Simplify SCEP provisioner context handling

Refactor the SCEP authority initialization
Instead of relying on an intermediate `scep.Service` struct, initialize the `scep.Authority` directly. This removes one redundant layer of indirection.
2023-06-01 16:22:00 +02:00 · 2023-06-01 15:50:51 +02:00 · 2023-06-01 14:43:32 +02:00 · 2023-06-01 12:12:12 +02:00 · 2023-06-01 12:10:54 +02:00 · 2023-05-26 23:52:49 +02:00
49 changed files with 637 additions and 1351 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -20,8 +20,8 @@ jobs:
  ci:
    uses: smallstep/workflows/.github/workflows/goCI.yml@main
    with:
-      only-latest-golang: false
-      os-dependencies: 'libpcsclite-dev'
+      os-dependencies: "libpcsclite-dev"
+      run-gitleaks: true
      run-codeql: true
-      test-command: 'V=1 make test'
+      make-test: true # run `make test` instead of the default test workflow
    secrets: inherit
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -55,12 +55,38 @@ jobs:
          prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}

  goreleaser:
+    name: Upload Assets To Github w/ goreleaser
+    runs-on: ubuntu-latest
    needs: create_release
    permissions:
      id-token: write
      contents: write
-    uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
-    secrets: inherit
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2
+        with:
+          cosign-release: 'v1.13.1'
+      - name: Get Release Date
+        id: release_date
+        run: |
+          RELEASE_DATE=$(date +"%y-%m-%d")
+          echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: 'latest'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
+          RELEASE_DATE: ${{ env.RELEASE_DATE }}
+          COSIGN_EXPERIMENTAL: 1

  build_upload_docker:
    name: Build & Upload Docker Images
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -31,7 +31,7 @@ builds:
      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}

 archives:
-  - &ARCHIVE
+  -
    # Can be used to change the archive formats for specific GOOSs.
    # Most common use case is to archive as zip on Windows.
    # Default is empty.
@ -45,11 +45,6 @@ archives:
      - README.md
      - LICENSE
    allow_different_binary_count: true
-  -
-    << : *ARCHIVE
-    id: unversioned
-    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
-

 nfpms:
  # Configure nFPM for .deb and .rpm releases
@ -61,7 +56,7 @@ nfpms:
  # List file contents: dpkg -c dist/step_...deb
  # Package metadata: dpkg --info dist/step_....deb
  #
-  - &NFPM
+  -
    builds:
      - step-ca
    package_name: step-ca
@ -81,10 +76,6 @@ nfpms:
    contents:
      - src: debian/copyright
        dst: /usr/share/doc/step-ca/copyright
-  -
-    << : *NFPM
-    id: unversioned
-    file_name_template: "{{ .PackageName }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"

 source:
  enabled: true
@ -199,40 +190,39 @@ release:
  #  - glob: ./glob/**/to/**/file/**/*
  #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous

-scoops:
-  -
-    ids: [ default ]
-    # Template for the url which is determined by the given Token (github or gitlab)
-    # Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-    # Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
-    # Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-    url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-    # Repository to push the app manifest to.
-    bucket:
-      owner: smallstep
-      name: scoop-bucket
+scoop:
+  # Template for the url which is determined by the given Token (github or gitlab)
+  # Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+  # Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
+  # Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+  url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"

-    # Git author used to commit to the repository.
-    # Defaults are shown.
-    commit_author:
-      name: goreleaserbot
-      email: goreleaser@smallstep.com
+  # Repository to push the app manifest to.
+  bucket:
+    owner: smallstep
+    name: scoop-bucket

-    # The project name and current git tag are used in the format string.
-    commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
+  # Git author used to commit to the repository.
+  # Defaults are shown.
+  commit_author:
+    name: goreleaserbot
+    email: goreleaser@smallstep.com

-    # Your app's homepage.
-    # Default is empty.
-    homepage: "https://smallstep.com/docs/step-ca"
+  # The project name and current git tag are used in the format string.
+  commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"

-    # Skip uploads for prerelease.
-    skip_upload: auto
+  # Your app's homepage.
+  # Default is empty.
+  homepage: "https://smallstep.com/docs/step-ca"

-    # Your app's description.
-    # Default is empty.
-    description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
+  # Skip uploads for prerelease.
+  skip_upload: auto

-    # Your app's license
-    # Default is empty.
-    license: "Apache-2.0"
+  # Your app's description.
+  # Default is empty.
+  description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
+
+  # Your app's license
+  # Default is empty.
+  license: "Apache-2.0"

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -27,12 +27,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 ## [Unreleased]

-### Fixed
-
- Improved authentication for ACME requests using kid and provisioner name
-  (smallstep/certificates#1386).
-
-
 ## [v0.24.2] - 2023-05-11

 ### Added
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -74,7 +74,7 @@ sudo yum install pcsc-lite-devel
 To build `step-ca`, clone this repository and run the following:

 ```shell
-make bootstrap && make build GO_ENVS="CGO_ENABLED=1"
+make bootstrap && make build GOFLAGS=""
 ```

 When the build is complete, you will find binaries in `bin/`.
--- a/26
+++ b/26
@ -61,23 +61,7 @@ endif

 DATE    := $(shell date -u '+%Y-%m-%d %H:%M UTC')
 LDFLAGS := -ldflags='-w -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
-
-# Always explicitly enable or disable cgo,
-# so that go doesn't silently fall back on
-# non-cgo when gcc is not found.
-ifeq (,$(findstring CGO_ENABLED,$(GO_ENVS)))
-	ifneq ($(origin GOFLAGS),undefined)
-		# This section is for backward compatibility with 
-		# 
-		# $ make build GOFLAGS=""
-		#
-		# which is how we recommended building step-ca with cgo support
-		# until June 2023.
-		GO_ENVS := $(GO_ENVS) CGO_ENABLED=1
-	else
-		GO_ENVS := $(GO_ENVS) CGO_ENABLED=0
-	endif
-endif
+GOFLAGS := CGO_ENABLED=0

 download:
 	$Q go mod download
@ -87,7 +71,7 @@ build: $(PREFIX)bin/$(BINNAME)

 $(PREFIX)bin/$(BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
-	$Q $(GOOS_OVERRIDE) GOFLAGS="$(GOFLAGS)" $(GO_ENVS) go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)

 # Target to force a build of step-ca without running tests
 simple: build
@ -109,10 +93,10 @@ generate:
 test: testdefault testtpmsimulator combinecoverage

 testdefault:
-	$Q $(GO_ENVS) gotestsum -- -coverprofile=defaultcoverage.out -short -covermode=atomic ./...
+	$Q $(GOFLAGS) gotestsum -- -coverprofile=defaultcoverage.out -short -covermode=atomic ./...

 testtpmsimulator:
-	$Q CGO_ENABLED=1 gotestsum -- -coverprofile=tpmsimulatorcoverage.out -short -covermode=atomic -tags tpmsimulator ./acme 
+	$Q CGO_ENALBED=1 gotestsum -- -coverprofile=tpmsimulatorcoverage.out -short -covermode=atomic -tags tpmsimulator ./acme 

 testcgo:
 	$Q gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...
@ -125,7 +109,7 @@ combinecoverage:
 integrate: integration

 integration: bin/$(BINNAME)
-	$Q $(GO_ENVS) gotestsum -- -tags=integration ./integration/...
+	$Q $(GOFLAGS) gotestsum -- -tags=integration ./integration/...

 .PHONY: integrate integration

--- a/README.md
+++ b/README.md
@ -119,12 +119,18 @@ See our installation docs [here](https://smallstep.com/docs/step-ca/installation

 ## Documentation

-* [Official documentation](https://smallstep.com/docs/step-ca) is on smallstep.com
-* The `step` command reference is available via `step help`,
-[on smallstep.com](https://smallstep.com/docs/step-cli/reference/),
-or by running `step help --http=:8080` from the command line
+Documentation can be found in a handful of different places:
+
+1. On the web at https://smallstep.com/docs/step-ca.
+
+2. On the command line with `step help ca xxx` where `xxx` is the subcommand
+you are interested in. Ex: `step help ca provisioner list`.
+
+3. In your browser, by running `step help --http=:8080 ca` from the command line
 and visiting http://localhost:8080.

+4. The [docs](./docs/README.md) folder is being deprecated, but it still has some documentation and tutorials.
+
 ## Feedback?

 * Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space.
--- a/acme/account.go
+++ b/acme/account.go
@ -20,16 +20,6 @@ type Account struct {
 	Status                 Status           `json:"status"`
 	OrdersURL              string           `json:"orders"`
 	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
-	LocationPrefix         string           `json:"-"`
-	ProvisionerName        string           `json:"-"`
-}
-
-// GetLocation returns the URL location of the given account.
-func (a *Account) GetLocation() string {
-	if a.LocationPrefix == "" {
-		return ""
-	}
-	return a.LocationPrefix + a.ID
 }

 // ToLog enables response logging.
@ -82,7 +72,6 @@ func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions {
 		IPRanges:   p.X509.Allowed.IPRanges,
 	}
 }
-
 func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions {
 	if p == nil {
 		return nil
--- a/acme/account_test.go
+++ b/acme/account_test.go
@ -66,23 +66,6 @@ func TestKeyToID(t *testing.T) {
 	}
 }

-func TestAccount_GetLocation(t *testing.T) {
-	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
-	type test struct {
-		acc *Account
-		exp string
-	}
-	tests := map[string]test{
-		"empty":     {acc: &Account{LocationPrefix: ""}, exp: ""},
-		"not-empty": {acc: &Account{ID: "bar", LocationPrefix: locationPrefix}, exp: locationPrefix + "bar"},
-	}
-	for name, tc := range tests {
-		t.Run(name, func(t *testing.T) {
-			assert.Equals(t, tc.acc.GetLocation(), tc.exp)
-		})
-	}
-}
-
 func TestAccount_IsValid(t *testing.T) {
 	type test struct {
 		acc *Account
--- a/acme/api/account.go
+++ b/acme/api/account.go
@ -1,7 +1,6 @@
 package api

 import (
-	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
@ -68,12 +67,6 @@ func (u *UpdateAccountRequest) Validate() error {
 	}
 }

-// getAccountLocationPath returns the current account URL location.
-// Returned location will be of the form: https://<ca-url>/acme/<provisioner>/account/<accID>
-func getAccountLocationPath(ctx context.Context, linker acme.Linker, accID string) string {
-	return linker.GetLink(ctx, acme.AccountLinkType, accID)
-}
-
 // NewAccount is the handler resource for creating new ACME accounts.
 func NewAccount(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@ -132,11 +125,9 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 		}

 		acc = &acme.Account{
-			Key:             jwk,
-			Contact:         nar.Contact,
-			Status:          acme.StatusValid,
-			LocationPrefix:  getAccountLocationPath(ctx, linker, ""),
-			ProvisionerName: prov.GetName(),
+			Key:     jwk,
+			Contact: nar.Contact,
+			Status:  acme.StatusValid,
 		}
 		if err := db.CreateAccount(ctx, acc); err != nil {
 			render.Error(w, acme.WrapErrorISE(err, "error creating account"))
@ -161,7 +152,7 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {

 	linker.LinkAccount(ctx, acc)

-	w.Header().Set("Location", getAccountLocationPath(ctx, linker, acc.ID))
+	w.Header().Set("Location", linker.GetLink(r.Context(), acme.AccountLinkType, acc.ID))
 	render.JSONStatus(w, acc, httpStatus)
 }

--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -7,7 +7,6 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"path"
 	"strings"

 	"go.step.sm/crypto/jose"
@ -17,6 +16,7 @@ import (
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
+	"github.com/smallstep/nosql"
 )

 type nextHTTP = func(http.ResponseWriter, *http.Request)
@ -293,6 +293,7 @@ func lookupJWK(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		db := acme.MustDatabaseFromContext(ctx)
+		linker := acme.MustLinkerFromContext(ctx)

 		jws, err := jwsFromContext(ctx)
 		if err != nil {
@ -300,16 +301,19 @@ func lookupJWK(next nextHTTP) nextHTTP {
 			return
 		}

+		kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
 		kid := jws.Signatures[0].Protected.KeyID
-		if kid == "" {
-			render.Error(w, acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"))
+		if !strings.HasPrefix(kid, kidPrefix) {
+			render.Error(w, acme.NewError(acme.ErrorMalformedType,
+				"kid does not have required prefix; expected %s, but got %s",
+				kidPrefix, kid))
 			return
 		}

-		accID := path.Base(kid)
+		accID := strings.TrimPrefix(kid, kidPrefix)
 		acc, err := db.GetAccount(ctx, accID)
 		switch {
-		case acme.IsErrNotFound(err):
+		case nosql.IsErrNotFound(err):
 			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
 			return
 		case err != nil:
@ -320,45 +324,6 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}
-
-			if storedLocation := acc.GetLocation(); storedLocation != "" {
-				if kid != storedLocation {
-					// ACME accounts should have a stored location equivalent to the
-					// kid in the ACME request.
-					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
-						"kid does not match stored account location; expected %s, but got %s",
-						storedLocation, kid))
-					return
-				}
-
-				// Verify that the provisioner with which the account was created
-				// matches the provisioner in the request URL.
-				reqProv := acme.MustProvisionerFromContext(ctx)
-				reqProvName := reqProv.GetName()
-				accProvName := acc.ProvisionerName
-				if reqProvName != accProvName {
-					// Provisioner in the URL must match the provisioner with
-					// which the account was created.
-					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
-						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						accProvName, reqProvName))
-					return
-				}
-			} else {
-				// This code will only execute for old ACME accounts that do
-				// not have a cached location. The following validation was
-				// the original implementation of the `kid` check which has
-				// since been deprecated. However, the code will remain to
-				// ensure consistent behavior for old ACME accounts.
-				linker := acme.MustLinkerFromContext(ctx)
-				kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
-				if !strings.HasPrefix(kid, kidPrefix) {
-					render.Error(w, acme.NewError(acme.ErrorMalformedType,
-						"kid does not have required prefix; expected %s, but got %s",
-						kidPrefix, kid))
-					return
-				}
-			}
 			ctx = context.WithValue(ctx, accContextKey, acc)
 			ctx = context.WithValue(ctx, jwkContextKey, acc.Key)
 			next(w, r.WithContext(ctx))
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -17,6 +17,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
+	"github.com/smallstep/nosql/database"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 )
@ -677,7 +678,31 @@ func TestHandler_lookupJWK(t *testing.T) {
 				linker:     acme.NewLinker("test.ca.smallstep.com", "acme"),
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"),
+				err:        acme.NewError(acme.ErrorMalformedType, "kid does not have required prefix; expected %s, but got ", prefix),
+			}
+		},
+		"fail/bad-kid-prefix": func(t *testing.T) test {
+			_so := new(jose.SignerOptions)
+			_so.WithHeader("kid", "foo")
+			_signer, err := jose.NewSigner(jose.SigningKey{
+				Algorithm: jose.SignatureAlgorithm(jwk.Algorithm),
+				Key:       jwk.Key,
+			}, _so)
+			assert.FatalError(t, err)
+			_jws, err := _signer.Sign([]byte("baz"))
+			assert.FatalError(t, err)
+			_raw, err := _jws.CompactSerialize()
+			assert.FatalError(t, err)
+			_parsed, err := jose.ParseJWS(_raw)
+			assert.FatalError(t, err)
+			ctx := acme.NewProvisionerContext(context.Background(), prov)
+			ctx = context.WithValue(ctx, jwsContextKey, _parsed)
+			return test{
+				db:         &acme.MockDB{},
+				linker:     acme.NewLinker("test.ca.smallstep.com", "acme"),
+				ctx:        ctx,
+				statusCode: 400,
+				err:        acme.NewError(acme.ErrorMalformedType, "kid does not have required prefix; expected %s, but got foo", prefix),
 			}
 		},
 		"fail/account-not-found": func(t *testing.T) test {
@ -688,7 +713,7 @@ func TestHandler_lookupJWK(t *testing.T) {
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, accID string) (*acme.Account, error) {
 						assert.Equals(t, accID, accID)
-						return nil, acme.ErrNotFound
+						return nil, database.ErrNotFound
 					},
 				},
 				ctx:        ctx,
@ -729,77 +754,7 @@ func TestHandler_lookupJWK(t *testing.T) {
 				err:        acme.NewError(acme.ErrorUnauthorizedType, "account is not active"),
 			}
 		},
-		"fail/account-with-location-prefix/bad-kid": func(t *testing.T) test {
-			acc := &acme.Account{LocationPrefix: "foobar", Status: "valid"}
-			ctx := acme.NewProvisionerContext(context.Background(), prov)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx:        ctx,
-				statusCode: http.StatusUnauthorized,
-				err:        acme.NewError(acme.ErrorUnauthorizedType, "kid does not match stored account location; expected foobar, but %q", prefix+accID),
-			}
-		},
-		"fail/account-with-location-prefix/bad-provisioner": func(t *testing.T) test {
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerName: "other"}
-			ctx := acme.NewProvisionerContext(context.Background(), prov)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: http.StatusUnauthorized,
-				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, reqested provisioner = %s",
-					prov.GetName(), "other"),
-			}
-		},
-		"ok/account-with-location-prefix": func(t *testing.T) test {
-			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerName: prov.GetName()}
-			ctx := acme.NewProvisionerContext(context.Background(), prov)
-			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
-			return test{
-				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
-				db: &acme.MockDB{
-					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
-						assert.Equals(t, id, accID)
-						return acc, nil
-					},
-				},
-				ctx: ctx,
-				next: func(w http.ResponseWriter, r *http.Request) {
-					_acc, err := accountFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _acc, acc)
-					_jwk, err := jwkFromContext(r.Context())
-					assert.FatalError(t, err)
-					assert.Equals(t, _jwk, jwk)
-					w.Write(testBody)
-				},
-				statusCode: http.StatusOK,
-			}
-		},
-		"ok/account-without-location-prefix": func(t *testing.T) test {
+		"ok": func(t *testing.T) test {
 			acc := &acme.Account{Status: "valid", Key: jwk}
 			ctx := acme.NewProvisionerContext(context.Background(), prov)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
--- a/acme/challenge_tpmsimulator_test.go
+++ b/acme/challenge_tpmsimulator_test.go
@ -49,9 +49,8 @@ func withSimulator(t *testing.T) tpm.NewTPMOption {
 		err := sim.Close()
 		require.NoError(t, err)
 	})
-	sim, err := simulator.New()
-	require.NoError(t, err)
-	err = sim.Open()
+	sim = simulator.New()
+	err := sim.Open()
 	require.NoError(t, err)
 	return tpm.WithSimulator(sim)
 }
--- a/acme/db.go
+++ b/acme/db.go
@ -12,12 +12,6 @@ import (
 // account.
 var ErrNotFound = errors.New("not found")

-// IsErrNotFound returns true if the error is a "not found" error. Returns false
-// otherwise.
-func IsErrNotFound(err error) bool {
-	return errors.Is(err, ErrNotFound)
-}
-
 // DB is the DB interface expected by the step-ca ACME API.
 type DB interface {
 	CreateAccount(ctx context.Context, acc *Account) error
--- a/acme/db/nosql/account.go
+++ b/acme/db/nosql/account.go
@ -13,14 +13,12 @@ import (

 // dbAccount represents an ACME account.
 type dbAccount struct {
-	ID              string           `json:"id"`
-	Key             *jose.JSONWebKey `json:"key"`
-	Contact         []string         `json:"contact,omitempty"`
-	Status          acme.Status      `json:"status"`
-	LocationPrefix  string           `json:"locationPrefix"`
-	ProvisionerName string           `json:"provisionerName"`
-	CreatedAt       time.Time        `json:"createdAt"`
-	DeactivatedAt   time.Time        `json:"deactivatedAt"`
+	ID            string           `json:"id"`
+	Key           *jose.JSONWebKey `json:"key"`
+	Contact       []string         `json:"contact,omitempty"`
+	Status        acme.Status      `json:"status"`
+	CreatedAt     time.Time        `json:"createdAt"`
+	DeactivatedAt time.Time        `json:"deactivatedAt"`
 }

 func (dba *dbAccount) clone() *dbAccount {
@ -64,12 +62,10 @@ func (db *DB) GetAccount(ctx context.Context, id string) (*acme.Account, error)
 	}

 	return &acme.Account{
-		Status:          dbacc.Status,
-		Contact:         dbacc.Contact,
-		Key:             dbacc.Key,
-		ID:              dbacc.ID,
-		LocationPrefix:  dbacc.LocationPrefix,
-		ProvisionerName: dbacc.ProvisionerName,
+		Status:  dbacc.Status,
+		Contact: dbacc.Contact,
+		Key:     dbacc.Key,
+		ID:      dbacc.ID,
 	}, nil
 }

@ -91,13 +87,11 @@ func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error {
 	}

 	dba := &dbAccount{
-		ID:              acc.ID,
-		Key:             acc.Key,
-		Contact:         acc.Contact,
-		Status:          acc.Status,
-		CreatedAt:       clock.Now(),
-		LocationPrefix:  acc.LocationPrefix,
-		ProvisionerName: acc.ProvisionerName,
+		ID:        acc.ID,
+		Key:       acc.Key,
+		Contact:   acc.Contact,
+		Status:    acc.Status,
+		CreatedAt: clock.Now(),
 	}

 	kid, err := acme.KeyToID(dba.Key)
--- a/acme/db/nosql/account_test.go
+++ b/acme/db/nosql/account_test.go
@ -197,8 +197,6 @@ func TestDB_getAccountIDByKeyID(t *testing.T) {

 func TestDB_GetAccount(t *testing.T) {
 	accID := "accID"
-	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
-	provisionerName := "foo"
 	type test struct {
 		db      nosql.DB
 		err     error
@ -224,14 +222,12 @@ func TestDB_GetAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			dbacc := &dbAccount{
-				ID:              accID,
-				Status:          acme.StatusDeactivated,
-				CreatedAt:       now,
-				DeactivatedAt:   now,
-				Contact:         []string{"foo", "bar"},
-				Key:             jwk,
-				LocationPrefix:  locationPrefix,
-				ProvisionerName: provisionerName,
+				ID:            accID,
+				Status:        acme.StatusDeactivated,
+				CreatedAt:     now,
+				DeactivatedAt: now,
+				Contact:       []string{"foo", "bar"},
+				Key:           jwk,
 			}
 			b, err := json.Marshal(dbacc)
 			assert.FatalError(t, err)
@ -270,8 +266,6 @@ func TestDB_GetAccount(t *testing.T) {
 				assert.Equals(t, acc.ID, tc.dbacc.ID)
 				assert.Equals(t, acc.Status, tc.dbacc.Status)
 				assert.Equals(t, acc.Contact, tc.dbacc.Contact)
-				assert.Equals(t, acc.LocationPrefix, tc.dbacc.LocationPrefix)
-				assert.Equals(t, acc.ProvisionerName, tc.dbacc.ProvisionerName)
 				assert.Equals(t, acc.Key.KeyID, tc.dbacc.Key.KeyID)
 			}
 		})
@ -385,7 +379,6 @@ func TestDB_GetAccountByKeyID(t *testing.T) {
 }

 func TestDB_CreateAccount(t *testing.T) {
-	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
 	type test struct {
 		db  nosql.DB
 		acc *acme.Account
@ -397,10 +390,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -421,10 +413,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -445,10 +436,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -466,8 +456,6 @@ func TestDB_CreateAccount(t *testing.T) {
 							assert.FatalError(t, json.Unmarshal(nu, dbacc))
 							assert.Equals(t, dbacc.ID, string(key))
 							assert.Equals(t, dbacc.Contact, acc.Contact)
-							assert.Equals(t, dbacc.LocationPrefix, acc.LocationPrefix)
-							assert.Equals(t, dbacc.ProvisionerName, acc.ProvisionerName)
 							assert.Equals(t, dbacc.Key.KeyID, acc.Key.KeyID)
 							assert.True(t, clock.Now().Add(-time.Minute).Before(dbacc.CreatedAt))
 							assert.True(t, clock.Now().Add(time.Minute).After(dbacc.CreatedAt))
@ -491,10 +479,9 @@ func TestDB_CreateAccount(t *testing.T) {
 			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 			assert.FatalError(t, err)
 			acc := &acme.Account{
-				Status:         acme.StatusValid,
-				Contact:        []string{"foo", "bar"},
-				Key:            jwk,
-				LocationPrefix: locationPrefix,
+				Status:  acme.StatusValid,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -513,8 +500,6 @@ func TestDB_CreateAccount(t *testing.T) {
 							assert.FatalError(t, json.Unmarshal(nu, dbacc))
 							assert.Equals(t, dbacc.ID, string(key))
 							assert.Equals(t, dbacc.Contact, acc.Contact)
-							assert.Equals(t, dbacc.LocationPrefix, acc.LocationPrefix)
-							assert.Equals(t, dbacc.ProvisionerName, acc.ProvisionerName)
 							assert.Equals(t, dbacc.Key.KeyID, acc.Key.KeyID)
 							assert.True(t, clock.Now().Add(-time.Minute).Before(dbacc.CreatedAt))
 							assert.True(t, clock.Now().Add(time.Minute).After(dbacc.CreatedAt))
@ -554,14 +539,12 @@ func TestDB_UpdateAccount(t *testing.T) {
 	jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 	assert.FatalError(t, err)
 	dbacc := &dbAccount{
-		ID:              accID,
-		Status:          acme.StatusDeactivated,
-		CreatedAt:       now,
-		DeactivatedAt:   now,
-		Contact:         []string{"foo", "bar"},
-		LocationPrefix:  "foo",
-		ProvisionerName: "alpha",
-		Key:             jwk,
+		ID:            accID,
+		Status:        acme.StatusDeactivated,
+		CreatedAt:     now,
+		DeactivatedAt: now,
+		Contact:       []string{"foo", "bar"},
+		Key:           jwk,
 	}
 	b, err := json.Marshal(dbacc)
 	assert.FatalError(t, err)
@ -661,12 +644,10 @@ func TestDB_UpdateAccount(t *testing.T) {
 		},
 		"ok": func(t *testing.T) test {
 			acc := &acme.Account{
-				ID:              accID,
-				Status:          acme.StatusDeactivated,
-				Contact:         []string{"baz", "zap"},
-				LocationPrefix:  "bar",
-				ProvisionerName: "beta",
-				Key:             jwk,
+				ID:      accID,
+				Status:  acme.StatusDeactivated,
+				Contact: []string{"foo", "bar"},
+				Key:     jwk,
 			}
 			return test{
 				acc: acc,
@ -685,10 +666,7 @@ func TestDB_UpdateAccount(t *testing.T) {
 						assert.FatalError(t, json.Unmarshal(nu, dbNew))
 						assert.Equals(t, dbNew.ID, dbacc.ID)
 						assert.Equals(t, dbNew.Status, acc.Status)
-						assert.Equals(t, dbNew.Contact, acc.Contact)
-						// LocationPrefix should not change.
-						assert.Equals(t, dbNew.LocationPrefix, dbacc.LocationPrefix)
-						assert.Equals(t, dbNew.ProvisionerName, dbacc.ProvisionerName)
+						assert.Equals(t, dbNew.Contact, dbacc.Contact)
 						assert.Equals(t, dbNew.Key.KeyID, dbacc.Key.KeyID)
 						assert.Equals(t, dbNew.CreatedAt, dbacc.CreatedAt)
 						assert.True(t, dbNew.DeactivatedAt.Add(-time.Minute).Before(now))
@ -708,7 +686,12 @@ func TestDB_UpdateAccount(t *testing.T) {
 					assert.HasPrefix(t, err.Error(), tc.err.Error())
 				}
 			} else {
-				assert.Nil(t, tc.err)
+				if assert.Nil(t, tc.err) {
+					assert.Equals(t, tc.acc.ID, dbacc.ID)
+					assert.Equals(t, tc.acc.Status, dbacc.Status)
+					assert.Equals(t, tc.acc.Contact, dbacc.Contact)
+					assert.Equals(t, tc.acc.Key.KeyID, dbacc.Key.KeyID)
+				}
 			}
 		})
 	}
--- a/api/api.go
+++ b/api/api.go
@ -244,11 +244,24 @@ func (p ProvisionersResponse) MarshalJSON() ([]byte, error) {
 			continue
 		}

-		old := scepProv.ChallengePassword
+		type old struct {
+			challengePassword    string
+			decrypterCertificate []byte
+			decrypterKey         string
+			decrypterKeyPassword string
+		}
+		o := old{scepProv.ChallengePassword, scepProv.DecrypterCertificate, scepProv.DecrypterKey, scepProv.DecrypterKeyPassword}
 		scepProv.ChallengePassword = "*** REDACTED ***"
-		defer func(p string) { //nolint:gocritic // defer in loop required to restore initial state of provisioners
-			scepProv.ChallengePassword = p
-		}(old)
+		scepProv.DecrypterCertificate = []byte("*** REDACTED ***")
+		scepProv.DecrypterKey = "*** REDACTED ***"
+		scepProv.DecrypterKeyPassword = "*** REDACTED ***"
+
+		defer func(o old) { //nolint:gocritic // defer in loop required to restore initial state of provisioners
+			scepProv.ChallengePassword = o.challengePassword
+			scepProv.DecrypterCertificate = o.decrypterCertificate
+			scepProv.DecrypterKey = o.decrypterKey
+			scepProv.DecrypterKeyPassword = o.decrypterKeyPassword
+		}(o)
 	}

 	var list = struct {
--- a/authority/authority.go
+++ b/authority/authority.go
@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
@ -61,7 +62,7 @@ type Authority struct {
 	x509Enforcers         []provisioner.CertificateEnforcer

 	// SCEP CA
-	scepService *scep.Service
+	scepAuthority *scep.Authority

 	// SSH CA
 	sshHostPassword         []byte
@ -261,6 +262,15 @@ func (a *Authority) ReloadAdminResources(ctx context.Context) error {
 	a.config.AuthorityConfig.Admins = adminList
 	a.admins = adminClxn

+	// update the SCEP service with the currently active SCEP
+	// provisioner names and revalidate the configuration.
+	if a.scepAuthority != nil {
+		a.scepAuthority.UpdateProvisioners(a.getSCEPProvisionerNames())
+		if err := a.scepAuthority.Validate(); err != nil {
+			log.Printf("failed validating SCEP authority: %v\n", err)
+		}
+	}
+
 	return nil
 }

@ -640,48 +650,63 @@ func (a *Authority) init() error {
 		return err
 	}

-	// Check if a KMS with decryption capability is required and available
-	if a.requiresDecrypter() {
-		if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
-			return errors.New("keymanager doesn't provide crypto.Decrypter")
-		}
-	}
-
-	// TODO: decide if this is a good approach for providing the SCEP functionality
-	// It currently mirrors the logic for the x509CAService
-	if a.requiresSCEPService() && a.scepService == nil {
+	// The SCEP functionality is provided through an instance of
+	// scep.Service. It is initialized once when the CA is started.
+	// TODO(hs): should the SCEP service support reloading? For example,
+	// when the admin resources are reloaded, specifically the provisioners,
+	// it can happen that the SCEP service is no longer required and can
+	// be destroyed, or that it needs to be instantiated. It may also need
+	// to be revalidated, because not all SCEP provisioner may have a
+	// valid decrypter available.
+	if a.requiresSCEP() && a.GetSCEP() == nil {
 		var options scep.Options
-
-		// Read intermediate and create X509 signer and decrypter for default CAS.
-		options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
+		options.Roots = a.rootX509Certs
+		options.Intermediates, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
 		if err != nil {
 			return err
 		}
-		options.CertificateChain = append(options.CertificateChain, a.rootX509Certs...)
-		options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
+		options.SignerCert = options.Intermediates[0]
+		if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
 			SigningKey: a.config.IntermediateKey,
 			Password:   a.password,
-		})
-		if err != nil {
+		}); err != nil {
 			return err
 		}

-		if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
-			options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+		// TODO(hs): instead of creating the decrypter here, pass the
+		// intermediate key + chain down to the SCEP service / authority,
+		// and only instantiate it when required there. Is that possible?
+		// Also with entering passwords?
+		// TODO(hs): if moving the logic, try improving the logic for the
+		// decrypter password too? Right now it needs to be entered multiple
+		// times; I've observed it to be three times maximum, every time
+		// the intermediate key is read.
+		_, isRSA := options.Signer.Public().(*rsa.PublicKey)
+		if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSA {
+			if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 				DecryptionKey: a.config.IntermediateKey,
 				Password:      a.password,
-			})
-			if err != nil {
-				return err
+			}); err == nil {
+				// only pass the decrypter down when it was successfully created,
+				// meaning it's an RSA key, and `CreateDecrypter` did not fail.
+				options.Decrypter = decrypter
 			}
 		}

-		a.scepService, err = scep.NewService(ctx, options)
+		// provide the current SCEP provisioner names, so that the provisioners
+		// can be validated when the CA is started.
+		options.SCEPProvisionerNames = a.getSCEPProvisionerNames()
+
+		// create a new SCEP authority
+		a.scepAuthority, err = scep.New(a, options)
 		if err != nil {
 			return err
 		}

-		// TODO: mimick the x509CAService GetCertificateAuthority here too?
+		// validate the SCEP authority
+		if err := a.scepAuthority.Validate(); err != nil {
+			a.initLogf("failed validating SCEP authority: %v", err)
+		}
 	}

 	// Load X509 constraints engine.
@ -833,17 +858,9 @@ func (a *Authority) IsRevoked(sn string) (bool, error) {
 	return a.db.IsRevoked(sn)
 }

-// requiresDecrypter returns whether the Authority
-// requires a KMS that provides a crypto.Decrypter
-// Currently this is only required when SCEP is
-// enabled.
-func (a *Authority) requiresDecrypter() bool {
-	return a.requiresSCEPService()
-}
-
-// requiresSCEPService iterates over the configured provisioners
-// and determines if one of them is a SCEP provisioner.
-func (a *Authority) requiresSCEPService() bool {
+// requiresSCEP iterates over the configured provisioners
+// and determines if at least one of them is a SCEP provisioner.
+func (a *Authority) requiresSCEP() bool {
 	for _, p := range a.config.AuthorityConfig.Provisioners {
 		if p.GetType() == provisioner.TypeSCEP {
 			return true
@ -852,13 +869,18 @@ func (a *Authority) requiresSCEPService() bool {
 	return false
 }

-// GetSCEPService returns the configured SCEP Service.
-//
-// TODO: this function is intended to exist temporarily in order to make SCEP
-// work more easily. It can be made more correct by using the right
-// interfaces/abstractions after it works as expected.
-func (a *Authority) GetSCEPService() *scep.Service {
-	return a.scepService
+func (a *Authority) getSCEPProvisionerNames() (names []string) {
+	for _, p := range a.config.AuthorityConfig.Provisioners {
+		if p.GetType() == provisioner.TypeSCEP {
+			names = append(names, p.GetName())
+		}
+	}
+	return
+}
+
+// GetSCEP returns the configured SCEP Authority
+func (a *Authority) GetSCEP() *scep.Authority {
+	return a.scepAuthority
 }

 func (a *Authority) startCRLGenerator() error {
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@ -478,7 +478,7 @@ func testScepAuthority(t *testing.T, opts ...Option) *Authority {
 	return a
 }

-func TestAuthority_GetSCEPService(t *testing.T) {
+func TestAuthority_GetSCEP(t *testing.T) {
 	_ = testScepAuthority(t)
 	p := provisioner.List{
 		&provisioner.SCEP{
@ -542,7 +542,7 @@ func TestAuthority_GetSCEPService(t *testing.T) {
 				return
 			}
 			if tt.wantService {
-				if got := a.GetSCEPService(); (got != nil) != tt.wantService {
+				if got := a.GetSCEP(); (got != nil) != tt.wantService {
 					t.Errorf("Authority.GetSCEPService() = %v, wantService %v", got, tt.wantService)
 				}
 			}
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -24,7 +24,6 @@ import (
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/certificates/webhook"
 )

 // awsIssuer is the string used as issuer in the generated tokens.
@ -522,11 +521,7 @@ func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		commonNameValidator(payload.Claims.Subject),
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_X509,
-			webhook.WithAuthorizationPrincipal(doc.InstanceID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 	), nil
 }

@ -809,10 +804,6 @@ func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
 		// Call webhooks
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_SSH,
-			webhook.WithAuthorizationPrincipal(doc.InstanceID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 	), nil
 }
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@ -20,7 +20,6 @@ import (
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/certificates/webhook"
 )

 // azureOIDCBaseURL is the base discovery url for Microsoft Azure tokens.
@ -404,11 +403,7 @@ func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_X509,
-			webhook.WithAuthorizationPrincipal(identityObjectID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 	), nil
 }

@ -426,7 +421,7 @@ func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption,
 		return nil, errs.Unauthorized("azure.AuthorizeSSHSign; sshCA is disabled for provisioner '%s'", p.GetName())
 	}

-	_, name, _, _, identityObjectID, err := p.authorizeToken(token)
+	_, name, _, _, _, err := p.authorizeToken(token)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
 	}
@ -478,11 +473,7 @@ func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption,
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
 		// Call webhooks
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_SSH,
-			webhook.WithAuthorizationPrincipal(identityObjectID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 	), nil
 }

--- a/authority/provisioner/controller.go
+++ b/authority/provisioner/controller.go
@ -10,7 +10,6 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/certificates/webhook"
 	"go.step.sm/linkedca"
 	"golang.org/x/crypto/ssh"
 )
@ -78,7 +77,7 @@ func (c *Controller) AuthorizeSSHRenew(ctx context.Context, cert *ssh.Certificat
 	return DefaultAuthorizeSSHRenew(ctx, c, cert)
 }

-func (c *Controller) newWebhookController(templateData WebhookSetter, certType linkedca.Webhook_CertType, opts ...webhook.RequestBodyOption) *WebhookController {
+func (c *Controller) newWebhookController(templateData WebhookSetter, certType linkedca.Webhook_CertType) *WebhookController {
 	client := c.webhookClient
 	if client == nil {
 		client = http.DefaultClient
@ -88,7 +87,6 @@ func (c *Controller) newWebhookController(templateData WebhookSetter, certType l
 		client:       client,
 		webhooks:     c.webhooks,
 		certType:     certType,
-		options:      opts,
 	}
 }

--- a/authority/provisioner/controller_test.go
+++ b/authority/provisioner/controller_test.go
@ -4,18 +4,15 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
-	"net/http"
 	"reflect"
 	"testing"
 	"time"

-	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"go.step.sm/linkedca"
 	"golang.org/x/crypto/ssh"

 	"github.com/smallstep/certificates/authority/policy"
-	"github.com/smallstep/certificates/webhook"
 )

 var trueValue = true
@ -452,39 +449,16 @@ func TestDefaultAuthorizeSSHRenew(t *testing.T) {
 }

 func Test_newWebhookController(t *testing.T) {
-	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
-	if err != nil {
-		t.Fatal(err)
+	c := &Controller{}
+	data := x509util.TemplateData{"foo": "bar"}
+	ctl := c.newWebhookController(data, linkedca.Webhook_X509)
+	if !reflect.DeepEqual(ctl.TemplateData, data) {
+		t.Error("Failed to set templateData")
 	}
-	opts := []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)}
-
-	type args struct {
-		templateData WebhookSetter
-		certType     linkedca.Webhook_CertType
-		opts         []webhook.RequestBodyOption
+	if ctl.certType != linkedca.Webhook_X509 {
+		t.Error("Failed to set certType")
 	}
-	tests := []struct {
-		name string
-		args args
-		want *WebhookController
-	}{
-		{"ok", args{x509util.TemplateData{"foo": "bar"}, linkedca.Webhook_X509, nil}, &WebhookController{
-			TemplateData: x509util.TemplateData{"foo": "bar"},
-			certType:     linkedca.Webhook_X509,
-			client:       http.DefaultClient,
-		}},
-		{"ok with options", args{x509util.TemplateData{"foo": "bar"}, linkedca.Webhook_SSH, opts}, &WebhookController{
-			TemplateData: x509util.TemplateData{"foo": "bar"},
-			certType:     linkedca.Webhook_SSH,
-			client:       http.DefaultClient,
-			options:      opts,
-		}},
-	}
-	for _, tt := range tests {
-		c := &Controller{}
-		got := c.newWebhookController(tt.args.templateData, tt.args.certType, tt.args.opts...)
-		if !reflect.DeepEqual(got, tt.want) {
-			t.Errorf("newWebhookController() = %v, want %v", got, tt.want)
-		}
+	if ctl.client == nil {
+		t.Error("Failed to set client")
 	}
 }
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@ -21,7 +21,6 @@ import (
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/certificates/webhook"
 )

 // gcpCertsURL is the url that serves Google OAuth2 public keys.
@ -276,11 +275,7 @@ func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_X509,
-			webhook.WithAuthorizationPrincipal(ce.InstanceID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 	), nil
 }

@ -447,10 +442,6 @@ func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
 		// Call webhooks
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_SSH,
-			webhook.WithAuthorizationPrincipal(ce.InstanceID),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 	), nil
 }
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@ -2,13 +2,19 @@ package provisioner

 import (
 	"context"
+	"crypto"
+	"crypto/rsa"
 	"crypto/subtle"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"net/http"
 	"time"

 	"github.com/pkg/errors"

+	"go.step.sm/crypto/kms"
+	kmsapi "go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/webhook"
@ -32,6 +38,12 @@ type SCEP struct {
 	// MinimumPublicKeyLength is the minimum length for public keys in CSRs
 	MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"`

+	// TODO
+	KMS                  *kms.Options `json:"kms,omitempty"`
+	DecrypterCertificate []byte       `json:"decrypterCertificate"`
+	DecrypterKey         string       `json:"decrypterKey"`
+	DecrypterKeyPassword string       `json:"decrypterKeyPassword"`
+
 	// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
 	// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
 	// Defaults to 0, being DES-CBC
@ -41,6 +53,9 @@ type SCEP struct {
 	ctl                           *Controller
 	encryptionAlgorithm           int
 	challengeValidationController *challengeValidationController
+	keyManager                    kmsapi.KeyManager
+	decrypter                     crypto.Decrypter
+	decrypterCertificate          *x509.Certificate
 }

 // GetID returns the provisioner unique identifier.
@ -177,6 +192,45 @@ func (s *SCEP) Init(config Config) (err error) {
 		s.GetOptions().GetWebhooks(),
 	)

+	if s.KMS != nil {
+		if s.keyManager, err = kms.New(context.Background(), *s.KMS); err != nil {
+			return fmt.Errorf("failed initializing kms: %w", err)
+		}
+		km, ok := s.keyManager.(kmsapi.Decrypter)
+		if !ok {
+			return fmt.Errorf("%q is not a kmsapi.Decrypter", s.KMS.Type)
+		}
+		if s.DecrypterKey != "" || len(s.DecrypterCertificate) > 0 {
+			if s.decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+				DecryptionKey: s.DecrypterKey,
+				Password:      []byte(s.DecrypterKeyPassword),
+			}); err != nil {
+				return fmt.Errorf("failed creating decrypter: %w", err)
+			}
+
+			// parse the decrypter certificate
+			block, rest := pem.Decode(s.DecrypterCertificate)
+			if len(rest) > 0 {
+				return errors.New("failed parsing decrypter certificate: trailing data")
+			}
+			if block == nil {
+				return errors.New("failed parsing decrypter certificate: no PEM block found")
+			}
+			if s.decrypterCertificate, err = x509.ParseCertificate(block.Bytes); err != nil {
+				return fmt.Errorf("failed parsing decrypter certificate: %w", err)
+			}
+
+			// validate the decrypter key
+			decrypterPublicKey, ok := s.decrypter.Public().(*rsa.PublicKey)
+			if !ok {
+				return fmt.Errorf("only RSA keys are supported")
+			}
+			if !decrypterPublicKey.Equal(s.decrypterCertificate.PublicKey) {
+				return errors.New("mismatch between decryption certificate and decrypter public keys")
+			}
+		}
+	}
+
 	// TODO: add other, SCEP specific, options?

 	s.ctl, err = NewController(s, s.Claims, config, s.Options)
@ -259,3 +313,7 @@ func (s *SCEP) selectValidationMethod() validationMethod {
 	}
 	return validationMethodNone
 }
+
+func (s *SCEP) GetDecrypter() (*x509.Certificate, crypto.Decrypter) {
+	return s.decrypterCertificate, s.decrypter
+}
--- a/authority/provisioner/webhook.go
+++ b/authority/provisioner/webhook.go
@ -30,7 +30,6 @@ type WebhookController struct {
 	client       *http.Client
 	webhooks     []*Webhook
 	certType     linkedca.Webhook_CertType
-	options      []webhook.RequestBodyOption
 	TemplateData WebhookSetter
 }

@ -40,14 +39,6 @@ func (wc *WebhookController) Enrich(req *webhook.RequestBody) error {
 	if wc == nil {
 		return nil
 	}
-
-	// Apply extra options in the webhook controller
-	for _, fn := range wc.options {
-		if err := fn(req); err != nil {
-			return err
-		}
-	}
-
 	for _, wh := range wc.webhooks {
 		if wh.Kind != linkedca.Webhook_ENRICHING.String() {
 			continue
@ -72,14 +63,6 @@ func (wc *WebhookController) Authorize(req *webhook.RequestBody) error {
 	if wc == nil {
 		return nil
 	}
-
-	// Apply extra options in the webhook controller
-	for _, fn := range wc.options {
-		if err := fn(req); err != nil {
-			return err
-		}
-	}
-
 	for _, wh := range wc.webhooks {
 		if wh.Kind != linkedca.Webhook_AUTHORIZING.String() {
 			continue
--- a/authority/provisioner/webhook_test.go
+++ b/authority/provisioner/webhook_test.go
@ -4,7 +4,6 @@ import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@ -17,7 +16,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/webhook"
-	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"go.step.sm/linkedca"
 )
@ -98,18 +96,12 @@ func TestWebhookController_isCertTypeOK(t *testing.T) {
 }

 func TestWebhookController_Enrich(t *testing.T) {
-	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	type test struct {
 		ctl                *WebhookController
 		req                *webhook.RequestBody
 		responses          []*webhook.ResponseBody
 		expectErr          bool
 		expectTemplateData any
-		assertRequest      func(t *testing.T, req *webhook.RequestBody)
 	}
 	tests := map[string]test{
 		"ok/no enriching webhooks": {
@ -178,29 +170,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 				},
 			},
 		},
-		"ok/with options": {
-			ctl: &WebhookController{
-				client:       http.DefaultClient,
-				webhooks:     []*Webhook{{Name: "people", Kind: "ENRICHING"}},
-				TemplateData: x509util.TemplateData{},
-				options:      []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)},
-			},
-			req:                &webhook.RequestBody{},
-			responses:          []*webhook.ResponseBody{{Allow: true, Data: map[string]any{"role": "bar"}}},
-			expectErr:          false,
-			expectTemplateData: x509util.TemplateData{"Webhooks": map[string]any{"people": map[string]any{"role": "bar"}}},
-			assertRequest: func(t *testing.T, req *webhook.RequestBody) {
-				key, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
-				assert.FatalError(t, err)
-				assert.Equals(t, &webhook.X5CCertificate{
-					Raw:                cert.Raw,
-					PublicKey:          key,
-					PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
-					NotBefore:          cert.NotBefore,
-					NotAfter:           cert.NotAfter,
-				}, req.X5CCertificate)
-			},
-		},
 		"deny": {
 			ctl: &WebhookController{
 				client:       http.DefaultClient,
@ -212,20 +181,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 			expectErr:          true,
 			expectTemplateData: x509util.TemplateData{},
 		},
-		"fail/with options": {
-			ctl: &WebhookController{
-				client:       http.DefaultClient,
-				webhooks:     []*Webhook{{Name: "people", Kind: "ENRICHING"}},
-				TemplateData: x509util.TemplateData{},
-				options: []webhook.RequestBodyOption{webhook.WithX5CCertificate(&x509.Certificate{
-					PublicKey: []byte("bad"),
-				})},
-			},
-			req:                &webhook.RequestBody{},
-			responses:          []*webhook.ResponseBody{{Allow: false}},
-			expectErr:          true,
-			expectTemplateData: x509util.TemplateData{},
-		},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
@ -245,25 +200,16 @@ func TestWebhookController_Enrich(t *testing.T) {
 				t.Fatalf("Got err %v, want %v", err, test.expectErr)
 			}
 			assert.Equals(t, test.expectTemplateData, test.ctl.TemplateData)
-			if test.assertRequest != nil {
-				test.assertRequest(t, test.req)
-			}
 		})
 	}
 }

 func TestWebhookController_Authorize(t *testing.T) {
-	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	type test struct {
-		ctl           *WebhookController
-		req           *webhook.RequestBody
-		responses     []*webhook.ResponseBody
-		expectErr     bool
-		assertRequest func(t *testing.T, req *webhook.RequestBody)
+		ctl       *WebhookController
+		req       *webhook.RequestBody
+		responses []*webhook.ResponseBody
+		expectErr bool
 	}
 	tests := map[string]test{
 		"ok/no enriching webhooks": {
@ -294,27 +240,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: false,
 		},
-		"ok/with options": {
-			ctl: &WebhookController{
-				client:   http.DefaultClient,
-				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING"}},
-				options:  []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)},
-			},
-			req:       &webhook.RequestBody{},
-			responses: []*webhook.ResponseBody{{Allow: true}},
-			expectErr: false,
-			assertRequest: func(t *testing.T, req *webhook.RequestBody) {
-				key, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
-				assert.FatalError(t, err)
-				assert.Equals(t, &webhook.X5CCertificate{
-					Raw:                cert.Raw,
-					PublicKey:          key,
-					PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
-					NotBefore:          cert.NotBefore,
-					NotAfter:           cert.NotAfter,
-				}, req.X5CCertificate)
-			},
-		},
 		"deny": {
 			ctl: &WebhookController{
 				client:   http.DefaultClient,
@ -324,18 +249,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: true,
 		},
-		"fail/with options": {
-			ctl: &WebhookController{
-				client:   http.DefaultClient,
-				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING"}},
-				options: []webhook.RequestBodyOption{webhook.WithX5CCertificate(&x509.Certificate{
-					PublicKey: []byte("bad"),
-				})},
-			},
-			req:       &webhook.RequestBody{},
-			responses: []*webhook.ResponseBody{{Allow: false}},
-			expectErr: true,
-		},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
@ -354,9 +267,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 			if (err != nil) != test.expectErr {
 				t.Fatalf("Got err %v, want %v", err, test.expectErr)
 			}
-			if test.assertRequest != nil {
-				test.assertRequest(t, test.req)
-			}
 		})
 	}
 }
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -15,7 +15,6 @@ import (
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/certificates/webhook"
 )

 // x5cPayload extends jwt.Claims with step attributes.
@ -216,8 +215,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 	// The X509 certificate will be available using the template variable
 	// AuthorizationCrt. For example {{ .AuthorizationCrt.DNSNames }} can be
 	// used to get all the domains.
-	x5cLeaf := claims.chains[0][0]
-	data.SetAuthorizationCertificate(x5cLeaf)
+	data.SetAuthorizationCertificate(claims.chains[0][0])

 	templateOptions, err := TemplateOptions(p.Options, data)
 	if err != nil {
@ -240,7 +238,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		newProvisionerExtensionOption(TypeX5C, p.Name, ""),
 		profileLimitDuration{
 			p.ctl.Claimer.DefaultTLSCertDuration(),
-			x5cLeaf.NotBefore, x5cLeaf.NotAfter,
+			claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter,
 		},
 		// validators
 		commonNameValidator(claims.Subject),
@ -248,12 +246,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_X509,
-			webhook.WithX5CCertificate(x5cLeaf),
-			webhook.WithAuthorizationPrincipal(x5cLeaf.Subject.CommonName),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 	}, nil
 }

@ -312,8 +305,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	// The X509 certificate will be available using the template variable
 	// AuthorizationCrt. For example {{ .AuthorizationCrt.DNSNames }} can be
 	// used to get all the domains.
-	x5cLeaf := claims.chains[0][0]
-	data.SetAuthorizationCertificate(x5cLeaf)
+	data.SetAuthorizationCertificate(claims.chains[0][0])

 	templateOptions, err := TemplateSSHOptions(p.Options, data)
 	if err != nil {
@ -333,7 +325,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	return append(signOptions,
 		p,
 		// Checks the validity bounds, and set the validity if has not been set.
-		&sshLimitDuration{p.ctl.Claimer, x5cLeaf.NotAfter},
+		&sshLimitDuration{p.ctl.Claimer, claims.chains[0][0].NotAfter},
 		// Validate public key.
 		&sshDefaultPublicKeyValidator{},
 		// Validate the validity period.
@ -343,11 +335,6 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), p.ctl.getPolicy().getSSHUser()),
 		// Call webhooks
-		p.ctl.newWebhookController(
-			data,
-			linkedca.Webhook_SSH,
-			webhook.WithX5CCertificate(x5cLeaf),
-			webhook.WithAuthorizationPrincipal(x5cLeaf.Subject.CommonName),
-		),
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 	), nil
 }
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@ -12,7 +12,6 @@ import (
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
-	"go.step.sm/linkedca"

 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/api/render"
@ -498,8 +497,6 @@ func TestX5C_AuthorizeSign(t *testing.T) {
 								assert.Equals(t, nil, v.policyEngine)
 							case *WebhookController:
 								assert.Len(t, 0, v.webhooks)
-								assert.Equals(t, linkedca.Webhook_X509, v.certType)
-								assert.Len(t, 2, v.options)
 							default:
 								assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
 							}
@ -804,8 +801,6 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 							case *sshDefaultPublicKeyValidator, *sshCertDefaultValidator, sshCertificateOptionsFunc:
 							case *WebhookController:
 								assert.Len(t, 0, v.webhooks)
-								assert.Equals(t, linkedca.Webhook_SSH, v.certType)
-								assert.Len(t, 2, v.options)
 							default:
 								assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
 							}
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@ -8,6 +8,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"os"
+	"strings"

 	"github.com/pkg/errors"
 	"gopkg.in/square/go-jose.v2/jwt"
@ -15,6 +16,7 @@ import (
 	"go.step.sm/cli-utils/step"
 	"go.step.sm/cli-utils/ui"
 	"go.step.sm/crypto/jose"
+	"go.step.sm/crypto/kms"
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/authority/admin"
@ -235,7 +237,7 @@ func (a *Authority) StoreProvisioner(ctx context.Context, prov *linkedca.Provisi
 	}

 	if err := certProv.Init(provisionerConfig); err != nil {
-		return admin.WrapError(admin.ErrorBadRequestType, err, "error validating configuration for provisioner %s", prov.Name)
+		return admin.WrapError(admin.ErrorBadRequestType, err, "error validating configuration for provisioner %q", prov.Name)
 	}

 	// Store to database -- this will set the ID.
@ -960,7 +962,7 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 		}, nil
 	case *linkedca.ProvisionerDetails_SCEP:
 		cfg := d.SCEP
-		return &provisioner.SCEP{
+		s := &provisioner.SCEP{
 			ID:                            p.Id,
 			Type:                          p.Type.String(),
 			Name:                          p.Name,
@ -972,7 +974,19 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 			EncryptionAlgorithmIdentifier: int(cfg.EncryptionAlgorithmIdentifier),
 			Claims:                        claims,
 			Options:                       options,
-		}, nil
+		}
+		if decrypter := cfg.GetDecrypter(); decrypter != nil {
+			if dkms := decrypter.GetKms(); dkms != nil {
+				s.KMS = &kms.Options{
+					Type:            kms.Type(strings.ToLower(linkedca.KMS_Type_name[int32(dkms.Type)])),
+					CredentialsFile: dkms.CredentialsFile,
+				}
+			}
+			s.DecrypterCertificate = decrypter.DecrypterCertificate
+			s.DecrypterKey = decrypter.DecrypterKey
+			s.DecrypterKeyPassword = decrypter.DecrypterKeyPassword
+		}
+		return s, nil
 	case *linkedca.ProvisionerDetails_Nebula:
 		var roots []byte
 		for i, root := range d.Nebula.GetRoots() {
--- a/ca/bootstrap_test.go
+++ b/ca/bootstrap_test.go
@ -606,13 +606,7 @@ func doReload(ca *CA) error {
 	}
 	// Use same address in new server
 	newCA.srv.Addr = ca.srv.Addr
-	if err := ca.srv.Reload(newCA.srv); err != nil {
-		return err
-	}
-
-	// Wait a few ms until the http server calls listener.Accept()
-	time.Sleep(100 * time.Millisecond)
-	return nil
+	return ca.srv.Reload(newCA.srv)
 }

 func TestBootstrapListener(t *testing.T) {
--- a/ca/ca.go
+++ b/ca/ca.go
@ -250,19 +250,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {

 	var scepAuthority *scep.Authority
 	if ca.shouldServeSCEPEndpoints() {
-		scepPrefix := "scep"
-		scepAuthority, err = scep.New(auth, scep.AuthorityOptions{
-			Service: auth.GetSCEPService(),
-			DNS:     dns,
-			Prefix:  scepPrefix,
-		})
-		if err != nil {
-			return nil, errors.Wrap(err, "error creating SCEP authority")
+		// validate the SCEP authority configuration. Currently this
+		// will not result in a failure to start if one or more SCEP
+		// provisioners are not correctly configured. Only a log will
+		// be emitted.
+		scepAuthority = auth.GetSCEP()
+		if err := scepAuthority.Validate(); err != nil {
+			err = errors.Wrap(err, "failed validating SCEP authority")
+			shouldFail := false
+			if shouldFail {
+				return nil, err
+			}
+			log.Println(err)
 		}

 		// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
 		// SCEP operations are performed using HTTP, so that's why the API is mounted
 		// to the insecure mux.
+		scepPrefix := "scep"
 		insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
 			scepAPI.Route(r)
 		})
@ -584,10 +589,10 @@ func (ca *CA) getTLSConfig(auth *authority.Authority) (*tls.Config, *tls.Config,

 // shouldServeSCEPEndpoints returns if the CA should be
 // configured with endpoints for SCEP. This is assumed to be
-// true if a SCEPService exists, which is true in case a
-// SCEP provisioner was configured.
+// true if a SCEPService exists, which is true in case at
+// least one SCEP provisioner was configured.
 func (ca *CA) shouldServeSCEPEndpoints() bool {
-	return ca.auth.GetSCEPService() != nil
+	return ca.auth.GetSCEP() != nil
 }

 //nolint:unused // useful for debugging
--- a/ca/tls_test.go
+++ b/ca/tls_test.go
@ -229,7 +229,7 @@ func TestClient_GetServerTLSConfig_http(t *testing.T) {
 					defer resp.Body.Close()
 					b, err := io.ReadAll(resp.Body)
 					if err != nil {
-						t.Fatalf("io.ReadAll() error = %v", err)
+						t.Fatalf("ioutil.RealAdd() error = %v", err)
 					}
 					if !bytes.Equal(b, []byte("ok")) {
 						t.Errorf("response body unexpected, got %s, want ok", b)
@ -343,7 +343,7 @@ func TestClient_GetServerTLSConfig_renew(t *testing.T) {
 					defer resp.Body.Close()
 					b, err := io.ReadAll(resp.Body)
 					if err != nil {
-						t.Errorf("io.ReadAll() error = %v", err)
+						t.Errorf("ioutil.RealAdd() error = %v", err)
 						return
 					}
 					if !bytes.Equal(b, []byte("ok")) {
--- a/cas/vaultcas/vaultcas.go
+++ b/cas/vaultcas/vaultcas.go
@ -37,7 +37,6 @@ type VaultOptions struct {
 	PKIRoleEd25519 string          `json:"pkiRoleEd25519,omitempty"`
 	AuthType       string          `json:"authType,omitempty"`
 	AuthMountPath  string          `json:"authMountPath,omitempty"`
-	Namespace      string          `json:"namespace,omitempty"`
 	AuthOptions    json.RawMessage `json:"authOptions,omitempty"`
 }

@ -91,10 +90,6 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
 		return nil, fmt.Errorf("unable to configure %s auth method: %w", vc.AuthType, err)
 	}

-	if vc.Namespace != "" {
-		client.SetNamespace(vc.Namespace)
-	}
-
 	authInfo, err := client.Auth().Login(ctx, method)
 	if err != nil {
 		return nil, fmt.Errorf("unable to login to %s auth method: %w", vc.AuthType, err)
--- a/docker/Dockerfile.hsm
+++ b/docker/Dockerfile.hsm
@ -6,7 +6,7 @@ COPY . .
 RUN apt-get update
 RUN apt-get install -y --no-install-recommends \
        gcc pkgconf libpcsclite-dev libcap2-bin
-RUN make V=1 GO_ENVS="CGO_ENABLED=1" bin/step-ca
+RUN make V=1 GOFLAGS="" bin/step-ca
 RUN setcap CAP_NET_BIND_SERVICE=+eip bin/step-ca

 FROM smallstep/step-kms-plugin:bullseye AS kms
--- a/go.mod
+++ b/go.mod
@ -3,54 +3,52 @@ module github.com/smallstep/certificates
 go 1.19

 require (
-	cloud.google.com/go/longrunning v0.5.1
-	cloud.google.com/go/security v1.15.1
+	cloud.google.com/go/longrunning v0.4.2
+	cloud.google.com/go/security v1.14.1
 	github.com/Masterminds/sprig/v3 v3.2.3
-	github.com/dgraph-io/badger v1.6.2
-	github.com/dgraph-io/badger/v2 v2.2007.4
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-tpm v0.3.3
 	github.com/google/uuid v1.3.0
-	github.com/googleapis/gax-go/v2 v2.12.0
+	github.com/googleapis/gax-go/v2 v2.9.1
 	github.com/hashicorp/vault/api v1.9.2
 	github.com/hashicorp/vault/api/auth/approle v0.4.1
 	github.com/hashicorp/vault/api/auth/kubernetes v0.4.1
 	github.com/micromdm/scep/v2 v2.1.0
-	github.com/newrelic/go-agent/v3 v3.23.1
+	github.com/newrelic/go-agent/v3 v3.21.1
 	github.com/pkg/errors v0.9.1
 	github.com/rs/xid v1.5.0
-	github.com/sirupsen/logrus v1.9.3
+	github.com/sirupsen/logrus v1.9.2
 	github.com/slackhq/nebula v1.6.1
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/go-attestation v0.4.4-0.20230509120429-e17291421738
 	github.com/smallstep/nosql v0.6.0
-	github.com/stretchr/testify v1.8.4
-	github.com/urfave/cli v1.22.14
+	github.com/stretchr/testify v1.8.3
+	github.com/urfave/cli v1.22.13
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.6
-	go.step.sm/crypto v0.32.4
-	go.step.sm/linkedca v0.20.0
-	golang.org/x/crypto v0.11.0
+	go.step.sm/crypto v0.31.0
+	go.step.sm/linkedca v0.19.1
+	golang.org/x/crypto v0.9.0
 	golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
-	golang.org/x/net v0.12.0
-	google.golang.org/api v0.132.0
-	google.golang.org/grpc v1.56.2
-	google.golang.org/protobuf v1.31.0
+	golang.org/x/net v0.10.0
+	google.golang.org/api v0.123.0
+	google.golang.org/grpc v1.55.0
+	google.golang.org/protobuf v1.30.0
 	gopkg.in/square/go-jose.v2 v2.6.0
 )

 require (
-	cloud.google.com/go v0.110.4 // indirect
-	cloud.google.com/go/compute v1.20.1 // indirect
+	cloud.google.com/go v0.110.0 // indirect
+	cloud.google.com/go/compute v1.19.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.0 // indirect
-	cloud.google.com/go/kms v1.13.0 // indirect
+	cloud.google.com/go/iam v0.13.0 // indirect
+	cloud.google.com/go/kms v1.10.2 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
@ -59,13 +57,15 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/aws/aws-sdk-go v1.44.295 // indirect
+	github.com/aws/aws-sdk-go v1.44.267 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgraph-io/badger v1.6.2 // indirect
+	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
 	github.com/dgraph-io/ristretto v0.1.0 // indirect
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
@ -83,8 +83,8 @@ require (
 	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/go-tpm-tools v0.3.12 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
-	github.com/google/s2a-go v0.1.4 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/google/s2a-go v0.1.3 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@ -129,14 +129,12 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.1.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

@ -148,3 +146,5 @@ require (

 // use github.com/smallstep/pkcs7 fork with patches applied
 replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20230302202335-4c094085c948
+
+replace go.step.sm/linkedca => ./../linkedca
--- a/go.sum
+++ b/go.sum
@ -31,35 +31,35 @@ cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aD
 cloud.google.com/go v0.92.2/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
 cloud.google.com/go v0.92.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
 cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
-cloud.google.com/go v0.110.4 h1:1JYyxKMN9hd5dR2MYTPWkGUgcoxVVhg0LKNKEo0qvmk=
-cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
+cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
+cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg=
-cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go/compute v1.19.0 h1:+9zda3WGgW1ZSTlVppLCYFIr48Pa35q1uG2N1itbCEQ=
+cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
-cloud.google.com/go/iam v1.1.0 h1:67gSqaPukx7O8WLLHMa0PNs3EBGd2eE4d+psbO/CO94=
-cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk=
-cloud.google.com/go/kms v1.13.0 h1:s+sRhcowXwuLsa2Z8g3Tmh5l0HWNBf//HogCgiuDs/0=
-cloud.google.com/go/kms v1.13.0/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
-cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI=
-cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
+cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k=
+cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
+cloud.google.com/go/kms v1.10.2 h1:8UePKEypK3SQ6g+4mn/s/VgE5L7XOh+FwGGRUqvY3Hw=
+cloud.google.com/go/kms v1.10.2/go.mod h1:9mX3Q6pdroWzL20pbK6RaOdBbXBEhMNgK4Pfz2bweb4=
+cloud.google.com/go/longrunning v0.4.2 h1:WDKiiNXFTaQ6qz/G8FCOkuY9kJmOJGY67wPUC1M2RbE=
+cloud.google.com/go/longrunning v0.4.2/go.mod h1:OHrnaYyLUV6oqwh0xiS7e5sLQhP1m0QU9R+WhGDMgIQ=
 cloud.google.com/go/monitoring v0.1.0/go.mod h1:Hpm3XfzJv+UTiXzCG5Ffp0wijzHTC7Cv4eR7o3x/fEE=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
 cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/pubsub v1.5.0/go.mod h1:ZEwJccE3z93Z2HWvstpri00jOg7oO4UZDtKhwDwqF0w=
-cloud.google.com/go/security v1.15.1 h1:jR3itwycg/TgGA0uIgTItcVhA55hKWiNJxaNNpQJaZE=
-cloud.google.com/go/security v1.15.1/go.mod h1:MvTnnbsWnehoizHi09zoiZob0iCHVcL4AUBj76h9fXA=
+cloud.google.com/go/security v1.14.1 h1:ZN+MFf1djt4VhuVd+JYoBjRftics3qKParPAXT5l4Uo=
+cloud.google.com/go/security v1.14.1/go.mod h1:ItQAI0zVZd1OkHh+raoef892dsr7VY2QzMDJ4nOPtOs=
 cloud.google.com/go/spanner v1.7.0/go.mod h1:sd3K2gZ9Fd0vMPLXzeCrF6fq4i63Q7aTLW/lBIfBkIk=
 cloud.google.com/go/spanner v1.17.0/go.mod h1:+17t2ixFwRG4lWRwE+5kipDR9Ef07Jkmc8z0IbMDKUs=
 cloud.google.com/go/spanner v1.18.0/go.mod h1:LvAjUXPeJRGNuGpikMULjhLj/t9cRvdc+fxRoLiugXA=
@ -88,8 +88,8 @@ github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuE
 github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4=
 github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 h1:SEy2xmstIphdPwNBUi7uhvjyjhVKISfwjfOJmuy7kg4=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 h1:8kDqDngH+DmVBiCtIjCFTGa7MBnsIOkF9IccInFEbjk=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
@ -104,7 +104,7 @@ github.com/Azure/go-autorest v12.0.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSW
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
@ -165,8 +165,8 @@ github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
 github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.44.295 h1:SGjU1+MqttXfRiWHD6WU0DRhaanJgAFY+xIhEaugV8Y=
-github.com/aws/aws-sdk-go v1.44.295/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.44.267 h1:Asrp6EMqqRxZvjK0NjzkWcrOk15RnWtupuUrUuZMabk=
+github.com/aws/aws-sdk-go v1.44.267/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
@ -474,8 +474,8 @@ github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg=
-github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
-github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
+github.com/google/s2a-go v0.1.3 h1:FAgZmpLl/SXurPEZyCMPBIiiYeTbqfjlbdnCNTAkbGE=
+github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
 github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw=
 github.com/google/trillian v1.3.14-0.20210409160123-c5ea3abd4a41/go.mod h1:1dPv0CUjNQVFEDuAUFhZql16pw/VlPgaX8qj+g5pVzQ=
@ -488,13 +488,13 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s=
-github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM=
-github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/gax-go v2.0.2+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
-github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU=
+github.com/googleapis/gax-go/v2 v2.9.1 h1:DpTpJqzZ3NvX9zqjhIuI1oVzYZMvboZe+3LoeEIJjHM=
+github.com/googleapis/gax-go/v2 v2.9.1/go.mod h1:4FG3gMrVZlyMp5itSYKMU9z/lBE7+SbnUOvzH2HqbEY=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
 github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ=
@ -778,8 +778,8 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE
 github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
-github.com/newrelic/go-agent/v3 v3.23.1 h1:n4CK4EEod2A47T74wQFztavh9g3wHxxmlndj53ksbVg=
-github.com/newrelic/go-agent/v3 v3.23.1/go.mod h1:dG7Q7yLUrqOo7SYVJADVDN9+P8c/87xp9axldPxmdHM=
+github.com/newrelic/go-agent/v3 v3.21.1 h1:nSLaQK+w/BHPUEpkPB+fX3ikgaRR2qyQiTECrcY+AmQ=
+github.com/newrelic/go-agent/v3 v3.21.1/go.mod h1:AGagR69YHzamnvfxq9aDHnImvZwxr7C+4w7UN0Bm3UM=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ=
 github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso=
@ -909,8 +909,8 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y=
+github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/slackhq/nebula v1.6.1 h1:/OCTR3abj0Sbf2nGoLUrdDXImrCv0ZVFpVPP5qa0DsM=
 github.com/slackhq/nebula v1.6.1/go.mod h1:UmkqnXe4O53QwToSl/gG7sM4BroQwAB7dd4hUaT6MlI=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
@ -969,8 +969,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
@ -992,8 +993,8 @@ github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oW
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
-github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
+github.com/urfave/cli v1.22.13 h1:wsLILXG8qCJNse/qAgLNf23737Cx05GflHg/PJGe1Ok=
+github.com/urfave/cli v1.22.13/go.mod h1:VufqObjsMTF2BBwKawpx9R8eAneNEWhoO0yx8Vd+FkE=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
@ -1063,10 +1064,8 @@ go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16g
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.step.sm/cli-utils v0.7.6 h1:YkpLVrepmy2c5+eaz/wduiGxlgrRx3YdAStE37if25g=
 go.step.sm/cli-utils v0.7.6/go.mod h1:j+FxFZ2gbWkAJl0eded/rksuxmNqWpmyxbkXcukGJaY=
-go.step.sm/crypto v0.32.4 h1:jSr5sB6vJCciqFB3BFKgK5ykRtuzKqdl4j9+CYkS8Hc=
-go.step.sm/crypto v0.32.4/go.mod h1:A009Gtqx80nTz/9DreRMflMGgaSWTuhK8En6XycK9yA=
-go.step.sm/linkedca v0.20.0 h1:bH41rvyDm3nSSJ5xgGsKUZOpzJcq5x2zacMIeqtq9oI=
-go.step.sm/linkedca v0.20.0/go.mod h1:eybHw6ZTpuFmkUQnTBRWM2SPIGaP0VbYeo1bupfPT70=
+go.step.sm/crypto v0.31.0 h1:8ZG/BxC+0+LzPpk/764h5yubpG3GfxcRVR4E+Aye72g=
+go.step.sm/crypto v0.31.0/go.mod h1:Dv4lpkijKiZVkoc6zp+Xaw1xmy+voia1mykvbpQIvuc=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@ -1112,8 +1111,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
+golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -1212,8 +1211,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -1233,8 +1232,8 @@ golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
-golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -1248,7 +1247,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20170728174421-0f826bdd13b5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -1340,15 +1339,15 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1361,8 +1360,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -1488,8 +1487,8 @@ google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtuk
 google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
 google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
 google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
-google.golang.org/api v0.132.0 h1:8t2/+qZ26kAOGSmOiHwVycqVaDg7q3JDILrNi/Z6rvc=
-google.golang.org/api v0.132.0/go.mod h1:AeTBC6GpJnJSRJjktDcPX0QwtS8pGYZOV6MSuSCusw0=
+google.golang.org/api v0.123.0 h1:yHVU//vA+qkOhm4reEC9LtzHVUCN/IqqNRl1iQ9xE20=
+google.golang.org/api v0.123.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -1567,12 +1566,8 @@ google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKr
 google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
 google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
 google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8=
-google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
-google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
-google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@ -1608,8 +1603,8 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI=
-google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag=
+google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@ -1626,8 +1621,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/scep/api/api.go
+++ b/scep/api/api.go
@ -221,7 +221,7 @@ func lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		ctx = context.WithValue(ctx, scep.ProvisionerContextKey, scep.Provisioner(prov))
+		ctx = scep.NewProvisionerContext(ctx, scep.Provisioner(prov))
 		next(w, r.WithContext(ctx))
 	}
 }
--- a/scep/authority.go
+++ b/scep/authority.go
@ -2,10 +2,10 @@ package scep

 import (
 	"context"
+	"crypto"
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"net/url"

 	microx509util "github.com/micromdm/scep/v2/cryptoutil/x509util"
 	microscep "github.com/micromdm/scep/v2/scep"
@ -18,12 +18,13 @@ import (

 // Authority is the layer that handles all SCEP interactions.
 type Authority struct {
-	prefix                  string
-	dns                     string
-	intermediateCertificate *x509.Certificate
-	caCerts                 []*x509.Certificate // TODO(hs): change to use these instead of root and intermediate
-	service                 *Service
-	signAuth                SignAuthority
+	signAuth             SignAuthority
+	roots                []*x509.Certificate
+	intermediates        []*x509.Certificate
+	signerCertificate    *x509.Certificate
+	signer               crypto.Signer
+	defaultDecrypter     crypto.Decrypter
+	scepProvisionerNames []string
 }

 type authorityKey struct{}
@ -49,19 +50,6 @@ func MustFromContext(ctx context.Context) *Authority {
 	}
 }

-// AuthorityOptions required to create a new SCEP Authority.
-type AuthorityOptions struct {
-	// Service provides the certificate chain, the signer and the decrypter to the Authority
-	Service *Service
-	// DNS is the host used to generate accurate SCEP links. By default the authority
-	// will use the Host from the request, so this value will only be used if
-	// request.Host is empty.
-	DNS string
-	// Prefix is a URL path prefix under which the SCEP api is served. This
-	// prefix is required to generate accurate SCEP links.
-	Prefix string
-}
-
 // SignAuthority is the interface for a signing authority
 type SignAuthority interface {
 	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
@ -69,26 +57,54 @@ type SignAuthority interface {
 }

 // New returns a new Authority that implements the SCEP interface.
-func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error) {
+func New(signAuth SignAuthority, opts Options) (*Authority, error) {
+	if err := opts.Validate(); err != nil {
+		return nil, err
+	}
 	authority := &Authority{
-		prefix:   ops.Prefix,
-		dns:      ops.DNS,
-		signAuth: signAuth,
+		signAuth:             signAuth, // TODO: provide signAuth through context instead?
+		roots:                opts.Roots,
+		intermediates:        opts.Intermediates,
+		signerCertificate:    opts.SignerCert,
+		signer:               opts.Signer,
+		defaultDecrypter:     opts.Decrypter,
+		scepProvisionerNames: opts.SCEPProvisionerNames,
 	}
-
-	// TODO: this is not really nice to do; the Service should be removed
-	// in its entirety to make this more interoperable with the rest of
-	// step-ca, I think.
-	if ops.Service != nil {
-		authority.caCerts = ops.Service.certificateChain
-		// TODO(hs): look into refactoring SCEP into using just caCerts everywhere, if it makes sense for more elaborate SCEP configuration. Keeping it like this for clarity (for now).
-		authority.intermediateCertificate = ops.Service.certificateChain[0]
-		authority.service = ops.Service
-	}
-
 	return authority, nil
 }

+// Validate validates if the SCEP Authority has a valid configuration.
+// The validation includes a check if a decrypter is available, either
+// an authority wide decrypter, or a provisioner specific decrypter.
+func (a *Authority) Validate() error {
+	noDefaultDecrypterAvailable := a.defaultDecrypter == nil
+	for _, name := range a.scepProvisionerNames {
+		p, err := a.LoadProvisionerByName(name)
+		if err != nil {
+			return fmt.Errorf("failed loading provisioner %q: %w", name, err)
+		}
+		if scepProv, ok := p.(*provisioner.SCEP); ok {
+			cert, decrypter := scepProv.GetDecrypter()
+			// TODO(hs): return sentinel/typed error, to be able to ignore/log these cases during init?
+			if cert == nil && noDefaultDecrypterAvailable {
+				return fmt.Errorf("SCEP provisioner %q does not have a decrypter certificate", name)
+			}
+			if decrypter == nil && noDefaultDecrypterAvailable {
+				return fmt.Errorf("SCEP provisioner %q does not have decrypter", name)
+			}
+		}
+	}
+
+	return nil
+}
+
+// UpdateProvisioners updates the SCEP Authority with the new, and hopefully
+// current SCEP provisioners configured. This allows the Authority to be
+// validated with the latest data.
+func (a *Authority) UpdateProvisioners(scepProvisionerNames []string) {
+	a.scepProvisionerNames = scepProvisionerNames
+}
+
 var (
 	// TODO: check the default capabilities; https://tools.ietf.org/html/rfc8894#section-3.5.2
 	defaultCapabilities = []string{
@ -108,87 +124,52 @@ func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, e
 	return a.signAuth.LoadProvisionerByName(name)
 }

-// GetLinkExplicit returns the requested link from the directory.
-func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, inputs ...string) string {
-	return a.getLinkExplicit(provName, abs, baseURL, inputs...)
-}
+// GetCACertificates returns the certificate (chain) for the CA.
+//
+// This methods returns the "SCEP Server (RA)" certificate, the issuing CA up to and excl. the root.
+// Some clients do need the root certificate however; also see: https://github.com/openxpki/openxpki/issues/73
+//
+// In case a provisioner specific decrypter is available, this is used as the "SCEP Server (RA)" certificate
+// instead of the CA intermediate directly. This uses a distinct instance of a KMS for doing the SCEp key
+// operations, so that RSA can be used for just SCEP.
+//
+// Using an RA does not seem to exist in https://tools.ietf.org/html/rfc8894, but is mentioned in
+// https://tools.ietf.org/id/draft-nourse-scep-21.html.
+func (a *Authority) GetCACertificates(ctx context.Context) (certs []*x509.Certificate, err error) {
+	p := provisionerFromContext(ctx)

-// getLinkExplicit returns an absolute or partial path to the given resource and a base
-// URL dynamically obtained from the request for which the link is being calculated.
-func (a *Authority) getLinkExplicit(provisionerName string, abs bool, baseURL *url.URL, _ ...string) string {
-	link := "/" + provisionerName
-	if abs {
-		// Copy the baseURL value from the pointer. https://github.com/golang/go/issues/38351
-		u := url.URL{}
-		if baseURL != nil {
-			u = *baseURL
-		}
-
-		// If no Scheme is set, then default to http (in case of SCEP)
-		if u.Scheme == "" {
-			u.Scheme = "http"
-		}
-
-		// If no Host is set, then use the default (first DNS attr in the ca.json).
-		if u.Host == "" {
-			u.Host = a.dns
-		}
-
-		u.Path = a.prefix + link
-		return u.String()
+	// if a provisioner specific RSA decrypter is available, it is returned as
+	// the first certificate.
+	if decrypterCertificate, _ := p.GetDecrypter(); decrypterCertificate != nil {
+		certs = append(certs, decrypterCertificate)
 	}

-	return link
-}
+	// TODO(hs): ensure logic is in place that checks the signer is the first
+	// intermediate and that there are no double certificates.
+	certs = append(certs, a.intermediates...)

-// GetCACertificates returns the certificate (chain) for the CA
-func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate, error) {
-	// TODO: this should return: the "SCEP Server (RA)" certificate, the issuing CA up to and excl. the root
-	// Some clients do need the root certificate however; also see: https://github.com/openxpki/openxpki/issues/73
-	//
-	// This means we might need to think about if we should use the current intermediate CA
-	// certificate as the "SCEP Server (RA)" certificate. It might be better to have a distinct
-	// RA certificate, with a corresponding rsa.PrivateKey, just for SCEP usage, which is signed by
-	// the intermediate CA. Will need to look how we can provide this nicely within step-ca.
-	//
-	// This might also mean that we might want to use a distinct instance of KMS for doing the key operations,
-	// so that we can use RSA just for SCEP.
-	//
-	// Using an RA does not seem to exist in https://tools.ietf.org/html/rfc8894, but is mentioned in
-	// https://tools.ietf.org/id/draft-nourse-scep-21.html. Will continue using the CA directly for now.
-	//
-	// The certificate to use should probably depend on the (configured) provisioner and may
-	// use a distinct certificate, apart from the intermediate.
-
-	p, err := provisionerFromContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(a.caCerts) == 0 {
-		return nil, errors.New("no intermediate certificate available in SCEP authority")
-	}
-
-	certs := []*x509.Certificate{}
-	certs = append(certs, a.caCerts[0])
-
-	// NOTE: we're adding the CA roots here, but they are (highly likely) different than what the RFC means.
-	// Clients are responsible to select the right cert(s) to use, though.
-	if p.ShouldIncludeRootInChain() && len(a.caCerts) > 1 {
-		certs = append(certs, a.caCerts[1])
+	// the CA roots are added for completeness when configured to do so. Clients
+	// are responsible to select the right cert(s) to store and use.
+	if p.ShouldIncludeRootInChain() {
+		certs = append(certs, a.roots...)
 	}

 	return certs, nil
 }

 // DecryptPKIEnvelope decrypts an enveloped message
-func (a *Authority) DecryptPKIEnvelope(_ context.Context, msg *PKIMessage) error {
+func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error {
 	p7c, err := pkcs7.Parse(msg.P7.Content)
 	if err != nil {
 		return fmt.Errorf("error parsing pkcs7 content: %w", err)
 	}

-	envelope, err := p7c.Decrypt(a.intermediateCertificate, a.service.decrypter)
+	cert, pkey, err := a.selectDecrypter(ctx)
+	if err != nil {
+		return fmt.Errorf("failed selecting decrypter: %w", err)
+	}
+
+	envelope, err := p7c.Decrypt(cert, pkey)
 	if err != nil {
 		return fmt.Errorf("error decrypting encrypted pkcs7 content: %w", err)
 	}
@ -208,6 +189,9 @@ func (a *Authority) DecryptPKIEnvelope(_ context.Context, msg *PKIMessage) error
 		if err != nil {
 			return fmt.Errorf("parse CSR from pkiEnvelope: %w", err)
 		}
+		if err := csr.CheckSignature(); err != nil {
+			return fmt.Errorf("invalid CSR signature; %w", err)
+		}
 		// check for challengePassword
 		cp, err := microx509util.ParseChallengePassword(msg.pkiEnvelope)
 		if err != nil {
@ -226,6 +210,21 @@ func (a *Authority) DecryptPKIEnvelope(_ context.Context, msg *PKIMessage) error
 	return nil
 }

+func (a *Authority) selectDecrypter(ctx context.Context) (cert *x509.Certificate, pkey crypto.PrivateKey, err error) {
+	p := provisionerFromContext(ctx)
+
+	// return provisioner specific decrypter, if available
+	if cert, pkey = p.GetDecrypter(); cert != nil && pkey != nil {
+		return
+	}
+
+	// fallback to the CA wide decrypter
+	cert = a.signerCertificate
+	pkey = a.defaultDecrypter
+
+	return
+}
+
 // SignCSR creates an x509.Certificate based on a CSR template and Cert Authority credentials
 // returns a new PKIMessage with CertRep data
 func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error) {
@ -234,10 +233,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 	// poll for the status. It seems to be similar as what can happen in ACME, so might want to model
 	// the implementation after the one in the ACME authority. Requires storage, etc.

-	p, err := provisionerFromContext(ctx)
-	if err != nil {
-		return nil, err
-	}
+	p := provisionerFromContext(ctx)

 	// check if CSRReqMessage has already been decrypted
 	if msg.CSRReqMessage.CSR == nil {
@ -358,10 +354,11 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 	// as the first certificate in the array
 	signedData.AddCertificate(cert)

-	authCert := a.intermediateCertificate
+	authCert := a.signerCertificate
+	signer := a.signer

 	// sign the attributes
-	if err := signedData.AddSigner(authCert, a.service.signer, config); err != nil {
+	if err := signedData.AddSigner(authCert, signer, config); err != nil {
 		return nil, err
 	}

@ -429,7 +426,7 @@ func (a *Authority) CreateFailureResponse(_ context.Context, _ *x509.Certificate
 	}

 	// sign the attributes
-	if err := signedData.AddSigner(a.intermediateCertificate, a.service.signer, config); err != nil {
+	if err := signedData.AddSigner(a.signerCertificate, a.signer, config); err != nil {
 		return nil, err
 	}

@ -457,10 +454,7 @@ func (a *Authority) CreateFailureResponse(_ context.Context, _ *x509.Certificate

 // GetCACaps returns the CA capabilities
 func (a *Authority) GetCACaps(ctx context.Context) []string {
-	p, err := provisionerFromContext(ctx)
-	if err != nil {
-		return defaultCapabilities
-	}
+	p := provisionerFromContext(ctx)

 	caps := p.GetCapabilities()
 	if len(caps) == 0 {
@ -477,9 +471,6 @@ func (a *Authority) GetCACaps(ctx context.Context) []string {
 }

 func (a *Authority) ValidateChallenge(ctx context.Context, challenge, transactionID string) error {
-	p, err := provisionerFromContext(ctx)
-	if err != nil {
-		return err
-	}
+	p := provisionerFromContext(ctx)
 	return p.ValidateChallenge(ctx, challenge, transactionID)
 }
--- a/scep/common.go
+++ b/scep/common.go
@ -1,29 +0,0 @@
-package scep
-
-import (
-	"context"
-	"errors"
-)
-
-// ContextKey is the key type for storing and searching for SCEP request
-// essentials in the context of a request.
-type ContextKey string
-
-const (
-	// ProvisionerContextKey provisioner key
-	ProvisionerContextKey = ContextKey("provisioner")
-)
-
-// provisionerFromContext searches the context for a SCEP provisioner.
-// Returns the provisioner or an error.
-func provisionerFromContext(ctx context.Context) (Provisioner, error) {
-	val := ctx.Value(ProvisionerContextKey)
-	if val == nil {
-		return nil, errors.New("provisioner expected in request context")
-	}
-	p, ok := val.(Provisioner)
-	if !ok || p == nil {
-		return nil, errors.New("provisioner in context is not a SCEP provisioner")
-	}
-	return p, nil
-}
--- a/scep/database.go
+++ b/scep/database.go
@ -1,7 +0,0 @@
-package scep
-
-import "crypto/x509"
-
-type DB interface {
-	StoreCertificate(crt *x509.Certificate) error
-}
--- a/scep/options.go
+++ b/scep/options.go
@ -4,65 +4,76 @@ import (
 	"crypto"
 	"crypto/rsa"
 	"crypto/x509"
-
-	"github.com/pkg/errors"
+	"errors"
 )

 type Options struct {
-	// CertificateChain is the issuer certificate, along with any other bundled certificates
-	// to be returned in the chain for consumers. Configured in the ca.json crt property.
-	CertificateChain []*x509.Certificate
+	// Roots contains the (federated) CA roots certificate(s)
+	Roots []*x509.Certificate `json:"-"`
+	// Intermediates points issuer certificate, along with any other bundled certificates
+	// to be returned in the chain for consumers.
+	Intermediates []*x509.Certificate `json:"-"`
+	// SignerCert points to the certificate of the CA signer. It usually is the same as the
+	// first certificate in the CertificateChain.
+	SignerCert *x509.Certificate `json:"-"`
 	// Signer signs CSRs in SCEP. Configured in the ca.json key property.
 	Signer crypto.Signer `json:"-"`
 	// Decrypter decrypts encrypted SCEP messages. Configured in the ca.json key property.
 	Decrypter crypto.Decrypter `json:"-"`
+	// SCEPProvisionerNames contains the currently configured SCEP provioner names. These
+	// are used to be able to load the provisioners when the SCEP authority is being
+	// validated.
+	SCEPProvisionerNames []string
+}
+
+type comparablePublicKey interface {
+	Equal(crypto.PublicKey) bool
 }

 // Validate checks the fields in Options.
 func (o *Options) Validate() error {
-	if o.CertificateChain == nil {
-		return errors.New("certificate chain not configured correctly")
+	switch {
+	case len(o.Intermediates) == 0:
+		return errors.New("no intermediate certificate available for SCEP authority")
+	case o.Signer == nil:
+		return errors.New("no signer available for SCEP authority")
+	case o.SignerCert == nil:
+		return errors.New("no signer certificate available for SCEP authority")
 	}

-	if len(o.CertificateChain) < 1 {
-		return errors.New("certificate chain should at least have one certificate")
+	// check if the signer (intermediate CA) certificate has the same public key as
+	// the signer. According to the RFC it seems valid to have different keys for
+	// the intermediate and the CA signing new certificates, so this might change
+	// in the future.
+	signerPublicKey := o.Signer.Public().(comparablePublicKey)
+	if !signerPublicKey.Equal(o.SignerCert.PublicKey) {
+		return errors.New("mismatch between signer certificate and public key")
 	}

-	// According to the RFC: https://tools.ietf.org/html/rfc8894#section-3.1, SCEP
-	// can be used with something different than RSA, but requires the encryption
-	// to be performed using the challenge password. An older version of specification
-	// states that only RSA is supported: https://tools.ietf.org/html/draft-nourse-scep-23#section-2.1.1
-	// Other algorithms than RSA do not seem to be supported in certnanny/sscep, but it might work
+	// decrypter can be nil in case a signing only key is used; validation complete.
+	if o.Decrypter == nil {
+		return nil
+	}
+
+	// If a decrypter is available, check that it's backed by an RSA key. According to the
+	// RFC: https://tools.ietf.org/html/rfc8894#section-3.1, SCEP can be used with something
+	// different than RSA, but requires the encryption to be performed using the challenge
+	// password in that case. An older version of specification states that only RSA is
+	// supported: https://tools.ietf.org/html/draft-nourse-scep-23#section-2.1.1. Other
+	// algorithms do not seem to be supported in certnanny/sscep, but it might work
 	// in micromdm/scep. Currently only RSA is allowed, but it might be an option
 	// to try other algorithms in the future.
-	intermediate := o.CertificateChain[0]
-	if intermediate.PublicKeyAlgorithm != x509.RSA {
-		return errors.New("only the RSA algorithm is (currently) supported")
-	}
-
-	// TODO: add checks for key usage?
-
-	signerPublicKey, ok := o.Signer.Public().(*rsa.PublicKey)
-	if !ok {
-		return errors.New("only RSA public keys are (currently) supported as signers")
-	}
-
-	// check if the intermediate ca certificate has the same public key as the signer.
-	// According to the RFC it seems valid to have different keys for the intermediate
-	// and the CA signing new certificates, so this might change in the future.
-	if !signerPublicKey.Equal(intermediate.PublicKey) {
-		return errors.New("mismatch between certificate chain and signer public keys")
-	}
-
 	decrypterPublicKey, ok := o.Decrypter.Public().(*rsa.PublicKey)
 	if !ok {
-		return errors.New("only RSA public keys are (currently) supported as decrypters")
+		return errors.New("only RSA keys are (currently) supported as decrypters")
 	}

 	// check if intermediate public key is the same as the decrypter public key.
 	// In certnanny/sscep it's mentioned that the signing key can be different
-	// from the decrypting (and encrypting) key. Currently that's not supported.
-	if !decrypterPublicKey.Equal(intermediate.PublicKey) {
+	// from the decrypting (and encrypting) key. These options are only used and
+	// validated when the intermediate CA is also used as the decrypter, though,
+	// so they should match.
+	if !decrypterPublicKey.Equal(o.SignerCert.PublicKey) {
 		return errors.New("mismatch between certificate chain and decrypter public keys")
 	}

--- a/scep/provisioner.go
+++ b/scep/provisioner.go
@ -2,6 +2,8 @@ package scep

 import (
 	"context"
+	"crypto"
+	"crypto/x509"
 	"time"

 	"github.com/smallstep/certificates/authority/provisioner"
@ -16,6 +18,25 @@ type Provisioner interface {
 	GetOptions() *provisioner.Options
 	GetCapabilities() []string
 	ShouldIncludeRootInChain() bool
+	GetDecrypter() (*x509.Certificate, crypto.Decrypter)
 	GetContentEncryptionAlgorithm() int
 	ValidateChallenge(ctx context.Context, challenge, transactionID string) error
 }
+
+// provisionerKey is the key type for storing and searching a
+// SCEP provisioner in the context.
+type provisionerKey struct{}
+
+// provisionerFromContext searches the context for a SCEP provisioner.
+// Returns the provisioner or panics if no SCEP provisioner is found.
+func provisionerFromContext(ctx context.Context) Provisioner {
+	p, ok := ctx.Value(provisionerKey{}).(Provisioner)
+	if !ok {
+		panic("SCEP provisioner expected in request context")
+	}
+	return p
+}
+
+func NewProvisionerContext(ctx context.Context, p Provisioner) context.Context {
+	return context.WithValue(ctx, provisionerKey{}, p)
+}
--- a/scep/service.go
+++ b/scep/service.go
@ -1,28 +0,0 @@
-package scep
-
-import (
-	"context"
-	"crypto"
-	"crypto/x509"
-)
-
-// Service is a wrapper for crypto.Signer and crypto.Decrypter
-type Service struct {
-	certificateChain []*x509.Certificate
-	signer           crypto.Signer
-	decrypter        crypto.Decrypter
-}
-
-// NewService returns a new Service type.
-func NewService(_ context.Context, opts Options) (*Service, error) {
-	if err := opts.Validate(); err != nil {
-		return nil, err
-	}
-
-	// TODO: should this become similar to the New CertificateAuthorityService as in x509CAService?
-	return &Service{
-		certificateChain: opts.CertificateChain,
-		signer:           opts.Signer,
-		decrypter:        opts.Decrypter,
-	}, nil
-}
--- a/scripts/README.md
+++ b/scripts/README.md
@ -2,7 +2,3 @@

 Please note that `install-step-ra.sh` is referenced on the `files.smallstep.com` S3 website bucket as a redirect to `raw.githubusercontent.com`. If you move it, please update the S3 redirect.

-## badger-migration
-
-badger-migration is a tool that allows migrating data data from BadgerDB (v1 or
-v2) to MySQL or PostgreSQL.
--- a/scripts/badger-migration/main.go
+++ b/scripts/badger-migration/main.go
@ -1,352 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"encoding/base64"
-	"encoding/binary"
-	"errors"
-	"flag"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	badgerv1 "github.com/dgraph-io/badger"
-	badgerv2 "github.com/dgraph-io/badger/v2"
-
-	"github.com/smallstep/nosql"
-)
-
-var (
-	authorityTables = []string{
-		"x509_certs",
-		"x509_certs_data",
-		"revoked_x509_certs",
-		"x509_crl",
-		"revoked_ssh_certs",
-		"used_ott",
-		"ssh_certs",
-		"ssh_hosts",
-		"ssh_users",
-		"ssh_host_principals",
-	}
-	acmeTables = []string{
-		"acme_accounts",
-		"acme_keyID_accountID_index",
-		"acme_authzs",
-		"acme_challenges",
-		"nonces",
-		"acme_orders",
-		"acme_account_orders_index",
-		"acme_certs",
-		"acme_serial_certs_index",
-		"acme_external_account_keys",
-		"acme_external_account_keyID_reference_index",
-		"acme_external_account_keyID_provisionerID_index",
-	}
-	adminTables = []string{
-		"admins",
-		"provisioners",
-		"authority_policies",
-	}
-)
-
-type DB interface {
-	CreateTable([]byte) error
-	Set(bucket, key, value []byte) error
-}
-
-type dryRunDB struct{}
-
-func (*dryRunDB) CreateTable([]byte) error            { return nil }
-func (*dryRunDB) Set(bucket, key, value []byte) error { return nil }
-
-func usage(fs *flag.FlagSet) {
-	name := filepath.Base(os.Args[0])
-	fmt.Fprintf(os.Stderr, "%s is a tool to migrate data from BadgerDB to MySQL or PostgreSQL.\n", name)
-	fmt.Fprintln(os.Stderr, "\nUsage:")
-	fmt.Fprintf(os.Stderr, "  %s [-v1|-v2] -dir=<path> [-value-dir=<path>] -type=type -database=<source>\n", name)
-	fmt.Fprintln(os.Stderr, "\nExamples:")
-	fmt.Fprintf(os.Stderr, "  %s -v1 -dir /var/lib/step-ca/db -type=mysql -database \"user@unix/step_ca\"\n", name)
-	fmt.Fprintf(os.Stderr, "  %s -v1 -dir /var/lib/step-ca/db -type=mysql -database \"user:password@tcp(localhost:3306)/step_ca\"\n", name)
-	fmt.Fprintf(os.Stderr, "  %s -v2 -dir /var/lib/step-ca/db -type=postgresql -database \"user=postgres dbname=step_ca\"\n", name)
-	fmt.Fprintf(os.Stderr, "  %s -v2 -dir /var/lib/step-ca/db -dry-run\"\n", name)
-	fmt.Fprintln(os.Stderr, "\nOptions:")
-	fs.PrintDefaults()
-}
-
-func main() {
-	var v1, v2, dryRun bool
-	var dir, valueDir string
-	var typ, database string
-	var key string
-
-	fs := flag.NewFlagSet(os.Args[0], flag.ExitOnError)
-
-	fs.BoolVar(&v1, "v1", false, "use badger v1 as the source database")
-	fs.BoolVar(&v2, "v2", false, "use badger v2 as the source database")
-	fs.StringVar(&dir, "dir", "", "badger database directory")
-	fs.StringVar(&valueDir, "value-dir", "", "badger database value directory")
-	fs.StringVar(&typ, "type", "", "the destination database type to use")
-	fs.StringVar(&database, "database", "", "the destination driver-specific data source name")
-	fs.StringVar(&key, "key", "", "the key used to resume the migration")
-	fs.BoolVar(&dryRun, "dry-run", false, "runs the migration scripts without writing anything")
-	fs.Usage = func() { usage(fs) }
-	fs.Parse(os.Args[1:])
-
-	switch {
-	case v1 == v2:
-		fatal("flag -v1 or -v2 are required")
-	case dir == "":
-		fatal("flag -dir is required")
-	case typ != "postgresql" && typ != "mysql" && !dryRun:
-		fatal(`flag -type must be "postgresql" or "mysql"`)
-	case database == "" && !dryRun:
-		fatal("flag --database required")
-	}
-
-	var (
-		err     error
-		v1DB    *badgerv1.DB
-		v2DB    *badgerv2.DB
-		lastKey []byte
-	)
-
-	if key != "" {
-		if lastKey, err = base64.StdEncoding.DecodeString(key); err != nil {
-			fatal("error decoding key: %v", err)
-		}
-	}
-
-	if v1 {
-		if v1DB, err = badgerV1Open(dir, valueDir); err != nil {
-			fatal("error opening badger v1 database: %v", err)
-		}
-	} else {
-		if v2DB, err = badgerV2Open(dir, valueDir); err != nil {
-			fatal("error opening badger v2 database: %v", err)
-		}
-	}
-
-	var db DB
-	if dryRun {
-		db = &dryRunDB{}
-	} else {
-		db, err = nosql.New(typ, database)
-		if err != nil {
-			fatal("error opening %s database: %v", typ, err)
-		}
-	}
-
-	allTables := append([]string{}, authorityTables...)
-	allTables = append(allTables, acmeTables...)
-	allTables = append(allTables, adminTables...)
-
-	// Convert prefix names to badger key prefixes
-	badgerKeys := make([][]byte, len(allTables))
-	for i, name := range allTables {
-		badgerKeys[i], err = badgerEncode([]byte(name))
-		if err != nil {
-			fatal("error encoding table %s: %v", name, err)
-		}
-	}
-
-	for i, prefix := range badgerKeys {
-		table := allTables[i]
-
-		// With a key flag, resume from that table and prefix
-		if lastKey != nil {
-			bucket, _ := parseBadgerEncode(lastKey)
-			if table != string(bucket) {
-				fmt.Printf("skipping table %s\n", table)
-				continue
-			}
-			// Continue with a new prefix
-			prefix = lastKey
-			lastKey = nil
-		}
-
-		var n int64
-		fmt.Printf("migrating %s ...", table)
-		if err := db.CreateTable([]byte(table)); err != nil {
-			fatal("error creating table %s: %v", table, err)
-		}
-
-		if v1 {
-			if badgerKey, err := badgerV1Iterate(v1DB, prefix, func(bucket, key, value []byte) error {
-				n++
-				return db.Set(bucket, key, value)
-			}); err != nil {
-				fmt.Println()
-				fatal("error inserting into %s: %v\nLast key: %s", table, err, base64.StdEncoding.EncodeToString(badgerKey))
-			}
-		} else {
-			if badgerKey, err := badgerV2Iterate(v2DB, prefix, func(bucket, key, value []byte) error {
-				n++
-				return db.Set(bucket, key, value)
-			}); err != nil {
-				fmt.Println()
-				fatal("error inserting into %s: %v\nLast key: %s", table, err, base64.StdEncoding.EncodeToString(badgerKey))
-			}
-		}
-
-		fmt.Printf(" %d rows\n", n)
-	}
-}
-
-func fatal(format string, args ...any) {
-	fmt.Fprintf(os.Stderr, format, args...)
-	fmt.Fprintln(os.Stderr)
-	os.Exit(1)
-}
-
-func badgerV1Open(dir, valueDir string) (*badgerv1.DB, error) {
-	opts := badgerv1.DefaultOptions(dir)
-	if valueDir != "" {
-		opts.ValueDir = valueDir
-	}
-	return badgerv1.Open(opts)
-}
-
-func badgerV2Open(dir, valueDir string) (*badgerv2.DB, error) {
-	opts := badgerv2.DefaultOptions(dir)
-	if valueDir != "" {
-		opts.ValueDir = valueDir
-	}
-	return badgerv2.Open(opts)
-}
-
-type Iterator interface {
-	Seek([]byte)
-	ValidForPrefix([]byte) bool
-	Next()
-}
-
-type Item interface {
-	KeyCopy([]byte) []byte
-	ValueCopy([]byte) ([]byte, error)
-}
-
-func badgerV1Iterate(db *badgerv1.DB, prefix []byte, fn func(bucket, key, value []byte) error) (badgerKey []byte, err error) {
-	err = db.View(func(txn *badgerv1.Txn) error {
-		it := txn.NewIterator(badgerv1.DefaultIteratorOptions)
-		defer it.Close()
-		badgerKey, err = badgerIterate(it, prefix, fn)
-		return err
-	})
-	return
-}
-
-func badgerV2Iterate(db *badgerv2.DB, prefix []byte, fn func(bucket, key, value []byte) error) (badgerKey []byte, err error) {
-	err = db.View(func(txn *badgerv2.Txn) error {
-		it := txn.NewIterator(badgerv2.DefaultIteratorOptions)
-		defer it.Close()
-		badgerKey, err = badgerIterate(it, prefix, fn)
-		return err
-	})
-	return
-}
-
-func badgerIterate(it Iterator, prefix []byte, fn func(bucket, key, value []byte) error) ([]byte, error) {
-	var badgerKey []byte
-	for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
-		var item Item
-		switch itt := it.(type) {
-		case *badgerv1.Iterator:
-			item = itt.Item()
-		case *badgerv2.Iterator:
-			item = itt.Item()
-		default:
-			return badgerKey, fmt.Errorf("unexpected iterator type %T", it)
-		}
-
-		badgerKey = item.KeyCopy(nil)
-		if isBadgerTable(badgerKey) {
-			continue
-		}
-
-		bucket, key, err := fromBadgerKey(badgerKey)
-		if err != nil {
-			return badgerKey, fmt.Errorf("error converting from badger key %s", badgerKey)
-		}
-		value, err := item.ValueCopy(nil)
-		if err != nil {
-			return badgerKey, fmt.Errorf("error retrieving contents from database value: %w", err)
-		}
-
-		if err := fn(bucket, key, value); err != nil {
-			return badgerKey, fmt.Errorf("error exporting %s[%s]=%x", bucket, key, value)
-		}
-	}
-
-	return badgerKey, nil
-}
-
-// badgerEncode encodes a byte slice into a section of a BadgerKey. See
-// documentation for toBadgerKey.
-func badgerEncode(val []byte) ([]byte, error) {
-	l := len(val)
-	switch {
-	case l == 0:
-		return nil, errors.New("input cannot be empty")
-	case l > 65535:
-		return nil, errors.New("length of input cannot be greater than 65535")
-	default:
-		lb := new(bytes.Buffer)
-		if err := binary.Write(lb, binary.LittleEndian, uint16(l)); err != nil {
-			return nil, fmt.Errorf("error doing binary Write: %w", err)
-		}
-		return append(lb.Bytes(), val...), nil
-	}
-}
-
-// parseBadgerEncode decodes the badger key and returns the bucket and the rest.
-func parseBadgerEncode(bk []byte) (value, rest []byte) {
-	var (
-		keyLen uint16
-		start  = uint16(2)
-		length = uint16(len(bk))
-	)
-	if uint16(len(bk)) < start {
-		return nil, bk
-	}
-	// First 2 bytes stores the length of the value.
-	if err := binary.Read(bytes.NewReader(bk[:2]), binary.LittleEndian, &keyLen); err != nil {
-		return nil, bk
-	}
-	end := start + keyLen
-	switch {
-	case length < end:
-		return nil, bk
-	case length == end:
-		return bk[start:end], nil
-	default:
-		return bk[start:end], bk[end:]
-	}
-}
-
-// isBadgerTable returns True if the slice is a badgerTable token, false
-// otherwise. badgerTable means that the slice contains only the [size|value] of
-// one section of a badgerKey and no remainder. A badgerKey is [bucket|key],
-// while a badgerTable is only the bucket section.
-func isBadgerTable(bk []byte) bool {
-	if k, rest := parseBadgerEncode(bk); len(k) > 0 && len(rest) == 0 {
-		return true
-	}
-	return false
-}
-
-// fromBadgerKey returns the bucket and key encoded in a BadgerKey. See
-// documentation for toBadgerKey.
-func fromBadgerKey(bk []byte) ([]byte, []byte, error) {
-	bucket, rest := parseBadgerEncode(bk)
-	if len(bucket) == 0 || len(rest) == 0 {
-		return nil, nil, fmt.Errorf("invalid badger key: %v", bk)
-	}
-
-	key, rest2 := parseBadgerEncode(rest)
-	if len(key) == 0 || len(rest2) != 0 {
-		return nil, nil, fmt.Errorf("invalid badger key: %v", bk)
-	}
-
-	return bucket, key, nil
-}
--- a/webhook/options.go
+++ b/webhook/options.go
@ -68,13 +68,6 @@ func WithAttestationData(data *AttestationData) RequestBodyOption {
 	}
 }

-func WithAuthorizationPrincipal(p string) RequestBodyOption {
-	return func(rb *RequestBody) error {
-		rb.AuthorizationPrincipal = p
-		return nil
-	}
-}
-
 func WithSSHCertificateRequest(cr sshutil.CertificateRequest) RequestBodyOption {
 	return func(rb *RequestBody) error {
 		rb.SSHCertificateRequest = &SSHCertificateRequest{
@ -102,23 +95,3 @@ func WithSSHCertificate(cert *sshutil.Certificate, certTpl *ssh.Certificate) Req
 		return nil
 	}
 }
-
-func WithX5CCertificate(leaf *x509.Certificate) RequestBodyOption {
-	return func(rb *RequestBody) error {
-		rb.X5CCertificate = &X5CCertificate{
-			Raw:                leaf.Raw,
-			PublicKeyAlgorithm: leaf.PublicKeyAlgorithm.String(),
-			NotBefore:          leaf.NotBefore,
-			NotAfter:           leaf.NotAfter,
-		}
-		if leaf.PublicKey != nil {
-			key, err := x509.MarshalPKIXPublicKey(leaf.PublicKey)
-			if err != nil {
-				return err
-			}
-			rb.X5CCertificate.PublicKey = key
-		}
-
-		return nil
-	}
-}
--- a/webhook/options_test.go
+++ b/webhook/options_test.go
@ -7,7 +7,6 @@ import (
 	"time"

 	"github.com/smallstep/assert"
-	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 	"golang.org/x/crypto/ssh"
@ -17,15 +16,6 @@ func TestNewRequestBody(t *testing.T) {
 	t1 := time.Now()
 	t2 := t1.Add(time.Hour)

-	key, err := keyutil.GenerateDefaultSigner()
-	if err != nil {
-		t.Fatal(err)
-	}
-	keyBytes, err := x509.MarshalPKIXPublicKey(key.Public())
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	type test struct {
 		options []RequestBodyOption
 		want    *RequestBody
@ -113,40 +103,6 @@ func TestNewRequestBody(t *testing.T) {
 			},
 			wantErr: false,
 		},
-		"X5C Certificate": {
-			options: []RequestBodyOption{
-				WithX5CCertificate(&x509.Certificate{
-					Raw:                []byte("some raw data"),
-					NotBefore:          t1,
-					NotAfter:           t2,
-					PublicKeyAlgorithm: x509.ECDSA,
-					PublicKey:          key.Public(),
-				}),
-			},
-			want: &RequestBody{
-				X5CCertificate: &X5CCertificate{
-					Raw:                []byte("some raw data"),
-					PublicKeyAlgorithm: "ECDSA",
-					NotBefore:          t1,
-					NotAfter:           t2,
-					PublicKey:          keyBytes,
-				},
-			},
-			wantErr: false,
-		},
-		"fail/X5C Certificate": {
-			options: []RequestBodyOption{
-				WithX5CCertificate(&x509.Certificate{
-					Raw:                []byte("some raw data"),
-					NotBefore:          t1,
-					NotAfter:           t2,
-					PublicKeyAlgorithm: x509.ECDSA,
-					PublicKey:          []byte("fail"),
-				}),
-			},
-			want:    nil,
-			wantErr: true,
-		},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
--- a/webhook/types.go
+++ b/webhook/types.go
@ -56,17 +56,6 @@ type AttestationData struct {
 	PermanentIdentifier string `json:"permanentIdentifier"`
 }

-// X5CCertificate is the authorization certificate sent to webhook servers for
-// enriching or authorizing webhooks when signing X509 or SSH certificates using
-// the X5C provisioner.
-type X5CCertificate struct {
-	Raw                []byte    `json:"raw"`
-	PublicKey          []byte    `json:"publicKey"`
-	PublicKeyAlgorithm string    `json:"publicKeyAlgorithm"`
-	NotBefore          time.Time `json:"notBefore"`
-	NotAfter           time.Time `json:"notAfter"`
-}
-
 // RequestBody is the body sent to webhook servers.
 type RequestBody struct {
 	Timestamp time.Time `json:"timestamp"`
@ -82,8 +71,4 @@ type RequestBody struct {
 	// Only set for SCEP challenge validation requests
 	SCEPChallenge     string `json:"scepChallenge,omitempty"`
 	SCEPTransactionID string `json:"scepTransactionID,omitempty"`
-	// Only set for X5C provisioners
-	X5CCertificate *X5CCertificate `json:"x5cCertificate,omitempty"`
-	// Set for X5C, AWS, GCP, and Azure provisioners
-	AuthorizationPrincipal string `json:"authorizationPrincipal,omitempty"`
 }
Author	SHA1	Message	Date
Herman Slatman	b2bf2c330b	Simplify SCEP provisioner context handling	2023-06-01 16:22:00 +02:00
Herman Slatman	8fc3a46387	Refactor the SCEP authority initialization Instead of relying on an intermediate `scep.Service` struct, initialize the `scep.Authority` directly. This removes one redundant layer of indirection.	2023-06-01 15:50:51 +02:00
Herman Slatman	6985b4be62	Clean up the SCEP authority and provisioner	2023-06-01 14:43:32 +02:00
Herman Slatman	a1f187e3df	Merge branch 'master' into herman/scep-provisioner-decrypter	2023-06-01 12:12:12 +02:00
Herman Slatman	180162bd6a	Refactor SCEP provisioner and decrypter	2023-06-01 12:10:54 +02:00
Herman Slatman	0377fe559b	Add basic version of provisioner specific SCEP decrypter	2023-05-26 23:52:49 +02:00