diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 00000000..5b671c40 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,7 @@ +README.md +.gitignore +bin +coverage.txt +*.test +*.out +.travis-releases diff --git a/README.md b/README.md index 05574c7c..80b1798c 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te - Can operate as [an online intermediate CA](./docs/questions.md#i-already-have-pki-in-place-can-i-use-this-with-my-own-root-certificate) for an existing root CA - [Badger, BoltDB, and MySQL database backends](https://github.com/smallstep/certificates/blob/master/docs/database.md) -### ⚙️ Many ways to automate +### ⚙️ Many ways to automate There are several ways to authorize a request with the CA and establish a chain of trust that suits your flow. @@ -165,7 +165,7 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages. 1. [Optional] Install `step`. - Download the Linux tarball from the + Download the Linux tarball from the [latest `step` release](https://github.com/smallstep/cli/releases/latest): ``` @@ -184,7 +184,7 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages. Download the Linux package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest): ``` - $ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz + $ wget -O step-ca.tar.gz https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-certificates_linux_X.Y.Z_amd64.tar.gz ``` Install `step-ca` by unzipping and copying the executable over to `/usr/bin`: diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca index 5d8fdacd..4a1908d6 100644 --- a/docker/Dockerfile.step-ca +++ b/docker/Dockerfile.step-ca 
@@ -1,24 +1,27 @@ FROM golang:alpine AS builder -RUN mkdir /src -ADD . /src +WORKDIR /src +COPY . . -RUN apk add --no-cache make git curl && \ - cd /src && \ - make V=1 bin/step-ca +RUN apk add --no-cache \ + curl \ + git \ + make && \ + make V=1 bin/step-ca FROM smallstep/step-cli:latest COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca -ENV CONFIGPATH="/home/step/config/ca.json" -ENV PWDPATH="/home/step/secrets/password" - USER root RUN apk add --no-cache libcap && setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/step-ca USER step +ENV CONFIGPATH="/home/step/config/ca.json" +ENV PWDPATH="/home/step/secrets/password" + VOLUME ["/home/step"] STOPSIGNAL SIGTERM +HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null -CMD exec /bin/sh -c "/usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH" +CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH diff --git a/errs/error.go b/errs/error.go index 2e49d8c5..ebcf0894 100644 --- a/errs/error.go +++ b/errs/error.go @@ -181,7 +181,7 @@ func StatusCodeError(code int, e error, opts ...Option) error { var ( seeLogs = "Please see the certificate authority logs for more info." // BadRequestDefaultMsg 400 default msg - BadRequestDefaultMsg = "The request could not be completed; malformed or missing data" + seeLogs + BadRequestDefaultMsg = "The request could not be completed; malformed or missing data. " + seeLogs // UnauthorizedDefaultMsg 401 default msg UnauthorizedDefaultMsg = "The request lacked necessary authorization to be completed. " + seeLogs // ForbiddenDefaultMsg 403 default msg diff --git a/go.mod b/go.mod index f489d6d7..b3352580 100644 --- a/go.mod +++ b/go.mod 
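Review bot: The new shell-form `CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH` leaves both variables unquoted, so an overridden CONFIGPATH or PWDPATH containing whitespace is word-split by `/bin/sh` before step-ca sees it; quote them: `CMD exec /usr/local/bin/step-ca --password-file "$PWDPATH" "$CONFIGPATH"`. The added `HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null` relies on Docker's defaults (30s interval and timeout, no start period, 3 retries), so a CA that is slow to come up may be reported unhealthy before it has finished starting; consider stating the timing explicitly, e.g. `HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 CMD ...` with values tuned for this image. A one-line comment above the CMD noting that `exec` is what lets `STOPSIGNAL SIGTERM` reach step-ca as PID 1 (rather than a wrapping shell) would also help the next maintainer keep that property.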
@@ -4,11 +4,10 @@ go 1.14 require ( cloud.google.com/go v0.65.1-0.20200904011802-3c2db50b5678 - github.com/Masterminds/sprig/v3 v3.1.0 github.com/aws/aws-sdk-go v1.30.29 github.com/go-chi/chi v4.0.2+incompatible - github.com/go-piv/piv-go v1.5.0 + github.com/go-piv/piv-go v1.6.0 github.com/google/uuid v1.1.2 github.com/googleapis/gax-go/v2 v2.0.5 github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a // indirect @@ -29,8 +28,8 @@ require ( google.golang.org/grpc v1.32.0 google.golang.org/protobuf v1.25.0 gopkg.in/square/go-jose.v2 v2.5.1 - // cloud.google.com/go/security/privateca/apiv1alpha1 v0.0.0 - // google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1 v0.0.0 +// cloud.google.com/go/security/privateca/apiv1alpha1 v0.0.0 +// google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1 v0.0.0 ) // replace github.com/smallstep/cli => ../cli diff --git a/go.sum b/go.sum index 60b99c45..c1f05f2d 100644 --- a/go.sum +++ b/go.sum @@ -158,6 +158,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8= github.com/go-piv/piv-go v1.5.0 h1:UtHPfrJsZKY+Z3UIjmJLh6DY+KtmNOl/9b/zt4N81pM= github.com/go-piv/piv-go v1.5.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk= +github.com/go-piv/piv-go v1.6.0 h1:F/z9VJw7SrLZvf5Ql7/vZ2m0xk/EoANfix3+J6HM05A= +github.com/go-piv/piv-go v1.6.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk= github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs= 
@@ -876,6 +878,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -913,7 +916,6 @@ google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200831141814-d751682dd103/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d h1:92D1fum1bJLKSdr11OJ+54YeCMCGYIygTA7R/YZxH5M=
 google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200910191746-8ad3c7ee2cd1 h1:Oi/dETbxPPblvoi4hgkzJun62A4dwuBsTM0UcZYpN3U=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
diff --git a/kms/yubikey/yubikey.go b/kms/yubikey/yubikey.go
index 28c41f95..6f2a5c18 100644
--- a/kms/yubikey/yubikey.go
+++ b/kms/yubikey/yubikey.go
@@ -141,7 +141,8 @@ func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e } priv, err := k.yk.PrivateKey(slot, cert.PublicKey, piv.KeyAuth{ - PIN: k.pin, + PIN: k.pin, + PINPolicy: piv.PINPolicyAlways, }) if err != nil { return nil, errors.Wrap(err, "error retrieving private key")
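Review bot: Hard-coding `PINPolicy: piv.PINPolicyAlways` in the `piv.KeyAuth` passed to `k.yk.PrivateKey` is a behavior change with no explanation in the hunk: if I read piv-go correctly, an explicit policy stops the library from consulting the slot's attestation certificate to learn the key's real PIN policy, and instead verifies `k.pin` before every signing operation, so slots generated with a `once` or `never` policy now pay a PIN verification per signature and an empty or wrong `k.pin` fails for every slot rather than only the ones that require a PIN. If the motivation is to support imported keys (which carry no attestation certificate for piv-go to read), please say so above the field, e.g. `// Force PINPolicyAlways: imported keys have no attestation certificate, so piv-go cannot discover the slot's policy; always verifying the PIN works for every policy at the cost of one VERIFY per signature.` Making the policy configurable through the KMS options, with `PINPolicyAlways` as the default, would avoid forcing the per-operation cost on keys that do not need it. CreateSigner begins and ends outside this hunk.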