diff --git a/challenge/challenge.go b/challenge/challenge.go
index d1b0ee4..c5cd56d 100644
--- a/challenge/challenge.go
+++ b/challenge/challenge.go
@@ -10,14 +10,21 @@ import (
 	scepserver "github.com/micromdm/scep/v2/server"
 )
 
+// Validator validates challenge passwords.
+type Validator interface {
+	// HasChallenge validates pw as valid.
+	HasChallenge(pw string) (bool, error)
+}
+
 // Store is a dynamic challenge password cache.
 type Store interface {
+	// SCEPChallenge generates a new challenge password.
 	SCEPChallenge() (string, error)
-	HasChallenge(pw string) (bool, error)
+	Validator
 }
 
-// Middleware wraps next in a CSRSigner that verifies and invalidates the challenge
-func Middleware(store Store, next scepserver.CSRSignerContext) scepserver.CSRSignerContextFunc {
+// Middleware wraps next in a CSRSigner that verifies and invalidates the challenge.
+func Middleware(store Validator, next scepserver.CSRSignerContext) scepserver.CSRSignerContextFunc {
 	return func(ctx context.Context, m *scep.CSRReqMessage) (*x509.Certificate, error) {
 		// TODO: compare challenge only for PKCSReq?
 		valid, err := store.HasChallenge(m.ChallengePassword)
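Review bot: The doc comment on the new Validator.HasChallenge method, `// HasChallenge validates pw as valid.`, restates the name and leaves the security-relevant contract unstated, even though Middleware's own comment says it "verifies and invalidates the challenge" and now depends solely on this interface for that guarantee. Since Validator is the narrowed type Middleware accepts, any implementation that merely checks membership without consuming the password would silently turn the challenge into a reusable credential; the interface is the place to pin that down. Suggested wording: `// HasChallenge reports whether pw is a currently valid challenge password. Implementations are expected to consume (invalidate) pw on a successful match so that each challenge is usable once, which Middleware relies on; a non-nil error indicates a lookup failure, not an invalid password.` Whether the visible implementations already behave this way cannot be confirmed from the hunk, and the body of Middleware continues outside it.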