diff --git a/authority/authorize.go b/authority/authorize.go
index 95698b49..6162fc0e 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -284,7 +284,13 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
 }
 p, err := a.LoadProvisionerByCertificate(cert)
 if err != nil {
- return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+ var ok bool
+ // For backward compatibility this method will also succeed if the
+ // provisioner does not have an extension. LoadByCertificate returns the
+ // noop provisioner if this happens, and it allow certificate renewals.
+ if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
+ return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+ }
 }
 if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
 return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
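Review bot: The fallback inside `if err != nil` runs for every error returned by `LoadProvisionerByCertificate`, and that `err` is then dropped, so a certificate without a provisioner extension is renewed through the noop provisioner with no provisioner-level renewal policy applied and no record of why the first lookup failed. Because this widens who may renew, the comment should say so and have its wording fixed, e.g. `// Certificates without a provisioner extension fall back to the noop provisioner, which allows renewal; no provisioner renewal policy applies to them.` A test asserting that a certificate whose extension names an unknown provisioner still gets `errs.Unauthorized` would pin the intended boundary of the fallback. `a.provisioners` is read directly here, presumably outside whatever locking `LoadProvisionerByCertificate` performs, which is worth confirming against the rest of the file. The body of `authorizeRenew` starts and ends outside this hunk.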