
Addressing Linux's missing PKI infrastructure

Monday 8 December 2025, 18:48, by LWN.net
Jon Seager, VP of engineering for Canonical, has announced
a plan to develop a universal Public Key Infrastructure tool called
upki:

Earlier this year, LWN featured an excellent article titled
'Linux's missing CRL infrastructure'. The article highlighted a number
of key issues surrounding traditional Public Key Infrastructure (PKI),
but critically noted how even the available measures are effectively
ignored by the majority of system-level software on Linux.

One of the motivators for the discussion is that the Online
Certificate Status Protocol (OCSP) will cease to be supported by Let's
Encrypt. The remaining alternative is to use Certificate Revocation
Lists (CRLs), yet there is little or no support for managing (or even
querying) these lists in most Linux system utilities.

To solve this, I'm happy to share that in partnership with rustls
maintainers Dirkjan Ochtman and Joe Birr-Pixton, we're starting the
development of upki: a universal PKI tool. This project initially aims
to close the revocation gap through the combination of a new system
utility and eventual library support for common TLS/SSL libraries such
as OpenSSL, GnuTLS and rustls.

No code is available as of yet, but the announcement indicates that
upki will be available as an opt-in preview for
Ubuntu 26.04 LTS. Thanks to Dirkjan Ochtman for the tip.
https://lwn.net/Articles/1049663/
