diff --git a/authority/authority_test.go b/authority/authority_test.go
index e6a65453..058a4c25 100644
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -137,7 +137,8 @@ func TestAuthorityNew(t *testing.T) {
 					assert.Equals(t, auth.rootX509Certs[0], root)
 
 					assert.True(t, auth.initOnce)
-					assert.NotNil(t, auth.intermediateIdentity)
+					assert.NotNil(t, auth.x509Signer)
+					assert.NotNil(t, auth.x509Issuer)
 					for _, p := range tc.config.AuthorityConfig.Provisioners {
 						var _p provisioner.Interface
 						_p, ok = auth.provisioners.Load(p.GetID())
diff --git a/authority/tls_test.go b/authority/tls_test.go
index f946022f..722338d3 100644
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@@ -2,6 +2,7 @@ package authority
 
 import (
 	"context"
+	"crypto"
 	"crypto/rand"
 	"crypto/sha1"
 	"crypto/x509"
@@ -156,7 +157,7 @@ func TestAuthority_Sign(t *testing.T) {
 		},
 		"fail create cert": func(t *testing.T) *signTest {
 			_a := testAuthority(t)
-			_a.intermediateIdentity.Key = nil
+			_a.x509Signer = nil
 			csr := getCSR(t, priv)
 			return &signTest{
 				auth:      _a,
@@ -303,7 +304,7 @@ ZYtQ9Ot36qc=
 					hash := sha1.Sum(pubBytes)
 					assert.Equals(t, leaf.SubjectKeyId, hash[:])
 
-					assert.Equals(t, leaf.AuthorityKeyId, a.intermediateIdentity.Crt.SubjectKeyId)
+					assert.Equals(t, leaf.AuthorityKeyId, a.x509Issuer.SubjectKeyId)
 
 					// Verify Provisioner OID
 					found := 0
@@ -322,7 +323,7 @@ ZYtQ9Ot36qc=
 					}
 					assert.Equals(t, found, 1)
 
-					realIntermediate, err := x509.ParseCertificate(a.intermediateIdentity.Crt.Raw)
+					realIntermediate, err := x509.ParseCertificate(a.x509Issuer.Raw)
 					assert.FatalError(t, err)
 					assert.Equals(t, intermediate, realIntermediate)
 				}
@@ -353,8 +354,7 @@ func TestAuthority_Renew(t *testing.T) {
 		NotAfter:  provisioner.NewTimeDuration(na1),
 	}
 
-	leaf, err := x509util.NewLeafProfile("renew", a.intermediateIdentity.Crt,
-		a.intermediateIdentity.Key,
+	leaf, err := x509util.NewLeafProfile("renew", a.x509Issuer, a.x509Signer,
 		x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
 		withDefaultASN1DN(a.config.AuthorityConfig.Template),
 		x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
@@ -365,8 +365,7 @@ func TestAuthority_Renew(t *testing.T) {
 	cert, err := x509.ParseCertificate(certBytes)
 	assert.FatalError(t, err)
 
-	leafNoRenew, err := x509util.NewLeafProfile("norenew", a.intermediateIdentity.Crt,
-		a.intermediateIdentity.Key,
+	leafNoRenew, err := x509util.NewLeafProfile("norenew", a.x509Issuer, a.x509Signer,
 		x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
 		withDefaultASN1DN(a.config.AuthorityConfig.Template),
 		x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
@@ -387,7 +386,7 @@ func TestAuthority_Renew(t *testing.T) {
 	tests := map[string]func() (*renewTest, error){
 		"fail-create-cert": func() (*renewTest, error) {
 			_a := testAuthority(t)
-			_a.intermediateIdentity.Key = nil
+			_a.x509Signer = nil
 			return &renewTest{
 				auth: _a,
 				cert: cert,
@@ -425,8 +424,8 @@ func TestAuthority_Renew(t *testing.T) {
 			assert.FatalError(t, err)
 
 			_a := testAuthority(t)
-			_a.intermediateIdentity.Key = newIntermediateProfile.SubjectPrivateKey()
-			_a.intermediateIdentity.Crt = newIntermediateCert
+			_a.x509Signer = newIntermediateProfile.SubjectPrivateKey().(crypto.Signer)
+			_a.x509Issuer = newIntermediateCert
 			return &renewTest{
 				auth: _a,
 				cert: cert,
@@ -494,8 +493,8 @@ func TestAuthority_Renew(t *testing.T) {
 					assert.Equals(t, leaf.SubjectKeyId, hash[:])
 
 					// We did not change the intermediate before renewing.
-					if a.intermediateIdentity.Crt.SerialNumber == tc.auth.intermediateIdentity.Crt.SerialNumber {
-						assert.Equals(t, leaf.AuthorityKeyId, a.intermediateIdentity.Crt.SubjectKeyId)
+					if a.x509Issuer.SerialNumber == tc.auth.x509Issuer.SerialNumber {
+						assert.Equals(t, leaf.AuthorityKeyId, a.x509Issuer.SubjectKeyId)
 						// Compare extensions: they can be in a different order
 						for _, ext1 := range tc.cert.Extensions {
 							found := false
@@ -511,7 +510,7 @@ func TestAuthority_Renew(t *testing.T) {
 						}
 					} else {
 						// We did change the intermediate before renewing.
-						assert.Equals(t, leaf.AuthorityKeyId, tc.auth.intermediateIdentity.Crt.SubjectKeyId)
+						assert.Equals(t, leaf.AuthorityKeyId, tc.auth.x509Issuer.SubjectKeyId)
 						// Compare extensions: they can be in a different order
 						for _, ext1 := range tc.cert.Extensions {
 							// The authority key id extension should be different b/c the intermediates are different.
@@ -535,7 +534,7 @@ func TestAuthority_Renew(t *testing.T) {
 						}
 					}
 
-					realIntermediate, err := x509.ParseCertificate(tc.auth.intermediateIdentity.Crt.Raw)
+					realIntermediate, err := x509.ParseCertificate(tc.auth.x509Issuer.Raw)
 					assert.FatalError(t, err)
 					assert.Equals(t, intermediate, realIntermediate)
 				}