Allow Tokens for Renewing Certificates

[hunoz]

Name of feature: Provide Functionality for Tokens to be Used for Renewing Certificates

Pain or issue this feature alleviates: Currently, a provisioner doesn't allow for tokens to be used in the provisioner.RenewWithToken function as the audience is set to use /1.0/sign, which makes the token invalid for renewing certificates.

Why is this important to the project (if not answered above): Renewal of certificates via tokens issued with a provisioner is required for planned application usage.

Is there documentation on how to use this feature? If so, where?

None that I am aware of.

In what environments or workflows is this feature supported?

Any environments where this usage is planned or expected.

In what environments or workflows is this feature explicitly NOT supported (if any)?

None

Supporting links/other PRs/issues: N/A

💔Thank you!

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[maraino]

I don't really know what you're trying to do here.

Without taking into account the rekeys, step-ca provides two different ways to renew an X.509 certificate:

• Using an mTLS connection with the certificate to renew.
• Making a request with an authorization token that contains the certificate embedded in the token and is signed by the private key of the certificate.

The token you are creating is a regular sign token with the audience changed. I would be surprised if that works.