ttyLP0
diff --git a/‎api/api.go
+1-2 b/‎api/api.go
+1-2
diff --git a/‎api/api_test.go
+6-7 b/‎api/api_test.go
+6-7
diff --git a/‎api/sign.go
+6-6 b/‎api/sign.go
+6-6
diff --git a/‎authority/config.go
+17-7 b/‎authority/config.go
+17-7
diff --git a/‎authority/config_test.go
+12-14 b/‎authority/config_test.go
+12-14
diff --git a/‎authority/tls.go
+2-3 b/‎authority/tls.go
+2-3
@@ -23,7 +23,6 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
-	"github.com/smallstep/cli/crypto/tlsutil"
 )
 
 // Authority is the interface implemented by a CA authority.
@@ -32,7 +31,7 @@ type Authority interface {
 	// context specifies the Authorize[Sign|Revoke|etc.] method.
 	Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
 	AuthorizeSign(ott string) ([]provisioner.SignOption, error)
-	GetTLSOptions() *tlsutil.TLSOptions
+	GetTLSOptions() *authority.TLSOptions
 	Root(shasum string) (*x509.Certificate, error)
 	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	Renew(peer *x509.Certificate) ([]*x509.Certificate, error)
 
@@ -32,7 +32,6 @@ import (
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/crypto/tlsutil"
 	"github.com/smallstep/cli/jose"
 	"golang.org/x/crypto/ssh"
 )
@@ -547,7 +546,7 @@ type mockAuthority struct {
 	ret1, ret2                   interface{}
 	err                          error
 	authorizeSign                func(ott string) ([]provisioner.SignOption, error)
-	getTLSOptions                func() *tlsutil.TLSOptions
+	getTLSOptions                func() *authority.TLSOptions
 	root                         func(shasum string) (*x509.Certificate, error)
 	sign                         func(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	renew                        func(cert *x509.Certificate) ([]*x509.Certificate, error)
@@ -584,11 +583,11 @@ func (m *mockAuthority) AuthorizeSign(ott string) ([]provisioner.SignOption, err
 	return m.ret1.([]provisioner.SignOption), m.err
 }
 
-func (m *mockAuthority) GetTLSOptions() *tlsutil.TLSOptions {
+func (m *mockAuthority) GetTLSOptions() *authority.TLSOptions {
 	if m.getTLSOptions != nil {
 		return m.getTLSOptions()
 	}
-	return m.ret1.(*tlsutil.TLSOptions)
+	return m.ret1.(*authority.TLSOptions)
 }
 
 func (m *mockAuthority) Root(shasum string) (*x509.Certificate, error) {
@@ -881,7 +880,7 @@ func Test_caHandler_Sign(t *testing.T) {
 				authorizeSign: func(ott string) ([]provisioner.SignOption, error) {
 					return tt.certAttrOpts, tt.autherr
 				},
-				getTLSOptions: func() *tlsutil.TLSOptions {
+				getTLSOptions: func() *authority.TLSOptions {
 					return nil
 				},
 			}).(*caHandler)
@@ -932,7 +931,7 @@ func Test_caHandler_Renew(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			h := New(&mockAuthority{
 				ret1: tt.cert, ret2: tt.root, err: tt.err,
-				getTLSOptions: func() *tlsutil.TLSOptions {
+				getTLSOptions: func() *authority.TLSOptions {
 					return nil
 				},
 			}).(*caHandler)
@@ -993,7 +992,7 @@ func Test_caHandler_Rekey(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			h := New(&mockAuthority{
 				ret1: tt.cert, ret2: tt.root, err: tt.err,
-				getTLSOptions: func() *tlsutil.TLSOptions {
+				getTLSOptions: func() *authority.TLSOptions {
 					return nil
 				},
 			}).(*caHandler)
 
@@ -5,9 +5,9 @@ import (
 	"encoding/json"
 	"net/http"
 
+	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/tlsutil"
 )
 
 // SignRequest is the request body for a certificate signature request.
@@ -37,11 +37,11 @@ func (s *SignRequest) Validate() error {
 
 // SignResponse is the response object of the certificate signature request.
 type SignResponse struct {
-	ServerPEM    Certificate          `json:"crt"`
-	CaPEM        Certificate          `json:"ca"`
-	CertChainPEM []Certificate        `json:"certChain"`
-	TLSOptions   *tlsutil.TLSOptions  `json:"tlsOptions,omitempty"`
-	TLS          *tls.ConnectionState `json:"-"`
+	ServerPEM    Certificate           `json:"crt"`
+	CaPEM        Certificate           `json:"ca"`
+	CertChainPEM []Certificate         `json:"certChain"`
+	TLSOptions   *authority.TLSOptions `json:"tlsOptions,omitempty"`
+	TLS          *tls.ConnectionState  `json:"-"`
 }
 
 // Sign is an HTTP handler that reads a certificate request and an
 
@@ -12,15 +12,13 @@ import (
 	"github.com/smallstep/certificates/db"
 	kms "github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/crypto/tlsutil"
-	"github.com/smallstep/cli/crypto/x509util"
 )
 
 var (
 	// DefaultTLSOptions represents the default TLS version as well as the cipher
 	// suites used in the TLS certificates.
-	DefaultTLSOptions = tlsutil.TLSOptions{
-		CipherSuites: x509util.CipherSuites{
+	DefaultTLSOptions = TLSOptions{
+		CipherSuites: CipherSuites{
 			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
@@ -61,15 +59,27 @@ type Config struct {
 	DB               *db.Config           `json:"db,omitempty"`
 	Monitoring       json.RawMessage      `json:"monitoring,omitempty"`
 	AuthorityConfig  *AuthConfig          `json:"authority,omitempty"`
-	TLS              *tlsutil.TLSOptions  `json:"tls,omitempty"`
+	TLS              *TLSOptions          `json:"tls,omitempty"`
 	Password         string               `json:"password,omitempty"`
 	Templates        *templates.Templates `json:"templates,omitempty"`
 }
 
+// ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer
+// x509 Certificate blocks.
+type ASN1DN struct {
+	Country            string `json:"country,omitempty" step:"country"`
+	Organization       string `json:"organization,omitempty" step:"organization"`
+	OrganizationalUnit string `json:"organizationalUnit,omitempty" step:"organizationalUnit"`
+	Locality           string `json:"locality,omitempty" step:"locality"`
+	Province           string `json:"province,omitempty" step:"province"`
+	StreetAddress      string `json:"streetAddress,omitempty" step:"streetAddress"`
+	CommonName         string `json:"commonName,omitempty" step:"commonName"`
+}
+
 // AuthConfig represents the configuration options for the authority.
 type AuthConfig struct {
 	Provisioners         provisioner.List      `json:"provisioners"`
-	Template             *x509util.ASN1DN      `json:"template,omitempty"`
+	Template             *ASN1DN               `json:"template,omitempty"`
 	Claims               *provisioner.Claims   `json:"claims,omitempty"`
 	DisableIssuedAtCheck bool                  `json:"disableIssuedAtCheck,omitempty"`
 	Backdate             *provisioner.Duration `json:"backdate,omitempty"`
@@ -82,7 +92,7 @@ func (c *AuthConfig) init() {
 		c.Provisioners = provisioner.List{}
 	}
 	if c.Template == nil {
-		c.Template = &x509util.ASN1DN{}
+		c.Template = &ASN1DN{}
 	}
 	if c.Backdate == nil {
 		c.Backdate = &provisioner.Duration{
 
@@ -7,8 +7,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"github.com/smallstep/cli/crypto/tlsutil"
-	"github.com/smallstep/cli/crypto/x509util"
 	stepJOSE "github.com/smallstep/cli/jose"
 )
 
@@ -35,7 +33,7 @@ func TestConfigValidate(t *testing.T) {
 	type ConfigValidateTest struct {
 		config *Config
 		err    error
-		tls    tlsutil.TLSOptions
+		tls    TLSOptions
 	}
 	tests := map[string]func(*testing.T) ConfigValidateTest{
 		"empty-address": func(t *testing.T) ConfigValidateTest {
@@ -141,7 +139,7 @@ func TestConfigValidate(t *testing.T) {
 					DNSNames:         []string{"test.smallstep.com"},
 					Password:         "pass",
 					AuthorityConfig:  ac,
-					TLS:              &tlsutil.TLSOptions{},
+					TLS:              &TLSOptions{},
 				},
 				tls: DefaultTLSOptions,
 			}
@@ -156,17 +154,17 @@ func TestConfigValidate(t *testing.T) {
 					DNSNames:         []string{"test.smallstep.com"},
 					Password:         "pass",
 					AuthorityConfig:  ac,
-					TLS: &tlsutil.TLSOptions{
-						CipherSuites: x509util.CipherSuites{
+					TLS: &TLSOptions{
+						CipherSuites: CipherSuites{
 							"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 						},
 						MinVersion:    1.0,
 						MaxVersion:    1.1,
 						Renegotiation: true,
 					},
 				},
-				tls: tlsutil.TLSOptions{
-					CipherSuites: x509util.CipherSuites{
+				tls: TLSOptions{
+					CipherSuites: CipherSuites{
 						"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 					},
 					MinVersion:    1.0,
@@ -185,8 +183,8 @@ func TestConfigValidate(t *testing.T) {
 					DNSNames:         []string{"test.smallstep.com"},
 					Password:         "pass",
 					AuthorityConfig:  ac,
-					TLS: &tlsutil.TLSOptions{
-						CipherSuites: x509util.CipherSuites{
+					TLS: &TLSOptions{
+						CipherSuites: CipherSuites{
 							"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 						},
 						MinVersion:    1.2,
@@ -217,7 +215,7 @@ func TestConfigValidate(t *testing.T) {
 }
 
 func TestAuthConfigValidate(t *testing.T) {
-	asn1dn := x509util.ASN1DN{
+	asn1dn := ASN1DN{
 		Country:       "Tazmania",
 		Organization:  "Acme Co",
 		Locality:      "Landscapes",
@@ -245,7 +243,7 @@ func TestAuthConfigValidate(t *testing.T) {
 
 	type AuthConfigValidateTest struct {
 		ac     *AuthConfig
-		asn1dn x509util.ASN1DN
+		asn1dn ASN1DN
 		err    error
 	}
 	tests := map[string]func(*testing.T) AuthConfigValidateTest{
@@ -258,15 +256,15 @@ func TestAuthConfigValidate(t *testing.T) {
 		"ok-empty-provisioners": func(t *testing.T) AuthConfigValidateTest {
 			return AuthConfigValidateTest{
 				ac:     &AuthConfig{},
-				asn1dn: x509util.ASN1DN{},
+				asn1dn: ASN1DN{},
 			}
 		},
 		"ok-empty-asn1dn-template": func(t *testing.T) AuthConfigValidateTest {
 			return AuthConfigValidateTest{
 				ac: &AuthConfig{
 					Provisioners: p,
 				},
-				asn1dn: x509util.ASN1DN{},
+				asn1dn: ASN1DN{},
 			}
 		},
 		"ok-custom-asn1dn": func(t *testing.T) AuthConfigValidateTest {
 
@@ -17,21 +17,20 @@ import (
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/cli/crypto/pemutil"
-	"github.com/smallstep/cli/crypto/tlsutil"
 	x509legacy "github.com/smallstep/cli/crypto/x509util"
 	"github.com/smallstep/cli/jose"
 	"go.step.sm/crypto/x509util"
 )
 
 // GetTLSOptions returns the tls options configured.
-func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions {
+func (a *Authority) GetTLSOptions() *TLSOptions {
 	return a.config.TLS
 }
 
 var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
 var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}
 
-func withDefaultASN1DN(def *x509legacy.ASN1DN) provisioner.CertificateModifierFunc {
+func withDefaultASN1DN(def *ASN1DN) provisioner.CertificateModifierFunc {
 	return func(crt *x509.Certificate, opts provisioner.SignOptions) error {
 		if def == nil {
 			return errors.New("default ASN1DN template cannot be nil")