read.JSON(r.Body, &body); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
 		return
 	}
 	if err := body.Validate(); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -179,7 +179,7 @@ func UpdateAdmin(w http.ResponseWriter, r *http.Request) {
 	auth := mustAuthority(r.Context())
 	adm, err := auth.UpdateAdmin(r.Context(), id, &linkedca.Admin{Type: body.Type})
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating admin %s", id))
+		render.Error(w, admin.WrapErrorISE(err, "error updating admin %s", id))
 		return
 	}
--- a/authority/admin/api/middleware.go
+++ b/authority/admin/api/middleware.go
@ -1,6 +1,7 @@
 package api
 import (
 	"errors"
 	"net/http"
 	"github.com/go-chi/chi/v5"
@ -19,7 +20,7 @@ import (
 func requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if !mustAuthority(r.Context()).IsAdminAPIEnabled() {
-			render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType, "administration API not enabled"))
+			render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "administration API not enabled"))
 			return
 		}
 		next(w, r)
@ -31,7 +32,7 @@ func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		tok := r.Header.Get("Authorization")
 		if tok == "" {
-			render.Error(w, r, admin.NewError(admin.ErrorUnauthorizedType,
+			render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,
 				"missing authorization header token"))
 			return
 		}
@ -39,7 +40,7 @@ func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
 		ctx := r.Context()
 		adm, err := mustAuthority(ctx).AuthorizeAdminToken(r, tok)
 		if err != nil {
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
@ -64,13 +65,13 @@ func loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc {
 		// TODO(hs): distinguish 404 vs. 500
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}
 		prov, err := adminDB.GetProvisioner(ctx, p.GetID())
 		if err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
 			return
 		}
@ -91,7 +92,7 @@ func checkAction(next http.HandlerFunc, supportedInStandalone bool) http.Handler
 		// when an action is not supported in standalone mode and when
 		// using a nosql.DB backend, actions are not supported
 		if _, ok := admin.MustFromContext(r.Context()).(*nosql.DB); ok {
-			render.Error(w, r, admin.NewError(admin.ErrorNotImplementedType,
+			render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
 				"operation not supported in standalone mode"))
 			return
 		}
@ -124,16 +125,16 @@ func loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {
 		}
 		if err != nil {
-			if acme.IsErrNotFound(err) {
+			if errors.Is(err, acme.ErrNotFound) {
-				render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
+				render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
 				return
 			}
-			render.Error(w, r, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
+			render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
 			return
 		}
 		if eak == nil {
-			render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
+			render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
 			return
 		}
--- a/authority/admin/api/policy.go
+++ b/authority/admin/api/policy.go
@ -35,7 +35,7 @@ type PolicyAdminResponder interface {
 // policyAdminResponder implements PolicyAdminResponder.
 type policyAdminResponder struct{}
-// NewPolicyAdminResponder returns a new PolicyAdminResponder.
+// NewACMEAdminResponder returns a new PolicyAdminResponder.
 func NewPolicyAdminResponder() PolicyAdminResponder {
 	return &policyAdminResponder{}
 }
@ -44,7 +44,7 @@ func NewPolicyAdminResponder() PolicyAdminResponder {
 func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -52,12 +52,12 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
 	authorityPolicy, err := auth.GetAuthorityPolicy(r.Context())
 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(ae, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
 		return
 	}
 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}
@ -68,7 +68,7 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
 func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -77,26 +77,26 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
 		return
 	}
 	if authorityPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}
 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	newPolicy.Deduplicate()
 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
 		return
 	}
@ -105,11 +105,11 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 	var createdPolicy *linkedca.Policy
 	if createdPolicy, err = auth.CreateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error storing authority policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error storing authority policy"))
 			return
 		}
-		render.Error(w, r, admin.WrapErrorISE(err, "error storing authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error storing authority policy"))
 		return
 	}
@ -120,7 +120,7 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -129,25 +129,25 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(err, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
 		return
 	}
 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}
 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	newPolicy.Deduplicate()
 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating authority policy"))
 		return
 	}
@ -156,11 +156,11 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 	var updatedPolicy *linkedca.Policy
 	if updatedPolicy, err = auth.UpdateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating authority policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating authority policy"))
 			return
 		}
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating authority policy"))
 		return
 	}
@ -171,7 +171,7 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -180,35 +180,35 @@ func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r
 	var ae *admin.Error
 	if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
-		render.Error(w, r, admin.WrapErrorISE(ae, "error retrieving authority policy"))
+		render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
 		return
 	}
 	if authorityPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
 		return
 	}
 	if err := auth.RemoveAuthorityPolicy(ctx); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting authority policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting authority policy"))
 		return
 	}
-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }
 // GetProvisionerPolicy handles the GET /admin/provisioners/{name}/policy request
 func (par *policyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov := linkedca.MustProvisionerFromContext(ctx)
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}
@ -219,7 +219,7 @@ func (par *policyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *
 func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -227,20 +227,20 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "provisioner %s already has a policy", prov.Name)
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}
 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	newPolicy.Deduplicate()
 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
 		return
 	}
@ -248,11 +248,11 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner policy"))
 			return
 		}
-		render.Error(w, r, admin.WrapErrorISE(err, "error creating provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating provisioner policy"))
 		return
 	}
@ -263,27 +263,27 @@ func (par *policyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov := linkedca.MustProvisionerFromContext(ctx)
 	provisionerPolicy := prov.GetPolicy()
 	if provisionerPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}
 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	newPolicy.Deduplicate()
 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating provisioner policy"))
 		return
 	}
@ -291,11 +291,11 @@ func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
 			return
 		}
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating provisioner policy"))
 		return
 	}
@ -306,13 +306,13 @@ func (par *policyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	prov := linkedca.MustProvisionerFromContext(ctx)
 	if prov.Policy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
 		return
 	}
@ -321,24 +321,24 @@ func (par *policyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter,
 	auth := mustAuthority(ctx)
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting provisioner policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting provisioner policy"))
 		return
 	}
-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }
 func (par *policyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}
@ -348,7 +348,7 @@ func (par *policyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *
 func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -357,20 +357,20 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy != nil {
 		adminErr := admin.NewError(admin.ErrorConflictType, "ACME EAK %s already has a policy", eak.Id)
-		render.Error(w, r, adminErr)
+		render.Error(w, adminErr)
 		return
 	}
 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	newPolicy.Deduplicate()
 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
 		return
 	}
@ -379,7 +379,7 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error creating ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating ACME EAK policy"))
 		return
 	}
@ -389,7 +389,7 @@ func (par *policyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -397,20 +397,20 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}
 	var newPolicy = new(linkedca.Policy)
 	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	newPolicy.Deduplicate()
 	if err := validatePolicy(newPolicy); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error validating ACME EAK policy"))
 		return
 	}
@ -418,7 +418,7 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating ACME EAK policy"))
 		return
 	}
@ -428,7 +428,7 @@ func (par *policyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
 func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if err := blockLinkedCA(ctx); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -436,7 +436,7 @@ func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
 	eak := linkedca.MustExternalAccountKeyFromContext(ctx)
 	eakPolicy := eak.GetPolicy()
 	if eakPolicy == nil {
-		render.Error(w, r, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
+		render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME EAK policy does not exist"))
 		return
 	}
@ -446,11 +446,11 @@ func (par *policyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
 	acmeEAK := linkedEAKToCertificates(eak)
 	acmeDB := acme.MustDatabaseFromContext(ctx)
 	if err := acmeDB.UpdateExternalAccountKey(ctx, prov.GetId(), acmeEAK); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting ACME EAK policy"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting ACME EAK policy"))
 		return
 	}
-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }
 // blockLinkedCA blocks all API operations on linked deployments
--- a/authority/admin/api/provisioner.go
+++ b/authority/admin/api/provisioner.go
@ -40,19 +40,19 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
 	if id != "" {
 		if p, err = auth.LoadProvisionerByID(id); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", id))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
 			return
 		}
 	} else {
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}
 	}
 	prov, err := db.GetProvisioner(ctx, p.GetID())
 	if err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	render.ProtoJSON(w, prov)
@ -62,17 +62,17 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
 func GetProvisioners(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := api.ParseCursor(r)
 	if err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err,
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err,
 			"error parsing cursor and limit from query params"))
 		return
 	}
 	p, next, err := mustAuthority(r.Context()).GetProvisioners(cursor, limit)
 	if err != nil {
-		render.Error(w, r, errs.InternalServerErr(err))
+		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
-	render.JSON(w, r, &GetProvisionersResponse{
+	render.JSON(w, &GetProvisionersResponse{
 		Provisioners: p,
 		NextCursor:   next,
 	})
@ -82,24 +82,24 @@ func GetProvisioners(w http.ResponseWriter, r *http.Request) {
 func CreateProvisioner(w http.ResponseWriter, r *http.Request) {
 	var prov = new(linkedca.Provisioner)
 	if err := read.ProtoJSON(r.Body, prov); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	// TODO: Validate inputs
 	if err := authority.ValidateClaims(prov.Claims); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	// validate the templates and template data
 	if err := validateTemplates(prov.X509Template, prov.SshTemplate); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
 		return
 	}
 	if err := mustAuthority(r.Context()).StoreProvisioner(r.Context(), prov); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
+		render.Error(w, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
 		return
 	}
 	render.ProtoJSONStatus(w, prov, http.StatusCreated)
@ -118,29 +118,29 @@ func DeleteProvisioner(w http.ResponseWriter, r *http.Request) {
 	if id != "" {
 		if p, err = auth.LoadProvisionerByID(id); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", id))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
 			return
 		}
 	} else {
 		if p, err = auth.LoadProvisionerByName(name); err != nil {
-			render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner %s", name))
+			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
 			return
 		}
 	}
 	if err := auth.RemoveProvisioner(r.Context(), p.GetID()); err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error removing provisioner %s", p.GetName()))
+		render.Error(w, admin.WrapErrorISE(err, "error removing provisioner %s", p.GetName()))
 		return
 	}
-	render.JSON(w, r, &DeleteResponse{Status: "ok"})
+	render.JSON(w, &DeleteResponse{Status: "ok"})
 }
 // UpdateProvisioner updates an existing prov.
 func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {
 	var nu = new(linkedca.Provisioner)
 	if err := read.ProtoJSON(r.Body, nu); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -151,51 +151,51 @@ func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {
 	p, err := auth.LoadProvisionerByName(name)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner from cached configuration '%s'", name))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner from cached configuration '%s'", name))
 		return
 	}
 	old, err := db.GetProvisioner(r.Context(), p.GetID())
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error loading provisioner from db '%s'", p.GetID()))
+		render.Error(w, admin.WrapErrorISE(err, "error loading provisioner from db '%s'", p.GetID()))
 		return
 	}
 	if nu.Id != old.Id {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner ID"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner ID"))
 		return
 	}
 	if nu.Type != old.Type {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner type"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner type"))
 		return
 	}
 	if nu.AuthorityId != old.AuthorityId {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner authorityID"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner authorityID"))
 		return
 	}
 	if !nu.CreatedAt.AsTime().Equal(old.CreatedAt.AsTime()) {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner createdAt"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner createdAt"))
 		return
 	}
 	if !nu.DeletedAt.AsTime().Equal(old.DeletedAt.AsTime()) {
-		render.Error(w, r, admin.NewErrorISE("cannot change provisioner deletedAt"))
+		render.Error(w, admin.NewErrorISE("cannot change provisioner deletedAt"))
 		return
 	}
 	// TODO: Validate inputs
 	if err := authority.ValidateClaims(nu.Claims); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	// validate the templates and template data
 	if err := validateTemplates(nu.X509Template, nu.SshTemplate); err != nil {
-		render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
+		render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "invalid template"))
 		return
 	}
 	if err := auth.UpdateProvisioner(r.Context(), nu); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	render.ProtoJSON(w, nu)
--- a/authority/admin/api/webhook.go
+++ b/authority/admin/api/webhook.go
@ -71,28 +71,28 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 	var newWebhook = new(linkedca.Webhook)
 	if err := read.ProtoJSON(r.Body, newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if err := validateWebhook(newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if newWebhook.Secret != "" {
 		err := admin.NewError(admin.ErrorBadRequestType, "webhook secret must not be set")
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if newWebhook.Id != "" {
 		err := admin.NewError(admin.ErrorBadRequestType, "webhook ID must not be set")
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	id, err := randutil.UUIDv4()
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook id"))
+		render.Error(w, admin.WrapErrorISE(err, "error generating webhook id"))
 		return
 	}
 	newWebhook.Id = id
@ -101,14 +101,14 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 	for _, wh := range prov.Webhooks {
 		if wh.Name == newWebhook.Name {
 			err := admin.NewError(admin.ErrorConflictType, "provisioner %q already has a webhook with the name %q", prov.Name, newWebhook.Name)
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 	}
 	secret, err := randutil.Bytes(64)
 	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook secret"))
+		render.Error(w, admin.WrapErrorISE(err, "error generating webhook secret"))
 		return
 	}
 	newWebhook.Secret = base64.StdEncoding.EncodeToString(secret)
@ -117,11 +117,11 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner webhook"))
 			return
 		}
-		render.Error(w, r, admin.WrapErrorISE(err, "error creating provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error creating provisioner webhook"))
 		return
 	}
@ -145,21 +145,21 @@ func (war *webhookAdminResponder) DeleteProvisionerWebhook(w http.ResponseWriter
 		}
 	}
 	if !found {
-		render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+		render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 		return
 	}
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error deleting provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error deleting provisioner webhook"))
 			return
 		}
-		render.Error(w, r, admin.WrapErrorISE(err, "error deleting provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error deleting provisioner webhook"))
 		return
 	}
-	render.JSONStatus(w, r, DeleteResponse{Status: "ok"}, http.StatusOK)
+	render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }
 func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter, r *http.Request) {
@ -170,12 +170,12 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 	var newWebhook = new(linkedca.Webhook)
 	if err := read.ProtoJSON(r.Body, newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if err := validateWebhook(newWebhook); err != nil {
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
@ -186,13 +186,13 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 		}
 		if newWebhook.Secret != "" && newWebhook.Secret != wh.Secret {
 			err := admin.NewError(admin.ErrorBadRequestType, "webhook secret cannot be updated")
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		newWebhook.Secret = wh.Secret
 		if newWebhook.Id != "" && newWebhook.Id != wh.Id {
 			err := admin.NewError(admin.ErrorBadRequestType, "webhook ID cannot be updated")
-			render.Error(w, r, err)
+			render.Error(w, err)
 			return
 		}
 		newWebhook.Id = wh.Id
@ -203,17 +203,17 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 	if !found {
 		msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
 		err := admin.NewError(admin.ErrorNotFoundType, msg)
-		render.Error(w, r, err)
+		render.Error(w, err)
 		return
 	}
 	if err := auth.UpdateProvisioner(ctx, prov); err != nil {
 		if isBadRequest(err) {
-			render.Error(w, r, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner webhook"))
+			render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner webhook"))
 			return
 		}
-		render.Error(w, r, admin.WrapErrorISE(err, "error updating provisioner webhook"))
+		render.Error(w, admin.WrapErrorISE(err, "error updating provisioner webhook"))
 		return
 	}
--- a/authority/admin/errors.go
+++ b/authority/admin/errors.go
@ -205,8 +205,8 @@ func (e *Error) ToLog() (interface{}, error) {
 }
 // Render implements render.RenderableError for Error.
-func (e *Error) Render(w http.ResponseWriter, r *http.Request) {
+func (e *Error) Render(w http.ResponseWriter) {
 	e.Message = e.Err.Error()
-	render.JSONStatus(w, r, e, e.StatusCode())
+	render.JSONStatus(w, e, e.StatusCode())
 }
--- a/authority/authority.go
+++ b/authority/authority.go
@ -62,10 +62,9 @@ type Authority struct {
 	x509Enforcers         []provisioner.CertificateEnforcer
 	// SCEP CA
-	scepOptions    *scep.Options
+	scepOptions   *scep.Options
-	validateSCEP   bool
+	validateSCEP  bool
-	scepAuthority  *scep.Authority
+	scepAuthority *scep.Authority
 	scepKeyManager provisioner.SCEPKeyManager
 	// SSH CA
 	sshHostPassword         []byte
@ -140,7 +139,7 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 		}
 	}
 	if a.keyManager != nil {
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
+		a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
 	}
 	if !a.skipInit {
@ -169,7 +168,7 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 		}
 	}
 	if a.keyManager != nil {
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
+		a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
 	}
 	// Validate required options
@ -350,7 +349,7 @@ func (a *Authority) init() error {
 			return err
 		}
-		a.keyManager = newInstrumentedKeyManager(a.keyManager, a.meter)
+		a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
 	}
 	// Initialize linkedca client if necessary. On a linked RA, the issuer
@ -447,7 +446,6 @@ func (a *Authority) init() error {
 				return err
 			}
 			a.rootX509Certs = append(a.rootX509Certs, resp.RootCertificate)
 			a.intermediateX509Certs = append(a.intermediateX509Certs, resp.IntermediateCertificates...)
 		}
 	}
@ -696,42 +694,32 @@ func (a *Authority) init() error {
 			options := &scep.Options{
 				Roots:         a.rootX509Certs,
 				Intermediates: a.intermediateX509Certs,
 				SignerCert:    a.intermediateX509Certs[0],
 			}
-
+			if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			// intermediate certificates can be empty in RA mode
+				SigningKey: a.config.IntermediateKey,
-			if len(a.intermediateX509Certs) > 0 {
+				Password:   a.password,
-				options.SignerCert = a.intermediateX509Certs[0]
+			}); err != nil {
 				return err
 			}
-
+			// TODO(hs): instead of creating the decrypter here, pass the
-			// attempt to create the (default) SCEP signer if the intermediate
+			// intermediate key + chain down to the SCEP authority,
-			// key is configured.
+			// and only instantiate it when required there. Is that possible?
-			if a.config.IntermediateKey != "" {
+			// Also with entering passwords?
-				if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
+			// TODO(hs): if moving the logic, try improving the logic for the
-					SigningKey: a.config.IntermediateKey,
+			// decrypter password too? Right now it needs to be entered multiple
-					Password:   a.password,
+			// times; I've observed it to be three times maximum, every time
-				}); err != nil {
+			// the intermediate key is read.
-					return err
+			_, isRSA := options.Signer.Public().(*rsa.PublicKey)
-				}
+			if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSA {
-
+				if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-				// TODO(hs): instead of creating the decrypter here, pass the
+					DecryptionKey: a.config.IntermediateKey,
-				// intermediate key + chain down to the SCEP authority,
+					Password:      a.password,
-				// and only instantiate it when required there. Is that possible?
+				}); err == nil {
-				// Also with entering passwords?
+					// only pass the decrypter down when it was successfully created,
-				// TODO(hs): if moving the logic, try improving the logic for the
+					// meaning it's an RSA key, and `CreateDecrypter` did not fail.
-				// decrypter password too? Right now it needs to be entered multiple
+					options.Decrypter = decrypter
-				// times; I've observed it to be three times maximum, every time
+					options.DecrypterCert = options.Intermediates[0]
 				// the intermediate key is read.
 				_, isRSAKey := options.Signer.Public().(*rsa.PublicKey)
 				if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSAKey {
 					if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 						DecryptionKey: a.config.IntermediateKey,
 						Password:      a.password,
 					}); err == nil {
 						// only pass the decrypter down when it was successfully created,
 						// meaning it's an RSA key, and `CreateDecrypter` did not fail.
 						options.Decrypter = decrypter
 						options.DecrypterCert = options.Intermediates[0]
 					}
 				}
 			}
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@ -113,7 +113,7 @@ func TestAuthorityNew(t *testing.T) {
 			c.Root = []string{"foo"}
 			return &newTest{
 				config: c,
-				err:    errors.New(`error reading "foo": no such file or directory`),
+				err:    errors.New("error reading foo: no such file or directory"),
 			}
 		},
 		"fail bad password": func(t *testing.T) *newTest {
@ -131,7 +131,7 @@ func TestAuthorityNew(t *testing.T) {
 			c.IntermediateCert = "wrong"
 			return &newTest{
 				config: c,
-				err:    errors.New(`error reading "wrong": no such file or directory`),
+				err:    errors.New("error reading wrong: no such file or directory"),
 			}
 		},
 	}
--- a/authority/linkedca.go
+++ b/authority/linkedca.go
@ -110,7 +110,7 @@ func newLinkedCAClient(token string) (*linkedCaClient, error) {
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
 	// Start mTLS client
-	conn, err := grpc.NewClient(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
+	conn, err := grpc.Dial(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error connecting %s", u.Host)
 	}
@ -478,7 +478,10 @@ func getAuthority(sans []string) (string, error) {
 // getRootCertificate creates an insecure majordomo client and returns the
 // verified root certificate.
 func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) {
-	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		//nolint:gosec // used in bootstrap protocol
 		InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
 	})))
@ -486,7 +489,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 		return nil, errors.Wrapf(err, "error connecting %s", endpoint)
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 	client := linkedca.NewMajordomoClient(conn)
@ -528,7 +531,11 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 // login creates a new majordomo client with just the root ca pool and returns
 // the signed certificate and tls configuration.
 func login(authority, token string, csr *x509.CertificateRequest, signer crypto.PrivateKey, endpoint string, rootCAs *x509.CertPool) (*tls.Certificate, *tls.Config, error) {
-	conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+	// Connect to majordomo
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		MinVersion: tls.VersionTLS12,
 		RootCAs:    rootCAs,
 	})))
@ -537,7 +544,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
 	}
 	// Login to get the signed certificate
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 	client := linkedca.NewMajordomoClient(conn)
--- a/authority/meter.go
+++ b/authority/meter.go
@ -66,22 +66,6 @@ type instrumentedKeyManager struct {
 	meter Meter
 }
 type instrumentedKeyAndDecrypterManager struct {
 	kms.KeyManager
 	decrypter kmsapi.Decrypter
 	meter     Meter
 }
 func newInstrumentedKeyManager(k kms.KeyManager, m Meter) kms.KeyManager {
 	decrypter, isDecrypter := k.(kmsapi.Decrypter)
 	switch {
 	case isDecrypter:
 		return &instrumentedKeyAndDecrypterManager{&instrumentedKeyManager{k, m}, decrypter, m}
 	default:
 		return &instrumentedKeyManager{k, m}
 	}
 }
 func (i *instrumentedKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (s crypto.Signer, err error) {
 	if s, err = i.KeyManager.CreateSigner(req); err == nil {
 		s = &instrumentedKMSSigner{s, i.meter}
@ -90,10 +74,6 @@ func (i *instrumentedKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (
 	return
 }
 func (i *instrumentedKeyAndDecrypterManager) CreateDecrypter(req *kmsapi.CreateDecrypterRequest) (s crypto.Decrypter, err error) {
 	return i.decrypter.CreateDecrypter(req)
 }
 type instrumentedKMSSigner struct {
 	crypto.Signer
 	meter Meter
@ -105,7 +85,3 @@ func (i *instrumentedKMSSigner) Sign(rand io.Reader, digest []byte, opts crypto.
 	return
 }
 var _ kms.KeyManager = (*instrumentedKeyManager)(nil)
 var _ kms.KeyManager = (*instrumentedKeyAndDecrypterManager)(nil)
 var _ kmsapi.Decrypter = (*instrumentedKeyAndDecrypterManager)(nil)
--- a/authority/options.go
+++ b/authority/options.go
@ -226,16 +226,6 @@ func WithFullSCEPOptions(options *scep.Options) Option {
 	}
 }
 // WithSCEPKeyManager defines the key manager used on SCEP provisioners.
 //
 // This feature is EXPERIMENTAL and might change at any time.
 func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option {
 	return func(a *Authority) error {
 		a.scepKeyManager = skm
 		return nil
 	}
 }
 // WithSSHUserSigner defines the signer used to sign SSH user certificates.
 func WithSSHUserSigner(s crypto.Signer) Option {
 	return func(a *Authority) error {
--- a/authority/policy/policy.go
+++ b/authority/policy/policy.go
@ -21,7 +21,6 @@ type HostPolicy policy.SSHNamePolicyEngine
 func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error) {
 	// return early if no policy engine options to configure
 	if policyOptions == nil {
 		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}
@ -51,7 +50,6 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
 	// ensure no policy engine is returned when no name options were provided
 	if len(options) == 0 {
 		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}
@ -95,7 +93,6 @@ func NewSSHHostPolicyEngine(policyOptions SSHPolicyOptionsInterface) (HostPolicy
 func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEngineType) (policy.SSHNamePolicyEngine, error) {
 	// return early if no policy engine options to configure
 	if policyOptions == nil {
 		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}
@ -137,7 +134,6 @@ func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEn
 	// ensure no policy engine is returned when no name options were provided
 	if len(options) == 0 {
 		//nolint:nilnil,nolintlint // expected values
 		return nil, nil
 	}
--- a/authority/provisioner/aws_certificates.pem
+++ b/authority/provisioner/aws_certificates.pem
@ -1,89 +1,25 @@
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/regions-certs.html use RSA format
-
+# default certificate for "other regions"
-# certificate for us-east-2
+-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
+MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
-MIIDITCCAoqgAwIBAgIUVJTc+hOU+8Gk3JlqsX438Dk5c58wDQYJKoZIhvcNAQEL
+BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
+FgYDVQQKEw9BbWF6b24uY29tIEluYy4xGjAYBgNVBAMTEWVjMi5hbWF6b25hd3Mu
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
+Y29tMB4XDTE0MDYwNTE0MjgwMloXDTI0MDYwNTE0MjgwMlowajELMAkGA1UEBhMC
-MB4XDTI0MDQyOTE3MTE0OVoXDTI5MDQyODE3MTE0OVowXDELMAkGA1UEBhMCVVMx
+VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNV
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
+BAoTD0FtYXpvbi5jb20gSW5jLjEaMBgGA1UEAxMRZWMyLmFtYXpvbmF3cy5jb20w
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIe9GN//SRK2knbjySG0ho3yqQM3
-A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
+e2TDhWO8D2e8+XZqck754gFSo99AbT2RmXClambI7xsYHZFapbELC4H91ycihvrD
-UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
+jbST1ZjkLQgga0NE1q43eS68ZeTDccScXQSNivSlzJZS8HJZjgqzBlXjZftjtdJL
-vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
+XeE4hwvo0sD4f3j9AgMBAAGjgc8wgcwwHQYDVR0OBBYEFCXWzAgVyrbwnFncFFIs
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
+77VBdlE4MIGcBgNVHSMEgZQwgZGAFCXWzAgVyrbwnFncFFIs77VBdlE4oW6kbDBq
-UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
+dHRsZTEYMBYGA1UEChMPQW1hem9uLmNvbSBJbmMuMRowGAYDVQQDExFlYzIuYW1h
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUVJTc+hOU
+em9uYXdzLmNvbYIJAKnL4UEDMN/FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
-+8Gk3JlqsX438Dk5c58wEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
+BQADgYEAFYcz1OgEhQBXIwIdsgCOS8vEtiJYF+j9uO6jz7VOmJqO+pRlAbRlvY8T
-AAOBgQAywJQaVNWJqW0R0T0xVOSoN1GLk9x9kKEuN67RN9CLin4dA97qa7Mr5W4P
+C1haGgSI/A1uZUKs/Zfnph0oEI0/hu1IIJ/SKBDtN5lvmZ/IzbOPIJWirlsllQIQ
-FZ6vnh5CjOhQBRXV9xJUeYSdqVItNAUFK/fEzDdjf1nUfPlQ3OJ49u6CV01NoJ9m
+7zvWbGd9c9+Rm3p04oTvhup99la7kZqevJK0QRdD/6NpCKsqP/0=
 usvY9kWcV46dqn2bk2MyfTTgvmeqP8fiMRPxxnVRkSzlldP5Fg==
 -----END CERTIFICATE-----
 # certificate for us-east-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUE1y2NIKCU+Rg4uu4u32koG9QEYIwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE3MzQwMVoXDTI5MDQyODE3MzQwMVowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUE1y2NIKC
 U+Rg4uu4u32koG9QEYIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQAlxSmwcWnhT4uAeSinJuz+1BTcKhVSWb5jT8pYjQb8ZoZkXXRGb09mvYeU
 NeqOBr27rvRAnaQ/9LUQf72+SahDFuS4CMI8nwowytqbmwquqFr4dxA/SDADyRiF
 ea1UoMuNHTY49J/1vPomqsVn7mugTp+TbjqCfOJTpu0temHcFA==
 -----END CERTIFICATE-----
 # certificate for us-west-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUK2zmY9PUSTR7rc1k2OwPYu4+g7wwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE3MDI0M1oXDTI5MDQyODE3MDI0M1owXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUK2zmY9PU
 STR7rc1k2OwPYu4+g7wwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQA1Ng4QmN4n7iPh5CnadSOc0ZfM7by0dBePwZJyGvOHdaw6P6E/vEk76KsC
 Q8p+akuzVzVPkU4kBK/TRqLp19wEWoVwhhTaxHjQ1tTRHqXIVlrkw4JrtFbeNM21
 GlkSLonuzmNZdivn9WuQYeGe7nUD4w3q9GgiF3CPorJe+UxtbA==
 -----END CERTIFICATE-----
 # certificate for us-west-2
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUFx8PxCkbHwpD31bOyCtyz3GclbgwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE3MjM1OVoXDTI5MDQyODE3MjM1OVowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUFx8PxCkb
 HwpD31bOyCtyz3GclbgwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQBzOl+9Xy1+UsbUBI95HO9mbbdnuX+aMJXgG9uFZNjgNEbMcvx+h8P9IMko
 z7PzFdheQQ1NLjsHH9mSR1SyC4m9ja6BsejH5nLBWyCdjfdP3muZM4O5+r7vUa1O
 dWU+hP/T7DUrPAIVMOE7mpYa+WPWJrN6BlRwQkKQ7twm9kDalA==
 -----END CERTIFICATE-----
 # certificate for eu-south-1
@ -157,7 +93,7 @@ NTpxxcXmUKquX+pHmIkK1LKDO8rNE84jqxrxRsfDi6by82fjVYf2pgjJW8R1FAw+
 mL5WQRFexbfB5aXhcMo0AA==
 -----END CERTIFICATE-----
-# certificate for cn-north-1
+# certificate for cn-north-1, cn-northwest-1
 -----BEGIN CERTIFICATE-----
 MIIDCzCCAnSgAwIBAgIJALSOMbOoU2svMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
 BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
@ -178,48 +114,6 @@ oADS0ph+YUz5P/bUCm61wFjlxaTfwKcuTR3ytj7bFLoW5Bm7Sa+TCl3lOGb2taon
 SUDlRyNy1jJFstEZjOhs
 -----END CERTIFICATE-----
 # certificate for cn-northwest-1
 -----BEGIN CERTIFICATE-----
 MIIDCzCCAnSgAwIBAgIJALSOMbOoU2svMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
 BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
 dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0yMzA3MDQw
 ODM1MzlaFw0yODA3MDIwODM1MzlaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBX
 YXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6
 b24gV2ViIFNlcnZpY2VzIExMQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
 uhhUNlqAZdcWWB/OSDVDGk3OA99EFzOn/mJlmciQ/Xwu2dFJWmSCqEAE6gjufCjQ
 q3voxAhC2CF+elKtJW/C0Sz/LYo60PUqd6iXF4h+upB9HkOOGuWHXsHBTsvgkgGA
 1CGgel4U0Cdq+23eANr8N8m28UzljjSnTlrYCHtzN4sCAwEAAaOB1DCB0TALBgNV
 HQ8EBAMCB4AwHQYDVR0OBBYEFBkZu3wT27NnYgrfH+xJz4HJaNJoMIGOBgNVHSME
 gYYwgYOAFBkZu3wT27NnYgrfH+xJz4HJaNJooWCkXjBcMQswCQYDVQQGEwJVUzEZ
 MBcGA1UECBMQV2FzaGluZ3RvbiBTdGF0ZTEQMA4GA1UEBxMHU2VhdHRsZTEgMB4G
 A1UEChMXQW1hem9uIFdlYiBTZXJ2aWNlcyBMTEOCCQC0jjGzqFNrLzASBgNVHRMB
 Af8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4GBAECji43p+oPkYqmzll7e8Hgb
 oADS0ph+YUz5P/bUCm61wFjlxaTfwKcuTR3ytj7bFLoW5Bm7Sa+TCl3lOGb2taon
 2h+9NirRK6JYk87LMNvbS40HGPFumJL2NzEsGUeK+MRiWu+Oh5/lJGii3qw4YByx
 SUDlRyNy1jJFstEZjOhs
 -----END CERTIFICATE-----
 # certificate for eu-central-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUFD5GsmkxRuecttwsCG763m3u63UwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE1NTUyOVoXDTI5MDQyODE1NTUyOVowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUFD5Gsmkx
 RuecttwsCG763m3u63UwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQBBh0WaXlBsW56Hqk588MmJxsOrvcKfDjF57RgEDgnGnQaJcStCVWDO9UYO
 JX2tdsPw+E7AjDqjsuxYaotLn3Mr3mK0sNOXq9BljBnWD4pARg89KZnZI8FN35HQ
 O/LYOVHCknuPL123VmVRNs51qQA9hkPjvw21UzpDLxaUxt9Z/w==
 -----END CERTIFICATE-----
 # certificate for eu-central-2
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXjSGFGiMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
@ -236,27 +130,6 @@ NBElvPCDKFvTJl4QQhToy056llO5GvdS9RK+H8xrP2mrqngApoKTApv93vHBixgF
 Sn5KrczRO0YSm3OjkqbydU7DFlmkXXR7GYE+5jbHvQHYiT1J5sMu
 -----END CERTIFICATE-----
 # certificate for ap-south-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUDLA+x6tTAP3LRTr0z6nOxfsozdMwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE0MTMwMVoXDTI5MDQyODE0MTMwMVowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUDLA+x6tT
 AP3LRTr0z6nOxfsozdMwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQAZ7rYKoAwwiiH1M5GJbrT/BEk3OO2VrEPw8ZxgpqQ/EKlzMlOs/0Cyrmp7
 UYyUgYFQe5nq37Z94rOUSeMgv/WRxaMwrLlLqD78cuF9DSkXaZIX/kECtVaUnjk8
 BZx0QhoIHOpQocJUSlm/dLeMuE0+0A3HNR6JVktGsUdv9ulmKw==
 -----END CERTIFICATE-----
 # certificate for ap-south-2
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXjwLj9CMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
@ -273,48 +146,6 @@ ETwUZ9mTq2vxlV0KvuetCDNS5u4cJsxe/TGGbYP0yP2qfMl0cCImzRI5W0gn8gog
 dervfeT7nH5ih0TWEy/QDWfkQ601L4erm4yh4YQq8vcqAPSkf04N
 -----END CERTIFICATE-----
 # certificate for ap-southeast-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUSqP6ih+++5KF07NXngrWf26mhSUwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE0MzAxNFoXDTI5MDQyODE0MzAxNFowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUSqP6ih++
 +5KF07NXngrWf26mhSUwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQAw13BxW11U/JL58j//Fmk7qqtrZTqXmaz1qm2WlIpJpW750MOcP4ux1uPy
 eM0RdVZ4jHSMv5gtLAv/PjExBfw9n6vNCk+5GZG4Xec5DoapBZHXmfMo93sjxBFP
 4x9rWn0GuwAVO9ukjYPevq2Rerilrq5VvppHtbATVNY2qecXDA==
 -----END CERTIFICATE-----
 # certificate for ap-southeast-2
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUFxWyAdk4oiXIOC9PxcgjYYh71mwwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE1MjE0M1oXDTI5MDQyODE1MjE0M1owXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUFxWyAdk4
 oiXIOC9PxcgjYYh71mwwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQByjeQe6lr7fiIhoGdjBXYzDfkX0lGGvMIhRh57G1bbceQfaYdZd7Ptc0jl
 bpycKGaTvhUdkpMOiV2Hi9dOOYawkdhyJDstmDNKu6P9+b6Kak8He5z3NU1tUR2Y
 uTwcz7Ye8Nldx//ws3raErfTI7D6s9m63OX8cAJ/f8bNgikwpw==
 -----END CERTIFICATE-----
 # certificate for ap-southeast-3
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXbVDG2yMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
@ -395,46 +226,25 @@ WX00FTEj4hRVjameE1nENoO8Z7fUVloAFDlDo69fhkJeSvn51D1WRrPnoWGgEfr1
 +OfK1bAcKTtfkkkP9r4RdwSjKzO5Zu/B+Wqm3kVEz/QNcz6npmA6
 -----END CERTIFICATE-----
-# certificate for us-gov-east-1
+# certificate for us-gov-east-1 and us-gov-west-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIULVyrqjjwZ461qelPCiShB1KCCj4wDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDUwNzE1MjIzNloXDTI5MDUwNjE1MjIzNlowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCpohwYUVPH9I7Vbkb3WMe/JB0Y/bmfVj3VpcK445YBRO9K80al
 esjgBc2tAX4KYg4Lht4EBKccLHTzaNi51YEGX1aLNrSmxhz1+WtzNLNUsyY3zD9z
 vwX/3k1+JB2dRA+m+Cpwx4mjzZyAeQtHtegVaAytkmqtxQrSCexBxvqRqQIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU1ZXneBYnPvYXkHVlVjg7918V
 gE8wgZkGA1UdIwSBkTCBjoAU1ZXneBYnPvYXkHVlVjg7918VgE+hYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IULVyrqjjw
 Z461qelPCiShB1KCCj4wEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQBfAL/YZv0y3zmVbXjyxQCsDloeDCJjFKIu3ameEckeIWJbST9LMto0zViZ
 puIAf05x6GQiEqfBMk+YMxJfcTmJB4Ebaj4egFlslJPSHyC2xuydHlr3B04INOH5
 Z2oCM68u6GGbj0jZjg7GJonkReG9N72kDva/ukwZKgq8zErQVQ==
 -----END CERTIFICATE-----
 # certificate for us-gov-west-1
 -----BEGIN CERTIFICATE-----
-MIIDITCCAoqgAwIBAgIUe5wGF3jfb7lUHzvDxmM/ktGCLwwwDQYJKoZIhvcNAQEL
+MIIDCzCCAnSgAwIBAgIJAIe9Hnq82O7UMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
-BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
+BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
-BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
+dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0yMTA3MTQx
-MB4XDTI0MDUwNzE3MzAzMloXDTI5MDUwNjE3MzAzMlowXDELMAkGA1UEBhMCVVMx
+NDI3NTdaFw0yNDA3MTMxNDI3NTdaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBX
-GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
+YXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6
-BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
+b24gV2ViIFNlcnZpY2VzIExMQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-A4GNADCBiQKBgQCpohwYUVPH9I7Vbkb3WMe/JB0Y/bmfVj3VpcK445YBRO9K80al
+qaIcGFFTx/SO1W5G91jHvyQdGP25n1Y91aXCuOOWAUTvSvNGpXrI4AXNrQF+CmIO
-esjgBc2tAX4KYg4Lht4EBKccLHTzaNi51YEGX1aLNrSmxhz1+WtzNLNUsyY3zD9z
+C4beBASnHCx082jYudWBBl9Wiza0psYc9flrczSzVLMmN8w/c78F/95NfiQdnUQP
-vwX/3k1+JB2dRA+m+Cpwx4mjzZyAeQtHtegVaAytkmqtxQrSCexBxvqRqQIDAQAB
+pvgqcMeJo82cgHkLR7XoFWgMrZJqrcUK0gnsQcb6kakCAwEAAaOB1DCB0TALBgNV
-o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQU1ZXneBYnPvYXkHVlVjg7918V
+HQ8EBAMCB4AwHQYDVR0OBBYEFNWV53gWJz72F5B1ZVY4O/dfFYBPMIGOBgNVHSME
-gE8wgZkGA1UdIwSBkTCBjoAU1ZXneBYnPvYXkHVlVjg7918VgE+hYKReMFwxCzAJ
+gYYwgYOAFNWV53gWJz72F5B1ZVY4O/dfFYBPoWCkXjBcMQswCQYDVQQGEwJVUzEZ
-BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
+MBcGA1UECBMQV2FzaGluZ3RvbiBTdGF0ZTEQMA4GA1UEBxMHU2VhdHRsZTEgMB4G
-ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUe5wGF3jf
+A1UEChMXQW1hem9uIFdlYiBTZXJ2aWNlcyBMTEOCCQCHvR56vNju1DASBgNVHRMB
-b7lUHzvDxmM/ktGCLwwwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
+Af8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4GBACrKjWj460GUPZCGm3/z0dIz
-AAOBgQCbTdpx1Iob9SwUReY4exMnlwQlmkTLyA8tYGWzchCJOJJEPfsW0ryy1A0H
+M2BPuH769wcOsqfFZcMKEysSFK91tVtUb1soFwH4/Lb/T0PqNrvtEwD1Nva5k0h2
-YIuvyUty3rJdp9ib8h3GZR71BkZnNddHhy06kPs4p8ewF8+d8OWtOJQcI+ZnFfG4
+xZhNNRmDuhOhW1K9wCcnHGRBwY5t4lYL6hNV6hcrqYwGMjTjcAjBG2yMgznSNFle
-KyM4rUsBrljpG2aOCm12iACEyrvgJJrS8VZwUDZS6mZEnn/lhA==
+Rwi/S3BFXISixNx9cILu
 -----END CERTIFICATE-----
 # certificate for ca-west-1
@ -451,188 +261,4 @@ RZWaBDBJy9x8C2hW+w9lMQjFHkJ7Jy/PHCJ69EzebQIDAQABMA0GCSqGSIb3DQEB
 BQUAA4GBAGe9Snkz1A6rHBH6/5kDtYvtPYwhx2sXNxztbhkXErFk40Nw5l459NZx
 EeudxJBLoCkkSgYjhRcOZ/gvDVtWG7qyb6fAqgoisyAbk8K9LzxSim2S1nmT9vD8
 4B/t/VvwQBylc+ej8kRxMH7fquZLp7IXfmtBzyUqu6Dpbne+chG2
-----END CERTIFICATE-----
+-----END CERTIFICATE-----
 # certificate for ap-northeast-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIULgwDh7TiDrPPBJwscqDwiBHkEFQwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTEyMjMxMFoXDTI5MDQyODEyMjMxMFowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IULgwDh7Ti
 DrPPBJwscqDwiBHkEFQwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQBtjAglBde1t4F9EHCZOj4qnY6Gigy07Ou54i+lR77MhbpzE8V28Li9l+YT
 QMIn6SzJqU3/fIycIro1OVY1lHmaKYgPGSEZxBenSBHfzwDLRmC9oRp4QMe0BjOC
 gepj1lUoiN7OA6PtA+ycNlsP0oJvdBjhvayLiuM3tUfLTrgHbw==
 -----END CERTIFICATE-----
 # certificate for ap-northeast-2
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUbBSn2UIO6vYk4iNWV0RPxJJtHlgwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTEzMzg0NloXDTI5MDQyODEzMzg0NlowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUbBSn2UIO
 6vYk4iNWV0RPxJJtHlgwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQAmjTjalG8MGLqWTC2uYqEM8nzI3px1eo0ArvFRsyqQ3fgmWcQpxExqUqRy
 l3+2134Kv8dFab04Gut5wlfRtc2OwPKKicmv/IXGN+9bKFnQFjTqif08NIzrDZch
 aFT/uvxrIiM+oN2YsHq66GUhO2+xVRXDXVxM/VObFgPERbJpyA==
 -----END CERTIFICATE-----
 # certificate for ap-northeast-3
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAYPou9weMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
 AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
 MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMjEwMTgwMTM2
 MDlaGA8yMjAxMTAxODAxMzYwOVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
 c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
 biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK
 1kIcG5Q6adBXQM75GldfTSiXl7tn54p10TnspI0ErDdb2B6q2Ji/v4XBVH13ZCMg
 qlRHMqV8AWI5iO6gFn2A9sN3AZXTMqwtZeiDdebq3k6Wt7ieYvpXTg0qvgsjQIov
 RZWaBDBJy9x8C2hW+w9lMQjFHkJ7Jy/PHCJ69EzebQIDAQABMA0GCSqGSIb3DQEB
 BQUAA4GBAGe9Snkz1A6rHBH6/5kDtYvtPYwhx2sXNxztbhkXErFk40Nw5l459NZx
 EeudxJBLoCkkSgYjhRcOZ/gvDVtWG7qyb6fAqgoisyAbk8K9LzxSim2S1nmT9vD8
 4B/t/VvwQBylc+ej8kRxMH7fquZLp7IXfmtBzyUqu6Dpbne+chG2
 -----END CERTIFICATE-----
 # certificate for ca-central-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUIrLgixJJB5C4G8z6pZ5rB0JU2aQwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE1MzU0M1oXDTI5MDQyODE1MzU0M1owXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUIrLgixJJ
 B5C4G8z6pZ5rB0JU2aQwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQBHiQJmzyFAaSYs8SpiRijIDZW2RIo7qBKb/pI3rqK6yOWDlPuMr6yNI81D
 IrKGGftg4Z+2KETYU4x76HSf0s//vfH3QA57qFaAwddhKYy4BhteFQl/Wex3xTlX
 LiwI07kwJvJy3mS6UfQ4HcvZy219tY+0iyOWrz/jVxwq7TOkCw==
 -----END CERTIFICATE-----
 # certificate for eu-west-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUakDaQ1Zqy87Hy9ESXA1pFC116HkwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE2MTgxMFoXDTI5MDQyODE2MTgxMFowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUakDaQ1Zq
 y87Hy9ESXA1pFC116HkwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQADIkn/MqaLGPuK5+prZZ5Ox4bBZLPtreO2C7r0pqU2kPM2lVPyYYydkvP0
 lgSmmsErGu/oL9JNztDe2oCA+kNy17ehcsf8cw0uP861czNFKCeU8b7FgBbL+sIm
 qi33rAq6owWGi/5uEcfCR+JP7W+oSYVir5r/yDmWzx+BVH5S/g==
 -----END CERTIFICATE-----
 # certificate for eu-west-2
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUCgCV/DPxYNND/swDgEKGiC5I+EwwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE2MjkxNFoXDTI5MDQyODE2MjkxNFowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUCgCV/DPx
 YNND/swDgEKGiC5I+EwwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQATPu/sOE2esNa4+XPEGKlEJSgqzyBSQLQc+VWo6FAJhGG9fp7D97jhHeLC
 5vwfmtTAfnGBxadfAOT3ASkxnOZhXtnRna460LtnNHm7ArCVgXKJo7uBn6ViXtFh
 uEEw4y6p9YaLQna+VC8Xtgw6WKq2JXuKzuhuNKSFaGGw9vRcHg==
 -----END CERTIFICATE-----
 # certificate for eu-west-3
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUaC9fX57UDr6u1vBvsCsECKBZQyIwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE2MzczOFoXDTI5MDQyODE2MzczOFowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUaC9fX57U
 Dr6u1vBvsCsECKBZQyIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQCARv1bQEDaMEzYI0nPlu8GHcMXgmgA94HyrXhMMcaIlQwocGBs6VILGVhM
 TXP2r3JFaPEpmXSQNQHvGA13clKwAZbni8wtzv6qXb4L4muF34iQRHF0nYrEDoK7
 mMPR8+oXKKuPO/mv/XKo6XAV5DDERdSYHX5kkA2R9wtvyZjPnQ==
 -----END CERTIFICATE-----
 # certificate for eu-north-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUN1c9U6U/xiVDFgJcYKZB4NkH1QEwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE2MDYwM1oXDTI5MDQyODE2MDYwM1owXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUN1c9U6U/
 xiVDFgJcYKZB4NkH1QEwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQBTIQdoFSDRHkpqNPUbZ9WXR2O5v/9bpmHojMYZb3Hw46wsaRso7STiGGX/
 tRqjIkPUIXsdhZ3+7S/RmhFznmZc8e0bjU4n5vi9CJtQSt+1u4E17+V2bF+D3h/7
 wcfE0l3414Q8JaTDtfEf/aF3F0uyBvr4MDMd7mFvAMmDmBPSlA==
 -----END CERTIFICATE-----
 # certificate for sa-east-1
 -----BEGIN CERTIFICATE-----
 MIIDITCCAoqgAwIBAgIUX4Bh4MQ86Roh37VDRRX1MNOB3TcwDQYJKoZIhvcNAQEL
 BQAwXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAO
 BgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExD
 MB4XDTI0MDQyOTE2NDYwOVoXDTI5MDQyODE2NDYwOVowXDELMAkGA1UEBhMCVVMx
 GTAXBgNVBAgTEFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAe
 BgNVBAoTF0FtYXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUA
 A4GNADCBiQKBgQCHvRjf/0kStpJ248khtIaN8qkDN3tkw4VjvA9nvPl2anJO+eIB
 UqPfQG09kZlwpWpmyO8bGB2RWqWxCwuB/dcnIob6w420k9WY5C0IIGtDRNauN3ku
 vGXkw3HEnF0EjYr0pcyWUvByWY4KswZV42X7Y7XSS13hOIcL6NLA+H94/QIDAQAB
 o4HfMIHcMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUJdbMCBXKtvCcWdwUUizvtUF2
 UTgwgZkGA1UdIwSBkTCBjoAUJdbMCBXKtvCcWdwUUizvtUF2UTihYKReMFwxCzAJ
 BgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdT
 ZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQ4IUX4Bh4MQ8
 6Roh37VDRRX1MNOB3TcwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsF
 AAOBgQBnhocfH6ZIX6F5K9+Y9V4HFk8vSaaKL5ytw/P5td1h9ej94KF3xkZ5fyjN
 URvGQv3kNmNJBoNarcP9I7JIMjsNPmVzqWawyCEGCZImoARxSS3Fc5EAs2PyBfcD
 9nCtzMTaKO09Xyq0wqXVYn1xJsE5d5yBDsGrzaTHKjxo61+ezQ==
 -----END CERTIFICATE-----
--- a/authority/provisioner/aws_test.go
+++ b/authority/provisioner/aws_test.go
@ -896,5 +896,5 @@ func TestAWS_HardcodedCertificates(t *testing.T) {
 		assert.True(t, cert.NotAfter.After(time.Now()))
 		certs = append(certs, cert)
 	}
-	assert.Len(t, 33, certs, "expected 33 certificates in aws_certificates.pem, but got %d", len(certs))
+	assert.Len(t, 15, certs, "expected 15 certificates in aws_certificates.pem")
 }
--- a/authority/provisioner/claims.go
+++ b/authority/provisioner/claims.go
@ -234,24 +234,24 @@ func (c *Claimer) IsSSHCAEnabled() bool {
 // Validate validates and modifies the Claims with default values.
 func (c *Claimer) Validate() error {
 	var (
-		minDur = c.MinTLSCertDuration()
+		min = c.MinTLSCertDuration()
-		maxDur = c.MaxTLSCertDuration()
+		max = c.MaxTLSCertDuration()
-		defDur = c.DefaultTLSCertDuration()
+		def = c.DefaultTLSCertDuration()
 	)
 	switch {
-	case minDur <= 0:
+	case min <= 0:
 		return errors.Errorf("claims: MinTLSCertDuration must be greater than 0")
-	case maxDur <= 0:
+	case max <= 0:
 		return errors.Errorf("claims: MaxTLSCertDuration must be greater than 0")
-	case defDur <= 0:
+	case def <= 0:
 		return errors.Errorf("claims: DefaultTLSCertDuration must be greater than 0")
-	case maxDur < minDur:
+	case max < min:
 		return errors.Errorf("claims: MaxCertDuration cannot be less "+
-			"than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", maxDur, minDur)
+			"than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", max, min)
-	case defDur < minDur:
+	case def < min:
-		return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", defDur, minDur)
+		return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", def, min)
-	case maxDur < defDur:
+	case max < def:
-		return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", maxDur, defDur)
+		return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", max, def)
 	default:
 		return nil
 	}
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -93,8 +93,6 @@ type OIDC struct {
 	ListenAddress         string   `json:"listenAddress,omitempty"`
 	Claims                *Claims  `json:"claims,omitempty"`
 	Options               *Options `json:"options,omitempty"`
 	Scopes                []string `json:"scopes,omitempty"`
 	AuthParams            []string `json:"authParams,omitempty"`
 	configuration         openIDConfiguration
 	keyStore              *keyStore
 	ctl                   *Controller
--- a/authority/provisioner/provisioner.go
+++ b/authority/provisioner/provisioner.go
@ -10,7 +10,6 @@ import (
 	"strings"
 	"github.com/pkg/errors"
 	kmsapi "go.step.sm/crypto/kms/apiv1"
 	"golang.org/x/crypto/ssh"
 	"github.com/smallstep/certificates/errs"
@ -207,13 +206,6 @@ type SSHKeys struct {
 	HostKeys []ssh.PublicKey
 }
 // SCEPKeyManager is a KMS interface that combines a KeyManager with a
 // Decrypter.
 type SCEPKeyManager interface {
 	kmsapi.KeyManager
 	kmsapi.Decrypter
 }
 // Config defines the default parameters used in the initialization of
 // provisioners.
 type Config struct {
@ -234,8 +226,6 @@ type Config struct {
 	AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
 	// WebhookClient is an http client to use in webhook request
 	WebhookClient *http.Client
 	// SCEPKeyManager, if defined, is the interface used by SCEP provisioners.
 	SCEPKeyManager SCEPKeyManager
 }
 type provisioner struct {
@ -330,7 +320,7 @@ func (b *base) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) {
 	return nil, errs.Unauthorized("provisioner.AuthorizeSSHSign not implemented")
 }
-// AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite
+// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for revoking SSH Certificates.
 func (b *base) AuthorizeSSHRevoke(context.Context, string) error {
 	return errs.Unauthorized("provisioner.AuthorizeSSHRevoke not implemented")
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@ -15,6 +15,7 @@ import (
 	"go.step.sm/crypto/kms"
 	kmsapi "go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/uri"
 	"go.step.sm/linkedca"
 	"github.com/smallstep/certificates/webhook"
@ -58,7 +59,7 @@ type SCEP struct {
 	encryptionAlgorithm           int
 	challengeValidationController *challengeValidationController
 	notificationController        *notificationController
-	keyManager                    SCEPKeyManager
+	keyManager                    kmsapi.KeyManager
 	decrypter                     crypto.Decrypter
 	decrypterCertificate          *x509.Certificate
 	signer                        crypto.Signer
@ -268,38 +269,34 @@ func (s *SCEP) Init(config Config) (err error) {
 	)
 	// parse the decrypter key PEM contents if available
-	if len(s.DecrypterKeyPEM) > 0 {
+	if decryptionKeyPEM := s.DecrypterKeyPEM; len(decryptionKeyPEM) > 0 {
 		// try reading the PEM for validation
-		block, rest := pem.Decode(s.DecrypterKeyPEM)
+		block, rest := pem.Decode(decryptionKeyPEM)
 		if len(rest) > 0 {
 			return errors.New("failed parsing decrypter key: trailing data")
 		}
 		if block == nil {
 			return errors.New("failed parsing decrypter key: no PEM block found")
 		}
 		opts := kms.Options{
 			Type: kmsapi.SoftKMS,
 		}
-		km, err := kms.New(context.Background(), opts)
+		if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
 		if err != nil {
 			return fmt.Errorf("failed initializing kms: %w", err)
 		}
-		scepKeyManager, ok := km.(SCEPKeyManager)
+		kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
 		if !ok {
 			return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
 		}
-		s.keyManager = scepKeyManager
+		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-
+			DecryptionKeyPEM: decryptionKeyPEM,
 		if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 			DecryptionKeyPEM: s.DecrypterKeyPEM,
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			SigningKeyPEM:    s.DecrypterKeyPEM, // TODO(hs): support distinct signer key in the future?
+			SigningKeyPEM:    decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
@ -307,44 +304,41 @@ func (s *SCEP) Init(config Config) (err error) {
 		}
 	}
-	if s.DecrypterKeyURI != "" {
+	if decryptionKeyURI := s.DecrypterKeyURI; decryptionKeyURI != "" {
-		kmsType, err := kmsapi.TypeOf(s.DecrypterKeyURI)
+		u, err := uri.Parse(s.DecrypterKeyURI)
 		if err != nil {
 			return fmt.Errorf("failed parsing decrypter key: %w", err)
 		}
-
+		var kmsType kmsapi.Type
-		if config.SCEPKeyManager != nil {
+		switch {
-			s.keyManager = config.SCEPKeyManager
+		case u.Scheme != "":
-		} else {
+			kmsType = kms.Type(u.Scheme)
-			if kmsType == kmsapi.DefaultKMS {
+		default:
-				kmsType = kmsapi.SoftKMS
+			kmsType = kmsapi.SoftKMS
-			}
+		}
-			opts := kms.Options{
+		opts := kms.Options{
-				Type: kmsType,
+			Type: kmsType,
-				URI:  s.DecrypterKeyURI,
+			URI:  s.DecrypterKeyURI,
-			}
+		}
-			km, err := kms.New(context.Background(), opts)
+		if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
-			if err != nil {
+			return fmt.Errorf("failed initializing kms: %w", err)
-				return fmt.Errorf("failed initializing kms: %w", err)
+		}
-			}
+		kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
-			scepKeyManager, ok := km.(SCEPKeyManager)
+		if !ok {
-			if !ok {
+			return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
-				return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
+		}
-			}
+		if kmsType != "softkms" { // TODO(hs): this should likely become more transparent?
-			s.keyManager = scepKeyManager
+			decryptionKeyURI = u.Opaque
-		}
+		}
-
+		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-		// Create decrypter and signer with the same key:
+			DecryptionKey:    decryptionKeyURI,
 		// TODO(hs): support distinct signer key in the future?
 		if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 			DecryptionKey:    s.DecrypterKeyURI,
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			SigningKey:       s.DecrypterKeyURI,
+			SigningKey:       decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
--- a/authority/provisioner/scep_test.go
+++ b/authority/provisioner/scep_test.go
@ -2,27 +2,19 @@ package provisioner
 import (
 	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/smallstep/certificates/webhook"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"go.step.sm/crypto/kms/softkms"
+
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/linkedca"
 	"github.com/smallstep/certificates/webhook"
 )
 func Test_challengeValidationController_Validate(t *testing.T) {
@ -374,270 +366,3 @@ func TestSCEP_ValidateChallenge(t *testing.T) {
 		})
 	}
 }
 func TestSCEP_Init(t *testing.T) {
 	serialize := func(key crypto.PrivateKey, password string) []byte {
 		var opts []pemutil.Options
 		if password == "" {
 			opts = append(opts, pemutil.WithPasswordPrompt("no password", func(s string) ([]byte, error) {
 				return nil, nil
 			}))
 		} else {
 			opts = append(opts, pemutil.WithPassword([]byte("password")))
 		}
 		block, err := pemutil.Serialize(key, opts...)
 		require.NoError(t, err)
 		return pem.EncodeToMemory(block)
 	}
 	ca, err := minica.New()
 	require.NoError(t, err)
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	require.NoError(t, err)
 	badKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	require.NoError(t, err)
 	cert, err := ca.Sign(&x509.Certificate{
 		Subject:   pkix.Name{CommonName: "SCEP decryptor"},
 		PublicKey: key.Public(),
 	})
 	require.NoError(t, err)
 	certPEM := pem.EncodeToMemory(&pem.Block{
 		Type: "CERTIFICATE", Bytes: cert.Raw,
 	})
 	certPEMWithIntermediate := append(pem.EncodeToMemory(&pem.Block{
 		Type: "CERTIFICATE", Bytes: cert.Raw,
 	}), pem.EncodeToMemory(&pem.Block{
 		Type: "CERTIFICATE", Bytes: ca.Intermediate.Raw,
 	})...)
 	keyPEM := serialize(key, "password")
 	keyPEMNoPassword := serialize(key, "")
 	badKeyPEM := serialize(badKey, "password")
 	tmp := t.TempDir()
 	path := filepath.Join(tmp, "rsa.priv")
 	pathNoPassword := filepath.Join(tmp, "rsa.key")
 	require.NoError(t, os.WriteFile(path, keyPEM, 0600))
 	require.NoError(t, os.WriteFile(pathNoPassword, keyPEMNoPassword, 0600))
 	type args struct {
 		config Config
 	}
 	tests := []struct {
 		name    string
 		s       *SCEP
 		args    args
 		wantErr bool
 	}{
 		{"ok", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, false},
 		{"ok no password", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEMNoPassword,
 			DecrypterKeyPassword:          "",
 			EncryptionAlgorithmIdentifier: 1,
 		}, args{Config{Claims: globalProvisionerClaims}}, false},
 		{"ok with uri", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        1024,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyURI:               "softkms:path=" + path,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 2,
 		}, args{Config{Claims: globalProvisionerClaims}}, false},
 		{"ok with uri no password", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        2048,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyURI:               "softkms:path=" + pathNoPassword,
 			DecrypterKeyPassword:          "",
 			EncryptionAlgorithmIdentifier: 3,
 		}, args{Config{Claims: globalProvisionerClaims}}, false},
 		{"ok with SCEPKeyManager", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        2048,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyURI:               "softkms:path=" + pathNoPassword,
 			DecrypterKeyPassword:          "",
 			EncryptionAlgorithmIdentifier: 4,
 		}, args{Config{Claims: globalProvisionerClaims, SCEPKeyManager: &softkms.SoftKMS{}}}, false},
 		{"ok intermediate", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          nil,
 			DecrypterKeyPEM:               nil,
 			DecrypterKeyPassword:          "",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, false},
 		{"fail type", &SCEP{
 			Type:                          "",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail name", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail minimumPublicKeyLength", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        2001,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail encryptionAlgorithmIdentifier", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 5,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail negative encryptionAlgorithmIdentifier", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: -1,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail key decode", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               []byte("not a pem"),
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail certificate decode", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          []byte("not a pem"),
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail certificate with intermediate", &SCEP{
 			Type:                   "SCEP",
 			Name:                   "scep",
 			ChallengePassword:      "password123",
 			MinimumPublicKeyLength: 0,
 			DecrypterCertificate:   certPEMWithIntermediate,
 			DecrypterKeyPEM:        keyPEM,
 			DecrypterKeyPassword:   "password",
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail decrypter password", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "badpassword",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail uri", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyURI:               "softkms:path=missing.key",
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail uri password", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyURI:               "softkms:path=" + path,
 			DecrypterKeyPassword:          "badpassword",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail uri type", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyURI:               "foo:path=" + path,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail missing certificate", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          nil,
 			DecrypterKeyPEM:               keyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 		{"fail key match", &SCEP{
 			Type:                          "SCEP",
 			Name:                          "scep",
 			ChallengePassword:             "password123",
 			MinimumPublicKeyLength:        0,
 			DecrypterCertificate:          certPEM,
 			DecrypterKeyPEM:               badKeyPEM,
 			DecrypterKeyPassword:          "password",
 			EncryptionAlgorithmIdentifier: 0,
 		}, args{Config{Claims: globalProvisionerClaims}}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if err := tt.s.Init(tt.args.config); (err != nil) != tt.wantErr {
 				t.Errorf("SCEP.Init() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -369,8 +369,8 @@ type validityValidator struct {
 }
 // newValidityValidator return a new validity validator.
-func newValidityValidator(minDur, maxDur time.Duration) *validityValidator {
+func newValidityValidator(min, max time.Duration) *validityValidator {
-	return &validityValidator{min: minDur, max: maxDur}
+	return &validityValidator{min: min, max: max}
 }
 // Valid validates the certificate validity settings (notBefore/notAfter) and
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@ -276,14 +276,14 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
 		return errs.BadRequest("ssh certificate validBefore cannot be before validAfter")
 	}
-	var minDur, maxDur time.Duration
+	var min, max time.Duration
 	switch cert.CertType {
 	case ssh.UserCert:
-		minDur = v.MinUserSSHCertDuration()
+		min = v.MinUserSSHCertDuration()
-		maxDur = v.MaxUserSSHCertDuration()
+		max = v.MaxUserSSHCertDuration()
 	case ssh.HostCert:
-		minDur = v.MinHostSSHCertDuration()
+		min = v.MinHostSSHCertDuration()
-		maxDur = v.MaxHostSSHCertDuration()
+		max = v.MaxHostSSHCertDuration()
 	case 0:
 		return errs.BadRequest("ssh certificate type has not been set")
 	default:
@ -295,10 +295,10 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
 	dur := time.Duration(cert.ValidBefore-cert.ValidAfter) * time.Second
 	switch {
-	case dur < minDur:
+	case dur < min:
-		return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, minDur)
+		return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
-	case dur > maxDur+opts.Backdate:
+	case dur > max+opts.Backdate:
-		return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, maxDur+opts.Backdate)
+		return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
 	default:
 		return nil
 	}
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@ -201,7 +201,6 @@ func (a *Authority) generateProvisionerConfig(ctx context.Context) (provisioner.
 		AuthorizeRenewFunc:    a.authorizeRenewFunc,
 		AuthorizeSSHRenewFunc: a.authorizeSSHRenewFunc,
 		WebhookClient:         a.webhookClient,
 		SCEPKeyManager:        a.scepKeyManager,
 	}, nil
 }
@ -426,25 +425,25 @@ func ValidateClaims(c *linkedca.Claims) error {
 // ValidateDurations validates the Durations type.
 func ValidateDurations(d *linkedca.Durations) error {
 	var (
-		err                 error
+		err           error
-		minDur, maxDur, def *provisioner.Duration
+		min, max, def *provisioner.Duration
 	)
 	if d.Min != "" {
-		minDur, err = provisioner.NewDuration(d.Min)
+		min, err = provisioner.NewDuration(d.Min)
 		if err != nil {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' is invalid", d.Min)
 		}
-		if minDur.Value() < 0 {
+		if min.Value() < 0 {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' cannot be less than 0", d.Min)
 		}
 	}
 	if d.Max != "" {
-		maxDur, err = provisioner.NewDuration(d.Max)
+		max, err = provisioner.NewDuration(d.Max)
 		if err != nil {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' is invalid", d.Max)
 		}
-		if maxDur.Value() < 0 {
+		if max.Value() < 0 {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' cannot be less than 0", d.Max)
 		}
 	}
@ -457,15 +456,15 @@ func ValidateDurations(d *linkedca.Durations) error {
 			return admin.WrapError(admin.ErrorBadRequestType, err, "default duration '%s' cannot be less than 0", d.Default)
 		}
 	}
-	if d.Min != "" && d.Max != "" && minDur.Value() > maxDur.Value() {
+	if d.Min != "" && d.Max != "" && min.Value() > max.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"min duration '%s' cannot be greater than max duration '%s'", d.Min, d.Max)
 	}
-	if d.Min != "" && d.Default != "" && minDur.Value() > def.Value() {
+	if d.Min != "" && d.Default != "" && min.Value() > def.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"min duration '%s' cannot be greater than default duration '%s'", d.Min, d.Default)
 	}
-	if d.Default != "" && d.Max != "" && minDur.Value() > def.Value() {
+	if d.Default != "" && d.Max != "" && min.Value() > def.Value() {
 		return admin.NewError(admin.ErrorBadRequestType,
 			"default duration '%s' cannot be greater than max duration '%s'", d.Default, d.Max)
 	}
@ -608,15 +607,15 @@ func provisionerWebhookToLinkedca(pwh *provisioner.Webhook) *linkedca.Webhook {
 	return lwh
 }
-func durationsToCertificates(d *linkedca.Durations) (minDur, maxDur, def *provisioner.Duration, err error) {
+func durationsToCertificates(d *linkedca.Durations) (min, max, def *provisioner.Duration, err error) {
 	if d.Min != "" {
-		minDur, err = provisioner.NewDuration(d.Min)
+		min, err = provisioner.NewDuration(d.Min)
 		if err != nil {
 			return nil, nil, nil, admin.WrapErrorISE(err, "error parsing minimum duration '%s'", d.Min)
 		}
 	}
 	if d.Max != "" {
-		maxDur, err = provisioner.NewDuration(d.Max)
+		max, err = provisioner.NewDuration(d.Max)
 		if err != nil {
 			return nil, nil, nil, admin.WrapErrorISE(err, "error parsing maximum duration '%s'", d.Max)
 		}
@ -918,8 +917,6 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 			Domains:               cfg.Domains,
 			Groups:                cfg.Groups,
 			ListenAddress:         cfg.ListenAddress,
 			Scopes:                cfg.Scopes,
 			AuthParams:            cfg.AuthParams,
 			Claims:                claims,
 			Options:               options,
 		}, nil
@ -1068,8 +1065,6 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 						Groups:                p.Groups,
 						ListenAddress:         p.ListenAddress,
 						TenantId:              p.TenantID,
 						Scopes:                p.Scopes,
 						AuthParams:            p.AuthParams,
 					},
 				},
 			},
--- a/authority/root.go
+++ b/authority/root.go
@ -57,26 +57,3 @@ func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
 	})
 	return
 }
 // GetIntermediateCertificate return the intermediate certificate that issues
 // the leaf certificates in the CA.
 //
 // This method can return nil if the CA is configured with a Certificate
 // Authority Service (CAS) that does not implement the
 // CertificateAuthorityGetter interface.
 func (a *Authority) GetIntermediateCertificate() *x509.Certificate {
 	if len(a.intermediateX509Certs) > 0 {
 		return a.intermediateX509Certs[0]
 	}
 	return nil
 }
 // GetIntermediateCertificates returns a list of all intermediate certificates
 // configured. The first certificate in the list will be the issuer certificate.
 //
 // This method can return an empty list or nil if the CA is configured with a
 // Certificate Authority Service (CAS) that does not implement the
 // CertificateAuthorityGetter interface.
 func (a *Authority) GetIntermediateCertificates() []*x509.Certificate {
 	return a.intermediateX509Certs
 }
--- a/authority/root_test.go
+++ b/authority/root_test.go
@ -2,18 +2,15 @@ package authority
 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"errors"
 	"net/http"
 	"reflect"
 	"testing"
 	"go.step.sm/crypto/pemutil"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 )
 func TestRoot(t *testing.T) {
@ -155,63 +152,3 @@ func TestAuthority_GetFederation(t *testing.T) {
 		})
 	}
 }
 func TestAuthority_GetIntermediateCertificate(t *testing.T) {
 	ca, err := minica.New(minica.WithRootTemplate(`{
 		"subject": {{ toJson .Subject }},
 		"issuer": {{ toJson .Subject }},
 		"keyUsage": ["certSign", "crlSign"],
 		"basicConstraints": {
 			"isCA": true,
 			"maxPathLen": -1
 		}
 	}`), minica.WithIntermediateTemplate(`{
 		"subject": {{ toJson .Subject }},
 		"keyUsage": ["certSign", "crlSign"],
 		"basicConstraints": {
 			"isCA": true,
 			"maxPathLen": 1
 		}
 	}`))
 	require.NoError(t, err)
 	signer, err := keyutil.GenerateDefaultSigner()
 	require.NoError(t, err)
 	cert, err := ca.Sign(&x509.Certificate{
 		Subject:               pkix.Name{CommonName: "MiniCA Intermediate CA 0"},
 		PublicKey:             signer.Public(),
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		MaxPathLen:            0,
 	})
 	require.NoError(t, err)
 	type fields struct {
 		intermediateX509Certs []*x509.Certificate
 	}
 	tests := []struct {
 		name      string
 		fields    fields
 		want      *x509.Certificate
 		wantSlice []*x509.Certificate
 	}{
 		{"ok one", fields{[]*x509.Certificate{ca.Intermediate}}, ca.Intermediate, []*x509.Certificate{ca.Intermediate}},
 		{"ok multiple", fields{[]*x509.Certificate{cert, ca.Intermediate}}, cert, []*x509.Certificate{cert, ca.Intermediate}},
 		{"ok empty", fields{[]*x509.Certificate{}}, nil, []*x509.Certificate{}},
 		{"ok nil", fields{nil}, nil, nil},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			a := &Authority{
 				intermediateX509Certs: tt.fields.intermediateX509Certs,
 			}
 			if got := a.GetIntermediateCertificate(); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("Authority.GetIntermediateCertificate() = %v, want %v", got, tt.want)
 			}
 			if got := a.GetIntermediateCertificates(); !reflect.DeepEqual(got, tt.wantSlice) {
 				t.Errorf("Authority.GetIntermediateCertificates() = %v, want %v", got, tt.wantSlice)
 			}
 		})
 	}
 }
--- a/authority/tls.go
+++ b/authority/tls.go
@ -91,21 +91,6 @@ func withDefaultASN1DN(def *config.ASN1DN) provisioner.CertificateModifierFunc {
 	}
 }
 // GetX509Signer returns a [crypto.Signer] implementation using the intermediate
 // key.
 //
 // This method can return a [NotImplementedError] if the CA is configured with a
 // Certificate Authority Service (CAS) that does not implement the
 // CertificateAuthoritySigner interface.
 //
 // [NotImplementedError]: https://pkg.go.dev/github.com/smallstep/certificates/cas/apiv1#NotImplementedError
 func (a *Authority) GetX509Signer() (crypto.Signer, error) {
 	if s, ok := a.x509CAService.(casapi.CertificateAuthoritySigner); ok {
 		return s.GetSigner()
 	}
 	return nil, casapi.NotImplementedError{}
 }
 // Sign creates a signed certificate from a certificate signing request. It
 // creates a new context.Context, and calls into SignWithContext.
 //
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -15,7 +15,6 @@ import (
 	"fmt"
 	"net/http"
 	"reflect"
 	"strings"
 	"testing"
 	"time"
@ -25,11 +24,11 @@ import (
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	sassert "github.com/smallstep/assert"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/policy"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/cas/apiv1"
 	"github.com/smallstep/certificates/cas/softcas"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
@ -224,15 +223,6 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
 	return hash[:], nil
 }
 func assertHasPrefix(t *testing.T, s, p string) bool {
 	if strings.HasPrefix(s, p) {
 		return true
 	}
 	t.Helper()
 	t.Errorf("%q is not a prefix of %q", p, s)
 	return false
 }
 type basicConstraints struct {
 	IsCA       bool `asn1:"optional"`
 	MaxPathLen int  `asn1:"optional,default:-1"`
@ -428,7 +418,7 @@ ZYtQ9Ot36qc=
 			require.NoError(t, err)
 			testAuthority.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -457,7 +447,7 @@ ZYtQ9Ot36qc=
 			require.NoError(t, err)
 			testAuthority.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -486,7 +476,7 @@ ZYtQ9Ot36qc=
 			require.NoError(t, err)
 			testAuthority.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -504,7 +494,7 @@ ZYtQ9Ot36qc=
 			aa := testAuthority(t)
 			aa.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -529,7 +519,7 @@ ZYtQ9Ot36qc=
 			}))
 			aa.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -549,7 +539,7 @@ ZYtQ9Ot36qc=
 			aa.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
 					fmt.Println(crt.Subject)
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -610,7 +600,7 @@ ZYtQ9Ot36qc=
 			_a := testAuthority(t)
 			_a.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -644,7 +634,7 @@ ZYtQ9Ot36qc=
 			_a := testAuthority(t)
 			_a.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -678,7 +668,7 @@ ZYtQ9Ot36qc=
 			require.NoError(t, err)
 			testAuthority.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -712,7 +702,7 @@ ZYtQ9Ot36qc=
 			require.NoError(t, err)
 			testAuthority.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -749,7 +739,7 @@ ZYtQ9Ot36qc=
 			_a.config.AuthorityConfig.Template = &ASN1DN{}
 			_a.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, pkix.Name{}, crt.Subject)
+					sassert.Equals(t, crt.Subject, pkix.Name{})
 					return nil
 				},
 			}
@ -774,8 +764,8 @@ ZYtQ9Ot36qc=
 			aa.config.AuthorityConfig.Template = a.config.AuthorityConfig.Template
 			aa.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, "smallstep test", crt.Subject.CommonName)
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
-					assert.Equal(t, []string{"http://ca.example.org/leaf.crl"}, crt.CRLDistributionPoints)
+					sassert.Equals(t, crt.CRLDistributionPoints, []string{"http://ca.example.org/leaf.crl"})
 					return nil
 				},
 			}
@ -795,7 +785,7 @@ ZYtQ9Ot36qc=
 			aa.config.AuthorityConfig.Template = a.config.AuthorityConfig.Template
 			aa.db = &db.MockAuthDB{
 				MStoreCertificate: func(crt *x509.Certificate) error {
-					assert.Equal(t, crt.Subject.CommonName, "smallstep test")
+					sassert.Equals(t, crt.Subject.CommonName, "smallstep test")
 					return nil
 				},
 			}
@ -828,13 +818,13 @@ ZYtQ9Ot36qc=
 				MStoreCertificateChain: func(prov provisioner.Interface, certs ...*x509.Certificate) error {
 					p, ok := prov.(attProvisioner)
 					if assert.True(t, ok) {
-						assert.Equal(t, &provisioner.AttestationData{
+						sassert.Equals(t, &provisioner.AttestationData{
 							PermanentIdentifier: "1234567890",
 						}, p.AttestationData())
 					}
 					if assert.Len(t, certs, 2) {
-						assert.Equal(t, "smallstep test", certs[0].Subject.CommonName)
+						sassert.Equals(t, certs[0].Subject.CommonName, "smallstep test")
-						assert.Equal(t, "smallstep Intermediate CA", certs[1].Subject.CommonName)
+						sassert.Equals(t, certs[1].Subject.CommonName, "smallstep Intermediate CA")
 					}
 					return nil
 				},
@ -863,45 +853,46 @@ ZYtQ9Ot36qc=
 				if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) {
 					assert.Nil(t, certChain)
 					var sc render.StatusCodedError
-					require.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
+					sassert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
-					assert.Equal(t, tc.code, sc.StatusCode())
+					sassert.Equals(t, sc.StatusCode(), tc.code)
-					assertHasPrefix(t, err.Error(), tc.err.Error())
+					sassert.HasPrefix(t, err.Error(), tc.err.Error())
 					var ctxErr *errs.Error
-					require.True(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
+					sassert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
-					assert.Equal(t, tc.csr, ctxErr.Details["csr"])
+					sassert.Equals(t, ctxErr.Details["csr"], tc.csr)
-					assert.Equal(t, tc.signOpts, ctxErr.Details["signOptions"])
+					sassert.Equals(t, ctxErr.Details["signOptions"], tc.signOpts)
 				}
 			} else {
 				leaf := certChain[0]
 				intermediate := certChain[1]
 				if assert.Nil(t, tc.err) {
-					assert.Equal(t, tc.notBefore, leaf.NotBefore)
+					sassert.Equals(t, leaf.NotBefore, tc.notBefore)
-					assert.Equal(t, tc.notAfter, leaf.NotAfter)
+					sassert.Equals(t, leaf.NotAfter, tc.notAfter)
 					tmplt := a.config.AuthorityConfig.Template
 					if tc.csr.Subject.CommonName == "" {
-						assert.Equal(t, pkix.Name{}, leaf.Subject)
+						sassert.Equals(t, leaf.Subject, pkix.Name{})
 					} else {
-						assert.Equal(t, pkix.Name{
+						sassert.Equals(t, leaf.Subject.String(),
-							Country:       []string{tmplt.Country},
+							pkix.Name{
-							Organization:  []string{tmplt.Organization},
+								Country:       []string{tmplt.Country},
-							Locality:      []string{tmplt.Locality},
+								Organization:  []string{tmplt.Organization},
-							StreetAddress: []string{tmplt.StreetAddress},
+								Locality:      []string{tmplt.Locality},
-							Province:      []string{tmplt.Province},
+								StreetAddress: []string{tmplt.StreetAddress},
-							CommonName:    "smallstep test",
+								Province:      []string{tmplt.Province},
-						}.String(), leaf.Subject.String())
+								CommonName:    "smallstep test",
-						assert.Equal(t, []string{"test.smallstep.com"}, leaf.DNSNames)
+							}.String())
 						sassert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com"})
 					}
-					assert.Equal(t, intermediate.Subject, leaf.Issuer)
+					sassert.Equals(t, leaf.Issuer, intermediate.Subject)
-					assert.Equal(t, x509.ECDSAWithSHA256, leaf.SignatureAlgorithm)
+					sassert.Equals(t, leaf.SignatureAlgorithm, x509.ECDSAWithSHA256)
-					assert.Equal(t, x509.ECDSA, leaf.PublicKeyAlgorithm)
+					sassert.Equals(t, leaf.PublicKeyAlgorithm, x509.ECDSA)
-					assert.Equal(t, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, leaf.ExtKeyUsage)
+					sassert.Equals(t, leaf.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
 					issuer := getDefaultIssuer(a)
 					subjectKeyID, err := generateSubjectKeyID(pub)
 					require.NoError(t, err)
-					assert.Equal(t, subjectKeyID, leaf.SubjectKeyId)
+					sassert.Equals(t, leaf.SubjectKeyId, subjectKeyID)
-					assert.Equal(t, issuer.SubjectKeyId, leaf.AuthorityKeyId)
+					sassert.Equals(t, leaf.AuthorityKeyId, issuer.SubjectKeyId)
 					// Verify Provisioner OID
 					found := 0
@ -912,9 +903,9 @@ ZYtQ9Ot36qc=
 							val := stepProvisionerASN1{}
 							_, err := asn1.Unmarshal(ext.Value, &val)
 							require.NoError(t, err)
-							assert.Equal(t, provisionerTypeJWK, val.Type)
+							sassert.Equals(t, val.Type, provisionerTypeJWK)
-							assert.Equal(t, []byte(p.Name), val.Name)
+							sassert.Equals(t, val.Name, []byte(p.Name))
-							assert.Equal(t, []byte(p.Key.KeyID), val.CredentialID)
+							sassert.Equals(t, val.CredentialID, []byte(p.Key.KeyID))
 						// Basic Constraints
 						case ext.Id.Equal(asn1.ObjectIdentifier([]int{2, 5, 29, 19})):
@ -922,7 +913,7 @@ ZYtQ9Ot36qc=
 							_, err := asn1.Unmarshal(ext.Value, &val)
 							require.NoError(t, err)
 							assert.False(t, val.IsCA, false)
-							assert.Equal(t, val.MaxPathLen, 0)
+							sassert.Equals(t, val.MaxPathLen, 0)
 						// SAN extension
 						case ext.Id.Equal(asn1.ObjectIdentifier([]int{2, 5, 29, 17})):
@ -933,10 +924,10 @@ ZYtQ9Ot36qc=
 							}
 						}
 					}
-					assert.Equal(t, found, 1)
+					sassert.Equals(t, found, 1)
 					realIntermediate, err := x509.ParseCertificate(issuer.Raw)
 					require.NoError(t, err)
-					assert.Equal(t, realIntermediate, intermediate)
+					sassert.Equals(t, intermediate, realIntermediate)
 					assert.Len(t, leaf.Extensions, tc.extensionsCount)
 				}
 			}
@ -1079,19 +1070,19 @@ func TestAuthority_Renew(t *testing.T) {
 				if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) {
 					assert.Nil(t, certChain)
 					var sc render.StatusCodedError
-					require.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
+					sassert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
-					assert.Equal(t, tc.code, sc.StatusCode())
+					sassert.Equals(t, sc.StatusCode(), tc.code)
-					assertHasPrefix(t, err.Error(), tc.err.Error())
+					sassert.HasPrefix(t, err.Error(), tc.err.Error())
 					var ctxErr *errs.Error
-					require.True(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
+					sassert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
-					assert.Equal(t, tc.cert.SerialNumber.String(), ctxErr.Details["serialNumber"])
+					sassert.Equals(t, ctxErr.Details["serialNumber"], tc.cert.SerialNumber.String())
 				}
 			} else {
 				leaf := certChain[0]
 				intermediate := certChain[1]
 				if assert.Nil(t, tc.err) {
-					assert.Equal(t, tc.cert.NotAfter.Sub(cert.NotBefore), leaf.NotAfter.Sub(leaf.NotBefore))
+					sassert.Equals(t, leaf.NotAfter.Sub(leaf.NotBefore), tc.cert.NotAfter.Sub(cert.NotBefore))
 					assert.True(t, leaf.NotBefore.After(now.Add(-2*time.Minute)))
 					assert.True(t, leaf.NotBefore.Before(now.Add(time.Minute)))
@ -1101,29 +1092,30 @@ func TestAuthority_Renew(t *testing.T) {
 					assert.True(t, leaf.NotAfter.Before(expiry.Add(time.Hour)))
 					tmplt := a.config.AuthorityConfig.Template
-					assert.Equal(t, tc.cert.RawSubject, leaf.RawSubject)
+					sassert.Equals(t, leaf.RawSubject, tc.cert.RawSubject)
-					assert.Equal(t, []string{tmplt.Country}, leaf.Subject.Country)
+					sassert.Equals(t, leaf.Subject.Country, []string{tmplt.Country})
-					assert.Equal(t, []string{tmplt.Organization}, leaf.Subject.Organization)
+					sassert.Equals(t, leaf.Subject.Organization, []string{tmplt.Organization})
-					assert.Equal(t, []string{tmplt.Locality}, leaf.Subject.Locality)
+					sassert.Equals(t, leaf.Subject.Locality, []string{tmplt.Locality})
-					assert.Equal(t, []string{tmplt.StreetAddress}, leaf.Subject.StreetAddress)
+					sassert.Equals(t, leaf.Subject.StreetAddress, []string{tmplt.StreetAddress})
-					assert.Equal(t, []string{tmplt.Province}, leaf.Subject.Province)
+					sassert.Equals(t, leaf.Subject.Province, []string{tmplt.Province})
-					assert.Equal(t, tmplt.CommonName, leaf.Subject.CommonName)
+					sassert.Equals(t, leaf.Subject.CommonName, tmplt.CommonName)
-
+
-					assert.Equal(t, intermediate.Subject, leaf.Issuer)
+					sassert.Equals(t, leaf.Issuer, intermediate.Subject)
-
+
-					assert.Equal(t, x509.ECDSAWithSHA256, leaf.SignatureAlgorithm)
+					sassert.Equals(t, leaf.SignatureAlgorithm, x509.ECDSAWithSHA256)
-					assert.Equal(t, x509.ECDSA, leaf.PublicKeyAlgorithm)
+					sassert.Equals(t, leaf.PublicKeyAlgorithm, x509.ECDSA)
-					assert.Equal(t, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, leaf.ExtKeyUsage)
+					sassert.Equals(t, leaf.ExtKeyUsage,
-					assert.Equal(t, []string{"test.smallstep.com", "test"}, leaf.DNSNames)
+						[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
 					sassert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com", "test"})
 					subjectKeyID, err := generateSubjectKeyID(leaf.PublicKey)
 					require.NoError(t, err)
-					assert.Equal(t, subjectKeyID, leaf.SubjectKeyId)
+					sassert.Equals(t, leaf.SubjectKeyId, subjectKeyID)
 					// We did not change the intermediate before renewing.
 					authIssuer := getDefaultIssuer(tc.auth)
 					if issuer.SerialNumber == authIssuer.SerialNumber {
-						assert.Equal(t, issuer.SubjectKeyId, leaf.AuthorityKeyId)
+						sassert.Equals(t, leaf.AuthorityKeyId, issuer.SubjectKeyId)
 						// Compare extensions: they can be in a different order
 						for _, ext1 := range tc.cert.Extensions {
 							//skip SubjectKeyIdentifier
@ -1143,7 +1135,7 @@ func TestAuthority_Renew(t *testing.T) {
 						}
 					} else {
 						// We did change the intermediate before renewing.
-						assert.Equal(t, authIssuer.SubjectKeyId, leaf.AuthorityKeyId)
+						sassert.Equals(t, leaf.AuthorityKeyId, authIssuer.SubjectKeyId)
 						// Compare extensions: they can be in a different order
 						for _, ext1 := range tc.cert.Extensions {
 							//skip SubjectKeyIdentifier
@ -1172,7 +1164,7 @@ func TestAuthority_Renew(t *testing.T) {
 					realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
 					require.NoError(t, err)
-					assert.Equal(t, realIntermediate, intermediate)
+					sassert.Equals(t, intermediate, realIntermediate)
 				}
 			}
 		})
@ -1283,19 +1275,19 @@ func TestAuthority_Rekey(t *testing.T) {
 				if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) {
 					assert.Nil(t, certChain)
 					var sc render.StatusCodedError
-					require.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
+					sassert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
-					assert.Equal(t, tc.code, sc.StatusCode())
+					sassert.Equals(t, sc.StatusCode(), tc.code)
-					assertHasPrefix(t, err.Error(), tc.err.Error())
+					sassert.HasPrefix(t, err.Error(), tc.err.Error())
 					var ctxErr *errs.Error
-					require.True(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
+					sassert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
-					assert.Equal(t, tc.cert.SerialNumber.String(), ctxErr.Details["serialNumber"])
+					sassert.Equals(t, ctxErr.Details["serialNumber"], tc.cert.SerialNumber.String())
 				}
 			} else {
 				leaf := certChain[0]
 				intermediate := certChain[1]
 				if assert.Nil(t, tc.err) {
-					assert.Equal(t, tc.cert.NotAfter.Sub(cert.NotBefore), leaf.NotAfter.Sub(leaf.NotBefore))
+					sassert.Equals(t, leaf.NotAfter.Sub(leaf.NotBefore), tc.cert.NotAfter.Sub(cert.NotBefore))
 					assert.True(t, leaf.NotBefore.After(now.Add(-2*time.Minute)))
 					assert.True(t, leaf.NotBefore.Before(now.Add(time.Minute)))
@ -1305,39 +1297,41 @@ func TestAuthority_Rekey(t *testing.T) {
 					assert.True(t, leaf.NotAfter.Before(expiry.Add(time.Hour)))
 					tmplt := a.config.AuthorityConfig.Template
-					assert.Equal(t, pkix.Name{
+					sassert.Equals(t, leaf.Subject.String(),
-						Country:       []string{tmplt.Country},
+						pkix.Name{
-						Organization:  []string{tmplt.Organization},
+							Country:       []string{tmplt.Country},
-						Locality:      []string{tmplt.Locality},
+							Organization:  []string{tmplt.Organization},
-						StreetAddress: []string{tmplt.StreetAddress},
+							Locality:      []string{tmplt.Locality},
-						Province:      []string{tmplt.Province},
+							StreetAddress: []string{tmplt.StreetAddress},
-						CommonName:    tmplt.CommonName,
+							Province:      []string{tmplt.Province},
-					}.String(), leaf.Subject.String())
+							CommonName:    tmplt.CommonName,
-					assert.Equal(t, intermediate.Subject, leaf.Issuer)
+						}.String())
-
+					sassert.Equals(t, leaf.Issuer, intermediate.Subject)
-					assert.Equal(t, x509.ECDSAWithSHA256, leaf.SignatureAlgorithm)
+
-					assert.Equal(t, x509.ECDSA, leaf.PublicKeyAlgorithm)
+					sassert.Equals(t, leaf.SignatureAlgorithm, x509.ECDSAWithSHA256)
-					assert.Equal(t, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, leaf.ExtKeyUsage)
+					sassert.Equals(t, leaf.PublicKeyAlgorithm, x509.ECDSA)
-					assert.Equal(t, []string{"test.smallstep.com", "test"}, leaf.DNSNames)
+					sassert.Equals(t, leaf.ExtKeyUsage,
 						[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
 					sassert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com", "test"})
 					// Test Public Key and SubjectKeyId
 					expectedPK := tc.pk
 					if tc.pk == nil {
 						expectedPK = cert.PublicKey
 					}
-					assert.Equal(t, expectedPK, leaf.PublicKey)
+					sassert.Equals(t, leaf.PublicKey, expectedPK)
 					subjectKeyID, err := generateSubjectKeyID(expectedPK)
 					require.NoError(t, err)
-					assert.Equal(t, subjectKeyID, leaf.SubjectKeyId)
+					sassert.Equals(t, leaf.SubjectKeyId, subjectKeyID)
 					if tc.pk == nil {
-						assert.Equal(t, cert.SubjectKeyId, leaf.SubjectKeyId)
+						sassert.Equals(t, leaf.SubjectKeyId, cert.SubjectKeyId)
 					}
 					// We did not change the intermediate before renewing.
 					authIssuer := getDefaultIssuer(tc.auth)
 					if issuer.SerialNumber == authIssuer.SerialNumber {
-						assert.Equal(t, issuer.SubjectKeyId, leaf.AuthorityKeyId)
+						sassert.Equals(t, leaf.AuthorityKeyId, issuer.SubjectKeyId)
 						// Compare extensions: they can be in a different order
 						for _, ext1 := range tc.cert.Extensions {
 							//skip SubjectKeyIdentifier
@ -1357,7 +1351,7 @@ func TestAuthority_Rekey(t *testing.T) {
 						}
 					} else {
 						// We did change the intermediate before renewing.
-						assert.Equal(t, authIssuer.SubjectKeyId, leaf.AuthorityKeyId)
+						sassert.Equals(t, leaf.AuthorityKeyId, authIssuer.SubjectKeyId)
 						// Compare extensions: they can be in a different order
 						for _, ext1 := range tc.cert.Extensions {
 							//skip SubjectKeyIdentifier
@ -1386,7 +1380,7 @@ func TestAuthority_Rekey(t *testing.T) {
 					realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
 					require.NoError(t, err)
-					assert.Equal(t, realIntermediate, intermediate)
+					sassert.Equals(t, intermediate, realIntermediate)
 				}
 			}
 		})
@ -1424,7 +1418,7 @@ func TestAuthority_GetTLSOptions(t *testing.T) {
 			require.NoError(t, err)
 			opts := tc.auth.GetTLSOptions()
-			assert.Equal(t, tc.opts, opts)
+			sassert.Equals(t, opts, tc.opts)
 		})
 	}
 }
@ -1494,9 +1488,9 @@ func TestAuthority_Revoke(t *testing.T) {
 				err:  errors.New("authority.Revoke; no persistence layer configured"),
 				code: http.StatusNotImplemented,
 				checkErrDetails: func(err *errs.Error) {
-					assert.Equal(t, raw, err.Details["token"])
+					sassert.Equals(t, err.Details["token"], raw)
-					assert.Equal(t, "44", err.Details["tokenID"])
+					sassert.Equals(t, err.Details["tokenID"], "44")
-					assert.Equal(t, "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc", err.Details["provisionerID"])
+					sassert.Equals(t, err.Details["provisionerID"], "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc")
 				},
 			}
 		},
@ -1534,9 +1528,9 @@ func TestAuthority_Revoke(t *testing.T) {
 				err:  errors.New("authority.Revoke: force"),
 				code: http.StatusInternalServerError,
 				checkErrDetails: func(err *errs.Error) {
-					assert.Equal(t, raw, err.Details["token"])
+					sassert.Equals(t, err.Details["token"], raw)
-					assert.Equal(t, "44", err.Details["tokenID"])
+					sassert.Equals(t, err.Details["tokenID"], "44")
-					assert.Equal(t, "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc", err.Details["provisionerID"])
+					sassert.Equals(t, err.Details["provisionerID"], "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc")
 				},
 			}
 		},
@ -1574,9 +1568,9 @@ func TestAuthority_Revoke(t *testing.T) {
 				err:  errors.New("certificate with serial number 'sn' is already revoked"),
 				code: http.StatusBadRequest,
 				checkErrDetails: func(err *errs.Error) {
-					assert.Equal(t, raw, err.Details["token"])
+					sassert.Equals(t, err.Details["token"], raw)
-					assert.Equal(t, "44", err.Details["tokenID"])
+					sassert.Equals(t, err.Details["tokenID"], "44")
-					assert.Equal(t, "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc", err.Details["provisionerID"])
+					sassert.Equals(t, err.Details["provisionerID"], "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc")
 				},
 			}
 		},
@ -1710,17 +1704,17 @@ func TestAuthority_Revoke(t *testing.T) {
 			if err := tc.auth.Revoke(tc.ctx, tc.opts); err != nil {
 				if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) {
 					var sc render.StatusCodedError
-					require.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
+					sassert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
-					assert.Equal(t, tc.code, sc.StatusCode())
+					sassert.Equals(t, sc.StatusCode(), tc.code)
-					assertHasPrefix(t, err.Error(), tc.err.Error())
+					sassert.HasPrefix(t, err.Error(), tc.err.Error())
 					var ctxErr *errs.Error
-					require.True(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
+					sassert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
-					assert.Equal(t, tc.opts.Serial, ctxErr.Details["serialNumber"])
+					sassert.Equals(t, ctxErr.Details["serialNumber"], tc.opts.Serial)
-					assert.Equal(t, tc.opts.ReasonCode, ctxErr.Details["reasonCode"])
+					sassert.Equals(t, ctxErr.Details["reasonCode"], tc.opts.ReasonCode)
-					assert.Equal(t, tc.opts.Reason, ctxErr.Details["reason"])
+					sassert.Equals(t, ctxErr.Details["reason"], tc.opts.Reason)
-					assert.Equal(t, tc.opts.MTLS, ctxErr.Details["MTLS"])
+					sassert.Equals(t, ctxErr.Details["MTLS"], tc.opts.MTLS)
-					assert.Equal(t, provisioner.RevokeMethod.String(), ctxErr.Details["context"])
+					sassert.Equals(t, ctxErr.Details["context"], provisioner.RevokeMethod.String())
 					if tc.checkErrDetails != nil {
 						tc.checkErrDetails(ctxErr)
@ -1958,39 +1952,3 @@ func TestAuthority_CRL(t *testing.T) {
 		})
 	}
 }
 type notImplementedCAS struct{}
 func (notImplementedCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) {
 	return nil, apiv1.NotImplementedError{}
 }
 func (notImplementedCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
 	return nil, apiv1.NotImplementedError{}
 }
 func (notImplementedCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) {
 	return nil, apiv1.NotImplementedError{}
 }
 func TestAuthority_GetX509Signer(t *testing.T) {
 	auth := testAuthority(t)
 	require.IsType(t, &softcas.SoftCAS{}, auth.x509CAService)
 	signer := auth.x509CAService.(*softcas.SoftCAS).Signer
 	require.NotNil(t, signer)
 	tests := []struct {
 		name      string
 		authority *Authority
 		want      crypto.Signer
 		assertion assert.ErrorAssertionFunc
 	}{
 		{"ok", auth, signer, assert.NoError},
 		{"fail", testAuthority(t, WithX509CAService(notImplementedCAS{})), nil, assert.Error},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := tt.authority.GetX509Signer()
 			tt.assertion(t, err)
 			assert.Equal(t, tt.want, got)
 		})
 	}
 }
--- a/ca/acmeClient_test.go
+++ b/ca/acmeClient_test.go
@ -108,19 +108,19 @@ func TestNewACMEClient(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				switch {
 				case i == 0:
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 				case i == 1:
 					w.Header().Set("Replay-Nonce", "abc123")
-					render.JSONStatus(w, r, []byte{}, 200)
+					render.JSONStatus(w, []byte{}, 200)
 					i++
 				default:
 					w.Header().Set("Location", accLocation)
-					render.JSONStatus(w, r, tc.r2, tc.rc2)
+					render.JSONStatus(w, tc.r2, tc.rc2)
 				}
 			})
@ -203,10 +203,10 @@ func TestACMEClient_GetNonce(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			tc := run(t)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
-				render.JSONStatus(w, r, tc.r1, tc.rc1)
+				render.JSONStatus(w, tc.r1, tc.rc1)
 			})
 			if nonce, err := ac.GetNonce(); err != nil {
@ -310,18 +310,18 @@ func TestACMEClient_post(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -338,7 +338,7 @@ func TestACMEClient_post(t *testing.T) {
 					assert.Equals(t, hdr.KeyID, ac.kid)
 				}
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if resp, err := tc.client.post(tc.payload, url, tc.ops...); err != nil {
@ -450,18 +450,18 @@ func TestACMEClient_NewOrder(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -477,7 +477,7 @@ func TestACMEClient_NewOrder(t *testing.T) {
 				assert.FatalError(t, err)
 				assert.Equals(t, payload, norb)
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if res, err := ac.NewOrder(norb); err != nil {
@ -572,18 +572,18 @@ func TestACMEClient_GetOrder(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -599,7 +599,7 @@ func TestACMEClient_GetOrder(t *testing.T) {
 				assert.FatalError(t, err)
 				assert.Equals(t, len(payload), 0)
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if res, err := ac.GetOrder(url); err != nil {
@ -694,18 +694,18 @@ func TestACMEClient_GetAuthz(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -721,7 +721,7 @@ func TestACMEClient_GetAuthz(t *testing.T) {
 				assert.FatalError(t, err)
 				assert.Equals(t, len(payload), 0)
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if res, err := ac.GetAuthz(url); err != nil {
@ -816,18 +816,18 @@ func TestACMEClient_GetChallenge(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -844,7 +844,7 @@ func TestACMEClient_GetChallenge(t *testing.T) {
 				assert.Equals(t, len(payload), 0)
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if res, err := ac.GetChallenge(url); err != nil {
@ -939,18 +939,18 @@ func TestACMEClient_ValidateChallenge(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -967,7 +967,7 @@ func TestACMEClient_ValidateChallenge(t *testing.T) {
 				assert.Equals(t, payload, []byte("{}"))
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if err := ac.ValidateChallenge(url); err != nil {
@ -983,22 +983,22 @@ func TestACMEClient_ValidateWithPayload(t *testing.T) {
 	key, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 	assert.FatalError(t, err)
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+		assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
-		t.Log(r.RequestURI)
+		t.Log(req.RequestURI)
 		w.Header().Set("Replay-Nonce", "nonce")
-		switch r.RequestURI {
+		switch req.RequestURI {
 		case "/nonce":
-			render.JSONStatus(w, r, []byte{}, 200)
+			render.JSONStatus(w, []byte{}, 200)
 			return
 		case "/fail-nonce":
-			render.JSONStatus(w, r, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400)
+			render.JSONStatus(w, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400)
 			return
 		}
 		// validate jws request protected headers and body
-		body, err := io.ReadAll(r.Body)
+		body, err := io.ReadAll(req.Body)
 		assert.FatalError(t, err)
 		jws, err := jose.ParseJWS(string(body))
@ -1015,15 +1015,15 @@ func TestACMEClient_ValidateWithPayload(t *testing.T) {
 		assert.FatalError(t, err)
 		assert.Equals(t, payload, []byte("the-payload"))
-		switch r.RequestURI {
+		switch req.RequestURI {
 		case "/ok":
-			render.JSONStatus(w, r, acme.Challenge{
+			render.JSONStatus(w, acme.Challenge{
 				Type:   "device-attestation-01",
 				Status: "valid",
 				Token:  "foo",
 			}, 200)
 		case "/fail":
-			render.JSONStatus(w, r, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400)
+			render.JSONStatus(w, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400)
 		}
 	}))
 	defer srv.Close()
@ -1160,18 +1160,18 @@ func TestACMEClient_FinalizeOrder(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -1187,7 +1187,7 @@ func TestACMEClient_FinalizeOrder(t *testing.T) {
 				assert.FatalError(t, err)
 				assert.Equals(t, payload, frb)
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if err := ac.FinalizeOrder(url, csr); err != nil {
@ -1289,18 +1289,18 @@ func TestACMEClient_GetAccountOrders(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -1316,7 +1316,7 @@ func TestACMEClient_GetAccountOrders(t *testing.T) {
 				assert.FatalError(t, err)
 				assert.Equals(t, len(payload), 0)
-				render.JSONStatus(w, r, tc.r2, tc.rc2)
+				render.JSONStatus(w, tc.r2, tc.rc2)
 			})
 			if res, err := tc.client.GetAccountOrders(); err != nil {
@ -1420,18 +1420,18 @@ func TestACMEClient_GetCertificate(t *testing.T) {
 			tc := run(t)
 			i := 0
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
+				assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
 				w.Header().Set("Replay-Nonce", expectedNonce)
 				if i == 0 {
-					render.JSONStatus(w, r, tc.r1, tc.rc1)
+					render.JSONStatus(w, tc.r1, tc.rc1)
 					i++
 					return
 				}
 				// validate jws request protected headers and body
-				body, err := io.ReadAll(r.Body)
+				body, err := io.ReadAll(req.Body)
 				assert.FatalError(t, err)
 				jws, err := jose.ParseJWS(string(body))
 				assert.FatalError(t, err)
@ -1450,7 +1450,7 @@ func TestACMEClient_GetCertificate(t *testing.T) {
 				if tc.certBytes != nil {
 					w.Write(tc.certBytes)
 				} else {
-					render.JSONStatus(w, r, tc.r2, tc.rc2)
+					render.JSONStatus(w, tc.r2, tc.rc2)
 				}
 			})
--- a/ca/bootstrap_test.go
+++ b/ca/bootstrap_test.go
@ -87,7 +87,7 @@ func startCAServer(configFile string) (*CA, string, error) {
 func mTLSMiddleware(next http.Handler, nonAuthenticatedPaths ...string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path == "/version" {
-			render.JSON(w, r, api.VersionResponse{
+			render.JSON(w, api.VersionResponse{
 				Version:                     "test",
 				RequireClientAuthentication: true,
 			})
@ -102,7 +102,7 @@ func mTLSMiddleware(next http.Handler, nonAuthenticatedPaths ...string) http.Han
 		}
 		isMTLS := r.TLS != nil && len(r.TLS.PeerCertificates) > 0
 		if !isMTLS {
-			render.Error(w, r, errs.Unauthorized("missing peer certificate"))
+			render.Error(w, errs.Unauthorized("missing peer certificate"))
 		} else {
 			next.ServeHTTP(w, r)
 		}
@ -412,7 +412,7 @@ func TestBootstrapClientServerRotation(t *testing.T) {
 	//nolint:gosec // insecure test server
 	server, err := BootstrapServer(context.Background(), token, &http.Server{
 		Addr: ":0",
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			w.Write([]byte("ok"))
 		}),
 	}, RequireAndVerifyClientCert())
@ -531,7 +531,7 @@ func TestBootstrapClientServerFederation(t *testing.T) {
 	//nolint:gosec // insecure test server
 	server, err := BootstrapServer(context.Background(), token, &http.Server{
 		Addr: ":0",
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			w.Write([]byte("ok"))
 		}),
 	}, RequireAndVerifyClientCert(), AddFederationToClientCAs())
--- a/ca/client_test.go
+++ b/ca/client_test.go
@ -177,8 +177,8 @@ func TestClient_Version(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Version()
@ -218,8 +218,8 @@ func TestClient_Health(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Health()
@ -262,12 +262,12 @@ func TestClient_Root(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 				expected := "/root/" + tt.shasum
-				if r.RequestURI != expected {
+				if req.RequestURI != expected {
-					t.Errorf("RequestURI = %s, want %s", r.RequestURI, expected)
+					t.Errorf("RequestURI = %s, want %s", req.RequestURI, expected)
 				}
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Root(tt.shasum)
@ -323,12 +323,12 @@ func TestClient_Sign(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 				body := new(api.SignRequest)
-				if err := read.JSON(r.Body, body); err != nil {
+				if err := read.JSON(req.Body, body); err != nil {
 					e, ok := tt.response.(error)
 					require.True(t, ok, "response expected to be error type")
-					render.Error(w, r, e)
+					render.Error(w, e)
 					return
 				} else if !equalJSON(t, body, tt.request) {
 					if tt.request == nil {
@ -339,7 +339,7 @@ func TestClient_Sign(t *testing.T) {
 						t.Errorf("Client.Sign() request = %v, wants %v", body, tt.request)
 					}
 				}
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Sign(tt.request)
@ -385,12 +385,12 @@ func TestClient_Revoke(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 				body := new(api.RevokeRequest)
-				if err := read.JSON(r.Body, body); err != nil {
+				if err := read.JSON(req.Body, body); err != nil {
 					e, ok := tt.response.(error)
 					require.True(t, ok, "response expected to be error type")
-					render.Error(w, r, e)
+					render.Error(w, e)
 					return
 				} else if !equalJSON(t, body, tt.request) {
 					if tt.request == nil {
@ -401,7 +401,7 @@ func TestClient_Revoke(t *testing.T) {
 						t.Errorf("Client.Revoke() request = %v, wants %v", body, tt.request)
 					}
 				}
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Revoke(tt.request, nil)
@ -450,8 +450,8 @@ func TestClient_Renew(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Renew(nil)
@ -504,11 +504,11 @@ func TestClient_RenewWithToken(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				if r.Header.Get("Authorization") != "Bearer token" {
+				if req.Header.Get("Authorization") != "Bearer token" {
-					render.JSONStatus(w, r, errs.InternalServer("force"), 500)
+					render.JSONStatus(w, errs.InternalServer("force"), 500)
 				} else {
-					render.JSONStatus(w, r, tt.response, tt.responseCode)
+					render.JSONStatus(w, tt.response, tt.responseCode)
 				}
 			})
@ -567,8 +567,8 @@ func TestClient_Rekey(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Rekey(tt.request, nil)
@ -619,11 +619,11 @@ func TestClient_Provisioners(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				if r.RequestURI != tt.expectedURI {
+				if req.RequestURI != tt.expectedURI {
-					t.Errorf("RequestURI = %s, want %s", r.RequestURI, tt.expectedURI)
+					t.Errorf("RequestURI = %s, want %s", req.RequestURI, tt.expectedURI)
 				}
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Provisioners(tt.args...)
@ -666,12 +666,12 @@ func TestClient_ProvisionerKey(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 				expected := "/provisioners/" + tt.kid + "/encrypted-key"
-				if r.RequestURI != expected {
+				if req.RequestURI != expected {
-					t.Errorf("RequestURI = %s, want %s", r.RequestURI, expected)
+					t.Errorf("RequestURI = %s, want %s", req.RequestURI, expected)
 				}
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.ProvisionerKey(tt.kid)
@ -720,8 +720,8 @@ func TestClient_Roots(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Roots()
@ -769,8 +769,8 @@ func TestClient_Federation(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.Federation()
@ -820,8 +820,8 @@ func TestClient_SSHRoots(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.SSHRoots()
@ -912,8 +912,8 @@ func TestClient_RootFingerprint(t *testing.T) {
 			c, err := NewClient(tt.server.URL, WithTransport(tr))
 			require.NoError(t, err)
-			tt.server.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			tt.server.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.RootFingerprint()
@ -970,8 +970,8 @@ func TestClient_SSHBastion(t *testing.T) {
 			c, err := NewClient(srv.URL, WithTransport(http.DefaultTransport))
 			require.NoError(t, err)
-			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-				render.JSONStatus(w, r, tt.response, tt.responseCode)
+				render.JSONStatus(w, tt.response, tt.responseCode)
 			})
 			got, err := c.SSHBastion(tt.request)
--- a/cas/apiv1/requests.go
+++ b/cas/apiv1/requests.go
@ -116,8 +116,7 @@ type GetCertificateAuthorityRequest struct {
 // GetCertificateAuthorityResponse is the response that contains
 // the root certificate.
 type GetCertificateAuthorityResponse struct {
-	RootCertificate          *x509.Certificate
+	RootCertificate *x509.Certificate
 	IntermediateCertificates []*x509.Certificate
 }
 // CreateKeyRequest is the request used to generate a new key using a KMS.
--- a/cas/apiv1/services.go
+++ b/cas/apiv1/services.go
@ -1,7 +1,6 @@
 package apiv1
 import (
 	"crypto"
 	"crypto/x509"
 	"net/http"
 	"strings"
@ -27,20 +26,13 @@ type CertificateAuthorityGetter interface {
 	GetCertificateAuthority(req *GetCertificateAuthorityRequest) (*GetCertificateAuthorityResponse, error)
 }
-// CertificateAuthorityCreator is an interface implemented by a
+// CertificateAuthorityCreator is an interface implamented by a
 // CertificateAuthorityService that has a method to create a new certificate
 // authority.
 type CertificateAuthorityCreator interface {
 	CreateCertificateAuthority(req *CreateCertificateAuthorityRequest) (*CreateCertificateAuthorityResponse, error)
 }
 // CertificateAuthoritySigner is an optional interface implemented by a
 // CertificateAuthorityService that has a method that returns a [crypto.Signer]
 // using the same key used to issue certificates.
 type CertificateAuthoritySigner interface {
 	GetSigner() (crypto.Signer, error)
 }
 // SignatureAlgorithmGetter is an optional implementation in a crypto.Signer
 // that returns the SignatureAlgorithm to use.
 type SignatureAlgorithmGetter interface {
--- a/cas/cloudcas/cloudcas_test.go
+++ b/cas/cloudcas/cloudcas_test.go
@ -248,7 +248,6 @@ func mustParseECKey(t *testing.T, pemKey string) *ecdsa.PrivateKey {
 	block, _ := pem.Decode([]byte(pemKey))
 	if block == nil {
 		t.Fatal("failed to parse key")
 		return nil
 	}
 	key, err := x509.ParseECPrivateKey(block.Bytes)
 	if err != nil {
@ -883,7 +882,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
 	defer srv.Stop()
 	// Create fake privateca client
-	conn, err := grpc.NewClient("localhost", grpc.WithTransportCredentials(insecure.NewCredentials()),
+	conn, err := grpc.DialContext(context.Background(), "", grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
 			return lis.Dial()
 		}))
--- a/cas/softcas/softcas.go
+++ b/cas/softcas/softcas.go
@ -58,13 +58,6 @@ func (c *SoftCAS) Type() apiv1.Type {
 	return apiv1.SoftCAS
 }
 // GetSigner implements [apiv1.CertificateAuthoritySigner] and returns a
 // [crypto.Signer] with the intermediate key.
 func (c *SoftCAS) GetSigner() (crypto.Signer, error) {
 	_, signer, err := c.getCertSigner()
 	return signer, err
 }
 // CreateCertificate signs a new certificate using Golang or KMS crypto.
 func (c *SoftCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) {
 	switch {
--- a/cas/softcas/softcas_test.go
+++ b/cas/softcas/softcas_test.go
@ -19,11 +19,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/cas/apiv1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/kms"
 	kmsapi "go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 )
@ -272,45 +269,6 @@ func TestSoftCAS_Type(t *testing.T) {
 	}
 }
 func TestSoftCAS_GetSigner(t *testing.T) {
 	ca, err := minica.New()
 	require.NoError(t, err)
 	type fields struct {
 		CertificateChain  []*x509.Certificate
 		Signer            crypto.Signer
 		CertificateSigner func() ([]*x509.Certificate, crypto.Signer, error)
 		KeyManager        kms.KeyManager
 	}
 	tests := []struct {
 		name      string
 		fields    fields
 		want      crypto.Signer
 		assertion assert.ErrorAssertionFunc
 	}{
 		{"ok signer", fields{[]*x509.Certificate{ca.Intermediate}, ca.Signer, nil, nil}, ca.Signer, assert.NoError},
 		{"ok certificateSigner", fields{[]*x509.Certificate{ca.Intermediate}, nil, func() ([]*x509.Certificate, crypto.Signer, error) {
 			return []*x509.Certificate{ca.Intermediate}, ca.Signer, nil
 		}, nil}, ca.Signer, assert.NoError},
 		{"fail certificateSigner", fields{[]*x509.Certificate{ca.Intermediate}, nil, func() ([]*x509.Certificate, crypto.Signer, error) {
 			return nil, nil, apiv1.NotImplementedError{}
 		}, nil}, nil, assert.Error},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &SoftCAS{
 				CertificateChain:  tt.fields.CertificateChain,
 				Signer:            tt.fields.Signer,
 				CertificateSigner: tt.fields.CertificateSigner,
 				KeyManager:        tt.fields.KeyManager,
 			}
 			got, err := c.GetSigner()
 			tt.assertion(t, err)
 			assert.Equal(t, tt.want, got)
 		})
 	}
 }
 func TestSoftCAS_CreateCertificate(t *testing.T) {
 	mockNow(t)
 	// Set rand.Reader to EOF
--- a/cas/vaultcas/vaultcas.go
+++ b/cas/vaultcas/vaultcas.go
@ -165,8 +165,7 @@ func (v *VaultCAS) GetCertificateAuthority(*apiv1.GetCertificateAuthorityRequest
 	}
 	return &apiv1.GetCertificateAuthorityResponse{
-		RootCertificate:          cert.root,
+		RootCertificate: cert.root,
 		IntermediateCertificates: cert.intermediates,
 	}, nil
 }
--- a/go.mod
+++ b/go.mod
@ -1,10 +1,10 @@
 module github.com/smallstep/certificates
-go 1.21
+go 1.20
 require (
-	cloud.google.com/go/longrunning v0.5.7
+	cloud.google.com/go/longrunning v0.5.6
-	cloud.google.com/go/security v1.17.0
+	cloud.google.com/go/security v1.15.6
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/dgraph-io/badger v1.6.2
 	github.com/dgraph-io/badger/v2 v2.2007.4
@ -15,78 +15,76 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-tpm v0.9.0
 	github.com/google/uuid v1.6.0
-	github.com/googleapis/gax-go/v2 v2.12.4
+	github.com/googleapis/gax-go/v2 v2.12.2
-	github.com/hashicorp/vault/api v1.14.0
+	github.com/hashicorp/vault/api v1.12.1
-	github.com/hashicorp/vault/api/auth/approle v0.7.0
+	github.com/hashicorp/vault/api/auth/approle v0.6.0
-	github.com/hashicorp/vault/api/auth/kubernetes v0.7.0
+	github.com/hashicorp/vault/api/auth/kubernetes v0.6.0
-	github.com/newrelic/go-agent/v3 v3.33.0
+	github.com/newrelic/go-agent/v3 v3.30.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_golang v1.19.0
 	github.com/rs/xid v1.5.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/slackhq/nebula v1.6.1
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935
-	github.com/smallstep/nosql v0.6.1
+	github.com/smallstep/nosql v0.6.0
 	github.com/smallstep/pkcs7 v0.0.0-20231024181729-3b98ecc1ca81
 	github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d
 	github.com/stretchr/testify v1.9.0
-	github.com/urfave/cli v1.22.15
+	github.com/urfave/cli v1.22.14
 	go.step.sm/cli-utils v0.9.0
-	go.step.sm/crypto v0.47.1
+	go.step.sm/crypto v0.43.1
-	go.step.sm/linkedca v0.21.1
+	go.step.sm/linkedca v0.20.1
-	golang.org/x/crypto v0.24.0
+	golang.org/x/crypto v0.21.0
-	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81
+	golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
-	golang.org/x/net v0.26.0
+	golang.org/x/net v0.22.0
-	google.golang.org/api v0.184.0
+	google.golang.org/api v0.169.0
-	google.golang.org/grpc v1.64.0
+	google.golang.org/grpc v1.62.1
-	google.golang.org/protobuf v1.34.2
+	google.golang.org/protobuf v1.33.0
 )
 require (
-	cloud.google.com/go v0.114.0 // indirect
+	cloud.google.com/go v0.112.1 // indirect
-	cloud.google.com/go/auth v0.5.1 // indirect
+	cloud.google.com/go/compute v1.24.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/iam v1.1.6 // indirect
-	cloud.google.com/go/iam v1.1.8 // indirect
+	cloud.google.com/go/kms v1.15.7 // indirect
 	cloud.google.com/go/kms v1.17.1 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.27.1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.17 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.17 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.32.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
-	github.com/aws/smithy-go v1.20.2 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgraph-io/ristretto v0.1.0 // indirect
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-kit/kit v0.13.0 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
@ -94,21 +92,21 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-piv/piv-go v1.11.0 // indirect
 	github.com/go-sql-driver/mysql v1.7.1 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/glog v1.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/certificate-transparency-go v1.1.6 // indirect
-	github.com/google/go-tpm-tools v0.4.4 // indirect
+	github.com/google/go-tpm-tools v0.4.2 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
+	github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
@ -149,20 +147,21 @@ require (
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.etcd.io/bbolt v1.3.9 // indirect
+	go.etcd.io/bbolt v1.3.7 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/oauth2 v0.17.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	google.golang.org/genproto v0.0.0-20240604185151-ef581f913117 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240311132316-a219d84964c2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,36 +1,34 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.114.0 h1:OIPFAdfrFDFO2ve2U7r/H5SwSbBzEdrBdE7xkgwc+kY=
+cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM=
-cloud.google.com/go v0.114.0/go.mod h1:ZV9La5YYxctro1HTPug5lXH/GefROyW8PPD4T8n9J8E=
+cloud.google.com/go v0.112.1/go.mod h1:+Vbu+Y1UU+I1rjmzeMOb/8RfkKJK2Gyxi1X6jJCZLo4=
-cloud.google.com/go/auth v0.5.1 h1:0QNO7VThG54LUzKiQxv8C6x1YX7lUrzlAa1nVLF8CIw=
+cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg=
-cloud.google.com/go/auth v0.5.1/go.mod h1:vbZT8GjzDf3AVqCcQmqeeM32U9HBFc32vVVAbwDsa6s=
+cloud.google.com/go/compute v1.24.0/go.mod h1:kw1/T+h/+tK2LJK0wiPPx1intgdAM3j/g3hFDlscY40=
-cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
+cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc=
-cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI=
-cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0=
+cloud.google.com/go/kms v1.15.7 h1:7caV9K3yIxvlQPAcaFffhlT7d1qpxjB1wHBtjWa13SM=
-cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE=
+cloud.google.com/go/kms v1.15.7/go.mod h1:ub54lbsa6tDkUwnu4W7Yt1aAIFLnspgh0kPGToDukeI=
-cloud.google.com/go/kms v1.17.1 h1:5k0wXqkxL+YcXd4viQzTqCgzzVKKxzgrK+rCZJytEQs=
+cloud.google.com/go/longrunning v0.5.6 h1:xAe8+0YaWoCKr9t1+aWe+OeQgN/iJK1fEgZSXmjuEaE=
-cloud.google.com/go/kms v1.17.1/go.mod h1:DCMnCF/apA6fZk5Cj4XsD979OyHAqFasPuA5Sd0kGlQ=
+cloud.google.com/go/longrunning v0.5.6/go.mod h1:vUaDrWYOMKRuhiv6JBnn49YxCPz2Ayn9GqyjaBT8/mA=
-cloud.google.com/go/longrunning v0.5.7 h1:WLbHekDbjK1fVFD3ibpFFVoyizlLRl73I7YKuAKilhU=
+cloud.google.com/go/security v1.15.6 h1:LYMj7ISEEjVQ0ub6E6ygGhjVbNQTH5CawKZz0bbPMVE=
-cloud.google.com/go/longrunning v0.5.7/go.mod h1:8GClkudohy1Fxm3owmBGid8W0pSgodEMwEAztp38Xng=
+cloud.google.com/go/security v1.15.6/go.mod h1:UMEAGVBMqE6xZvkCR1FvUIeBEmGOCRIDwtwT357xmok=
 cloud.google.com/go/security v1.17.0 h1:u4RCnEQPvlrrnFRFinU0T3WsjtrsQErkWBfqTM5oUQI=
 cloud.google.com/go/security v1.17.0/go.mod h1:eSuFs0SlBv1gWg7gHIoF0hYOvcSwJCek/GFXtgO6aA0=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIoKjsnZuH8vjyaysT/ses3EvZeaV/1UkF2M=
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 h1:1nGuui+4POelzDwI7RG56yfQJHCnKvwfMoU7VsEp+Zg=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 h1:c4k2FIYIh4xtwqrQwV0Ct1v5+ehlNXj5NI/MWVsiTkQ=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0/go.mod h1:99EvauvlcJ1U06amZiksfYz/3aFGyIhWGHVyiZXtBAI=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2/go.mod h1:5FDJtLEO/GxwNgUxbwrY3LP0pEoThTQJtk2oysdXHxM=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 h1:H+U3Gk9zY56G3u872L82bk4thcsy2Gghb9ExT4Zvm1o=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0/go.mod h1:mgrmMSgaLp9hmax62XQTd0N4aAqSE5E0DulSpVYK7vc=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 h1:DzHpqpoJVaCgOUdVHxE8QB52S6NiVdDQvGlny1qvPqA=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
@ -46,34 +44,34 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY
 github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aws/aws-sdk-go-v2 v1.27.1 h1:xypCL2owhog46iFxBKKpBcw+bPTX/RJzwNj8uSilENw=
+github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
-github.com/aws/aws-sdk-go-v2 v1.27.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2/config v1.27.17 h1:L0JZN7Gh7pT6u5CJReKsLhGKparqNKui+mcpxMXjDZc=
+github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o=
-github.com/aws/aws-sdk-go-v2/config v1.27.17/go.mod h1:MzM3balLZeaafYcPz8IihAmam/aCz6niPQI0FdprxW0=
+github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.17 h1:b3Dk9uxQByS9sc6r0sc2jmxsJKO75eOcb9nNEiaUBLM=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.17/go.mod h1:e4khg9iY08LnFK/HXQDWMf9GDaiMari7jWPnXvKAuBU=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 h1:0cSfTYYL9qiRcdi4Dvz+8s3JUgNR2qvbgZkXcwPEEEk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4/go.mod h1:Wjn5O9eS7uSi7vlPKt/v0MLTncANn9EMmoDvnzJli6o=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 h1:RnLB7p6aaFMRfyQkD6ckxR7myCC9SABIqSz4czYUUbU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8/go.mod h1:XH7dQJd+56wEbP1I4e4Duo+QhSMxNArE8VP7NuUOTeM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 h1:jzApk2f58L9yW9q1GEab3BMMFWUkkiZhyrRUtbwUbKU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8/go.mod h1:WqO+FftfO3tGePUtQxPXM6iODVfqMwsVMgTbG/ZXIdQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 h1:7kZqP7akv0enu6ykJhb9OYlw16oOrSy+Epus8o/VqMY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10/go.mod h1:gYVF3nM1ApfTRDj9pvdhootBb8WbiIejuqn4w8ruMes=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/kms v1.32.2 h1:WuwRxTSPc+E4dwDRmxh4TILJsnYoqm41KTb11pRkzBA=
+github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 h1:W9PbZAZAEcelhhjb7KuwUtf+Lbc+i7ByYJRuWLlnxyQ=
-github.com/aws/aws-sdk-go-v2/service/kms v1.32.2/go.mod h1:qEy625xFxrw6hA+eOAD030wmLERPa7LNCArh+gAC+8o=
+github.com/aws/aws-sdk-go-v2/service/kms v1.27.9/go.mod h1:2tFmR7fQnOdQlM2ZCEPpFnBIQD1U8wmXmduBgZbOag0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 h1:ItKVmFwbyb/ZnCWf+nu3XBVmUirpO9eGEQd7urnBA0s=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.10/go.mod h1:5XKooCTi9VB/xZmJDvh7uZ+v3uQ7QdX6diOyhvPA+/w=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 h1:QMSCYDg3Iyls0KZc/dk3JtS2c1lFfqbmYO10qBPPkJk=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4/go.mod h1:MZ/PVYU/mRbmSF6WK3ybCYHjA2mig8utVokDEVLDgE0=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 h1:HYS0csS7UJxdYRoG+bGgUYrSwVnV3/ece/wHm90TApM=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.11/go.mod h1:QXnthRM35zI92048MMwfFChjFmoufTdhtHmouwNfhhU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
-github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
@ -104,8 +102,8 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
+github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@ -121,6 +119,7 @@ github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WAFKLNi6ZS0675eEUC9y3AlwSbQu1Y=
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
@ -130,7 +129,6 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@ -138,10 +136,9 @@ github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1t
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
 github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
 github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-kit/kit v0.4.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.13.0 h1:OoneCcHKHQ03LfBpoQCUfCluwd2Vt3ohz+kvbJneZAU=
 github.com/go-kit/kit v0.13.0/go.mod h1:phqEHMMUbyrCFCTgH48JueqrM3md2HcAZ8N3XE4FKDg=
@ -167,8 +164,8 @@ github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
 github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=
 github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@ -188,6 +185,8 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@ -205,23 +204,20 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-configfs-tsm v0.2.2 h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98=
 github.com/google/go-configfs-tsm v0.2.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo=
 github.com/google/go-sev-guest v0.9.3 h1:GOJ+EipURdeWFl/YYdgcCxyPeMgQUWlI056iFkBD8UU=
-github.com/google/go-sev-guest v0.9.3/go.mod h1:hc1R4R6f8+NcJwITs0L90fYWTsBpd1Ix+Gur15sqHDs=
+github.com/google/go-tdx-guest v0.2.3-0.20231011100059-4cf02bed9d33 h1:lRlUusuieEuqljjihCXb+Mr73VNitOYPJYWXzJKtBWs=
 github.com/google/go-tdx-guest v0.3.1 h1:gl0KvjdsD4RrJzyLefDOvFOUH3NAJri/3qvaL5m83Iw=
 github.com/google/go-tdx-guest v0.3.1/go.mod h1:/rc3d7rnPykOPuY8U9saMyEps0PZDThLk/RygXm04nE=
 github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
-github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98=
+github.com/google/go-tpm-tools v0.4.2 h1:iyaCPKt2N5Rd0yz0G8ANa022SgCNZkMpp+db6QELtvI=
-github.com/google/go-tpm-tools v0.4.4/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY=
+github.com/google/go-tpm-tools v0.4.2/go.mod h1:fGUDZu4tw3V4hUVuFHmiYgRd0c58/IXivn9v3Ea/ck4=
 github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
 github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
 github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
 github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
@ -231,20 +227,22 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
-github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg=
+github.com/googleapis/gax-go/v2 v2.12.2 h1:mhN09QQW1jEWeMF74zGR81R30z4VJzjZsfkUhuHF+DA=
-github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI=
+github.com/googleapis/gax-go/v2 v2.12.2/go.mod h1:61M8vcyyXR2kqKFxKrfA22jaA8JGF7Dc8App1U3H6jc=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.2.2 h1:ihRI7YFwcZdiSD7SIenIhHfQH3OuDvWerAUBZbeQS3M=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.6 h1:TwRYfx2z2C4cLbXmT8I5PgP/xmuqASDyiVuGYfs9GZM=
+github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM=
-github.com/hashicorp/go-retryablehttp v0.7.6/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ=
@ -256,12 +254,13 @@ github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0S
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
+github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
-github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk=
+github.com/hashicorp/vault/api v1.12.1 h1:WzGN4X5jrJdNO39g6Sa55djNio3I9DxEBOTmCZE7tm0=
-github.com/hashicorp/vault/api/auth/approle v0.7.0 h1:R5IRVuFA5JSdG3UdGVcGysi0StrL1lPmyJnrawiV0Ss=
+github.com/hashicorp/vault/api v1.12.1/go.mod h1:1pqP/sErScodde+ybJCyP+ONC4jzEg7Dmawg/QLWo1k=
-github.com/hashicorp/vault/api/auth/approle v0.7.0/go.mod h1:B+WaC6VR+aSXiUxykpaPUoFiiZAhic53tDLbGjWZmRA=
+github.com/hashicorp/vault/api/auth/approle v0.6.0 h1:ELfFFQlTM/e97WJKu1HvNFa7lQ3tlTwwzrR1NJE1V7Y=
-github.com/hashicorp/vault/api/auth/kubernetes v0.7.0 h1:pHCbeeyD6E5KmMMCc9vwwZZ5OVlM6yFayxFHWodiOUU=
+github.com/hashicorp/vault/api/auth/approle v0.6.0/go.mod h1:CCoIl1xBC3lAWpd1HV+0ovk76Z8b8Mdepyk21h3pGk0=
-github.com/hashicorp/vault/api/auth/kubernetes v0.7.0/go.mod h1:Eey0x0X2g+b2LYWgBrQFyf5W0fp+Y1HGrEckP8Q0wns=
+github.com/hashicorp/vault/api/auth/kubernetes v0.6.0 h1:K8sKGhtTAqGKfzaaYvUSIOAqTOIn3Gk1EsCEAMzZHtM=
 github.com/hashicorp/vault/api/auth/kubernetes v0.6.0/go.mod h1:Htwcjez5J9PwAHaZ1EYMBlgGq3/in5ajUV4+WCPihPE=
 github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
@ -324,12 +323,10 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxv
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@ -337,18 +334,20 @@ github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@ -372,10 +371,9 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/newrelic/go-agent/v3 v3.33.0 h1:0Phrvp6KWOcJPsIxskL9ZrVddhrZDl1xokNtTjN4GpQ=
+github.com/newrelic/go-agent/v3 v3.30.0 h1:ZXHCT/Cot4iIPwcegCZURuRQOsfmGA6wilW+S3bfBjY=
-github.com/newrelic/go-agent/v3 v3.33.0/go.mod h1:SMdqPzE/ghkWdY0rYGSD7Clw2daK/XH6pUnVd4albg4=
+github.com/newrelic/go-agent/v3 v3.30.0/go.mod h1:9utrgxlSryNqRrTvII2XBL+0lpofXbqXApvVWPpbzUg=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
 github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
@ -387,8 +385,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
-github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
@ -397,8 +395,7 @@ github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5E
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
@ -428,8 +425,8 @@ github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 h1:kjYvkvS/Wdy0PVRDUAA0gGJIVSEZYhiAJtfwYgOYoGA=
 github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935/go.mod h1:vNAduivU014fubg6ewygkAvQC0IQVXqdc8vaGl/0er4=
-github.com/smallstep/nosql v0.6.1 h1:X8IBZFTRIp1gmuf23ne/jlD/BWKJtDQbtatxEn7Et1Y=
+github.com/smallstep/nosql v0.6.0 h1:ur7ysI8s9st0cMXnTvB8tA3+x5Eifmkb6hl4uqNV5jc=
-github.com/smallstep/nosql v0.6.1/go.mod h1:vrN+CftYYNnDM+DQqd863ATynvYFm/6FuY9D4TeAm2Y=
+github.com/smallstep/nosql v0.6.0/go.mod h1:jOXwLtockXORUPPZ2MCUcIkGR6w0cN1QGZniY9DITQA=
 github.com/smallstep/pkcs7 v0.0.0-20231024181729-3b98ecc1ca81 h1:B6cED3iLJTgxpdh4tuqByDjRRKan2EvtnOfHr2zHJVg=
 github.com/smallstep/pkcs7 v0.0.0-20231024181729-3b98ecc1ca81/go.mod h1:SoUAr/4M46rZ3WaLstHxGhLEgoYIDRqxQEXLOmOEB0Y=
 github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d h1:06LUHn4Ia2X6syjIaCMNaXXDNdU+1N/oOHynJbWgpXw=
@ -451,11 +448,11 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@ -466,16 +463,16 @@ github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8
 github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
+github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
-github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
+github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
-go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
+go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
-go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=
+go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
@ -486,16 +483,15 @@ go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
 go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
 go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
 go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
-go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
+go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw=
 go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
 go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.step.sm/cli-utils v0.9.0 h1:55jYcsQbnArNqepZyAwcato6Zy2MoZDRkWW+jF+aPfQ=
 go.step.sm/cli-utils v0.9.0/go.mod h1:Y/CRoWl1FVR9j+7PnAewufAwKmBOTzR6l9+7EYGAnp8=
-go.step.sm/crypto v0.47.1 h1:XvqgWLA1OTJXkmkmD6QSDZrmGKP4flv3PEoau60htcU=
+go.step.sm/crypto v0.43.1 h1:18Z/M49SnFDPXvFbfoN/ugE1i0J7phLWARhSQs/XSDI=
-go.step.sm/crypto v0.47.1/go.mod h1:0fz8+Am8oIwfOJgr9HHf7MwTa7Gffliv35VxDrQqU0Y=
+go.step.sm/crypto v0.43.1/go.mod h1:9n90D/SWjH1hTyQn1hgviUGyK8YRv743S8UZHYbt4BU=
-go.step.sm/linkedca v0.21.1 h1:2pM0qk48Rd8mre5V/Zch3AsaXUpyZAxsICKYB/gV2kc=
+go.step.sm/linkedca v0.20.1 h1:bHDn1+UG1NgRrERkWbbCiAIvv4lD5NOFaswPDTyO5vU=
-go.step.sm/linkedca v0.21.1/go.mod h1:dOKdF4HSn73YUEkfS5/FECngZmBtj2Il5DTKWXY4S6Y=
+go.step.sm/linkedca v0.20.1/go.mod h1:Vaq4+Umtjh7DLFI1KuIxeo598vfBzgSYZUjgVJ7Syxw=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@ -503,8 +499,6 @@ go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
@ -514,6 +508,7 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
@ -521,12 +516,14 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 h1:6R2FC06FonbXQ8pK11/PDFY6N6LWlf9KlzibaCapmqc=
+golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0 h1:LGJsf5LRplCck6jUCH3dBL2dmycNruWNF5xugkSlfXw=
-golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
+golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@ -550,19 +547,20 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -575,6 +573,7 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -593,30 +592,35 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -640,26 +644,28 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.184.0 h1:dmEdk6ZkJNXy1JcDhn/ou0ZUq7n9zropG2/tR4z+RDg=
+google.golang.org/api v0.169.0 h1:QwWPy71FgMWqJN/l6jVlFHUa29a7dcUy02I8o799nPY=
-google.golang.org/api v0.184.0/go.mod h1:CeDTtUEiYENAf8PPG5VZW2yNp2VM3VWbCeTioAZBTBA=
+google.golang.org/api v0.169.0/go.mod h1:gpNOiMA2tZ4mf5R9Iwf4rK/Dcz0fbdIgWYWVoxmsyLg=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240604185151-ef581f913117 h1:HCZ6DlkKtCDAtD8ForECsY3tKuaR+p4R3grlK80uCCc=
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
-google.golang.org/genproto v0.0.0-20240604185151-ef581f913117/go.mod h1:lesfX/+9iA+3OdqeCpoDddJaNxVB1AB6tD7EfqMmprc=
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s=
-google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU=
+google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 h1:1GBuWVLM/KMVUv1t1En5Gs+gFZCNd360GGb4sSxtrhU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240311132316-a219d84964c2 h1:9IZDv+/GcI6u+a4jRFRLxQs0RUCfavGfoOgEW6jpkI0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240311132316-a219d84964c2/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
-google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
+google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@ -669,13 +675,14 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/internal/metrix/meter.go
+++ b/internal/metrix/meter.go
@ -91,12 +91,12 @@ func (m *Meter) SSHSigned(p provisioner.Interface, err error) {
 	incrProvisionerCounter(m.ssh.signed, p, err)
 }
-// SSHWebhookAuthorized implements [authority.Meter] for [Meter].
+// SSHAuthorized implements [authority.Meter] for [Meter].
 func (m *Meter) SSHWebhookAuthorized(p provisioner.Interface, err error) {
 	incrProvisionerCounter(m.ssh.webhookAuthorized, p, err)
 }
-// SSHWebhookEnriched implements [authority.Meter] for [Meter].
+// SSHEnriched implements [authority.Meter] for [Meter].
 func (m *Meter) SSHWebhookEnriched(p provisioner.Interface, err error) {
 	incrProvisionerCounter(m.ssh.webhookEnriched, p, err)
 }
@ -116,12 +116,12 @@ func (m *Meter) X509Signed(p provisioner.Interface, err error) {
 	incrProvisionerCounter(m.x509.signed, p, err)
 }
-// X509WebhookAuthorized implements [authority.Meter] for [Meter].
+// X509Authorized implements [authority.Meter] for [Meter].
 func (m *Meter) X509WebhookAuthorized(p provisioner.Interface, err error) {
 	incrProvisionerCounter(m.x509.webhookAuthorized, p, err)
 }
-// X509WebhookEnriched implements [authority.Meter] for [Meter].
+// X509Enriched implements [authority.Meter] for [Meter].
 func (m *Meter) X509WebhookEnriched(p provisioner.Interface, err error) {
 	incrProvisionerCounter(m.x509.webhookEnriched, p, err)
 }
--- a/policy/engine.go
+++ b/policy/engine.go
@ -270,7 +270,7 @@ func (e *NamePolicyEngine) IsSSHCertificateAllowed(cert *ssh.Certificate) error
 	return e.validateNames(dnsNames, ips, emails, []*url.URL{}, principals)
 }
-// splitSSHPrincipals splits SSH certificate principals into DNS names, emails and usernames.
+// splitPrincipals splits SSH certificate principals into DNS names, emails and usernames.
 func splitSSHPrincipals(cert *ssh.Certificate) (dnsNames []string, ips []net.IP, emails, principals []string, err error) {
 	dnsNames = []string{}
 	ips = []net.IP{}
--- a/scep/api/api.go
+++ b/scep/api/api.go
@ -97,7 +97,7 @@ func route(r api.Router, middleware func(next http.HandlerFunc) http.HandlerFunc
 func Get(w http.ResponseWriter, r *http.Request) {
 	req, err := decodeRequest(r)
 	if err != nil {
-		fail(w, r, fmt.Errorf("invalid scep get request: %w", err))
+		fail(w, fmt.Errorf("invalid scep get request: %w", err))
 		return
 	}
@ -116,18 +116,18 @@ func Get(w http.ResponseWriter, r *http.Request) {
 	}
 	if err != nil {
-		fail(w, r, fmt.Errorf("scep get request failed: %w", err))
+		fail(w, fmt.Errorf("scep get request failed: %w", err))
 		return
 	}
-	writeResponse(w, r, res)
+	writeResponse(w, res)
 }
 // Post handles all SCEP POST requests
 func Post(w http.ResponseWriter, r *http.Request) {
 	req, err := decodeRequest(r)
 	if err != nil {
-		fail(w, r, fmt.Errorf("invalid scep post request: %w", err))
+		fail(w, fmt.Errorf("invalid scep post request: %w", err))
 		return
 	}
@ -140,11 +140,11 @@ func Post(w http.ResponseWriter, r *http.Request) {
 	}
 	if err != nil {
-		fail(w, r, fmt.Errorf("scep post request failed: %w", err))
+		fail(w, fmt.Errorf("scep post request failed: %w", err))
 		return
 	}
-	writeResponse(w, r, res)
+	writeResponse(w, res)
 }
 func decodeRequest(r *http.Request) (request, error) {
@ -274,7 +274,7 @@ func lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
 		name := chi.URLParam(r, "provisionerName")
 		provisionerName, err := url.PathUnescape(name)
 		if err != nil {
-			fail(w, r, fmt.Errorf("error url unescaping provisioner name '%s'", name))
+			fail(w, fmt.Errorf("error url unescaping provisioner name '%s'", name))
 			return
 		}
@ -282,13 +282,13 @@ func lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
 		auth := authority.MustFromContext(ctx)
 		p, err := auth.LoadProvisionerByName(provisionerName)
 		if err != nil {
-			fail(w, r, err)
+			fail(w, err)
 			return
 		}
 		prov, ok := p.(*provisioner.SCEP)
 		if !ok {
-			fail(w, r, errors.New("provisioner must be of type SCEP"))
+			fail(w, errors.New("provisioner must be of type SCEP"))
 			return
 		}
@ -387,10 +387,9 @@ func PKIOperation(ctx context.Context, req request) (Response, error) {
 	if msg.MessageType == smallscep.PKCSReq || msg.MessageType == smallscep.RenewalReq {
 		if err := auth.ValidateChallenge(ctx, csr, challengePassword, transactionID); err != nil {
 			if errors.Is(err, provisioner.ErrSCEPChallengeInvalid) {
-				return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, err.Error(), err)
+				return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, err)
 			}
-			scepErr := errors.New("failed validating challenge password")
+			return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, errors.New("failed validating challenge password"))
 			return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, scepErr.Error(), scepErr)
 		}
 	}
@ -408,7 +407,7 @@ func PKIOperation(ctx context.Context, req request) (Response, error) {
 			// TODO(hs): ignore this error case? It's not critical if the notification fails; but logging it might be good
 			_ = notifyErr
 		}
-		return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, "internal server error; please see the certificate authority logs for more info", fmt.Errorf("error when signing new certificate: %w", err))
+		return createFailureResponse(ctx, csr, msg, smallscep.BadRequest, fmt.Errorf("error when signing new certificate: %w", err))
 	}
 	if notifyErr := auth.NotifySuccess(ctx, csr, certRep.Certificate, transactionID); notifyErr != nil {
@ -430,9 +429,9 @@ func formatCapabilities(caps []string) []byte {
 }
 // writeResponse writes a SCEP response back to the SCEP client.
-func writeResponse(w http.ResponseWriter, r *http.Request, res Response) {
+func writeResponse(w http.ResponseWriter, res Response) {
 	if res.Error != nil {
-		log.Error(w, r, res.Error)
+		log.Error(w, res.Error)
 	}
 	if res.Certificate != nil {
@ -443,15 +442,15 @@ func writeResponse(w http.ResponseWriter, r *http.Request, res Response) {
 	_, _ = w.Write(res.Data)
 }
-func fail(w http.ResponseWriter, r *http.Request, err error) {
+func fail(w http.ResponseWriter, err error) {
-	log.Error(w, r, err)
+	log.Error(w, err)
 	http.Error(w, err.Error(), http.StatusInternalServerError)
 }
-func createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info smallscep.FailInfo, infoText string, failError error) (Response, error) {
+func createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info smallscep.FailInfo, failError error) (Response, error) {
 	auth := scep.MustFromContext(ctx)
-	certRepMsg, err := auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), infoText)
+	certRepMsg, err := auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), failError.Error())
 	if err != nil {
 		return Response{}, err
 	}
--- a/scep/authority.go
+++ b/scep/authority.go
@ -308,7 +308,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 	certChain, err := a.signAuth.SignWithContext(ctx, csr, opts, signOps...)
 	if err != nil {
-		return nil, fmt.Errorf("error generating certificate: %w", err)
+		return nil, fmt.Errorf("error generating certificate for order: %w", err)
 	}
 	// take the issued certificate (only); https://tools.ietf.org/html/rfc8894#section-3.3.2
--- a/scep/options.go
+++ b/scep/options.go
@ -37,21 +37,19 @@ func (o *Options) Validate() error {
 	switch {
 	case len(o.Intermediates) == 0:
 		return errors.New("no intermediate certificate available for SCEP authority")
 	case o.Signer == nil:
 		return errors.New("no signer available for SCEP authority")
 	case o.SignerCert == nil:
 		return errors.New("no signer certificate available for SCEP authority")
 	}
-	// the signer is optional, but if it's set, its public key must match the signer
+	// check if the signer (intermediate CA) certificate has the same public key as
-	// certificate public key.
+	// the signer. According to the RFC it seems valid to have different keys for
-	if o.Signer != nil {
+	// the intermediate and the CA signing new certificates, so this might change
-		// check if the signer (intermediate CA) certificate has the same public key as
+	// in the future.
-		// the signer. According to the RFC it seems valid to have different keys for
+	signerPublicKey := o.Signer.Public().(comparablePublicKey)
-		// the intermediate and the CA signing new certificates, so this might change
+	if !signerPublicKey.Equal(o.SignerCert.PublicKey) {
-		// in the future.
+		return errors.New("mismatch between signer certificate and public key")
 		signerPublicKey := o.Signer.Public().(comparablePublicKey)
 		if !signerPublicKey.Equal(o.SignerCert.PublicKey) {
 			return errors.New("mismatch between signer certificate and public key")
 		}
 	}
 	// decrypter can be nil in case a signing only key is used; validation complete.
--- a/scep/scep.go
+++ b/scep/scep.go
@ -29,7 +29,7 @@ var (
 	oidSCEPsenderNonce    = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 5}
 	oidSCEPrecipientNonce = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 6}
 	oidSCEPtransactionID  = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 7}
-	oidSCEPfailInfoText   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 24, 1}
+	oidSCEPfailInfoText   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 24}
 	//oidChallengePassword  = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
 )
--- a/test/integration/scep/common_test.go
+++ b/test/integration/scep/common_test.go
@ -1,273 +0,0 @@
 package sceptest
 import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"math/big"
 	"net"
 	"net/http"
 	"net/url"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/smallstep/pkcs7"
 	"github.com/smallstep/scep"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/x509util"
 	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/cas/apiv1"
 )
 func newCAClient(t *testing.T, caURL, rootFilepath string) *ca.Client {
 	caClient, err := ca.NewClient(
 		caURL,
 		ca.WithRootFile(rootFilepath),
 	)
 	require.NoError(t, err)
 	return caClient
 }
 func requireHealthyCA(t *testing.T, caClient *ca.Client) {
 	ctx := context.Background()
 	healthResponse, err := caClient.HealthWithContext(ctx)
 	require.NoError(t, err)
 	if assert.NotNil(t, healthResponse) {
 		require.Equal(t, "ok", healthResponse.Status)
 	}
 }
 // reservePort "reserves" a TCP port by opening a listener on a random
 // port and immediately closing it. The port can then be assumed to be
 // available for running a server on.
 func reservePort(t *testing.T) (host, port string) {
 	t.Helper()
 	l, err := net.Listen("tcp", ":0")
 	require.NoError(t, err)
 	address := l.Addr().String()
 	err = l.Close()
 	require.NoError(t, err)
 	host, port, err = net.SplitHostPort(address)
 	require.NoError(t, err)
 	return
 }
 type client struct {
 	caURL      string
 	caCert     *x509.Certificate
 	httpClient *http.Client
 }
 func createSCEPClient(t *testing.T, caURL string, root *x509.Certificate) *client {
 	t.Helper()
 	trustedRoots := x509.NewCertPool()
 	trustedRoots.AddCert(root)
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{
 		RootCAs: trustedRoots,
 	}
 	httpClient := &http.Client{
 		Transport: transport,
 	}
 	return &client{
 		caURL:      caURL,
 		httpClient: httpClient,
 	}
 }
 func (c *client) getCACert(t *testing.T) error {
 	// return early if CA certificate already available
 	if c.caCert != nil {
 		return nil
 	}
 	resp, err := c.httpClient.Get(fmt.Sprintf("%s?operation=GetCACert&message=test", c.caURL))
 	if err != nil {
 		return fmt.Errorf("failed get request: %w", err)
 	}
 	defer resp.Body.Close()
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return fmt.Errorf("failed reading response body: %w", err)
 	}
 	t.Log(string(body))
 	// SCEP CA/RA certificate selection. If there's only a single certificate, it will
 	// be used as the CA certificate at all times. If there's multiple, the first certificate
 	// is assumed to be the certificate of the recipient to encrypt messages to.
 	switch ct := resp.Header.Get("Content-Type"); ct {
 	case "application/x-x509-ca-cert":
 		cert, err := x509.ParseCertificate(body)
 		if err != nil {
 			return fmt.Errorf("failed parsing response body: %w", err)
 		}
 		if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
 			return fmt.Errorf("certificate has unexpected public key type %T", cert.PublicKey)
 		}
 		c.caCert = cert
 	case "application/x-x509-ca-ra-cert":
 		certs, err := scep.CACerts(body)
 		if err != nil {
 			return fmt.Errorf("failed parsing response body: %w", err)
 		}
 		cert := certs[0]
 		if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
 			return fmt.Errorf("certificate has unexpected public key type %T", cert.PublicKey)
 		}
 		c.caCert = cert
 	default:
 		return fmt.Errorf("unexpected content-type value %q", ct)
 	}
 	return nil
 }
 func (c *client) requestCertificate(t *testing.T, commonName string, sans []string) (*x509.Certificate, error) {
 	if err := c.getCACert(t); err != nil {
 		return nil, fmt.Errorf("failed getting CA certificate: %w", err)
 	}
 	signer, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, fmt.Errorf("failed creating SCEP private key: %w", err)
 	}
 	csr, err := x509util.CreateCertificateRequest(commonName, sans, signer)
 	if err != nil {
 		return nil, fmt.Errorf("failed creating CSR: %w", err)
 	}
 	tmpl := &x509.Certificate{
 		Subject:        csr.Subject,
 		PublicKey:      signer.Public(),
 		SerialNumber:   big.NewInt(1),
 		NotBefore:      time.Now().Add(-1 * time.Hour),
 		NotAfter:       time.Now().Add(1 * time.Hour),
 		DNSNames:       csr.DNSNames,
 		IPAddresses:    csr.IPAddresses,
 		EmailAddresses: csr.EmailAddresses,
 		URIs:           csr.URIs,
 	}
 	selfSigned, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
 	if err != nil {
 		return nil, fmt.Errorf("failed creating self signed certificate: %w", err)
 	}
 	selfSignedCertificate, err := x509.ParseCertificate(selfSigned)
 	if err != nil {
 		return nil, fmt.Errorf("failed parsing self signed certificate: %w", err)
 	}
 	msgTmpl := &scep.PKIMessage{
 		TransactionID: "test-1",
 		MessageType:   scep.PKCSReq,
 		SenderNonce:   []byte("test-nonce-1"),
 		Recipients:    []*x509.Certificate{c.caCert},
 		SignerCert:    selfSignedCertificate,
 		SignerKey:     signer,
 	}
 	msg, err := scep.NewCSRRequest(csr, msgTmpl)
 	if err != nil {
 		return nil, fmt.Errorf("failed creating SCEP PKCSReq message: %w", err)
 	}
 	t.Log(string(msg.Raw))
 	u, err := url.Parse(c.caURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed parsing CA URL: %w", err)
 	}
 	opURL := u.ResolveReference(&url.URL{RawQuery: fmt.Sprintf("operation=PKIOperation&message=%s", url.QueryEscape(base64.StdEncoding.EncodeToString(msg.Raw)))})
 	resp, err := c.httpClient.Get(opURL.String())
 	if err != nil {
 		return nil, fmt.Errorf("failed get request: %w", err)
 	}
 	defer resp.Body.Close()
 	if ct := resp.Header.Get("Content-Type"); ct != "application/x-pki-message" {
 		return nil, fmt.Errorf("received unexpected content type %q", ct)
 	}
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, fmt.Errorf("failed reading response body: %w", err)
 	}
 	t.Log(string(body))
 	signedData, err := pkcs7.Parse(body)
 	if err != nil {
 		return nil, fmt.Errorf("failed parsing response body: %w", err)
 	}
 	// TODO: verify the signature?
 	p7, err := pkcs7.Parse(signedData.Content)
 	if err != nil {
 		return nil, fmt.Errorf("failed decrypting inner p7: %w", err)
 	}
 	content, err := p7.Decrypt(selfSignedCertificate, signer)
 	if err != nil {
 		return nil, fmt.Errorf("failed decrypting response: %w", err)
 	}
 	p7, err = pkcs7.Parse(content)
 	if err != nil {
 		return nil, fmt.Errorf("failed parsing p7 content: %w", err)
 	}
 	cert := p7.Certificates[0]
 	return cert, nil
 }
 type testCAS struct {
 	ca *minica.CA
 }
 func (c *testCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) {
 	cert, err := c.ca.SignCSR(req.CSR)
 	if err != nil {
 		return nil, fmt.Errorf("failed signing CSR: %w", err)
 	}
 	return &apiv1.CreateCertificateResponse{
 		Certificate:      cert,
 		CertificateChain: []*x509.Certificate{cert, c.ca.Intermediate},
 	}, nil
 }
 func (c *testCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
 	return nil, errors.New("not implemented")
 }
 func (c *testCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) {
 	return nil, errors.New("not implemented")
 }
 func (c *testCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) {
 	return &apiv1.GetCertificateAuthorityResponse{
 		RootCertificate:          c.ca.Root,
 		IntermediateCertificates: []*x509.Certificate{c.ca.Intermediate},
 	}, nil
 }
 var _ apiv1.CertificateAuthorityService = (*testCAS)(nil)
 var _ apiv1.CertificateAuthorityGetter = (*testCAS)(nil)
--- a/test/integration/scep/decrypter_cas_test.go
+++ b/test/integration/scep/decrypter_cas_test.go
@ -1,149 +0,0 @@
 package sceptest
 import (
 	"context"
 	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 	"net"
 	"net/http"
 	"path/filepath"
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/cas/apiv1"
 )
 func TestIssuesCertificateUsingSCEPWithDecrypterAndUpstreamCAS(t *testing.T) {
 	signer, err := keyutil.GenerateSigner("EC", "P-256", 0)
 	require.NoError(t, err)
 	dir := t.TempDir()
 	m, err := minica.New(minica.WithName("Step E2E | SCEP Decrypter w/ Upstream CAS"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
 		return signer, nil
 	}))
 	require.NoError(t, err)
 	rootFilepath := filepath.Join(dir, "root.crt")
 	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
 	require.NoError(t, err)
 	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
 	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
 	require.NoError(t, err)
 	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
 	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
 	require.NoError(t, err)
 	decrypterKey, err := keyutil.GenerateKey("RSA", "", 2048)
 	require.NoError(t, err)
 	decrypter, ok := decrypterKey.(crypto.Decrypter)
 	require.True(t, ok)
 	decrypterCertifiate, err := m.Sign(&x509.Certificate{
 		Subject:      pkix.Name{CommonName: "decrypter"},
 		PublicKey:    decrypter.Public(),
 		SerialNumber: big.NewInt(1),
 		NotBefore:    time.Now().Add(-1 * time.Hour),
 		NotAfter:     time.Now().Add(1 * time.Hour),
 		DNSNames:     []string{"decrypter"},
 	})
 	require.NoError(t, err)
 	b, err := pemutil.Serialize(decrypterCertifiate)
 	require.NoError(t, err)
 	decrypterCertificatePEMBytes := pem.EncodeToMemory(b)
 	b, err = pemutil.Serialize(decrypter, pemutil.WithPassword([]byte("1234")))
 	require.NoError(t, err)
 	decrypterKeyPEMBytes := pem.EncodeToMemory(b)
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
 	prov := &provisioner.SCEP{
 		ID:                            "scep",
 		Name:                          "scep",
 		Type:                          "SCEP",
 		ForceCN:                       false,
 		ChallengePassword:             "",
 		EncryptionAlgorithmIdentifier: 2,
 		MinimumPublicKeyLength:        2048,
 		Claims:                        &config.GlobalProvisionerClaims,
 		DecrypterCertificate:          decrypterCertificatePEMBytes,
 		DecrypterKeyPEM:               decrypterKeyPEMBytes,
 		DecrypterKeyPassword:          "1234",
 	}
 	err = prov.Init(provisioner.Config{})
 	require.NoError(t, err)
 	apiv1.Register("test-scep-cas", func(_ context.Context, opts apiv1.Options) (apiv1.CertificateAuthorityService, error) {
 		return &testCAS{
 			ca: m,
 		}, nil
 	})
 	cfg := &config.Config{
 		Address:  net.JoinHostPort(host, port), // reuse the address that was just "reserved"
 		DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			Options: &apiv1.Options{
 				AuthorityID:          "stepca-test-scep",
 				Type:                 "test-scep-cas",
 				CertificateAuthority: "test-cas",
 			},
 			AuthorityID:    "stepca-test-scep",
 			DeploymentType: "standalone-test",
 			Provisioners:   provisioner.List{prov},
 		},
 		Logger: json.RawMessage(`{"format": "text"}`),
 	}
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
 		err = c.Run()
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 	// instantiate a client for the CA running at the random address
 	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
 	requireHealthyCA(t, caClient)
 	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)
 	assert.Equal(t, "test.localhost", cert.Subject.CommonName)
 	assert.Equal(t, "Step E2E | SCEP Decrypter w/ Upstream CAS Intermediate CA", cert.Issuer.CommonName)
 	// done testing; stop and wait for the server to quit
 	err = c.Stop()
 	require.NoError(t, err)
 	wg.Wait()
 }
--- a/test/integration/scep/decrypter_test.go
+++ b/test/integration/scep/decrypter_test.go
@ -1,139 +0,0 @@
 package sceptest
 import (
 	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 	"net"
 	"net/http"
 	"path/filepath"
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca"
 )
 func TestIssuesCertificateUsingSCEPWithDecrypter(t *testing.T) {
 	signer, err := keyutil.GenerateSigner("EC", "P-256", 0)
 	require.NoError(t, err)
 	dir := t.TempDir()
 	m, err := minica.New(minica.WithName("Step E2E | SCEP Decrypter"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
 		return signer, nil
 	}))
 	require.NoError(t, err)
 	rootFilepath := filepath.Join(dir, "root.crt")
 	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
 	require.NoError(t, err)
 	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
 	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
 	require.NoError(t, err)
 	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
 	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
 	require.NoError(t, err)
 	decrypterKey, err := keyutil.GenerateKey("RSA", "", 2048)
 	require.NoError(t, err)
 	decrypter, ok := decrypterKey.(crypto.Decrypter)
 	require.True(t, ok)
 	decrypterCertifiate, err := m.Sign(&x509.Certificate{
 		Subject:      pkix.Name{CommonName: "decrypter"},
 		PublicKey:    decrypter.Public(),
 		SerialNumber: big.NewInt(1),
 		NotBefore:    time.Now().Add(-1 * time.Hour),
 		NotAfter:     time.Now().Add(1 * time.Hour),
 		DNSNames:     []string{"decrypter"},
 	})
 	require.NoError(t, err)
 	b, err := pemutil.Serialize(decrypterCertifiate)
 	require.NoError(t, err)
 	decrypterCertificatePEMBytes := pem.EncodeToMemory(b)
 	b, err = pemutil.Serialize(decrypter, pemutil.WithPassword([]byte("1234")))
 	require.NoError(t, err)
 	decrypterKeyPEMBytes := pem.EncodeToMemory(b)
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
 	prov := &provisioner.SCEP{
 		ID:                            "scep",
 		Name:                          "scep",
 		Type:                          "SCEP",
 		ForceCN:                       false,
 		ChallengePassword:             "",
 		EncryptionAlgorithmIdentifier: 2,
 		MinimumPublicKeyLength:        2048,
 		Claims:                        &config.GlobalProvisionerClaims,
 		DecrypterCertificate:          decrypterCertificatePEMBytes,
 		DecrypterKeyPEM:               decrypterKeyPEMBytes,
 		DecrypterKeyPassword:          "1234",
 	}
 	err = prov.Init(provisioner.Config{})
 	require.NoError(t, err)
 	cfg := &config.Config{
 		Root:             []string{rootFilepath},
 		IntermediateCert: intermediateCertFilepath,
 		IntermediateKey:  intermediateKeyFilepath,
 		Address:          net.JoinHostPort(host, port), // reuse the address that was just "reserved"
 		DNSNames:         []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			AuthorityID:    "stepca-test-scep",
 			DeploymentType: "standalone-test",
 			Provisioners:   provisioner.List{prov},
 		},
 		Logger: json.RawMessage(`{"format": "text"}`),
 	}
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
 		err = c.Run()
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 	// instantiate a client for the CA running at the random address
 	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
 	requireHealthyCA(t, caClient)
 	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)
 	assert.Equal(t, "test.localhost", cert.Subject.CommonName)
 	assert.Equal(t, "Step E2E | SCEP Decrypter Intermediate CA", cert.Issuer.CommonName)
 	// done testing; stop and wait for the server to quit
 	err = c.Stop()
 	require.NoError(t, err)
 	wg.Wait()
 }
--- a/test/integration/scep/regular_cas_test.go
+++ b/test/integration/scep/regular_cas_test.go
@ -1,116 +0,0 @@
 package sceptest
 import (
 	"context"
 	"crypto"
 	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
 	"path/filepath"
 	"sync"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/cas/apiv1"
 )
 func TestFailsIssuingCertificateUsingRegularSCEPWithUpstreamCAS(t *testing.T) {
 	signer, err := keyutil.GenerateSigner("RSA", "", 2048)
 	require.NoError(t, err)
 	dir := t.TempDir()
 	m, err := minica.New(minica.WithName("Step E2E | SCEP Regular w/ Upstream CAS"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
 		return signer, nil
 	}))
 	require.NoError(t, err)
 	rootFilepath := filepath.Join(dir, "root.crt")
 	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
 	require.NoError(t, err)
 	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
 	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
 	require.NoError(t, err)
 	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
 	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
 	require.NoError(t, err)
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
 	prov := &provisioner.SCEP{
 		ID:                            "scep",
 		Name:                          "scep",
 		Type:                          "SCEP",
 		ForceCN:                       false,
 		ChallengePassword:             "",
 		EncryptionAlgorithmIdentifier: 2,
 		MinimumPublicKeyLength:        2048,
 		Claims:                        &config.GlobalProvisionerClaims,
 	}
 	err = prov.Init(provisioner.Config{})
 	require.NoError(t, err)
 	apiv1.Register("test-scep-cas", func(_ context.Context, opts apiv1.Options) (apiv1.CertificateAuthorityService, error) {
 		return &testCAS{
 			ca: m,
 		}, nil
 	})
 	cfg := &config.Config{
 		Address:  net.JoinHostPort(host, port), // reuse the address that was just "reserved"
 		DNSNames: []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			Options: &apiv1.Options{
 				AuthorityID:          "stepca-test-scep",
 				Type:                 "test-scep-cas",
 				CertificateAuthority: "test-cas",
 			},
 			AuthorityID:    "stepca-test-scep",
 			DeploymentType: "standalone-test",
 			Provisioners:   provisioner.List{prov},
 		},
 		Logger: json.RawMessage(`{"format": "text"}`),
 	}
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
 		err = c.Run()
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 	// instantiate a client for the CA running at the random address
 	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
 	requireHealthyCA(t, caClient)
 	// issuance is expected to fail when an upstream CAS is configured, as the current
 	// CAS interfaces do not support providing a decrypter.
 	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.Error(t, err)
 	assert.Nil(t, cert)
 	// done testing; stop and wait for the server to quit
 	err = c.Stop()
 	require.NoError(t, err)
 	wg.Wait()
 }
--- a/test/integration/scep/regular_test.go
+++ b/test/integration/scep/regular_test.go
@ -1,107 +0,0 @@
 package sceptest
 import (
 	"crypto"
 	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
 	"path/filepath"
 	"sync"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca"
 )
 func TestIssuesCertificateUsingRegularSCEPConfiguration(t *testing.T) {
 	signer, err := keyutil.GenerateSigner("RSA", "", 2048)
 	require.NoError(t, err)
 	dir := t.TempDir()
 	m, err := minica.New(minica.WithName("Step E2E | SCEP Regular"), minica.WithGetSignerFunc(func() (crypto.Signer, error) {
 		return signer, nil
 	}))
 	require.NoError(t, err)
 	rootFilepath := filepath.Join(dir, "root.crt")
 	_, err = pemutil.Serialize(m.Root, pemutil.WithFilename(rootFilepath))
 	require.NoError(t, err)
 	intermediateCertFilepath := filepath.Join(dir, "intermediate.crt")
 	_, err = pemutil.Serialize(m.Intermediate, pemutil.WithFilename(intermediateCertFilepath))
 	require.NoError(t, err)
 	intermediateKeyFilepath := filepath.Join(dir, "intermediate.key")
 	_, err = pemutil.Serialize(m.Signer, pemutil.WithFilename(intermediateKeyFilepath))
 	require.NoError(t, err)
 	// get a random address to listen on and connect to; currently no nicer way to get one before starting the server
 	// TODO(hs): find/implement a nicer way to expose the CA URL, similar to how e.g. httptest.Server exposes it?
 	host, port := reservePort(t)
 	prov := &provisioner.SCEP{
 		ID:                            "scep",
 		Name:                          "scep",
 		Type:                          "SCEP",
 		ForceCN:                       false,
 		ChallengePassword:             "",
 		EncryptionAlgorithmIdentifier: 2,
 		MinimumPublicKeyLength:        2048,
 		Claims:                        &config.GlobalProvisionerClaims,
 	}
 	err = prov.Init(provisioner.Config{})
 	require.NoError(t, err)
 	cfg := &config.Config{
 		Root:             []string{rootFilepath},
 		IntermediateCert: intermediateCertFilepath,
 		IntermediateKey:  intermediateKeyFilepath,
 		Address:          net.JoinHostPort(host, port), // reuse the address that was just "reserved"
 		DNSNames:         []string{"127.0.0.1", "[::1]", "localhost"},
 		AuthorityConfig: &config.AuthConfig{
 			AuthorityID:    "stepca-test-scep",
 			DeploymentType: "standalone-test",
 			Provisioners:   provisioner.List{prov},
 		},
 		Logger: json.RawMessage(`{"format": "text"}`),
 	}
 	c, err := ca.New(cfg)
 	require.NoError(t, err)
 	var wg sync.WaitGroup
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
 		err = c.Run()
 		require.ErrorIs(t, err, http.ErrServerClosed)
 	}()
 	// instantiate a client for the CA running at the random address
 	caClient := newCAClient(t, fmt.Sprintf("https://localhost:%s", port), rootFilepath)
 	requireHealthyCA(t, caClient)
 	scepClient := createSCEPClient(t, fmt.Sprintf("https://localhost:%s/scep/scep", port), m.Root)
 	cert, err := scepClient.requestCertificate(t, "test.localhost", []string{"test.localhost"})
 	assert.NoError(t, err)
 	require.NotNil(t, cert)
 	assert.Equal(t, "test.localhost", cert.Subject.CommonName)
 	assert.Equal(t, "Step E2E | SCEP Regular Intermediate CA", cert.Issuer.CommonName)
 	// done testing; stop and wait for the server to quit
 	err = c.Stop()
 	require.NoError(t, err)
 	wg.Wait()
 }