diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go
index 8f3c1009..98b69f9f 100644
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@@ -80,7 +80,7 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 return c.Load(payload.Audience[0])
 }
 
-// LoadByCertificate lookds for the provisioner extension and extracts the
+// LoadByCertificate looks for the provisioner extension and extracts the
 // proper id to load the provisioner.
 func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool) {
 for _, e := range cert.Extensions {
@@ -95,7 +95,10 @@ func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
 return c.Load(string(provisioner.CredentialID))
 }
 }
-return nil, false
+
+// Default to noop provisioner if an extension is not found. This allows to
+// accept a renewal of a cert without the provisioner extension.
+return &noop{}, true
 }
 
 // LoadEncryptedKey returns a the encrypted key by KeyID. At this moment only
diff --git a/authority/provisioner/noop.go b/authority/provisioner/noop.go
new file mode 100644
index 00000000..c00ba61f
--- /dev/null
+++ b/authority/provisioner/noop.go
@@ -0,0 +1,37 @@
+package provisioner
+
+import "crypto/x509"
+
+// noop provisioners is a provisioner that accepts anything.
+type noop struct{}
+
+func (p *noop) GetID() string {
+return "noop"
+}
+
+func (p *noop) GetName() string {
+return "noop"
+}
+func (p *noop) GetType() Type {
+return noopType
+}
+
+func (p *noop) GetEncryptedKey() (kid string, key string, ok bool) {
+return "", "", false
+}
+
+func (p *noop) Init(config Config) error {
+return nil
+}
+
+func (p *noop) Authorize(token string) ([]SignOption, error) {
+return []SignOption{}, nil
+}
+
+func (p *noop) AuthorizeRenewal(cert *x509.Certificate) error {
+return nil
+}
+
+func (p *noop) AuthorizeRevoke(token string) error {
+return nil
+}
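Review bot: Returning `&noop{}, true` from LoadByCertificate makes a certificate without the provisioner extension indistinguishable, to every caller, from one whose provisioner was actually found, and the noop type authorizes everything, so code that relied on `ok == false` to reject such certificates now accepts them. The added comment says the intent is to allow renewal of a cert that lacks the extension, but the fallback applies to all callers of LoadByCertificate, not only the renewal path. Consider keeping `return nil, false` here and having the renewal caller substitute the noop provisioner explicitly, or make the noop provisioner fail closed for anything other than renewal. LoadByCertificate's body begins outside this hunk, so I cannot see whether the extension lookup above is the only check performed before this return.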
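Review bot: The noop provisioner allows every operation, not only renewal: `Authorize` returns `[]SignOption{}, nil` and `AuthorizeRevoke` returns `nil`, so a caller that resolves a provisioner through the new LoadByCertificate fallback and then authorizes a signing or revocation request gets an unconditional allow. Since the companion change in collection.go describes the purpose as renewing certificates that lack the provisioner extension, those two methods should fail closed, e.g. `return nil, errors.New("noop provisioner does not authorize signing")` in Authorize and a matching error in AuthorizeRevoke, with `errors` added to the import. The type comment has a typo and should read `// noop is a provisioner that accepts anything.`; `noopType` is not defined in this diff, so presumably it exists elsewhere in the package. A blank line is also missing between GetName and GetType, which gofmt will not add for you.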