diff --git a/Gopkg.lock b/Gopkg.lock
index 6293e4c3..e5d80fa4 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -212,7 +212,7 @@
 
 [[projects]]
 branch = "sans"
- digest = "1:84a773da390eabc9a292221bbc2c16653093f8eb805a1b16f738ef3cd88df701"
+ digest = "1:4c9e30abfe7c119eb4d40287f6c23f854f3ad71c69206d8dc6402e1fef14ac88"
 name = "github.com/smallstep/cli"
 packages = [
 "command",
@@ -231,7 +231,7 @@
 "utils",
 ]
 pruneopts = "UT"
- revision = "49d4a4c26c802e83c5ed160abdd5babab1c9b5c6"
+ revision = "1379a62e0cf06b164d35e20a912d017ac8bad071"
 
 [[projects]]
 branch = "master"
diff --git a/authority/authorize.go b/authority/authorize.go
index 17cd37a5..5566b17f 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -3,12 +3,12 @@ package authority
 import (
 "crypto/x509"
 "encoding/asn1"
- "net"
 "net/http"
 "net/url"
 "time"
 
 "github.com/pkg/errors"
+ "github.com/smallstep/cli/crypto/x509util"
 "gopkg.in/square/go-jose.v2/jwt"
 )
 
@@ -126,7 +126,7 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 if len(claims.SANs) == 0 {
 claims.SANs = []string{claims.Subject}
 }
- dnsNames, ips := SplitSANs(claims.SANs)
+ dnsNames, ips := x509util.SplitSANs(claims.SANs)
 if err != nil {
 return nil, err
 }
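Review bot: The `if err != nil` check right after `dnsNames, ips := x509util.SplitSANs(claims.SANs)` cannot be triggered by that call, because it assigns two values and no error, so it only re-tests whatever `err` held earlier in Authorize (whose body starts and ends outside this hunk). Either drop the check or move it next to the statement that actually sets `err`. Since this is where token-supplied SANs become certificate names, I would also add a comment such as `// SANs come from the token claims; entries that do not parse as an IP are treated as DNS names without further validation`. That was the documented behaviour of the removed local helper, and it is worth confirming that the x509util version at the newly pinned revision still behaves the same, since the call in ca/client.go depends on it too.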
@@ -150,26 +150,6 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 return signOps, nil
 }
 
-// SplitSANs splits a slice of Subject Alternative Names into slices of
-// IP Addresses and DNS Names. If an element is not an IP address, then it
-// is bucketed as a DNS Name.
-func SplitSANs(sans []string) (dnsNames []string, ips []net.IP) {
- dnsNames = []string{}
- ips = []net.IP{}
- if sans == nil {
- return
- }
- for _, san := range sans {
- if ip := net.ParseIP(san); ip != nil {
- ips = append(ips, ip)
- } else {
- // If not IP then assume DNSName.
- dnsNames = append(dnsNames, san)
- }
- }
- return
-}
-
 // authorizeRenewal tries to locate the step provisioner extension, and checks
 // if for the configured provisioner, the renewal is enabled or not. If the
 // extra extension cannot be found, authorize the renewal by default.
diff --git a/ca/client.go b/ca/client.go
index 5f997dea..1ca682de 100644
--- a/ca/client.go
+++ b/ca/client.go
@@ -23,6 +23,7 @@ import (
 "github.com/pkg/errors"
 "github.com/smallstep/certificates/api"
 "github.com/smallstep/certificates/authority"
+ "github.com/smallstep/cli/crypto/x509util"
 "gopkg.in/square/go-jose.v2/jwt"
 )
 
@@ -452,7 +453,7 @@ func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error) 
 return nil, nil, errors.Wrap(err, "error generating key")
 }
 
- dnsNames, ips := authority.SplitSANs(claims.SANs)
+ dnsNames, ips := x509util.SplitSANs(claims.SANs)
 
 template := &x509.CertificateRequest{
 Subject: pkix.Name{
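Review bot: No fallback for an empty `claims.SANs` is visible before the `x509util.SplitSANs(claims.SANs)` call in CreateSignRequest, whereas Authorize in authority/authorize.go substitutes `[]string{claims.Subject}` first. If the function has no equivalent outside this hunk (its body starts and ends beyond it), a token without SANs would produce a CSR with no names while the authority authorizes the subject as the only SAN, and the two sides would presumably disagree at signing time. Consider applying the same default here, `if len(claims.SANs) == 0 { claims.SANs = []string{claims.Subject} }`, or moving it into one shared helper so client and authority cannot drift.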