[Bug]: step ca provisioner update fails for JWK provisioner if --create is specified

[maxhoesel]

Steps to Reproduce

I am trying to apply the first example from the step ca provisioner update docs in a minimal test environment:

Update a JWK provisioner with newly generated keys and a template for x509 certificates:
step ca provisioner update cicd --create --x509-template ./templates/example.tpl

1. Start a step-ca container:

  $ docker run --rm -it --name step-ca-test \
  -p 9000:9000 \
  -e "DOCKER_STEPCA_INIT_NAME=Test" \
  -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \
  smallstep/step-ca

2. In a second terminal, bootstrap step-cli (after backing up any previous configuration) and create a new provisioner:

  $ step-cli ca bootstrap --ca-url https://localhost:9000 --fingerprint <ca-fp> --force
  $ docker exec -it step-ca-test bash -c "echo hello > /tmp/password"
  $ docker exec -it step-ca-test step ca provisioner add test --type JWK --create --password-file /tmp/password
  ✔ CA Configuration: /home/step/config/ca.json

  Success! Your `step-ca` config has been updated. To pick up the new configuration SIGHUP (kill -1 <pid>) or restart the step-ca process.
  $ docker exec -it step-ca-test pgrep step-ca
  1
  $ docker exec -it step-ca-test kill -1 1

3. Attempt to recreate the provisioners keys:

  docker exec -it step-ca-test step ca provisioner update test --create --password-file /tmp/password

Your Environment

OS: Arch

Step CLI:

$ step cli version
Smallstep CLI/0.25.0 (linux/amd64)
Release Date: 2023-09-27

Step CA: 0.25.0

Expected Behavior

The provisioner gets updated with a newly generated key.

Actual Behavior

Updating the JWK provisioner fails with this error message:

  docker exec -it step-ca-test step ca provisioner update test --create --password-file /tmp/password
  ✔ CA Configuration: /home/step/config/ca.json

  error updating provisioner: error updating provisioner 'test' in authority cache: provisioner test:xlByq2UljmiUvKkhL_yg0dOd8ueVBWhoMJBoSVTAifc not found

Additional Context

I tried looking for information about the authority cache mentioned in the error message, but couldn't find anything in the issues/docs.

I also tried rekeying a provisioner on a long-running step-ca instance but got the same result (though that instance is still on 0.23.2, so it's a little behind).

I'm happy to provide additional details if needed.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).