Provisioners are used by issuing authorities to authenticate certificate requests. Provisioners make it easy to automate certificate management where possible, and support semi-automated / self-serve workflows where required.
Certificate lifetimes, access control policies, renewal, templates, and many other options are configurable per-provisioner. Since an issuing authority can have multiple provisioners, you implement complex authentication and authorization policies and issue different kinds of certificates from one issuing authority.
Some common per-provisioner settings include default/min/max certificate lifetime, certificate algorithm, key usage (using templates), and subject alternative names. Each In all cases, users and machines will authenticate to a provisioner in order to receive a signed certificate.