diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3ed83ad9..53e79241 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,7 +47,7 @@ jobs:
           prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 
   goreleaser:
-    name: Upload Assets to Github w/ goreleaser
+    name: Upload Assets to GitHub w/ goreleaser
     runs-on: ubuntu-latest
     needs: create_release
     steps:
@@ -80,7 +80,7 @@ jobs:
           version: 'latest'
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.PAT }}
+          GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
           COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
           RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
 
@@ -174,20 +174,20 @@ jobs:
         uses: actions/checkout@master
         with:
           repository: smallstep/docs
-          token: ${{ secrets.PAT }}
+          token: ${{ secrets.DOCS_PAT }}
           path: './docs'
       - name: Update Reference
-        id: update_refrence
+        id: update_reference
         run: |
           ./bin/step help --markdown ./docs/src/pages/docs/step-cli/reference
           cd ./docs
           git config user.email "eng@smallstep.com"
-          git config user.name "Github Action CI"
+          git config user.name "GitHub Action CI"
           git add . && git commit -a -m "step-cli ${{ needs.create_release.outputs.vversion }} reference update"
       - name: Push changes
         uses: ad-m/github-push-action@v0.6.0
         with:
-          github_token: ${{ secrets.PAT }}
+          github_token: ${{ secrets.DOCS_PAT }}
           branch: 'main'
           directory: './docs'
           repository: 'smallstep/docs'
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 9da5b2c9..a3c907df 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -169,7 +169,7 @@ release:
     - 📦 [step-cli_{{ .Version }}_amd64.deb](https://dl.step.sm/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ .Version }}_amd64.deb)
     - 📦 [step-cli_{{ .Version }}_amd64.rpm](https://dl.step.sm/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ .Version }}_amd64.rpm)
 
-    #### OSX Darwin
+    #### macOS Darwin
 
     - 📦 [step_darwin_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/cli/gh-release-header/{{ .Tag }}/step_darwin_{{ .Version }}_amd64.tar.gz)
     - 📦 [step_darwin_{{ .Version }}_arm64.tar.gz](https://dl.step.sm/gh-release/cli/gh-release-header/{{ .Tag }}/step_darwin_{{ .Version }}_arm64.tar.gz)
@@ -212,7 +212,7 @@ release:
   # Defaults to false.
   #disable: true
 
-  # You can add extra pre-existing files to the release.
+  # You can add extra preexisting files to the release.
   # The filename on the release will be the last part of the path (base). If
   # another file with the same name exists, the latest one found will be used.
   # Defaults to empty.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a457be1c..d12cd1de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -163,11 +163,11 @@ to the value of provisioner-password-file flag.
 
 ## [0.0.2]
 ### Added
-- `--bundle` flag to cert/inspect for inpecting all the full chain or bundle
+- `--bundle` flag to cert/inspect for inspecting all the full chain or bundle
 given a path. Default behavior is unchanged; only inspect the first (leaf)
 certificate.
 - distribution.md with documentation on how to create releases.
-- travis build and upload artifacts to Github Releases on tagged pushes.
+- travis build and upload artifacts to GitHub Releases on tagged pushes.
 - logging of invalid http requests to the oauth server
 ### Changed
 - default PEM format encryption alg AES128 -> AES256
diff --git a/Makefile b/Makefile
index 8a06f975..e8e4cac9 100644
--- a/Makefile
+++ b/Makefile
@@ -91,7 +91,7 @@ define BUNDLE
 	# $(2) -- Binary Output Dir Name
 	# $(3) -- Step Platform Name
 	# $(4) -- Step Binary Architecture
-	# $(5) -- Step Binary Name (For Windows Comaptibility)
+	# $(5) -- Step Binary Name (For Windows Compatibility)
 	$(q) ./make/bundle.sh $(1) "$(BINARY_OUTPUT)$(2)" "$(RELEASE)" "$(VERSION)" "$(3)" "$(4)" "$(5)"
 endef
 
diff --git a/README.md b/README.md
index dc885239..09f2921d 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ Step CLI's command groups illustrate its wide-ranging uses:
 
 - [`step certificate`](https://smallstep.com/docs/step-cli/reference/certificate/): Work with X.509 (TLS/HTTPS) certificates.
   - Create, revoke, validate, lint, and bundle X.509 certificates.
-  - Install (and remove) X.509 certificates into your system's (and brower's) trust store.
+  - Install (and remove) X.509 certificates into your system's (and browser's) trust store.
   - Validate certificate deployment and renewal status for automation
   - Create key pairs (RSA, ECDSA, EdDSA) and certificate signing requests (CSRs)
   - [Sign CSRs](https://smallstep.com/docs/step-cli/reference/certificate/sign/)
diff --git a/autocomplete/README.md b/autocomplete/README.md
index 4a1caca2..dcf3292a 100644
--- a/autocomplete/README.md
+++ b/autocomplete/README.md
@@ -1,2 +1,2 @@
 ## Deprecated
-The files in this folder are deprecated and will be removed in the future. The prefered way to acces the completion scripts is through `step completion <shell>`.
+The files in this folder are deprecated and will be removed in the future. The prefered way to access the completion scripts is through `step completion <shell>`.
diff --git a/command/README.md b/command/README.md
index be2fa3ce..57945372 100644
--- a/command/README.md
+++ b/command/README.md
@@ -79,8 +79,8 @@ required, and ensuring they're printed out as a part of the `step help` or
 `step <command> -h` flow. If you need to add a different type of annotation to
 document an argument just add it to the `usage.Argument` struct!
 
-When you add a flag, look into the pre-existing ones inside the `flags`
-package. Could you use one of the pre-existing flags in order to reduce
+When you add a flag, look into the preexisting ones inside the `flags`
+package. Could you use one of the preexisting flags in order to reduce
 duplication? If not, make sure to add a flag so it could be used in future!
 
 The `errs` package contains functionality for defining and working with errors
diff --git a/command/base64/base64.go b/command/base64/base64.go
index 5bc8ddb2..17e7495f 100644
--- a/command/base64/base64.go
+++ b/command/base64/base64.go
@@ -53,7 +53,7 @@ YWJjMTIzJCVeJiooKV8rLT1-Cg==
 '''
 
 Decode an url encoded base64 string. The encoding type can be enforced
-using the '-u' or '-r' flags, but it will be autodetected if they are not
+using the '-u' or '-r' flags, but it will be auto-detected if they are not
 passed:
 '''
 $ echo YWJjMTIzJCVeJiooKV8rLT1-Cg== | step base64 -d
diff --git a/command/ca/ca.go b/command/ca/ca.go
index dc2d1625..df2da3fc 100644
--- a/command/ca/ca.go
+++ b/command/ca/ca.go
@@ -74,7 +74,7 @@ $ step ca renew internal.crt internal.key \
 			revokeCertificateCommand(),
 			provisioner.Command(),
 			signCertificateCommand(),
-			rootComand(),
+			rootCommand(),
 			rootsCommand(),
 			federationCommand(),
 			acme.Command(),
diff --git a/command/ca/provisioner/caConfigClient.go b/command/ca/provisioner/caConfigClient.go
index 6825d9fa..195d02ff 100644
--- a/command/ca/provisioner/caConfigClient.go
+++ b/command/ca/provisioner/caConfigClient.go
@@ -12,7 +12,7 @@ import (
 	"go.step.sm/linkedca"
 )
 
-// nodb implements the certificates/Admiclient interface with noops.
+// nodb implements the certificates/Adminclient interface with noops.
 type nodb struct{}
 
 func newNoDB() *nodb {
@@ -179,7 +179,7 @@ func (client *caConfigClient) loadProvisioner(opts ...ca.ProvisionerOption) (pro
 		return nil, errors.New("provisioner options must define either ID or Name to remove")
 	}
 
-	return prov, errors.Wrapf(err, "erorr loading provisioner")
+	return prov, errors.Wrapf(err, "error loading provisioner")
 }
 
 func (client *caConfigClient) GetProvisioners(opts ...ca.ProvisionerOption) (provisioner.List, error) {
diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
index ed2fdabc..da2d1491 100644
--- a/command/ca/provisioner/provisioner.go
+++ b/command/ca/provisioner/provisioner.go
@@ -578,7 +578,7 @@ Use the '--remove-domain' flag multiple times to remove multiple domains.`,
 	}
 	oidcGroupFlag = cli.StringSliceFlag{
 		Name: "group",
-		Usage: `The <group> list used to validate the groups extenstion in an OpenID Connect token.
+		Usage: `The <group> list used to validate the groups extension in an OpenID Connect token.
 Use the '--group' flag multiple times to configure multiple groups.`,
 	}
 	oidcTenantIDFlag = cli.StringFlag{
diff --git a/command/ca/rekey.go b/command/ca/rekey.go
index 313892fe..dfb9b9e9 100644
--- a/command/ca/rekey.go
+++ b/command/ca/rekey.go
@@ -165,7 +165,7 @@ flag.`,
 			cli.StringFlag{
 				Name: "pid-file",
 				Usage: `The <file> from which to read the process id that will be signaled after the certificate
-has been rekeyed. By default the the SIGHUP (1) signal will be used, but this can be configured with the **--signal**
+has been rekeyed. By default the SIGHUP (1) signal will be used, but this can be configured with the **--signal**
 flag.`,
 			},
 			cli.IntFlag{
diff --git a/command/ca/renew.go b/command/ca/renew.go
index 50b8d095..d4903499 100644
--- a/command/ca/renew.go
+++ b/command/ca/renew.go
@@ -177,7 +177,7 @@ flag.`,
 			cli.StringFlag{
 				Name: "pid-file",
 				Usage: `The <file> from which to read the process id that will be signaled after the certificate
-has been renewed. By default the the SIGHUP (1) signal will be used, but this can be configured with the **--signal**
+has been renewed. By default the SIGHUP (1) signal will be used, but this can be configured with the **--signal**
 flag.`,
 			},
 			cli.IntFlag{
diff --git a/command/ca/revoke.go b/command/ca/revoke.go
index c758089b..1cbb1fe8 100644
--- a/command/ca/revoke.go
+++ b/command/ca/revoke.go
@@ -126,7 +126,7 @@ $ step ca revoke --offline 308893286343609293989051180431574390766
 '''
 
 Revoke a certificate in offline mode using --cert and --key (the cert/key pair
-will be validated against the root and intermediate certifcates configured in
+will be validated against the root and intermediate certificates configured in
 the step CA):
 '''
 $ step ca revoke --offline --cert foo.crt --key foo.key
diff --git a/command/ca/root.go b/command/ca/root.go
index 9d3f877f..9e1ca03c 100644
--- a/command/ca/root.go
+++ b/command/ca/root.go
@@ -16,7 +16,7 @@ import (
 	"go.step.sm/crypto/pemutil"
 )
 
-func rootComand() cli.Command {
+func rootCommand() cli.Command {
 	return cli.Command{
 		Name:   "root",
 		Action: command.ActionFunc(rootAction),
diff --git a/command/certificate/bundle.go b/command/certificate/bundle.go
index f1053396..a6d06235 100644
--- a/command/certificate/bundle.go
+++ b/command/certificate/bundle.go
@@ -28,7 +28,7 @@ func bundleCommand() cli.Command {
 : The path to a leaf certificate to bundle with issuing certificate(s).
 
 <ca>
-: The path to the Certificate Authority issusing certificate.
+: The path to the Certificate Authority issuing certificate.
 
 <bundle-file>
 : The path to write the bundle.
diff --git a/command/certificate/install.go b/command/certificate/install.go
index f35b6115..c8cfdbcd 100644
--- a/command/certificate/install.go
+++ b/command/certificate/install.go
@@ -43,17 +43,17 @@ Install a certificate in all the supported truststores:
 $ step certificate install --all root-ca.pem
 '''
 
-Install a certificate in Firefox and the system trustore:
+Install a certificate in Firefox and the system truststore:
 '''
 $ step certificate install --firefox root--ca.pem
 '''
 
-Install a certificate in Java and the system trustore:
+Install a certificate in Java and the system truststore:
 '''
 $ step certificate install --java root-ca.pem
 '''
 
-Install a certificate in Firefox, Java, but not in the system trustore:
+Install a certificate in Firefox, Java, but not in the system truststore:
 '''
 $ step certificate install --firefox --java --no-system root-ca.pem
 '''`,
@@ -113,12 +113,12 @@ Uninstall a certificate from all the supported truststores:
 $ step certificate uninstall --all root-ca.pem
 '''
 
-Uninstall a certificate from Firefox and the system trustore:
+Uninstall a certificate from Firefox and the system truststore:
 '''
 $ step certificate uninstall --firefox root--ca.pem
 '''
 
-Uninstall a certificate infrom Java and the system trustore:
+Uninstall a certificate from Java and the system truststore:
 '''
 $ step certificate uninstall --java root-ca.pem
 '''
diff --git a/command/certificate/p12.go b/command/certificate/p12.go
index 04fbde4b..68c45b24 100644
--- a/command/certificate/p12.go
+++ b/command/certificate/p12.go
@@ -147,7 +147,7 @@ func p12Action(ctx *cli.Context) error {
 
 		// The first certificate in the bundle will be our server cert
 		x509Cert := x509CertBundle[0]
-		// Any remaning certs will be intermediates for the server
+		// Any remaining certs will be intermediates for the server
 		x509CAs = append(x509CAs, x509CertBundle[1:]...)
 
 		pkcs12Data, err = pkcs12.Encode(rand.Reader, key, x509Cert, x509CAs, password)
diff --git a/command/certificate/remote.go b/command/certificate/remote.go
index 2e95abb1..211de504 100644
--- a/command/certificate/remote.go
+++ b/command/certificate/remote.go
@@ -71,7 +71,7 @@ func getPeerCertificates(addr, serverName, roots string, insecure bool) ([]*x509
 // by the URL prefix is used.
 //
 // Examples:
-// trimURL("https://smallstep.com/onbaording") -> "smallstep.com:443", true, nil
+// trimURL("https://smallstep.com/onboarding") -> "smallstep.com:443", true, nil
 // trimURL("https://ca.smallSTEP.com:8080") -> "ca.smallSTEP.com:8080", true, nil
 // trimURL("./certs/root_ca.crt") -> "", false, nil
 // trimURL("hTtPs://sMaLlStEp.cOm") -> "sMaLlStEp.cOm:443", true, nil
diff --git a/command/crl/inspect.go b/command/crl/inspect.go
index 7e873ea4..e9e15c9c 100644
--- a/command/crl/inspect.go
+++ b/command/crl/inspect.go
@@ -266,7 +266,7 @@ func inspectAction(ctx *cli.Context) error {
 type CRL struct {
 	Version             int                  `json:"version"`
 	SignatureAlgorithm  SignatureAlgorithm   `json:"signature_algorithm"`
-	Issuer              DistinguisedName     `json:"issuer"`
+	Issuer              DistinguishedName    `json:"issuer"`
 	ThisUpdate          time.Time            `json:"this_update"`
 	NextUpdate          time.Time            `json:"next_update"`
 	RevokedCertificates []RevokedCertificate `json:"revoked_certificates"`
@@ -417,8 +417,8 @@ type Signature struct {
 	Reason             string             `json:"reason,omitempty"`
 }
 
-// DistinguisedName is the JSON representation of the CRL issuer.
-type DistinguisedName struct {
+// DistinguishedName is the JSON representation of the CRL issuer.
+type DistinguishedName struct {
 	Country            []string                 `json:"country,omitempty"`
 	Organization       []string                 `json:"organization,omitempty"`
 	OrganizationalUnit []string                 `json:"organizational_unit,omitempty"`
@@ -433,7 +433,7 @@ type DistinguisedName struct {
 }
 
 // String returns the one line representation of the distinguished name.
-func (d DistinguisedName) String() string {
+func (d DistinguishedName) String() string {
 	var parts []string
 	for _, dn := range d.raw {
 		v := strings.ReplaceAll(pkix.RDNSequence{dn}.String(), "\\,", ",")
@@ -442,7 +442,7 @@ func (d DistinguisedName) String() string {
 	return strings.Join(parts, " ")
 }
 
-func newDistinguishedName(seq pkix.RDNSequence) DistinguisedName {
+func newDistinguishedName(seq pkix.RDNSequence) DistinguishedName {
 	var n pkix.Name
 	n.FillFromRDNSequence(&seq)
 
@@ -463,7 +463,7 @@ func newDistinguishedName(seq pkix.RDNSequence) DistinguisedName {
 		}
 	}
 
-	return DistinguisedName{
+	return DistinguishedName{
 		Country:            n.Country,
 		Organization:       n.Organization,
 		OrganizationalUnit: n.OrganizationalUnit,
diff --git a/command/crypto/crypto.go b/command/crypto/crypto.go
index f4123fcb..5ce64124 100644
--- a/command/crypto/crypto.go
+++ b/command/crypto/crypto.go
@@ -74,7 +74,7 @@ risks. That said, many of these factors are beyond the scope of this tool.
    compared to RSA. The strength of these keys is generally considered sufficient
    for the predictable and foreseeable future.
 
-:  Note that for cryptographic protocols that have perfect forward secrecry and
+:  Note that for cryptographic protocols that have perfect forward secrecy and
    only use asymmetric keys for symmetric key negotiation your system will remain
    secure against future threats as long as the keys are large enough that they
    cannot be cracked today. In other words, sizing your keys to protect against
@@ -111,7 +111,7 @@ risks. That said, many of these factors are beyond the scope of this tool.
    opted not to gate non-safe curves**. We've further elected to make **P-256**
    the default curve for EC keys.
 
-:  Still, it is important to be aware of the security risks assocated with their
+:  Still, it is important to be aware of the security risks associated with their
    risk. You should consider using "safe curves" if possible. We may change our
    mind as support for safe curves improves.
 
diff --git a/command/crypto/jwe/encrypt.go b/command/crypto/jwe/encrypt.go
index 0beaa6db..15297ec2 100644
--- a/command/crypto/jwe/encrypt.go
+++ b/command/crypto/jwe/encrypt.go
@@ -72,13 +72,13 @@ options must match unless the **--subtle** flag is also passed.
     :  ECDH-ES using Concat KDF and CEK wrapped with "A256KW
 
     **A128GCMKW**
-    :  Key wrappiung with AES GCM using 128-bit key
+    :  Key wrapping with AES GCM using 128-bit key
 
     **A192GCMKW**
-    :  Key wrappiung with AES GCM using 192-bit key
+    :  Key wrapping with AES GCM using 192-bit key
 
     **A256GCMKW** (default for oct keys)
-    :  Key wrappiung with AES GCM using 256-bit key
+    :  Key wrapping with AES GCM using 256-bit key
 
     **PBES2-HS256+A128KW**
     :  PBES2 with HMAC SHA-256 and "A128KW" wrapping
diff --git a/command/crypto/jwe/jwe.go b/command/crypto/jwe/jwe.go
index ec0ffe15..1a317e8a 100644
--- a/command/crypto/jwe/jwe.go
+++ b/command/crypto/jwe/jwe.go
@@ -39,7 +39,7 @@ parts:
 * Ciphertext: the ciphertext value resulting produced from authenticated
   encryption of the plaintext with additional authenticated data
 
-* Authentication Tag: value resulting fromthe authenticated encryption of
+* Authentication Tag: value resulting from the authenticated encryption of
   the plaintext with additional authenticated data
 
 ## What's with encrypted key?
diff --git a/command/crypto/jwk/create.go b/command/crypto/jwk/create.go
index f676be82..7fa8e0d0 100644
--- a/command/crypto/jwk/create.go
+++ b/command/crypto/jwk/create.go
@@ -21,7 +21,7 @@ import (
 const (
 	// 128-bit salt
 	pbkdf2SaltSize = 16
-	// 100k iterations. Nist recommends at least 10k, 1Passsword uses 100k.
+	// 100k iterations. Nist recommends at least 10k, 1Password uses 100k.
 	pbkdf2Iterations = 100000
 )
 
@@ -47,7 +47,7 @@ All flags are optional. Defaults are suitable for most use cases.
 ## POSITIONAL ARGUMENTS
 
 <public-jwk-file>
-:  Path to which the the public JWK should be written
+:  Path to which the public JWK should be written
 
 <private-jwk-file>
 :  Path to which the (JWE encrypted) private JWK should be written
diff --git a/command/crypto/jwk/jwk.go b/command/crypto/jwk/jwk.go
index 3f9c385b..a0c05091 100644
--- a/command/crypto/jwk/jwk.go
+++ b/command/crypto/jwk/jwk.go
@@ -19,7 +19,7 @@ JWK Set is a JSON object with a "keys" member whose value is an array of JWKs.
 Cryptographic algorithms and identifiers for used by JWKs are defined by the
 JSON Web Algorithms (JWA) specification in RFC7518. This tool also supports
 extensions defined in standards track RFC8037 defining curve and algorithm
-identifiers for Edwards-curve Digial Signatures.
+identifiers for Edwards-curve Digital Signatures.
 
 JWKs and JWK Sets are used in the JSON Web Signature (JWS; RFC7515) and JSON
 Web Encryption (JWE; RFC7516) specifications for signing and encrypting JSON
diff --git a/command/crypto/jwt/jwt.go b/command/crypto/jwt/jwt.go
index d3892a06..992c264f 100644
--- a/command/crypto/jwt/jwt.go
+++ b/command/crypto/jwt/jwt.go
@@ -55,7 +55,7 @@ eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tIiwiZXhwIjoxNTM1MjQyNDcyLCJpYXQiOjE1MzI1NjQw
 DlSkxICjk2h1LarwJgXPbXQe7DwpLMOCvWp3I4GMcBP_5_QYPhVNBPQEeTKAUuQjYwlxZ5zVQnyp8ujvyf1Lqw
 '''
 
-Verify the the previous token:
+Verify the previous token:
 '''
 $ echo $TOKEN | step crypto jwt verify --key p256.pub.json --iss "joe@example.com" --aud "https://example.com"
 {
diff --git a/command/crypto/jwt/verify.go b/command/crypto/jwt/verify.go
index 996e668c..3ed71080 100644
--- a/command/crypto/jwt/verify.go
+++ b/command/crypto/jwt/verify.go
@@ -146,7 +146,7 @@ func verifyAction(ctx *cli.Context) error {
 		kid = tok.Headers[0].KeyID
 	}
 
-	// Validate subtled
+	// Validate subtle
 	isSubtle := ctx.Bool("subtle")
 	iss := ctx.String("iss")
 	aud := ctx.String("aud")
@@ -263,7 +263,7 @@ func validateClaimsWithLeeway(ctx *cli.Context, c jose.Claims, e jose.Expected,
 
 	// we're not currently checking the subject
 	if e.Subject != "" && e.Subject != c.Subject {
-		ers = append(ers, "invalid subject subject (sub)")
+		ers = append(ers, "invalid subject (sub)")
 	}
 
 	// we're not currently checking the id
diff --git a/command/crypto/key/format.go b/command/crypto/key/format.go
index b91ae8bc..f22a1cd8 100644
--- a/command/crypto/key/format.go
+++ b/command/crypto/key/format.go
@@ -325,7 +325,7 @@ func parseJWK(ctx *cli.Context, b []byte) (interface{}, error) {
 	// Parse decrypted key
 	var jwk jose.JSONWebKey
 	if err := json.Unmarshal(b, &jwk); err != nil {
-		return nil, errors.Wrap(err, "error unmarshalling key")
+		return nil, errors.Wrap(err, "error unmarshaling key")
 	}
 	if jwk.Key == nil {
 		return nil, errors.New("error parsing key: not found")
diff --git a/command/crypto/nacl/box.go b/command/crypto/nacl/box.go
index 65748a18..1b5ae7ab 100644
--- a/command/crypto/nacl/box.go
+++ b/command/crypto/nacl/box.go
@@ -286,7 +286,7 @@ func boxOpenAction(ctx *cli.Context) error {
 	copy(pb[:], pub)
 	copy(pv[:], priv)
 
-	// Fixme: if we prepend the nonce in the seal we can use use rawInput[24:]
+	// Fixme: if we prepend the nonce in the seal we can use rawInput[24:]
 	// as the message and rawInput[:24] as the nonce instead of requiring one.
 	raw, ok := box.Open(nil, rawInput, &n, &pb, &pv)
 	if !ok {
diff --git a/command/crypto/nacl/secretbox.go b/command/crypto/nacl/secretbox.go
index ff8fc853..ec858913 100644
--- a/command/crypto/nacl/secretbox.go
+++ b/command/crypto/nacl/secretbox.go
@@ -188,7 +188,7 @@ func secretboxOpenAction(ctx *cli.Context) error {
 	copy(n[:], nonce)
 	copy(k[:], key)
 
-	// Fixme: if we prepend the nonce in the seal we can use use rawInput[24:]
+	// Fixme: if we prepend the nonce in the seal we can use rawInput[24:]
 	// as the message and rawInput[:24] as the nonce instead of requiring one.
 	raw, ok := secretbox.Open(nil, rawInput, &n, &k)
 	if !ok {
diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
index 3d9f2f26..621a8385 100644
--- a/command/oauth/cmd.go
+++ b/command/oauth/cmd.go
@@ -857,7 +857,7 @@ func (o *oauth) DoDeviceAuthorization() (*token, error) {
 
 	var idr identifyDeviceResponse
 	if err := json.NewDecoder(bytes.NewReader(b)).Decode(&idr); err != nil {
-		return nil, errors.Wrap(err, "failure decoding device authz response to JWON")
+		return nil, errors.Wrap(err, "failure decoding device authz response to JSON")
 	}
 
 	switch {
diff --git a/command/ssh/certificate.go b/command/ssh/certificate.go
index c707a313..477d9189 100644
--- a/command/ssh/certificate.go
+++ b/command/ssh/certificate.go
@@ -33,7 +33,7 @@ func certificateCommand() cli.Command {
 	return cli.Command{
 		Name:   "certificate",
 		Action: command.ActionFunc(certificateAction),
-		Usage:  "sign a SSH certificate using the the SSH CA",
+		Usage:  "sign a SSH certificate using the SSH CA",
 		UsageText: `**step ssh certificate** <key-id> <key-file>
 [**--host**] [--**host-id**] [**--sign**] [**--principal**=<string>]
 [**--password-file**=<file>] [**--provisioner-password-file**=<file>]
diff --git a/command/ssh/rekey.go b/command/ssh/rekey.go
index 521993ab..d8ed9277 100644
--- a/command/ssh/rekey.go
+++ b/command/ssh/rekey.go
@@ -30,7 +30,7 @@ func rekeyCommand() cli.Command {
 [**--offline**] [**--ca-config**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
 [**--context**=<name>]`,
 		Description: `**step ssh rekey** command generates a new SSH Certificate and key using
-an existing SSH Cerfificate and key pair to authenticate and templatize the
+an existing SSH Certificate and key pair to authenticate and templatize the
 request. It writes the new certificate to disk - either overwriting
 <ssh-cert> or using new files when the **--out**=<file> flag is used.
 
diff --git a/command/ssh/renew.go b/command/ssh/renew.go
index 3ca5572f..36c95feb 100644
--- a/command/ssh/renew.go
+++ b/command/ssh/renew.go
@@ -28,7 +28,7 @@ func renewCommand() cli.Command {
 [**--issuer**=<name>] [**--password-file**=<file>] [**--force**] [**--offline**]
 [**--ca-config**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
 [**--context**=<name>]`,
-		Description: `**step ssh renew** command renews an SSH Host Cerfificate
+		Description: `**step ssh renew** command renews an SSH Host Certificate
 using [step certificates](https://github.com/smallstep/certificates).
 It writes the new certificate to disk - either overwriting <ssh-cert> or
 using a new file when the **--out**=<file> flag is used. This command cannot
diff --git a/command/ssh/revoke.go b/command/ssh/revoke.go
index 0077ffe5..251d285e 100644
--- a/command/ssh/revoke.go
+++ b/command/ssh/revoke.go
@@ -30,7 +30,7 @@ func revokeCommand() cli.Command {
 [**--offline**] [**--ca-config**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
 [**--context**=<name>]`,
 
-		Description: `**step ssh revoke** command revokes an SSH Cerfificate
+		Description: `**step ssh revoke** command revokes an SSH Certificate
 using [step certificates](https://github.com/smallstep/certificates).
 
 ## POSITIONAL ARGUMENTS
diff --git a/flags/flags.go b/flags/flags.go
index 5fd5152f..af0f69cd 100644
--- a/flags/flags.go
+++ b/flags/flags.go
@@ -467,7 +467,7 @@ func ParseTimeDuration(ctx *cli.Context) (notBefore, notAfter api.TimeDuration,
 	return
 }
 
-// ParseTemplateData parses the set and and set-file flags and returns a json
+// ParseTemplateData parses the set and set-file flags and returns a json
 // message to be used in certificate templates.
 func ParseTemplateData(ctx *cli.Context) (json.RawMessage, error) {
 	data, err := GetTemplateData(ctx)
diff --git a/integration/command.go b/integration/command.go
index dbb28ed2..abdac71a 100644
--- a/integration/command.go
+++ b/integration/command.go
@@ -54,7 +54,7 @@ func WithStdin(command string, r io.Reader) ([]byte, error) {
 	return cmd.Output()
 }
 
-// CLICommand repreents a command-line command to execute.
+// CLICommand represents a command-line command to execute.
 type CLICommand struct {
 	command   string
 	arguments string
diff --git a/integration/jwk_test.go b/integration/jwk_test.go
index 6f12d638..4cc1cfc9 100644
--- a/integration/jwk_test.go
+++ b/integration/jwk_test.go
@@ -236,7 +236,7 @@ func (j JWKTest) checkPubPriv(t *testing.T, m map[string]interface{}) {
 		}
 
 		k, ok := m["k"]
-		assert.True(t, ok, "JWK with \"kty\" of \"oct\" should have \"k\" paramater (key)")
+		assert.True(t, ok, "JWK with \"kty\" of \"oct\" should have \"k\" parameter (key)")
 
 		// Check `k` is correct size
 		checkSizeBytes(k.(string), 32)
diff --git a/integration/jwt_test.go b/integration/jwt_test.go
index aa418a66..62aed5b4 100644
--- a/integration/jwt_test.go
+++ b/integration/jwt_test.go
@@ -110,7 +110,7 @@ func (j JWTSignTest) test(t *testing.T, name string) string {
 	var jwt string
 	t.Run(name, func(t *testing.T) {
 		// Beware. This is fragile as hell. Ugh. If the output or prompt for the
-		// jwt sign cubcommand changes this will need to change too.
+		// jwt sign subcommand changes this will need to change too.
 		if j.jwk.password != "" {
 			cmd, err := gexpect.Spawn(j.command.cmd())
 			assert.FatalError(t, err)
@@ -694,7 +694,7 @@ func TestCryptoJWT(t *testing.T) {
 			jwt = mkossljwt(t, `{"typ": "JWT", "alg": "RS384"}`, `{"iss": "foo", "sub": "bar"}`, fmt.Sprintf("<(echo -en %q)", pem))
 			tst.verify.setFlag("iss", "foo").setFlag("aud", "bar").setFlag("alg", "RS384").fail(t, "wrong-alg", jwt, "alg RS384 does not match the alg on testdata-tmp/jwt-jwk-RSA-pub.json\n")
 
-			// We don't currently support JSON Serialization, Flattened JSON Serialzation, or multiple signatures
+			// We don't currently support JSON Serialization, Flattened JSON Serialization, or multiple signatures
 			// TODO: Right now these are parse failures. They should probably parse correctly and give more helpful error messages.
 			vtst := NewJWTVerifyTest(JWK{"testdata/rsa2048.pub", "testdata/rsa2048.pem", "", true, false}).setFlag("iss", "foo").setFlag("aud", "bar").setFlag("alg", "RS256")
 			jwtb, _ := os.ReadFile("testdata/jwt-json-serialization.json")
@@ -713,7 +713,7 @@ func TestCryptoJWT(t *testing.T) {
 			t.Run("nbf", func(t *testing.T) {
 				tst := mkjwt(jwkec)
 				jwt := tst.nbf(extraTime).sign.test(t, "sign")
-				tst.verify.fail(t, "verify-tosoon", jwt, "validation failed: token not valid yet (nbf)\n")
+				tst.verify.fail(t, "verify-too-soon", jwt, "validation failed: token not valid yet (nbf)\n")
 				time.Sleep(extraTime)
 				tst.verify.test(t, "verify-succeed", jwt)
 				if t.Failed() {
diff --git a/internal/kdf/scrypt.go b/internal/kdf/scrypt.go
index 23830a59..1a414142 100644
--- a/internal/kdf/scrypt.go
+++ b/internal/kdf/scrypt.go
@@ -16,7 +16,7 @@ const (
 )
 
 var (
-	// ScryptMaxCost the the maximum value for ln. Maximum is set to avoid
+	// ScryptMaxCost the maximum value for ln. Maximum is set to avoid
 	// panics due to not enough memory errors. Memory used is ~4*32*(2^ln)*r
 	// bytes.
 	ScryptMaxCost = 20
diff --git a/internal/sshutil/sshutil.go b/internal/sshutil/sshutil.go
index 1d5d59d6..e4fe467b 100644
--- a/internal/sshutil/sshutil.go
+++ b/internal/sshutil/sshutil.go
@@ -139,7 +139,7 @@ func parseDSA(in []byte) (*dsa.PublicKey, error) {
 		Rest       []byte `ssh:"rest"`
 	}
 	if err := ssh.Unmarshal(in, &w); err != nil {
-		return nil, errors.Wrap(err, "error unmarshalling public key")
+		return nil, errors.Wrap(err, "error unmarshaling public key")
 	}
 
 	param := dsa.Parameters{
@@ -161,7 +161,7 @@ func parseRSA(in []byte) (*rsa.PublicKey, error) {
 		Rest []byte `ssh:"rest"`
 	}
 	if err := ssh.Unmarshal(in, &w); err != nil {
-		return nil, errors.Wrap(err, "error unmarshalling public key")
+		return nil, errors.Wrap(err, "error unmarshaling public key")
 	}
 	if w.E.BitLen() > 24 {
 		return nil, errors.New("invalid public key: exponent too large")
@@ -186,7 +186,7 @@ func parseECDSA(in []byte) (*ecdsa.PublicKey, error) {
 	}
 
 	if err := ssh.Unmarshal(in, &w); err != nil {
-		return nil, errors.Wrap(err, "error unmarshalling public key")
+		return nil, errors.Wrap(err, "error unmarshaling public key")
 	}
 
 	key := new(ecdsa.PublicKey)
@@ -217,7 +217,7 @@ func parseED25519(in []byte) (ed25519.PublicKey, error) {
 	}
 
 	if err := ssh.Unmarshal(in, &w); err != nil {
-		return nil, errors.Wrap(err, "error unmarshalling public key")
+		return nil, errors.Wrap(err, "error unmarshaling public key")
 	}
 
 	return ed25519.PublicKey(w.KeyBytes), nil
diff --git a/pkg/blackfriday/README.md b/pkg/blackfriday/README.md
index 2e0db355..78c4e2b8 100644
--- a/pkg/blackfriday/README.md
+++ b/pkg/blackfriday/README.md
@@ -163,7 +163,7 @@ Extensions
 In addition to the standard markdown syntax, this package
 implements the following extensions:
 
-*   **Intra-word emphasis supression**. The `_` character is
+*   **Intra-word emphasis suppression**. The `_` character is
     commonly used inside words when discussing code, so having
     markdown interpret it as an emphasis command is usually the
     wrong thing. Blackfriday lets you treat all emphasis markers as
@@ -233,7 +233,7 @@ implements the following extensions:
 
 *   **Smart fractions**, where anything that looks like a fraction
     is translated into suitable HTML (instead of just a few special
-    cases like most smartypant processors). For example, `4/5`
+    cases like most smartypants processors). For example, `4/5`
     becomes `<sup>4</sup>&frasl;<sub>5</sub>`, which renders as
     <sup>4</sup>&frasl;<sub>5</sub>.
 
diff --git a/pkg/blackfriday/block_test.go b/pkg/blackfriday/block_test.go
index 0a2a4d84..59efdcfe 100644
--- a/pkg/blackfriday/block_test.go
+++ b/pkg/blackfriday/block_test.go
@@ -733,8 +733,8 @@ func TestOrderedList(t *testing.T) {
 		"1. List\n\n          code block with spaces\n",
 		"<ol>\n<li><p>List</p>\n\n<pre><code>  code block with spaces\n</code></pre></li>\n</ol>\n",
 
-		"1. List\n    * Mixted list\n",
-		"<ol>\n<li>List\n\n<ul>\n<li>Mixted list</li>\n</ul></li>\n</ol>\n",
+		"1. List\n    * Mixed list\n",
+		"<ol>\n<li>List\n\n<ul>\n<li>Mixed list</li>\n</ul></li>\n</ol>\n",
 
 		"1. List\n * Mixed list\n",
 		"<ol>\n<li>List\n\n<ul>\n<li>Mixed list</li>\n</ul></li>\n</ol>\n",
@@ -876,8 +876,8 @@ func TestPreformattedHtml(t *testing.T) {
 		"<div>\nAnything here\n  </div>\n",
 		"<div>\nAnything here\n  </div>\n",
 
-		"<div>\nThis is *not* &proceessed\n</div>\n",
-		"<div>\nThis is *not* &proceessed\n</div>\n",
+		"<div>\nThis is *not* &processed\n</div>\n",
+		"<div>\nThis is *not* &processed\n</div>\n",
 
 		"<faketag>\n  Something\n</faketag>\n",
 		"<p><faketag>\n  Something\n</faketag></p>\n",
@@ -1369,8 +1369,8 @@ func TestOrderedList_EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK(t *testing.T) {
 		"1. List\n\n          code block with spaces\n",
 		"<ol>\n<li><p>List</p>\n\n<pre><code>  code block with spaces\n</code></pre></li>\n</ol>\n",
 
-		"1. List\n    * Mixted list\n",
-		"<ol>\n<li>List\n\n<ul>\n<li>Mixted list</li>\n</ul></li>\n</ol>\n",
+		"1. List\n    * Mixed list\n",
+		"<ol>\n<li>List\n\n<ul>\n<li>Mixed list</li>\n</ul></li>\n</ol>\n",
 
 		"1. List\n * Mixed list\n",
 		"<ol>\n<li>List\n\n<ul>\n<li>Mixed list</li>\n</ul></li>\n</ol>\n",
diff --git a/pkg/blackfriday/html.go b/pkg/blackfriday/html.go
index 25fb185e..37b199bb 100644
--- a/pkg/blackfriday/html.go
+++ b/pkg/blackfriday/html.go
@@ -303,7 +303,7 @@ func needSkipLink(flags HTMLFlags, dest []byte) bool {
 	return flags&Safelink != 0 && !isSafeLink(dest) && !isMailto(dest)
 }
 
-func isSmartypantable(node *Node) bool {
+func isSmartypantsable(node *Node) bool {
 	pt := node.Parent.Type
 	return pt != Link && pt != CodeBlock && pt != Code
 }
diff --git a/pkg/blackfriday/markdown.go b/pkg/blackfriday/markdown.go
index f8144217..6bc2c9ba 100644
--- a/pkg/blackfriday/markdown.go
+++ b/pkg/blackfriday/markdown.go
@@ -469,12 +469,12 @@ func (p *Markdown) parseRefsToAST() {
 // The basic format is:
 //
 //    [1]: http://www.google.com/ "Google"
-//    [2]: http://www.github.com/ "Github"
+//    [2]: http://www.github.com/ "GitHub"
 //
 // Anywhere in the document, the reference can be linked by referring to its
 // label, i.e., 1 and 2 in this example, as in:
 //
-//    This library is hosted on [Github][2], a git hosting site.
+//    This library is hosted on [GitHub][2], a git hosting site.
 //
 // Actual footnotes as specified in Pandoc and supported by some other Markdown
 // libraries such as php-markdown are also taken care of. They look like this:
diff --git a/pkg/blackfriday/ref_test.go b/pkg/blackfriday/ref_test.go
index cecf7d1c..9a63620c 100644
--- a/pkg/blackfriday/ref_test.go
+++ b/pkg/blackfriday/ref_test.go
@@ -42,7 +42,7 @@ func TestReference(t *testing.T) {
 		"Ordered and unordered lists",
 		"Strong and em together",
 		"Tabs",
-		"Tidyness",
+		"Tidiness",
 	}
 	doTestsReference(t, files, 0)
 }
@@ -70,7 +70,7 @@ func TestReference_EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK(t *testing.T) {
 		"Ordered and unordered lists",
 		"Strong and em together",
 		"Tabs",
-		"Tidyness",
+		"Tidiness",
 	}
 	doTestsReference(t, files, NoEmptyLineBeforeBlock)
 }
@@ -103,7 +103,7 @@ func BenchmarkReference(b *testing.B) {
 		"Ordered and unordered lists",
 		"Strong and em together",
 		"Tabs",
-		"Tidyness",
+		"Tidiness",
 	}
 	var tests []string
 	for _, basename := range files {
diff --git a/pkg/blackfriday/testdata/Amps and angle encoding.html b/pkg/blackfriday/testdata/Amps and angle encoding.html
index 483f8ffa..fd6eace7 100644
--- a/pkg/blackfriday/testdata/Amps and angle encoding.html	
+++ b/pkg/blackfriday/testdata/Amps and angle encoding.html	
@@ -10,7 +10,7 @@
 
 <p>Here's a <a href="http://example.com/?foo=1&amp;bar=2">link</a> with an ampersand in the URL.</p>
 
-<p>Here's a link with an amersand in the link text: <a href="http://att.com/" title="AT&amp;T">AT&amp;T</a>.</p>
+<p>Here's a link with an ampersand in the link text: <a href="http://att.com/" title="AT&amp;T">AT&amp;T</a>.</p>
 
 <p>Here's an inline <a href="/script?foo=1&amp;bar=2">link</a>.</p>
 
diff --git a/pkg/blackfriday/testdata/Amps and angle encoding.text b/pkg/blackfriday/testdata/Amps and angle encoding.text
index 0e9527f9..ec3fff80 100644
--- a/pkg/blackfriday/testdata/Amps and angle encoding.text	
+++ b/pkg/blackfriday/testdata/Amps and angle encoding.text	
@@ -10,7 +10,7 @@ This & that.
 
 Here's a [link] [1] with an ampersand in the URL.
 
-Here's a link with an amersand in the link text: [AT&T] [2].
+Here's a link with an ampersand in the link text: [AT&T] [2].
 
 Here's an inline [link](/script?foo=1&bar=2).
 
diff --git a/pkg/blackfriday/testdata/Markdown Documentation - Basics.html b/pkg/blackfriday/testdata/Markdown Documentation - Basics.html
index ea3a61c3..87ccabb5 100644
--- a/pkg/blackfriday/testdata/Markdown Documentation - Basics.html	
+++ b/pkg/blackfriday/testdata/Markdown Documentation - Basics.html	
@@ -114,7 +114,7 @@ Or, if you prefer, &lt;strong&gt;use two underscores instead&lt;/strong&gt;.&lt;
 
 <p>Unordered (bulleted) lists use asterisks, pluses, and hyphens (<code>*</code>,
 <code>+</code>, and <code>-</code>) as list markers. These three markers are
-interchangable; this:</p>
+interchangeable; this:</p>
 
 <pre><code>*   Candy.
 *   Gum.
@@ -275,7 +275,7 @@ it easy to use Markdown to write about HTML example code:</p>
 <pre><code>I strongly recommend against using any `&lt;blink&gt;` tags.
 
 I wish SmartyPants used named entities like `&amp;mdash;`
-instead of decimal-encoded entites like `&amp;#8212;`.
+instead of decimal-encoded entities like `&amp;#8212;`.
 </code></pre>
 
 <p>Output:</p>
@@ -285,7 +285,7 @@ instead of decimal-encoded entites like `&amp;#8212;`.
 
 &lt;p&gt;I wish SmartyPants used named entities like
 &lt;code&gt;&amp;amp;mdash;&lt;/code&gt; instead of decimal-encoded
-entites like &lt;code&gt;&amp;amp;#8212;&lt;/code&gt;.&lt;/p&gt;
+entities like &lt;code&gt;&amp;amp;#8212;&lt;/code&gt;.&lt;/p&gt;
 </code></pre>
 
 <p>To specify an entire block of pre-formatted code, indent every line of
diff --git a/pkg/blackfriday/testdata/Markdown Documentation - Basics.text b/pkg/blackfriday/testdata/Markdown Documentation - Basics.text
index 486055ca..b499390f 100644
--- a/pkg/blackfriday/testdata/Markdown Documentation - Basics.text	
+++ b/pkg/blackfriday/testdata/Markdown Documentation - Basics.text	
@@ -123,7 +123,7 @@ Output:
 
 Unordered (bulleted) lists use asterisks, pluses, and hyphens (`*`,
 `+`, and `-`) as list markers. These three markers are
-interchangable; this:
+interchangeable; this:
 
     *   Candy.
     *   Gum.
@@ -270,7 +270,7 @@ it easy to use Markdown to write about HTML example code:
     I strongly recommend against using any `<blink>` tags.
 
     I wish SmartyPants used named entities like `&mdash;`
-    instead of decimal-encoded entites like `&#8212;`.
+    instead of decimal-encoded entities like `&#8212;`.
 
 Output:
 
@@ -279,7 +279,7 @@ Output:
     
     <p>I wish SmartyPants used named entities like
     <code>&amp;mdash;</code> instead of decimal-encoded
-    entites like <code>&amp;#8212;</code>.</p>
+    entities like <code>&amp;#8212;</code>.</p>
 
 
 To specify an entire block of pre-formatted code, indent every line of
diff --git a/pkg/blackfriday/testdata/Markdown Documentation - Syntax.html b/pkg/blackfriday/testdata/Markdown Documentation - Syntax.html
index 6cd05fb9..3d1e1353 100644
--- a/pkg/blackfriday/testdata/Markdown Documentation - Syntax.html	
+++ b/pkg/blackfriday/testdata/Markdown Documentation - Syntax.html	
@@ -302,7 +302,7 @@ Quote Level from the Text menu.</p>
 
 <p>Markdown supports ordered (numbered) and unordered (bulleted) lists.</p>
 
-<p>Unordered lists use asterisks, pluses, and hyphens -- interchangably
+<p>Unordered lists use asterisks, pluses, and hyphens -- interchangeably
 -- as list markers:</p>
 
 <pre><code>*   Red
@@ -642,7 +642,7 @@ or tabs for padding, which tends to look better with longer URLs:</p>
 <p>Link definitions are only used for creating links during Markdown
 processing, and are stripped from your document in the HTML output.</p>
 
-<p>Link definition names may constist of letters, numbers, spaces, and punctuation -- but they are <em>not</em> case sensitive. E.g. these two links:</p>
+<p>Link definition names may consist of letters, numbers, spaces, and punctuation -- but they are <em>not</em> case sensitive. E.g. these two links:</p>
 
 <pre><code>[link text][a]
 [link text][A]
diff --git a/pkg/blackfriday/testdata/Markdown Documentation - Syntax.text b/pkg/blackfriday/testdata/Markdown Documentation - Syntax.text
index 57360a16..2fe1e3f0 100644
--- a/pkg/blackfriday/testdata/Markdown Documentation - Syntax.text	
+++ b/pkg/blackfriday/testdata/Markdown Documentation - Syntax.text	
@@ -298,7 +298,7 @@ Quote Level from the Text menu.
 
 Markdown supports ordered (numbered) and unordered (bulleted) lists.
 
-Unordered lists use asterisks, pluses, and hyphens -- interchangably
+Unordered lists use asterisks, pluses, and hyphens -- interchangeably
 -- as list markers:
 
     *   Red
@@ -608,7 +608,7 @@ or tabs for padding, which tends to look better with longer URLs:
 Link definitions are only used for creating links during Markdown
 processing, and are stripped from your document in the HTML output.
 
-Link definition names may constist of letters, numbers, spaces, and punctuation -- but they are *not* case sensitive. E.g. these two links:
+Link definition names may consist of letters, numbers, spaces, and punctuation -- but they are *not* case sensitive. E.g. these two links:
 
 	[link text][a]
 	[link text][A]
diff --git a/pkg/blackfriday/testdata/Tidyness.html b/pkg/blackfriday/testdata/Tidiness.html
similarity index 100%
rename from pkg/blackfriday/testdata/Tidyness.html
rename to pkg/blackfriday/testdata/Tidiness.html
diff --git a/pkg/blackfriday/testdata/Tidyness.text b/pkg/blackfriday/testdata/Tidiness.text
similarity index 100%
rename from pkg/blackfriday/testdata/Tidyness.text
rename to pkg/blackfriday/testdata/Tidiness.text
diff --git a/systemd/cert-renewer@.timer b/systemd/cert-renewer@.timer
index baddfaa7..37551cb5 100644
--- a/systemd/cert-renewer@.timer
+++ b/systemd/cert-renewer@.timer
@@ -12,7 +12,7 @@ OnCalendar=*:1/15
 ; Always run the timer on time.
 AccuracySec=1us
 
-; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
+; Add jitter to prevent a "thundering herd" of simultaneous certificate renewals.
 RandomizedDelaySec=5m
 
 [Install]
diff --git a/systemd/ssh-cert-renewer.timer b/systemd/ssh-cert-renewer.timer
index 27249964..b51efbc8 100644
--- a/systemd/ssh-cert-renewer.timer
+++ b/systemd/ssh-cert-renewer.timer
@@ -11,7 +11,7 @@ OnCalendar=*:1/15
 ; Always run the timer on time.
 AccuracySec=1us
 
-; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
+; Add jitter to prevent a "thundering herd" of simultaneous certificate renewals.
 RandomizedDelaySec=5m
 
 [Install]
diff --git a/usage/renderer.go b/usage/renderer.go
index eb52bad1..aac2d37d 100644
--- a/usage/renderer.go
+++ b/usage/renderer.go
@@ -166,7 +166,7 @@ func (r *Renderer) RenderNode(w io.Writer, node *md.Node, entering bool) md.Walk
 	switch node.Type {
 	case md.Paragraph:
 		// Alternative idea here: call r.RenderNode() with our new buffer as
-		// `w`. In the `else` condition here render to the outter buffer and
+		// `w`. In the `else` condition here render to the outer buffer and
 		// always return md.Terminate. So when we enter a paragraph we start
 		// parsing with a new output buffer and capture the output.
 		if entering {
@@ -322,7 +322,7 @@ func (r *Renderer) RenderNode(w io.Writer, node *md.Node, entering bool) md.Walk
 		if entering {
 			r.capture(r.out.mode)
 		} else {
-			// Markdown doens't have a way to create a table without headers.
+			// Markdown doesn't have a way to create a table without headers.
 			// We've opted to fix that here by not rendering headers at all if
 			// they're empty.
 			result := r.finishCapture().Bytes()
diff --git a/utils/cautils/token_generator.go b/utils/cautils/token_generator.go
index 9debb2a2..a7758dcc 100644
--- a/utils/cautils/token_generator.go
+++ b/utils/cautils/token_generator.go
@@ -344,7 +344,7 @@ func loadJWK(ctx *cli.Context, p *provisioner.JWK, tokAttrs tokenAttrs) (jwk *jo
 
 		jwk = new(jose.JSONWebKey)
 		if err := json.Unmarshal(decrypted, jwk); err != nil {
-			return nil, "", errors.Wrap(err, "error unmarshalling provisioning key")
+			return nil, "", errors.Wrap(err, "error unmarshaling provisioning key")
 		}
 	} else {
 		// Get private key from given key file