Deprecate retry_bootstrap (#6050 )

* Deprecate retry_bootstrap Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Wait for server to come up before using it (#6174 )
2025-07-10 10:06:38 -03:00 · 2025-07-09 07:19:04 +01:00 · 2025-07-08 22:41:56 +01:00 · 2025-07-08 21:43:37 +01:00 · 2025-07-07 20:21:53 +01:00 · 2025-07-04 16:14:29 -03:00
835 changed files with 34556 additions and 13645 deletions
--- a/.github/workflows/dco.yaml
+++ b/.github/workflows/dco.yaml
@ -10,9 +10,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Python 3.x
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.x'
      - name: Check DCO
--- a/.github/workflows/depsreview.yaml
+++ b/.github/workflows/depsreview.yaml
@ -10,6 +10,6 @@ jobs:

    steps:
      - name: 'Checkout Repository'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
--- a/.github/workflows/nightly_build.yaml
+++ b/.github/workflows/nightly_build.yaml
@ -19,13 +19,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install cosign
-        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        with:
          cosign-release: v2.2.3
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Build images
        run: make images
      - name: Log in to GHCR
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@ -19,13 +19,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -43,18 +43,18 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -80,13 +80,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -104,13 +104,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -128,13 +128,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
@ -146,7 +146,7 @@ jobs:
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-linux
          path: ./artifacts/
@ -162,31 +162,31 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build images
        run: make images-no-load
      - name: Export images
        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -202,12 +202,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Load cached executables
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -215,7 +215,7 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz
@ -228,7 +228,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - id: set-matrix
        name: Collect versions
        run: |
@ -239,10 +239,9 @@ jobs:
    outputs:
      test: ${{ steps.set-matrix.outputs.test }}
  
-
  integration:
-    name: integration (linux)
-    runs-on: ubuntu-22.04
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images]
    timeout-minutes: 45

@ -252,11 +251,17 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -264,18 +269,18 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -294,13 +299,12 @@ jobs:
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
          CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

-
-
  integration-k8s:
-    name: integration-k8s
-    runs-on: ubuntu-22.04
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images, build-matrix]
    timeout-minutes: 45

@ -310,13 +314,21 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-         num_runners: [1]
-         runner_id: [1]
-         #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
-         test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -324,18 +336,18 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -379,24 +391,24 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -429,14 +441,14 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Setup dep cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -462,24 +474,24 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -511,19 +523,19 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -551,24 +563,24 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -577,21 +589,21 @@ jobs:
      - name: Build binaries
        run: make build
      - name: Setup executables cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-windows
          path: ./artifacts/

  success:
    runs-on: ubuntu-22.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    timeout-minutes: 30
    permissions:
      contents: read
--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@ -13,13 +13,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -36,18 +36,18 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -72,13 +72,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -95,13 +95,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -119,13 +119,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
@ -137,7 +137,7 @@ jobs:
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-linux
          path: ./artifacts/
@ -152,18 +152,18 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -172,7 +172,7 @@ jobs:
      - name: Export images
        run: tar -czvf images.tar.gz *-image.tar
      - name: Archive images
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images
          path: images.tar.gz
@ -187,12 +187,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Load cached executables
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Build images
        run: make images-windows
      - name: Export images
@ -200,7 +200,7 @@ jobs:
          docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
          gzip images-windows.tar
      - name: Archive images
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: images-windows
          path: images-windows.tar.gz
@ -213,7 +213,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - id: set-matrix
        name: Collect versions
        run: |
@ -225,9 +225,10 @@ jobs:
      test: ${{ steps.set-matrix.outputs.test }}

  integration:
-    name: integration (linux)
-    runs-on: ubuntu-22.04
+    name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images]
+    timeout-minutes: 45

    permissions:
      contents: read
@ -235,11 +236,17 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        num_runners: [5]
-        runner_id: [1, 2, 3, 4, 5]
+        arch: [x64, arm64]
+        num_runners: [10]
+        runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -256,18 +263,18 @@ jobs:
      - name: Fix tag annotations
        run: git fetch --tags --force
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -285,14 +292,15 @@ jobs:
          NUM_RUNNERS: ${{ matrix.num_runners }}
          THIS_RUNNER: ${{ matrix.runner_id }}
          TERM: dumb
+          IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
          # We don't need to specify CICD_TARGET_BRANCH since the upgrade
          # integration test will detect the annotated tag for version checking.
          # CICD_TARGET_BRANCH:
        run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh

  integration-k8s:
-    name: integration-k8s
-    runs-on: ubuntu-22.04
+    name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
+    runs-on: ${{ matrix.runs-on }}
    needs: [cache-deps, images, build-matrix]
    timeout-minutes: 45

@ -302,13 +310,21 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-         num_runners: [1]
-         runner_id: [1]
-         #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
-         test: ${{ fromJson(needs.build-matrix.outputs.test) }}
+        arch: [x64, arm64]
+        include:
+          - arch: x64
+            runs-on: ubuntu-22.04
+            num_runners: 1
+            runner_id: 1
+          - arch: arm64
+            runs-on: ubuntu-22.04-arm
+            num_runners: 1
+            runner_id: 1
+        #Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
+        test: ${{ fromJson(needs.build-matrix.outputs.test) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # The "upgrade" integration test needs the history to ensure
          # that the version number in the source code has been bumped as
@ -316,18 +332,18 @@ jobs:
          # fetch depth of zero.
          fetch-depth: 0
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
@ -364,23 +380,23 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -407,13 +423,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Setup dep cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@ -433,23 +449,23 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Setup build tool cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -475,18 +491,18 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -508,23 +524,23 @@ jobs:
        shell: msys2 {0}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version-file: 'go.mod'
      - name: Load cached deps
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
      - name: Load cached build tools
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: .build
          key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
      - name: Install msys2
-        uses: msys2/setup-msys2@ddf331adaebd714795f1042345e6ca57bd66cea8 # v2.24.1
+        uses: msys2/setup-msys2@d44ca8e88d8b43d56cf5670f91747359d5537f97 # v2.26.0
        with:
          msystem: MINGW64
          update: true
@ -535,25 +551,25 @@ jobs:
      - name: Build artifacts
        run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
      - name: Setup executables cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ./bin/
-          key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
+          key: ${{ runner.os }}-executables-${{ github.sha }}
      - name: Archive artifacts
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        with:
          name: binaries-windows
          path: ./artifacts/

  publish-artifacts:
    runs-on: ubuntu-22.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    permissions:
      contents: write

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Download archived Linux artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
@ -568,7 +584,7 @@ jobs:
      - name: Create Release
        env:
          # GH_REPO is required for older releases of `gh`. Until we're
-          # reasonably confident that that the gh release is new enough,
+          # reasonably confident that the gh release is new enough,
          # set GH_REPO to the repository to create the release in.
          #
          # See https://github.com/cli/cli/issues/3556
@ -579,7 +595,7 @@ jobs:

  publish-images:
    runs-on: ubuntu-22.04
-    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
+    needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
    permissions:
      contents: read
      id-token: write
@ -587,13 +603,13 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install cosign
-        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        with:
          cosign-release: v2.2.3
      - name: Install regctl
-        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+        uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main
      - name: Download archived images
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
--- a/.github/workflows/scripts/find_k8s.sh
+++ b/.github/workflows/scripts/find_k8s.sh
@ -23,6 +23,13 @@
          
          declare -A tags_map
          for element in "${tags_sorted[@]}"; do
+            # Skip 1.32.1 until either a new version of kind is released the problem
+            # with the kindest/node:1.32.1 image is fixed. See upstream kind issue:
+            # https://github.com/kubernetes-sigs/kind/issues/3853
+            if [[ "$element" == "v1.32.1" ]]; then
+              continue
+            fi
+
            # Element is in this form: "X.XX.YY"
            # If not, continue
            num_dots=$(echo "$element" | grep -o '\.' | wc -l)
--- a/.github/workflows/stalebot.yaml
+++ b/.github/workflows/stalebot.yaml
@ -16,7 +16,24 @@ jobs:
        days-before-issue-stale: 365 # 1 year
        days-before-issue-close: 30
        stale-issue-label: "stale"
+        exempt-issue-labels: "blocked" # Ignore blocked issues
        stale-issue-message: "This issue is stale because it has been open for 365 days with no activity."
        close-issue-message: "This issue was closed because it has been inactive for 30 days since being marked as stale."
        days-before-pr-stale: -1 # Don't handle PRs
        days-before-pr-close: -1 # Don't handle PRs
+
+  process-stale-blocked-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+      with:
+        only-labels: "blocked"
+        days-before-issue-stale: 30
+        days-before-issue-close: -1 # Don't close blocked issues
+        stale-issue-label: "stale"
+        stale-issue-message: "This issue has been in the blocked state for 30 days, marking as stale so the blocking issue is re-checked."
+        days-before-pr-stale: -1 # Don't handle PRs
+        days-before-pr-close: -1 # Don't handle PRs
--- a/.go-version
+++ b/.go-version
@ -1 +1 @@
-1.23.0
+1.24.4
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,34 +1,87 @@
+version: "2"
 run:
-  # timeout for analysis, e.g. 30s, 5m, default is 1m
  timeout: 12m
-
-issues:
-  exclude-dirs:
-    - testdata$
-    - test/mock
-  exclude-files:
-    - ".*\\.pb\\.go"
-
 linters:
  enable:
    - bodyclose
+    - copyloopvar
    - durationcheck
    - errorlint
-    - goimports
-    - revive
+    - exptostd
+    - gocritic
    - gosec
+    - intrange
+    - mirror
    - misspell
    - nakedret
+    - nilnesserr
+    - nolintlint
+    - predeclared
+    - reassign
+    - revive
    - unconvert
    - unparam
+    - wastedassign
    - whitespace
-    - gocritic
-    - nolintlint
-
-linters-settings:
-  revive:
-    # minimal confidence for issues, default is 0.8
-    confidence: 0.0
+  settings:
+    govet:
+      enable:
+        - sortslice
+        - unusedwrite
+    revive:
+      confidence: 0
+      rules:
+        - name: atomic
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: datarace
+        - name: error-naming
+        - name: error-return
+        - name: errorf
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: modifies-value-receiver
+        - name: optimize-operands-order
+        - name: range
+        - name: receiver-naming
+        - name: redundant-import-alias
+        - name: redundant-test-main-exit
+        - name: string-of-int
+        - name: time-equal
+        - name: unconditional-recursion
+        - name: unnecessary-stmt
+        - name: unreachable-code
+        - name: use-any
+        - name: use-errors-new
+        - name: useless-break
+        - name: var-declaration
+        - name: waitgroup-by-value
+    staticcheck:
+      checks:
+        - all
+        - -ST1003
+        - -QF1001
+        - -QF1008
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
    rules:
-      - name: unused-parameter
-        disabled: true
+      - linters:
+          - gosec
+        path: (.*_test\.go$)|(^test/.*)
+        text: integer overflow conversion
+      - linters:
+          - revive
+        text: Import alias "v1" is redundant
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
--- a/.spire-tool-versions
+++ b/.spire-tool-versions
@ -1,3 +1,3 @@
-golangci_lint v1.60.1
+golangci-lint v2.1.6
 markdown_lint v0.37.0
-protoc 24.4
+protoc 29.4
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,206 @@
 # Changelog

+## [1.12.4] - 2025-07-01
+
+### Added
+
+- `k8s_configmap` BundlePublisher plugin (#6105, #6139)
+- UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
+- Integration tests running on ARM64 platform (#6059)
+- The OIDC Discovery Provider can now read the trust bundle from a file (#6025)
+
+### Changed
+
+- The "Container id not found" log message in the `k8s` WorkloadAttestor has been lowered to Debug level (#6128)
+- Improvements in lookup performance for entries (#6100, #6034)
+- Agent no longer pulls the bundle from `trust_bundle_url` if it is not required (#6065)
+
+### Fixed
+
+- The `subject_types_supported` value in the discovery document is now properly populated by the OIDC Discovery Provider (#6126)
+- SPIRE Server gRPC servers are now gracefully stopped (#6076)
+
+## [1.12.3] - 2025-06-17
+
+### Security
+
+- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
+This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
+Thanks to Edoardo Geraci for reporting this issue.
+
+## [1.12.2] - 2025-05-19
+
+### Fixed
+
+- Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates. (#6074)
+
+## [1.12.1] - 2025-05-06
+
+### Added
+
+- Support for Unix sockets in trust bundle URLs (#5932)
+- Documentation improvements and additions (#5989, #6012)
+
+### Changed
+
+- `sql_transaction_timeout` replaced by `event_timeout` and value reduced to 15 minutes (#5966)
+- Experimental events-based cache performance improvements by batch fetching updated entries (#5970)
+- Improved error messages when retrieving CGroups (#6030).
+
+### Fixed
+
+- Corrected invalid `user-agent` value in OIDC Discovery Provider debug logs (#5981).
+
+## [1.12.0] - 2025-03-21
+
+### Added
+
+- Support for any S3 compatible object storage such as MinIO in the `aws_s3` BundlePublisher plugin (#5757)
+- Support for Rego V1 in the authorization policy engine (#5769)
+- Support for SAN-based selectors in the `x509pop` NodeAttestor plugin (#5775)
+
+### Changed
+
+- Agents now use the SyncAuthorizedEntries API for periodically synchronization of authorized entries by default (#5906)
+- Timestamps in logs are now formatted to include nanoseconds (#5798)
+- Improved entry lookup performance in NewJWTSVID and BatchNewX509SVID server RPCs (#5819)
+- Increased the maximum number of idle database connections to 100 (#5853)
+- The maximum idle time per database connection is now set to 30 seconds (#5853)
+- Small documentation improvements (#5873, #5876)
+- The experimental events-based cache now supports reading events from read-only replicas when data staleness is tolerated, enhancing read performance (#5911)
+- The `use_legacy_downstream_x509_ca_ttl` server setting is now set to false by default (#5917)
+
+### Deprecated
+
+- `use_sync_authorized_entries` experimental agent setting (#5906)
+- `use_legacy_downstream_x509_ca_ttl` server setting (#5917)
+
+### Removed
+
+- The deprecated `k8s_sat` NodeAttestor plugin (#5703)
+
+### Fixed
+
+- Issue where agents did not receive entry updates when new entries with the same entry ID were created while `use_sync_authorized_entries` was enabled (#5764)
+
+## [1.11.3] - 2025-06-17
+
+### Security
+
+- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
+This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
+Thanks to Edoardo Geraci for reporting this issue.
+
+## [1.11.2] - 2025-02-13
+
+### Added
+
+- `gcp_secretmanager` SVIDStore plugin now supports specifying the regions where secrets are created (#5718)
+- Support for expanding environment variables in the OIDC Discovery Provider configuration (#5689)
+- Support for optionally enabling `trust_domain` label for all metrics (#5673)
+- The JWKS URI returned in the discovery document can now be configured in the OIDC Discovery Provider (#5690)
+- A server path prefix can now be specified in the OIDC Discovery Provider (#5690)
+
+### Changed
+
+- Small documentation improvements (#5809, #5720)
+
+### Fixed
+
+- Regression in the hydration of the experimental event-based cache that caused a delay in availability (#5842)
+- Do not log an error when the Envoy SDS v3 API connection has been closed cleanly (#5835)
+- SVIDStore plugins to properly parse metadata in entry selectors containing ':' characters (#5750)
+- Compatibility with deployments that use a server port other than 443 when the `jwt_issuer` configuration is set in the OIDC Discovery Provider (#5690)
+- Domain verification is now properly done when setting the `jwt_issuer` configuration in the OIDC Discovery Provider (#5690)
+
+### Security
+
+- Fixed to properly call the CompareObjectHandles function when it's available on Windows systems, as an extra security measure in the peertracker (#5749)
+
+## [1.11.1] - 2024-12-12
+
+### Added
+
+- The Go based text/template engine used in various plugins has been extended to include a set of functions from the SPRIG library (#5593, #5625)
+- The JWT-SVID cache in the agent is now configurable (#5633)
+- The JWT issuer is now configurable in the OIDC Discovery Provider (#5657)
+
+### Changed
+
+- CA journal now relies on the authority ID instead of the issued time when updating the status of keys (#5622)
+
+### Fixed
+
+- Spelling and grammar fixes (#5571)
+- Handling of IPv6 address consistently for the binding address of the server and health checks (#5623)
+- Link to Telemetry documentation in the Contributing guide (#5650)
+- Handling of registration entries with revision number 0 when the agent syncs entries with the server (#5680)
+
+### Known Issues
+
+- Setting the new `jwt_issuer` configuration property in oidc-discovery-provider is not compatible with deployments that use a server port other than 443 (#5696)
+- Domain verification is bypassed when setting the new `jwt_issuer` configuration property in oidc-discovery-provider (#5697)
+
+## [1.11.0] - 2024-10-24
+
+### Added
+
+- Support for forced rotation and revocation (<https://github.com/orgs/spiffe/projects/21>)
+- New EJBCA UpstreamAuthority plugin for SPIRE Server (#5378)
+- Support for variables in templates contained in the config file (#5576)
+- Support for the configuration validation RPC on all built-in plugins (#5303)
+- Improved logging when built-in plugins panic (#5476)
+- Improved CPU and memory resource usage for concurrent Kubernetes Workload attestation (#5408)
+- Documentation additions and improvements (#5589, #5588, #5499, #5433, #5430, #5269)
+
+### Changed
+
+- SPIRE Agent LRU identity cache is now unconditionally enabled. The LRU size can be controlled via the `x509_svid_cache_max_size` configuration option. (#5383, #5531)
+- Entry API RPCs return per-entry InvalidArgument status when creating/updating malformed entries (#5506)
+- Support for CGroups v2 in K8s and Docker workload attestors is now enabled by default (#5454)
+
+### Removed
+
+- Deprecated -ttl flag from the SPIRE Server `entry create` and `entry update` commands (#5483)
+- Official support for MySQL 5.X. While SPIRE may continue to work with this version, no explicit testing will be performed by the project (#5487)
+
+### Fixed
+
+- Missing TrustDomain field passed to x509pop path template (#5577)
+- Behavior in the experimental events-based cache causing duplicate entries/agents evaluation in the same cycle (#5509)
+
+## [1.10.4] - 2024-09-12
+
+### Fixed
+
+- Add missing commits to spire-plugin-sdk and spire-api-sdk releases (spiffe/spire-api-sdk#66, spiffe/spire-plugin-sdk#39)
+
+## [1.10.3] - 2024-09-03
+
+### Fixed
+
+- Regression in agent health check, requiring the agent to have an SVID on disk to be healthy (#5459)
+
+## [1.10.2] - 2024-09-03
+
+### Added
+
+- `http_challenge` NodeAttestor plugin (#4909)
+- Experimental support for validating container image signatures through Sigstore selectors in the docker Workload Attestor (#5272)
+- Metrics for monitoring the event-based cache (#5411)
+
+### Changed
+
+- Delegated Identity API to allow subscription by process ID (#5272)
+- Agent Debug endpoint to count SVIDs by type (#5352)
+- Agent health check to report an unhealthy status until the Agent SVID is attested (#5298)
+- Small documentation improvements (#5393)
+
+### Fixed
+
+- `aws_iid` NodeAttestor to properly handle multiple network interfaces (#5300)
+- Server configuration to correctly propagate the `sql_transaction_timeout` setting in the experimental events-based cache (#5345)
+
 ## [1.10.1] - 2024-08-01

 ### Added
@ -26,7 +227,7 @@

 ### Changed

- SPIRE Server and OIDC provider images to use non root users (#4967, #5227)
+- SPIRE Server and OIDC provider images to use non-root users (#4967, #5227)
 - `k8s_psat` NodeAttestor attestor to no longer fail when a cluster is not configured (#5216)
 - Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204)
 - Small documentation improvements (#5181, #5189)
@ -34,7 +235,7 @@

 ### Fixed

- PSAT node attestor to cross check the audience fields (#5142)
+- PSAT node attestor to cross-check the audience fields (#5142)
 - Events-based cache to handle out of order events (#5071)

 ### Deprecated
@ -1015,7 +1216,7 @@
 - Regression preventing agent selectors from showing in `spire-server agent show` command (#2133)
 - Issue in the token authentication method of the Vault Upstream Authority plugin (#2110)
 - Reporting of errors in server entry cache telemetry (#2091)
- Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065)
+- Agent logs an error and automatically shuts down when its SVID has expired, and it requires re-attestation (#2065)

 ## [0.12.1] - 2021-03-04

@ -1101,7 +1302,7 @@

 - Fixed Kubernetes Workload Registrar issues (#1814, #1818, #1823)
 - Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (#1824)
- Fixed issue preventing brand new deployments from downgrading successfully (#1829)
+- Fixed issue preventing brand-new deployments from downgrading successfully (#1829)
 - Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (#1863)

 ## [0.11.0] - 2020-08-28
@ -1205,7 +1406,7 @@

 ## [0.9.0] - 2019-11-14

- Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078)
+- Users can now opt out of workload executable hashing when enabling the workload path as a selector (#1078)
 - Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208)
 - SQL auto-migration can be disabled (#1089)
 - SQL schema compatibility checks are aligned with upgrade compatibility guarantees (#1089)
--- a/14
+++ b/14
@ -1,27 +1,27 @@
-* @evan2645 @amartinezfayo @azdagron @MarcosDY @rturner3
+* @evan2645 @amartinezfayo @sorindumitru @MarcosDY @rturner3

 ##########################################
 # Maintainers
 ##########################################

 # Evan Gilman
-# VMware, Inc
+# SPIRL, Inc.
 # @evan2645

 # Agustin Martínez Fayó
 # Hewlett-Packard Enterprise	
 # @amartinezfayo

-# Andrew Harding
-# VMware, Inc
-# @azdagron
+# Sorin Dumitru
+# Bloomberg L.P.
+# @sorindumitru

 # Marcos Yacob
 # Hewlett-Packard Enterprise
 # @MarcosDY

 # Ryan Turner
-# Uber Technologies, Inc
+# Cielara AI
 # @rturner3

 ##########################################
@ -29,5 +29,5 @@
 ##########################################

 # Umair Khan
-# Hewlett-Packard Enterprise
+# Stacklet, Inc.
 # @umairmkhan
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -45,7 +45,7 @@ toolchain and other build related files are cached under the `.build` folder

 ### Development in Docker

-You can either build SPIRE on your host or in a Ubuntu docker container. In
+You can either build SPIRE on your host or in an Ubuntu docker container. In
 both cases you will use the same Makefile commands.

 To build SPIRE within a container, first build the development image:
@ -105,14 +105,14 @@ Packages should be exported through interfaces. Interaction with packages must b
 interfaces

 Interfaces should be defined in their own file, named (in lowercase) after the name of the
-interface. eg. `foodata.go` implements `type FooData any`
+interface. e.g. `foodata.go` implements `type FooData any`

 ### Metrics

 As much as possible, label names should be constants defined in the `telemetry` package. Additionally,
 specific metrics should be centrally defined in the `telemetry` package or its subpackages. Functions
 desiring metrics should delegate counter, gauge, timer, etc. creation to such packages.
-The metrics emitted by SPIRE are listed in the [telemetry document](doc/telemetry.md) and should be kept up to date.
+The metrics emitted by SPIRE are listed in the [telemetry document](doc/telemetry/telemetry.md) and should be kept up to date.

 In addition, metrics should be unit-tested where reasonable.

--- a/5
+++ b/5
@ -2,8 +2,7 @@

 # Build stage
 ARG goversion
-# Use alpine3.18 until go-sqlite works in 3.19
-FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.20 as base
+FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.22 as base
 WORKDIR /spire
 RUN apk --no-cache --update add file bash clang lld pkgconfig git make
 COPY go.* ./
@ -15,7 +14,7 @@ COPY . .
 # when bumping to a new version analyze the new version for security issues
 # then use crane to lookup the digest of that version so we are immutable
 # crane digest tonistiigi/xx:1.3.0
-FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:904fe94f236d36d65aeb5a2462f88f2c537b8360475f6342e7599194f291fb7e AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.5.0@sha256:0c6a569797744e45955f39d4f7538ac344bfb7ebf0a54006a0a4297b153ccf0f AS xx

 FROM --platform=${BUILDPLATFORM} base as builder
 ARG TAG
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -1,4 +1,4 @@
-FROM ubuntu:xenial
+FROM ubuntu:24.04
 WORKDIR /spire
 RUN apt-get update && apt-get -y install \
    curl unzip git build-essential ca-certificates libssl-dev
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -31,9 +31,9 @@ This section of the document can and should be updated as the above consideratio

 ### Changes in Maintainership

-SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote with the exception of the unseated.
+SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote except the unseated.

-Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine month period.
+Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine-month period.

 The CNCF MUST be notified of any changes in maintainership via the CNCF Service Desk.

@ -103,7 +103,7 @@ This is a very important aspect of SPIRE maintainership. Adoption and contributi

 ## Product Management and Roadmap Curation

-In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field testing to better inform maintainers, and communicating project development information to the community.
+In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field-testing to better inform maintainers, and communicating project development information to the community.

 Maintainers are expected to have heavy participation in the community, but it may be impractical to dedicate themselves to gathering and analyzing community feedback and end-user pain points. Based on data collection, the role of the product manager is intended to aid maintainers to validate the desirability, feasibility, and viability of efforts to help drive project direction and priorities in long term planning.

--- a/28
+++ b/28
@ -32,6 +32,7 @@ help:
 	@echo "  $(cyan)race-test$(reset)                             - run unit tests with race detection"
 	@echo "  $(cyan)integration$(reset)                           - run integration tests (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
+	@echo "                                          and 'IGNORE_SUITES' variable for ignoring tests"
 	@echo "                                          e.g. SUITES='suites/join-token suites/k8s' make integration"
 	@echo "  $(cyan)integration-windows$(reset)                   - run integration tests for windows (requires Docker images)"
 	@echo "                                          support 'SUITES' variable for executing specific tests"
@ -103,6 +104,8 @@ else
 $(error unsupported ARCH: $(arch1))
 endif

+ignore_suites := $(IGNORE_SUITES)
+
 ############################################################################
 # Docker TLS detection for buildx
 ############################################################################
@ -136,9 +139,8 @@ endif

 go_path := PATH="$(go_bin_dir):$(PATH)"

-golangci_lint_version := $(shell awk '/golangci_lint/{print $$2}' .spire-tool-versions)
+golangci_lint_version := $(shell awk '/golangci-lint/{print $$2}' .spire-tool-versions)
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
-golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 golangci_lint_cache = $(golangci_lint_dir)/cache

 markdown_lint_version := $(shell awk '/markdown_lint/{print $$2}' .spire-tool-versions)
@ -310,11 +312,11 @@ integration:
 ifeq ($(os1), windows)
 	$(error Integration tests are not supported on windows)
 else
-	$(E)$(go_path) ./test/integration/test.sh $(SUITES)
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test.sh $(SUITES)
 endif

 integration-windows:
-	$(E)$(go_path) ./test/integration/test-windows.sh $(SUITES)
+	$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test-windows.sh $(SUITES)

 #############################################################################
 # Docker Images
@ -402,8 +404,11 @@ endif

 lint: lint-code lint-md

-lint-code: $(golangci_lint_bin)
-	$(E)PATH="$(go_bin_dir):$(PATH)" GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./...
+lint-code: | go-check
+	$(E)mkdir -p $(golangci_lint_cache)
+	$(E)$(go_path) GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" \
+		go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(golangci_lint_version) \
+		run --max-issues-per-linter=0 --max-same-issues=0 ./...

 lint-md:
 	$(E)docker run --rm -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md"
@ -507,7 +512,7 @@ endif
 go-bin-path: go-check
 	@echo "$(go_bin_dir):${PATH}"

-install-toolchain: install-protoc install-golangci-lint install-protoc-gen-go install-protoc-gen-doc | go-check
+install-toolchain: install-protoc install-protoc-gen-go | go-check

 install-protoc: $(protoc_bin)

@ -517,15 +522,6 @@ $(protoc_bin):
 	$(E)mkdir -p $(protoc_dir)
 	$(E)curl -sSfL $(protoc_url) -o $(build_dir)/tmp.zip; unzip -q -d $(protoc_dir) $(build_dir)/tmp.zip; rm $(build_dir)/tmp.zip

-install-golangci-lint: $(golangci_lint_bin)
-
-$(golangci_lint_bin): | go-check
-	@echo "Installing golangci-lint $(golangci_lint_version)..."
-	$(E)rm -rf $(dir $(golangci_lint_dir))
-	$(E)mkdir -p $(golangci_lint_dir)
-	$(E)mkdir -p $(golangci_lint_cache)
-	$(E)GOBIN=$(golangci_lint_dir) $(go_path) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(golangci_lint_version)
-
 install-protoc-gen-go: $(protoc_gen_go_bin)

 $(protoc_gen_go_bin): | go-check
--- a/README.md
+++ b/README.md
@ -61,8 +61,8 @@ The SPIFFE community maintains the SPIRE project. Information on the various SIG
 A third party security firm ([Cure53](https://cure53.de/)) completed a security audit of SPIFFE and SPIRE in February of 2021. Additionally, the [CNCF Technical Advisory Group for Security](https://github.com/cncf/tag-security) conducted two assessments on SPIFFE and SPIRE in 2018 and 2020. Please find the reports and supporting material, including the threat model exercise results, below.

 - [Cure53 Security Audit Report](doc/cure53-report.pdf)
- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/assessments/projects/spiffe-spire)
- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/assessments/projects/spiffe-spire/self-assessment.md)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/community/assessments/projects/spiffe-spire)
+- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/community/assessments/projects/spiffe-spire/self-assessment.md)
 - [Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security](https://blog.spiffe.io/scrutinizing-spire-security-9c82ba542019)

 ### Reporting Security Vulnerabilities
--- a/RELEASING.md
+++ b/RELEASING.md
@ -1,6 +1,6 @@
 # Release and Branch Management

-The SPIRE project maintains active support for both the current and the previous major versions. All active development occurs in the `main` branch. Version branches are used for minor releases of the previous major version when necessary.
+The SPIRE project maintains active support for both the current and the previous minor versions. All active development occurs in the `main` branch. Version branches are used for patch releases of the previous minor version when necessary.

 ## Version Branches

@ -14,7 +14,7 @@ The base commit of the release branch is based on the type of release being gene

 When a bug is discovered in the latest release that also affects releases of the prior minor version, it is necessary to backport the fix.

-Once the version branch is created, the patch is either cherry picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.
+Once the version branch is created, the patch is either cherry-picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.

 Ensure that the CHANGELOG is updated in both `main` and the version branch to reflect the new release.

--- a/cmd/spire-agent/cli/api/api_test.go
+++ b/cmd/spire-agent/cli/api/api_test.go
@ -15,9 +15,9 @@ import (
 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/x509util"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/fakes/fakeworkloadapi"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/testca"
@ -416,9 +416,10 @@ func TestValidateJWTCommand(t *testing.T) {
 						Claims: &structpb.Struct{
 							Fields: map[string]*structpb.Value{
 								"aud": {
-									Kind: &structpb.Value_ListValue{ListValue: &structpb.ListValue{
-										Values: []*structpb.Value{{Kind: &structpb.Value_StringValue{StringValue: "foo"}}},
-									},
+									Kind: &structpb.Value_ListValue{
+										ListValue: &structpb.ListValue{
+											Values: []*structpb.Value{{Kind: &structpb.Value_StringValue{StringValue: "foo"}}},
+										},
 									},
 								},
 							},
@ -504,7 +505,7 @@ func setupTest(t *testing.T, newCmd func(env *commoncli.Env, clientMaker workloa
 	}, newWorkloadClient)

 	test := &apiTest{
-		addr:        common.GetAddr(addr),
+		addr:        clitest.GetAddr(addr),
 		stdin:       stdin,
 		stdout:      stdout,
 		stderr:      stderr,
@ -538,7 +539,7 @@ func (s *apiTest) afterTest(t *testing.T) {
 }

 func (s *apiTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, s.addr}, extra...)
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
 }

 func assertOutputBasedOnFormat(t *testing.T, format, stdoutString, expectedStdoutJSON string, expectedStdoutPretty ...string) {
--- a/cmd/spire-agent/cli/api/common.go
+++ b/cmd/spire-agent/cli/api/common.go
@ -28,7 +28,7 @@ func newWorkloadClient(ctx context.Context, addr net.Addr, timeout time.Duration
 	if err != nil {
 		return nil, err
 	}
-	conn, err := util.GRPCDialContext(ctx, target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/spire-agent/cli/healthcheck/healthcheck.go
+++ b/cmd/spire-agent/cli/healthcheck/healthcheck.go
@ -79,7 +79,7 @@ func (c *healthCheckCommand) run() error {
 	if err != nil {
 		return err
 	}
-	conn, err := util.GRPCDialContext(context.Background(), target)
+	conn, err := util.NewGRPCClient(target)
 	if err != nil {
 		return err
 	}
--- a/cmd/spire-agent/cli/run/run.go
+++ b/cmd/spire-agent/cli/run/run.go
@ -2,13 +2,11 @@ package run

 import (
 	"context"
-	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
@ -26,18 +24,18 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/mitchellh/cli"
 	"github.com/sirupsen/logrus"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/agent"
+	"github.com/spiffe/spire/pkg/agent/trustbundlesources"
 	"github.com/spiffe/spire/pkg/agent/workloadkey"
-	"github.com/spiffe/spire/pkg/common/bundleutil"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/config"
 	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/health"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
+	"github.com/spiffe/spire/pkg/common/tlspolicy"
 )

 const (
@ -53,9 +51,6 @@ const (
 	defaultDefaultAllBundlesName       = "ALL"
 	defaultDisableSPIFFECertValidation = false

-	bundleFormatPEM    = "pem"
-	bundleFormatSPIFFE = "spiffe"
-
 	minimumAvailabilityTarget = 24 * time.Hour
 )

@ -72,7 +67,7 @@ type agentConfig struct {
 	DataDir                       string    `hcl:"data_dir"`
 	AdminSocketPath               string    `hcl:"admin_socket_path"`
 	InsecureBootstrap             bool      `hcl:"insecure_bootstrap"`
-	RetryBootstrap                bool      `hcl:"retry_bootstrap"`
+	RetryBootstrap                *bool     `hcl:"retry_bootstrap"`
 	JoinToken                     string    `hcl:"join_token"`
 	LogFile                       string    `hcl:"log_file"`
 	LogFormat                     string    `hcl:"log_format"`
@ -85,11 +80,14 @@ type agentConfig struct {
 	WorkloadX509SVIDKeyType       string    `hcl:"workload_x509_svid_key_type"`
 	TrustBundleFormat             string    `hcl:"trust_bundle_format"`
 	TrustBundlePath               string    `hcl:"trust_bundle_path"`
+	TrustBundleUnixSocket         string    `hcl:"trust_bundle_unix_socket"`
 	TrustBundleURL                string    `hcl:"trust_bundle_url"`
 	TrustDomain                   string    `hcl:"trust_domain"`
 	AllowUnauthenticatedVerifiers bool      `hcl:"allow_unauthenticated_verifiers"`
 	AllowedForeignJWTClaims       []string  `hcl:"allowed_foreign_jwt_claims"`
 	AvailabilityTarget            string    `hcl:"availability_target"`
+	X509SVIDCacheMaxSize          int       `hcl:"x509_svid_cache_max_size"`
+	JWTSVIDCacheMaxSize           int       `hcl:"jwt_svid_cache_max_size"`

 	AuthorizedDelegates []string `hcl:"authorized_delegates"`

@ -117,13 +115,10 @@ type experimentalConfig struct {
 	SyncInterval             string `hcl:"sync_interval"`
 	NamedPipeName            string `hcl:"named_pipe_name"`
 	AdminNamedPipeName       string `hcl:"admin_named_pipe_name"`
-	UseSyncAuthorizedEntries bool   `hcl:"use_sync_authorized_entries"`
+	UseSyncAuthorizedEntries *bool  `hcl:"use_sync_authorized_entries"`
+	RequirePQKEM             bool   `hcl:"require_pq_kem"`

 	Flags fflag.RawConfig `hcl:"feature_flags"`
-
-	UnusedKeyPositions   map[string][]token.Pos `hcl:",unusedKeyPositions"`
-	X509SVIDCacheMaxSize int                    `hcl:"x509_svid_cache_max_size"`
-	DisableLRUCache      bool                   `hcl:"disable_lru_cache"`
 }

 type Command struct {
@ -261,16 +256,32 @@ func (c *agentConfig) validate() error {
 		return errors.New("only one of trust_bundle_url or trust_bundle_path can be specified, not both")
 	}

-	if c.TrustBundleFormat != bundleFormatPEM && c.TrustBundleFormat != bundleFormatSPIFFE {
-		return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", bundleFormatPEM, bundleFormatSPIFFE)
+	if c.TrustBundleFormat != trustbundlesources.BundleFormatPEM && c.TrustBundleFormat != trustbundlesources.BundleFormatSPIFFE {
+		return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE)
 	}

+	if c.TrustBundleUnixSocket != "" && c.TrustBundleURL == "" {
+		return errors.New("if trust_bundle_unix_socket is specified, so must be trust_bundle_url")
+	}
 	if c.TrustBundleURL != "" {
 		u, err := url.Parse(c.TrustBundleURL)
 		if err != nil {
 			return fmt.Errorf("unable to parse trust bundle URL: %w", err)
 		}
-		if u.Scheme != "https" {
+		if c.TrustBundleUnixSocket != "" {
+			if u.Scheme != "http" {
+				return errors.New("trust bundle URL must start with http:// when used with trust bundle unix socket")
+			}
+			params := u.Query()
+			for key := range params {
+				if strings.HasPrefix(key, "spiffe-") {
+					return errors.New("trust_bundle_url query params can not start with spiffe-")
+				}
+				if strings.HasPrefix(key, "spire-") {
+					return errors.New("trust_bundle_url query params can not start with spire-")
+				}
+			}
+		} else if u.Scheme != "https" {
 			return errors.New("trust bundle URL must start with https://")
 		}
 	}
@ -304,7 +315,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {

 	// If envTemplate flag is passed, substitute $VARIABLES in configuration file
 	if expandEnv {
-		data = os.ExpandEnv(data)
+		data = config.ExpandEnv(data)
 	}

 	if err := hcl.Decode(&c, data); err != nil {
@ -318,6 +329,7 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags := flag.NewFlagSet(name, flag.ContinueOnError)
 	flags.SetOutput(output)
 	c := &agentConfig{}
+	retryBootstrap := false

 	flags.StringVar(&c.ConfigPath, "config", defaultConfigPath, "Path to a SPIRE config file")
 	flags.StringVar(&c.DataDir, "dataDir", "", "A directory the agent can use for its runtime data")
@ -331,10 +343,10 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 	flags.StringVar(&c.TrustDomain, "trustDomain", "", "The trust domain that this agent belongs to")
 	flags.StringVar(&c.TrustBundlePath, "trustBundle", "", "Path to the SPIRE server CA bundle")
 	flags.StringVar(&c.TrustBundleURL, "trustBundleUrl", "", "URL to download the SPIRE server CA bundle")
-	flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", bundleFormatPEM, bundleFormatSPIFFE))
+	flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE))
 	flags.BoolVar(&c.AllowUnauthenticatedVerifiers, "allowUnauthenticatedVerifiers", false, "If true, the agent permits the retrieval of X509 certificate bundles by unregistered clients")
 	flags.BoolVar(&c.InsecureBootstrap, "insecureBootstrap", false, "If true, the agent bootstraps without verifying the server's identity")
-	flags.BoolVar(&c.RetryBootstrap, "retryBootstrap", false, "If true, the agent retries bootstrap with backoff")
+	flags.BoolVar(&retryBootstrap, "retryBootstrap", true, "If true, the agent retries bootstrap with backoff")
 	flags.BoolVar(&c.ExpandEnv, "expandEnv", false, "Expand environment variables in SPIRE config file")

 	c.addOSFlags(flags)
@ -344,6 +356,12 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
 		return nil, err
 	}

+	flags.Visit(func(f *flag.Flag) {
+		if f.Name == "retryBootstrap" {
+			c.RetryBootstrap = &retryBootstrap
+		}
+	})
+
 	return c, nil
 }

@ -369,87 +387,6 @@ func mergeInput(fileInput *Config, cliInput *agentConfig) (*Config, error) {
 	return c, nil
 }

-func parseTrustBundle(bundleBytes []byte, trustBundleContentType string) ([]*x509.Certificate, error) {
-	switch trustBundleContentType {
-	case bundleFormatPEM:
-		bundle, err := pemutil.ParseCertificates(bundleBytes)
-		if err != nil {
-			return nil, err
-		}
-		return bundle, nil
-	case bundleFormatSPIFFE:
-		bundle, err := bundleutil.Unmarshal(spiffeid.TrustDomain{}, bundleBytes)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse SPIFFE trust bundle: %w", err)
-		}
-		return bundle.X509Authorities(), nil
-	}
-
-	return nil, fmt.Errorf("unknown trust bundle format: %s", trustBundleContentType)
-}
-
-func downloadTrustBundle(trustBundleURL string) ([]byte, error) {
-	// Download the trust bundle URL from the user specified URL
-	// We use gosec -- the annotation below will disable a security check that URLs are not tainted
-	/* #nosec G107 */
-	resp, err := http.Get(trustBundleURL)
-	if err != nil {
-		return nil, fmt.Errorf("unable to fetch trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("error downloading trust bundle: %s", resp.Status)
-	}
-	pemBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("unable to read from trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	return pemBytes, nil
-}
-
-func setupTrustBundle(ac *agent.Config, c *Config) error {
-	// Either download the trust bundle if TrustBundleURL is set, or read it
-	// from disk if TrustBundlePath is set
-	ac.InsecureBootstrap = c.Agent.InsecureBootstrap
-
-	var bundleBytes []byte
-	var err error
-
-	switch {
-	case c.Agent.TrustBundleURL != "":
-		bundleBytes, err = downloadTrustBundle(c.Agent.TrustBundleURL)
-		if err != nil {
-			return err
-		}
-	case c.Agent.TrustBundlePath != "":
-		bundleBytes, err = loadTrustBundle(c.Agent.TrustBundlePath)
-		if err != nil {
-			return fmt.Errorf("could not parse trust bundle: %w", err)
-		}
-	default:
-		// If InsecureBootstrap is configured, the bundle is not required
-		if ac.InsecureBootstrap {
-			return nil
-		}
-	}
-
-	bundle, err := parseTrustBundle(bundleBytes, c.Agent.TrustBundleFormat)
-	if err != nil {
-		return err
-	}
-
-	if len(bundle) == 0 {
-		return errors.New("no certificates found in trust bundle")
-	}
-
-	ac.TrustBundle = bundle
-
-	return nil
-}
-
 func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) (*agent.Config, error) {
 	ac := &agent.Config{}

@ -457,8 +394,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		return nil, err
 	}

-	ac.RetryBootstrap = c.Agent.RetryBootstrap
-
 	if c.Agent.Experimental.SyncInterval != "" {
 		var err error
 		ac.SyncInterval, err = time.ParseDuration(c.Agent.Experimental.SyncInterval)
@ -467,8 +402,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		}
 	}

-	ac.UseSyncAuthorizedEntries = c.Agent.Experimental.UseSyncAuthorizedEntries
-
 	serverHostPort := net.JoinHostPort(c.Agent.ServerAddress, strconv.Itoa(c.Agent.ServerPort))
 	ac.ServerAddress = fmt.Sprintf("dns:///%s", serverHostPort)

@ -498,18 +431,27 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		ac.LogReopener = log.ReopenOnSignal(logger, reopenableFile)
 	}

-	if c.Agent.Experimental.X509SVIDCacheMaxSize < 0 {
+	ac.RetryBootstrap = true
+	if c.Agent.RetryBootstrap != nil {
+		ac.Log.Warn("The 'retry_bootstrap' configuration is deprecated. It will be removed in SPIRE 1.14. Please test without the flag before upgrading.")
+		ac.RetryBootstrap = *c.Agent.RetryBootstrap
+	}
+
+	ac.UseSyncAuthorizedEntries = true
+	if c.Agent.Experimental.UseSyncAuthorizedEntries != nil {
+		ac.Log.Warn("The 'use_sync_authorized_entries' configuration is deprecated. The option to disable it will be removed in SPIRE 1.13.")
+		ac.UseSyncAuthorizedEntries = *c.Agent.Experimental.UseSyncAuthorizedEntries
+	}
+
+	if c.Agent.X509SVIDCacheMaxSize < 0 {
 		return nil, errors.New("x509_svid_cache_max_size should not be negative")
 	}
-	if c.Agent.Experimental.X509SVIDCacheMaxSize > 0 || c.Agent.Experimental.DisableLRUCache {
-		logger.Warn("The `x509_svid_cache_max_size` and `disable_lru_cache` configurations are deprecated. They will be removed in a future release.")
-	}
-	ac.X509SVIDCacheMaxSize = c.Agent.Experimental.X509SVIDCacheMaxSize
+	ac.X509SVIDCacheMaxSize = c.Agent.X509SVIDCacheMaxSize

-	if c.Agent.Experimental.DisableLRUCache && ac.X509SVIDCacheMaxSize != 0 {
-		return nil, errors.New("x509_svid_cache_max_size should not be set when disable_lru_cache is set")
+	if c.Agent.JWTSVIDCacheMaxSize < 0 {
+		return nil, errors.New("jwt_svid_cache_max_size should not be negative")
 	}
-	ac.DisableLRUCache = c.Agent.Experimental.DisableLRUCache
+	ac.JWTSVIDCacheMaxSize = c.Agent.JWTSVIDCacheMaxSize

 	td, err := common_cli.ParseTrustDomain(c.Agent.TrustDomain, logger)
 	if err != nil {
@ -540,11 +482,16 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	}
 	ac.DisableSPIFFECertValidation = c.Agent.SDS.DisableSPIFFECertValidation

-	err = setupTrustBundle(ac, c)
-	if err != nil {
-		return nil, err
+	ts := &trustbundlesources.Config{
+		InsecureBootstrap:     c.Agent.InsecureBootstrap,
+		TrustBundleFormat:     c.Agent.TrustBundleFormat,
+		TrustBundlePath:       c.Agent.TrustBundlePath,
+		TrustBundleURL:        c.Agent.TrustBundleURL,
+		TrustBundleUnixSocket: c.Agent.TrustBundleUnixSocket,
 	}

+	ac.TrustBundleSources = trustbundlesources.New(ts, ac.Log.WithField("Logger", "TrustBundleSources"))
+
 	ac.WorkloadKeyType = workloadkey.ECP256
 	if c.Agent.WorkloadX509SVIDKeyType != "" {
 		ac.WorkloadKeyType, err = workloadkey.KeyTypeFromString(c.Agent.WorkloadX509SVIDKeyType)
@ -595,6 +542,12 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		ac.AvailabilityTarget = t
 	}

+	ac.TLSPolicy = tlspolicy.Policy{
+		RequirePQKEM: c.Agent.Experimental.RequirePQKEM,
+	}
+
+	tlspolicy.LogPolicy(ac.TLSPolicy, log.NewHCLogAdapter(logger, "tlspolicy"))
+
 	if cmp.Diff(experimentalConfig{}, c.Agent.Experimental) != "" {
 		logger.Warn("Experimental features have been enabled. Please see doc/upgrading.md for upgrade and compatibility considerations for experimental features.")
 	}
@ -683,7 +636,7 @@ func defaultConfig() *Config {
 			DataDir:           defaultDataDir,
 			LogLevel:          defaultLogLevel,
 			LogFormat:         log.DefaultFormat,
-			TrustBundleFormat: bundleFormatPEM,
+			TrustBundleFormat: trustbundlesources.BundleFormatPEM,
 			SDS: sdsConfig{
 				DefaultBundleName:           defaultDefaultBundleName,
 				DefaultSVIDName:             defaultDefaultSVIDName,
@ -696,12 +649,3 @@ func defaultConfig() *Config {

 	return c
 }
-
-func loadTrustBundle(path string) ([]byte, error) {
-	bundleBytes, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return bundleBytes, nil
-}
--- a/cmd/spire-agent/cli/run/run_posix_test.go
+++ b/cmd/spire-agent/cli/run/run_posix_test.go
@ -238,7 +238,7 @@ func mergeInputCasesOS() []mergeInputCase {
 			},
 		},
 		{
-			msg:       "socket_path should be configuable by CLI flag",
+			msg:       "socket_path should be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliInput: func(c *agentConfig) {
 				c.SocketPath = "foo"
--- a/cmd/spire-agent/cli/run/run_test.go
+++ b/cmd/spire-agent/cli/run/run_test.go
@ -2,8 +2,6 @@ package run

 import (
 	"io"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path"
 	"path/filepath"
@ -39,119 +37,6 @@ type newAgentConfigCase struct {
 	test               func(*testing.T, *agent.Config)
 }

-func TestDownloadTrustBundle(t *testing.T) {
-	testTB, _ := os.ReadFile(path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt"))
-	testTBSPIFFE := `{
-    "keys": [
-        {
-            "use": "x509-svid",
-            "kty": "EC",
-            "crv": "P-384",
-            "x": "WjB-nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0",
-            "y": "Z-0_tDH_r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs_mcmvPqVK9j",
-            "x5c": [
-                "MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkzMzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZIbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDFD7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc="
-            ]
-        }
-    ]
-}`
-
-	cases := []struct {
-		msg                 string
-		status              int
-		fileContents        string
-		format              string
-		expectDownloadError bool
-		expectParseError    bool
-	}{
-		{
-			msg:                 "if URL is not found, should be an error",
-			status:              http.StatusNotFound,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: true,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if URL returns error 500, should be an error",
-			status:              http.StatusInternalServerError,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: true,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if file is not parseable, should be an error",
-			status:              http.StatusOK,
-			fileContents:        "NON PEM PARSEABLE TEXT HERE",
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is empty, should be an error",
-			status:              http.StatusOK,
-			fileContents:        "",
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is valid, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        string(testTB),
-			format:              bundleFormatPEM,
-			expectDownloadError: false,
-			expectParseError:    false,
-		},
-		{
-			msg:                 "if file is not parseable, format is SPIFFE, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        "[}",
-			format:              bundleFormatSPIFFE,
-			expectDownloadError: false,
-			expectParseError:    true,
-		},
-		{
-			msg:                 "if file is valid, format is SPIFFE, should not be an error",
-			status:              http.StatusOK,
-			fileContents:        testTBSPIFFE,
-			format:              bundleFormatSPIFFE,
-			expectDownloadError: false,
-			expectParseError:    false,
-		},
-	}
-
-	for _, testCase := range cases {
-		testCase := testCase
-
-		t.Run(testCase.msg, func(t *testing.T) {
-			testServer := httptest.NewServer(http.HandlerFunc(
-				func(w http.ResponseWriter, r *http.Request) {
-					w.WriteHeader(testCase.status)
-					_, _ = io.WriteString(w, testCase.fileContents)
-					// if err != nil {
-					// 	return
-					// }
-				}))
-			defer testServer.Close()
-			bundleBytes, err := downloadTrustBundle(testServer.URL)
-			if testCase.expectDownloadError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-
-				_, err := parseTrustBundle(bundleBytes, testCase.format)
-				if testCase.expectParseError {
-					require.Error(t, err)
-				} else {
-					require.NoError(t, err)
-				}
-			}
-		})
-	}
-}
-
 func TestMergeInput(t *testing.T) {
 	cases := []mergeInputCase{
 		{
@ -615,12 +500,20 @@ func TestMergeInput(t *testing.T) {
 				require.Equal(t, "bar", c.Agent.TrustDomain)
 			},
 		},
+		{
+			msg: "require_pq_kem should be configurable by file",
+			fileInput: func(c *Config) {
+				c.Agent.Experimental.RequirePQKEM = true
+			},
+			cliInput: func(c *agentConfig) {},
+			test: func(t *testing.T, c *Config) {
+				require.True(t, c.Agent.Experimental.RequirePQKEM)
+			},
+		},
 	}
 	cases = append(cases, mergeInputCasesOS()...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		fileInput := &Config{Agent: &agentConfig{}}
 		cliInput := &agentConfig{}

@ -673,7 +566,7 @@ func TestNewAgentConfig(t *testing.T) {
 				c.Agent.InsecureBootstrap = false
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.False(t, c.InsecureBootstrap)
+				require.False(t, c.TrustBundleSources.GetInsecureBootstrap())
 			},
 		},
 		{
@ -685,13 +578,14 @@ func TestNewAgentConfig(t *testing.T) {
 				c.Agent.InsecureBootstrap = true
 			},
 			test: func(t *testing.T, c *agent.Config) {
-				require.True(t, c.InsecureBootstrap)
+				require.True(t, c.TrustBundleSources.GetInsecureBootstrap())
 			},
 		},
 		{
 			msg: "retry_bootstrap should be correctly set to false",
 			input: func(c *Config) {
-				c.Agent.RetryBootstrap = false
+				rb := false
+				c.Agent.RetryBootstrap = &rb
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.False(t, c.RetryBootstrap)
@ -700,7 +594,8 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "retry_bootstrap should be correctly set to true",
 			input: func(c *Config) {
-				c.Agent.RetryBootstrap = true
+				rb := true
+				c.Agent.RetryBootstrap = &rb
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.True(t, c.RetryBootstrap)
@ -831,6 +726,51 @@ func TestNewAgentConfig(t *testing.T) {
 				require.Nil(t, c)
 			},
 		},
+		{
+			msg:                "trust_bundle_url must start with http:// when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust bundle URL must start with http://",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "foo.bar"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spiffe- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spiffe-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spiffe-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
+		{
+			msg:                "trust_bundle_url query params can not start with spire- when unix socket",
+			expectError:        true,
+			requireErrorPrefix: "trust_bundle_url query params can not start with spire-",
+			input: func(c *Config) {
+				// remove trust_bundle_path provided by defaultValidConfig()
+				c.Agent.TrustBundlePath = ""
+				c.Agent.TrustBundleURL = "http://localhost/trustbundle?spire-test=foo"
+				c.Agent.TrustBundleUnixSocket = "foo.bar"
+				c.Agent.InsecureBootstrap = false
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Nil(t, c)
+			},
+		},
 		{
 			msg: "workload_key_type is not set",
 			input: func(c *Config) {
@ -900,25 +840,7 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "x509_svid_cache_max_size is set",
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = 100
-			},
-			logOptions: func(t *testing.T) []log.Option {
-				return []log.Option{
-					func(logger *log.Logger) error {
-						logger.SetOutput(io.Discard)
-						hook := test.NewLocal(logger.Logger)
-						t.Cleanup(func() {
-							spiretest.AssertLogsContainEntries(t, hook.AllEntries(), []spiretest.LogEntry{
-								{
-									Level: logrus.WarnLevel,
-									Message: "The `x509_svid_cache_max_size` and `disable_lru_cache` " +
-										"configurations are deprecated. They will be removed in a future release.",
-								},
-							})
-						})
-						return nil
-					},
-				}
+				c.Agent.X509SVIDCacheMaxSize = 100
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.EqualValues(t, 100, c.X509SVIDCacheMaxSize)
@ -935,7 +857,7 @@ func TestNewAgentConfig(t *testing.T) {
 		{
 			msg: "x509_svid_cache_max_size is zero",
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = 0
+				c.Agent.X509SVIDCacheMaxSize = 0
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.EqualValues(t, 0, c.X509SVIDCacheMaxSize)
@ -945,58 +867,12 @@ func TestNewAgentConfig(t *testing.T) {
 			msg:         "x509_svid_cache_max_size is negative",
 			expectError: true,
 			input: func(c *Config) {
-				c.Agent.Experimental.X509SVIDCacheMaxSize = -10
+				c.Agent.X509SVIDCacheMaxSize = -10
 			},
 			test: func(t *testing.T, c *agent.Config) {
 				require.Nil(t, c)
 			},
 		},
-		{
-			msg: "disable_lru_cache is set",
-			input: func(c *Config) {
-				c.Agent.Experimental.DisableLRUCache = true
-			},
-			logOptions: func(t *testing.T) []log.Option {
-				return []log.Option{
-					func(logger *log.Logger) error {
-						logger.SetOutput(io.Discard)
-						hook := test.NewLocal(logger.Logger)
-						t.Cleanup(func() {
-							spiretest.AssertLogsContainEntries(t, hook.AllEntries(), []spiretest.LogEntry{
-								{
-									Level: logrus.WarnLevel,
-									Message: "The `x509_svid_cache_max_size` and `disable_lru_cache` " +
-										"configurations are deprecated. They will be removed in a future release.",
-								},
-							})
-						})
-						return nil
-					},
-				}
-			},
-			test: func(t *testing.T, c *agent.Config) {
-				require.True(t, c.DisableLRUCache)
-			},
-		},
-		{
-			msg:         "both disable_lru_cache and x509_svid_cache_max_size are set",
-			expectError: true,
-			input: func(c *Config) {
-				c.Agent.Experimental.DisableLRUCache = true
-				c.Agent.Experimental.X509SVIDCacheMaxSize = 100
-			},
-			test: func(t *testing.T, c *agent.Config) {
-				require.Nil(t, c)
-			},
-		},
-		{
-			msg: "disable_lru_cache is not set",
-			input: func(c *Config) {
-			},
-			test: func(t *testing.T, c *agent.Config) {
-				require.False(t, c.DisableLRUCache)
-			},
-		},
 		{
 			msg: "allowed_foreign_jwt_claims provided",
 			input: func(c *Config) {
@ -1076,11 +952,26 @@ func TestNewAgentConfig(t *testing.T) {
 				require.Nil(t, c)
 			},
 		},
+
+		{
+			msg:   "require PQ KEM is disabled (default)",
+			input: func(c *Config) {},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Equal(t, false, c.TLSPolicy.RequirePQKEM)
+			},
+		},
+		{
+			msg: "require PQ KEM is enabled",
+			input: func(c *Config) {
+				c.Agent.Experimental.RequirePQKEM = true
+			},
+			test: func(t *testing.T, c *agent.Config) {
+				require.Equal(t, true, c.TLSPolicy.RequirePQKEM)
+			},
+		},
 	}
 	cases = append(cases, newAgentConfigCasesOS(t)...)
 	for _, testCase := range cases {
-		testCase := testCase
-
 		input := defaultValidConfig()

 		testCase.input(input)
@ -1243,8 +1134,6 @@ func TestWarnOnUnknownConfig(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
-
 		c, err := ParseFile(filepath.Join(testFileDir, testCase.confFile), false)
 		require.NoError(t, err)

--- a/cmd/spire-agent/cli/run/run_windows_test.go
+++ b/cmd/spire-agent/cli/run/run_windows_test.go
@ -224,7 +224,7 @@ func mergeInputCasesOS() []mergeInputCase {
 			},
 		},
 		{
-			msg:       "named_pipe_name should be configuable by CLI flag",
+			msg:       "named_pipe_name should be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliInput: func(c *agentConfig) {
 				c.Experimental.NamedPipeName = "foo"
--- a/cmd/spire-server/cli/agent/agent_test.go
+++ b/cmd/spire-server/cli/agent/agent_test.go
@ -12,8 +12,8 @@ import (
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/cli/agent"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -92,10 +92,13 @@ func TestBan(t *testing.T) {
 			expectStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
@ -152,10 +155,13 @@ func TestEvict(t *testing.T) {
 			expectedStderr:     "Error: a SPIFFE ID is required\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "server error",
@ -221,9 +227,9 @@ func TestCount(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "Count by expiresBefore: month out of range",
@ -448,9 +454,9 @@ func TestList(t *testing.T) {
 		},
 		{
 			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			args:               []string{clitest.AddrArg, clitest.AddrValue},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:               "List by expiresBefore: month out of range",
@ -740,10 +746,13 @@ func TestShow(t *testing.T) {
 			expectedStderr:     "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 		{
-			name:               "wrong UDS path",
-			args:               []string{common.AddrArg, common.AddrValue},
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-spiffeID", "spiffe://example.org/spire/agent/agent1",
+			},
 			expectedReturnCode: 1,
-			expectedStderr:     common.AddrError,
+			expectedStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:                 "show selectors",
@ -801,7 +810,7 @@ func setupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *agentT
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
-		args:   []string{common.AddrArg, common.GetAddr(addr)},
+		args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
 		server: server,
 		client: client,
 	}
--- a/cmd/spire-server/cli/agent/count.go
+++ b/cmd/spire-server/cli/agent/count.go
@ -27,7 +27,7 @@ type countCommand struct {
 	// Filters agents to those that are banned.
 	banned commoncli.BoolFlag

-	// Filters agents by those expires before.
+	// Filters agents by those that expire before this value.
 	expiresBefore string

 	// Filters agents to those matching the attestation type.
--- a/cmd/spire-server/cli/agent/list.go
+++ b/cmd/spire-server/cli/agent/list.go
@ -28,7 +28,7 @@ type listCommand struct {
 	// Filters agents to those that are banned.
 	banned commoncli.BoolFlag

-	// Filters agents by those expires before.
+	// Filters agents by those that expire before this value.
 	expiresBefore string

 	// Filters agents to those matching the attestation type.
--- a/cmd/spire-server/cli/agent/show.go
+++ b/cmd/spire-server/cli/agent/show.go
@ -17,7 +17,7 @@ import (

 type showCommand struct {
 	env *commoncli.Env
-	// SPIFFE ID of the agent being showed
+	// SPIFFE ID of the agent being shown
 	spiffeID string
 	printer  cliprinter.Printer
 }
--- a/cmd/spire-server/cli/authoritycommon/authoritycommon.go
+++ b/cmd/spire-server/cli/authoritycommon/authoritycommon.go
@ -1,170 +1,31 @@
-package authoritycommon_test
+package authoritycommon

 import (
-	"bytes"
-	"context"
-	"testing"
+	"time"

-	"github.com/mitchellh/cli"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
-	"github.com/spiffe/spire/test/spiretest"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
 )

-var (
-	AvailableFormats = []string{"pretty", "json"}
-)
-
-type localAuthorityTest struct {
-	Stdin  *bytes.Buffer
-	Stdout *bytes.Buffer
-	Stderr *bytes.Buffer
-	Args   []string
-	Server *fakeLocalAuthorityServer
-	Client cli.Command
+func PrettyPrintJWTAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, false)
 }

-func (s *localAuthorityTest) afterTest(t *testing.T) {
-	t.Logf("TEST:%s", t.Name())
-	t.Logf("STDOUT:\n%s", s.Stdout.String())
-	t.Logf("STDIN:\n%s", s.Stdin.String())
-	t.Logf("STDERR:\n%s", s.Stderr.String())
+func PrettyPrintX509AuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, true)
 }

-func SetupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *localAuthorityTest {
-	server := &fakeLocalAuthorityServer{}
-
-	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
-		localauthorityv1.RegisterLocalAuthorityServer(s, server)
-	})
-
-	stdin := new(bytes.Buffer)
-	stdout := new(bytes.Buffer)
-	stderr := new(bytes.Buffer)
-
-	client := newClient(&commoncli.Env{
-		Stdin:  stdin,
-		Stdout: stdout,
-		Stderr: stderr,
-	})
-
-	test := &localAuthorityTest{
-		Stdin:  stdin,
-		Stdout: stdout,
-		Stderr: stderr,
-		Args:   []string{common.AddrArg, common.GetAddr(addr)},
-		Server: server,
-		Client: client,
+func prettyPrintAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState, includeUpstreamAuthority bool) {
+	env.Printf("  Authority ID: %s\n", authorityState.AuthorityId)
+	env.Printf("  Expires at: %s\n", time.Unix(authorityState.ExpiresAt, 0).UTC())
+	if !includeUpstreamAuthority {
+		return
 	}

-	t.Cleanup(func() {
-		test.afterTest(t)
-	})
-
-	return test
-}
-
-type fakeLocalAuthorityServer struct {
-	localauthorityv1.UnsafeLocalAuthorityServer
-
-	ActiveJWT,
-	PreparedJWT,
-	OldJWT,
-	ActiveX509,
-	PreparedX509,
-	OldX509,
-	TaintedX509,
-	RevokedX509,
-	TaintedJWT,
-	RevokedJWT *localauthorityv1.AuthorityState
-
-	Err error
-}
-
-func (s *fakeLocalAuthorityServer) GetJWTAuthorityState(context.Context, *localauthorityv1.GetJWTAuthorityStateRequest) (*localauthorityv1.GetJWTAuthorityStateResponse, error) {
-	return &localauthorityv1.GetJWTAuthorityStateResponse{
-		Active:   s.ActiveJWT,
-		Prepared: s.PreparedJWT,
-		Old:      s.OldJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) PrepareJWTAuthority(context.Context, *localauthorityv1.PrepareJWTAuthorityRequest) (*localauthorityv1.PrepareJWTAuthorityResponse, error) {
-	return &localauthorityv1.PrepareJWTAuthorityResponse{
-		PreparedAuthority: s.PreparedJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) ActivateJWTAuthority(context.Context, *localauthorityv1.ActivateJWTAuthorityRequest) (*localauthorityv1.ActivateJWTAuthorityResponse, error) {
-	return &localauthorityv1.ActivateJWTAuthorityResponse{
-		ActivatedAuthority: s.ActiveJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) TaintJWTAuthority(context.Context, *localauthorityv1.TaintJWTAuthorityRequest) (*localauthorityv1.TaintJWTAuthorityResponse, error) {
-	return &localauthorityv1.TaintJWTAuthorityResponse{
-		TaintedAuthority: s.TaintedJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) RevokeJWTAuthority(context.Context, *localauthorityv1.RevokeJWTAuthorityRequest) (*localauthorityv1.RevokeJWTAuthorityResponse, error) {
-	return &localauthorityv1.RevokeJWTAuthorityResponse{
-		RevokedAuthority: s.RevokedJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) GetX509AuthorityState(context.Context, *localauthorityv1.GetX509AuthorityStateRequest) (*localauthorityv1.GetX509AuthorityStateResponse, error) {
-	return &localauthorityv1.GetX509AuthorityStateResponse{
-		Active:   s.ActiveX509,
-		Prepared: s.PreparedX509,
-		Old:      s.OldX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) PrepareX509Authority(context.Context, *localauthorityv1.PrepareX509AuthorityRequest) (*localauthorityv1.PrepareX509AuthorityResponse, error) {
-	return &localauthorityv1.PrepareX509AuthorityResponse{
-		PreparedAuthority: s.PreparedX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) ActivateX509Authority(context.Context, *localauthorityv1.ActivateX509AuthorityRequest) (*localauthorityv1.ActivateX509AuthorityResponse, error) {
-	return &localauthorityv1.ActivateX509AuthorityResponse{
-		ActivatedAuthority: s.ActiveX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) TaintX509Authority(context.Context, *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) {
-	return &localauthorityv1.TaintX509AuthorityResponse{
-		TaintedAuthority: s.TaintedX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) TaintX509UpstreamAuthority(context.Context, *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) {
-	return &localauthorityv1.TaintX509UpstreamAuthorityResponse{}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) RevokeX509Authority(context.Context, *localauthorityv1.RevokeX509AuthorityRequest) (*localauthorityv1.RevokeX509AuthorityResponse, error) {
-	return &localauthorityv1.RevokeX509AuthorityResponse{
-		RevokedAuthority: s.RevokedX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) RevokeX509UpstreamAuthority(context.Context, *localauthorityv1.RevokeX509UpstreamAuthorityRequest) (*localauthorityv1.RevokeX509UpstreamAuthorityResponse, error) {
-	return &localauthorityv1.RevokeX509UpstreamAuthorityResponse{}, s.Err
-}
-
-func RequireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
-	switch format {
-	case "pretty":
-		require.Contains(t, stdoutString, expectedStdoutPretty)
-	case "json":
-		if expectedStdoutJSON != "" {
-			require.JSONEq(t, expectedStdoutJSON, stdoutString)
-		} else {
-			require.Empty(t, stdoutString)
-		}
+	if authorityState.UpstreamAuthoritySubjectKeyId != "" {
+		env.Printf("  Upstream authority Subject Key ID: %s\n", authorityState.UpstreamAuthoritySubjectKeyId)
+		return
 	}
+
+	env.Println("  Upstream authority ID: No upstream authority")
 }
--- a/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
+++ b/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
@ -0,0 +1,174 @@
+package authoritycommontest
+
+import (
+	"bytes"
+	"context"
+	"testing"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/spiffe/spire/test/spiretest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+)
+
+var AvailableFormats = []string{"pretty", "json"}
+
+type localAuthorityTest struct {
+	Stdin  *bytes.Buffer
+	Stdout *bytes.Buffer
+	Stderr *bytes.Buffer
+	Args   []string
+	Server *fakeLocalAuthorityServer
+	Client cli.Command
+}
+
+func (s *localAuthorityTest) afterTest(t *testing.T) {
+	t.Logf("TEST:%s", t.Name())
+	t.Logf("STDOUT:\n%s", s.Stdout.String())
+	t.Logf("STDIN:\n%s", s.Stdin.String())
+	t.Logf("STDERR:\n%s", s.Stderr.String())
+}
+
+func SetupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *localAuthorityTest {
+	server := &fakeLocalAuthorityServer{}
+
+	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
+		localauthorityv1.RegisterLocalAuthorityServer(s, server)
+	})
+
+	stdin := new(bytes.Buffer)
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+
+	client := newClient(&commoncli.Env{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+	})
+
+	test := &localAuthorityTest{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+		Args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
+		Server: server,
+		Client: client,
+	}
+
+	t.Cleanup(func() {
+		test.afterTest(t)
+	})
+
+	return test
+}
+
+type fakeLocalAuthorityServer struct {
+	localauthorityv1.UnsafeLocalAuthorityServer
+
+	ActiveJWT,
+	PreparedJWT,
+	OldJWT,
+	ActiveX509,
+	PreparedX509,
+	OldX509,
+	TaintedX509,
+	RevokedX509,
+	TaintedJWT,
+	RevokedJWT *localauthorityv1.AuthorityState
+
+	TaintedUpstreamAuthoritySubjectKeyId,
+	RevokedUpstreamAuthoritySubjectKeyId string
+	Err error
+}
+
+func (s *fakeLocalAuthorityServer) GetJWTAuthorityState(context.Context, *localauthorityv1.GetJWTAuthorityStateRequest) (*localauthorityv1.GetJWTAuthorityStateResponse, error) {
+	return &localauthorityv1.GetJWTAuthorityStateResponse{
+		Active:   s.ActiveJWT,
+		Prepared: s.PreparedJWT,
+		Old:      s.OldJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareJWTAuthority(context.Context, *localauthorityv1.PrepareJWTAuthorityRequest) (*localauthorityv1.PrepareJWTAuthorityResponse, error) {
+	return &localauthorityv1.PrepareJWTAuthorityResponse{
+		PreparedAuthority: s.PreparedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateJWTAuthority(context.Context, *localauthorityv1.ActivateJWTAuthorityRequest) (*localauthorityv1.ActivateJWTAuthorityResponse, error) {
+	return &localauthorityv1.ActivateJWTAuthorityResponse{
+		ActivatedAuthority: s.ActiveJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintJWTAuthority(context.Context, *localauthorityv1.TaintJWTAuthorityRequest) (*localauthorityv1.TaintJWTAuthorityResponse, error) {
+	return &localauthorityv1.TaintJWTAuthorityResponse{
+		TaintedAuthority: s.TaintedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeJWTAuthority(context.Context, *localauthorityv1.RevokeJWTAuthorityRequest) (*localauthorityv1.RevokeJWTAuthorityResponse, error) {
+	return &localauthorityv1.RevokeJWTAuthorityResponse{
+		RevokedAuthority: s.RevokedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) GetX509AuthorityState(context.Context, *localauthorityv1.GetX509AuthorityStateRequest) (*localauthorityv1.GetX509AuthorityStateResponse, error) {
+	return &localauthorityv1.GetX509AuthorityStateResponse{
+		Active:   s.ActiveX509,
+		Prepared: s.PreparedX509,
+		Old:      s.OldX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareX509Authority(context.Context, *localauthorityv1.PrepareX509AuthorityRequest) (*localauthorityv1.PrepareX509AuthorityResponse, error) {
+	return &localauthorityv1.PrepareX509AuthorityResponse{
+		PreparedAuthority: s.PreparedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateX509Authority(context.Context, *localauthorityv1.ActivateX509AuthorityRequest) (*localauthorityv1.ActivateX509AuthorityResponse, error) {
+	return &localauthorityv1.ActivateX509AuthorityResponse{
+		ActivatedAuthority: s.ActiveX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509Authority(context.Context, *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) {
+	return &localauthorityv1.TaintX509AuthorityResponse{
+		TaintedAuthority: s.TaintedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509UpstreamAuthority(context.Context, *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.TaintX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.TaintedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509Authority(context.Context, *localauthorityv1.RevokeX509AuthorityRequest) (*localauthorityv1.RevokeX509AuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509AuthorityResponse{
+		RevokedAuthority: s.RevokedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509UpstreamAuthority(context.Context, *localauthorityv1.RevokeX509UpstreamAuthorityRequest) (*localauthorityv1.RevokeX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.RevokedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func RequireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
+	switch format {
+	case "pretty":
+		require.Contains(t, stdoutString, expectedStdoutPretty)
+	case "json":
+		if expectedStdoutJSON != "" {
+			require.JSONEq(t, expectedStdoutJSON, stdoutString)
+		} else {
+			require.Empty(t, stdoutString)
+		}
+	}
+}
--- a/cmd/spire-server/cli/bundle/common.go
+++ b/cmd/spire-server/cli/bundle/common.go
@ -2,7 +2,6 @@ package bundle

 import (
 	"bytes"
-	"crypto"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@ -17,7 +16,7 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	"github.com/zeebo/errs"
+	"github.com/spiffe/spire/pkg/common/jwtutil"
 )

 const (
@ -78,7 +77,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {

 	docBytes, err := b.Marshal()
 	if err != nil {
-		return errs.Wrap(err)
+		return err
 	}

 	var o bytes.Buffer
@ -86,11 +85,8 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 		return err
 	}

-	if _, err := fmt.Fprintln(out, o.String()); err != nil {
-		return errs.Wrap(err)
-	}
-
-	return nil
+	_, err = fmt.Fprintln(out, o.String())
+	return err
 }

 // bundleFromProto converts a bundle from the given *types.Bundle to *spiffebundle.Bundle
@ -103,7 +99,7 @@ func bundleFromProto(bundleProto *types.Bundle) (*spiffebundle.Bundle, error) {
 	if err != nil {
 		return nil, err
 	}
-	jwtAuthorities, err := jwtKeysFromProto(bundleProto.JwtAuthorities)
+	jwtAuthorities, err := jwtutil.JWTKeysFromProto(bundleProto.JwtAuthorities)
 	if err != nil {
 		return nil, err
 	}
@ -132,20 +128,6 @@ func x509CertificatesFromProto(proto []*types.X509Certificate) ([]*x509.Certific
 	return certs, nil
 }

-// jwtKeysFromProto converts JWT keys from the given []*types.JWTKey to map[string]crypto.PublicKey.
-// The key ID of the public key is used as the key in the returned map.
-func jwtKeysFromProto(proto []*types.JWTKey) (map[string]crypto.PublicKey, error) {
-	keys := make(map[string]crypto.PublicKey)
-	for i, publicKey := range proto {
-		jwtSigningKey, err := x509.ParsePKIXPublicKey(publicKey.PublicKey)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse JWT signing key %d: %w", i, err)
-		}
-		keys[publicKey.KeyId] = jwtSigningKey
-	}
-	return keys, nil
-}
-
 func printBundleWithFormat(out io.Writer, bundle *types.Bundle, format string, header bool) error {
 	if bundle == nil {
 		return errors.New("no bundle provided")
--- a/cmd/spire-server/cli/bundle/common_test.go
+++ b/cmd/spire-server/cli/bundle/common_test.go
@ -9,9 +9,9 @@ import (
 	"github.com/mitchellh/cli"
 	bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -203,7 +203,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *bundl
 		cert1:    cert1,
 		cert2:    cert2,
 		key1Pkix: key1Pkix,
-		addr:     common.GetAddr(addr),
+		addr:     clitest.GetAddr(addr),
 		stdin:    stdin,
 		stdout:   stdout,
 		stderr:   stderr,
@ -241,7 +241,7 @@ func (s *bundleTest) afterTest(t *testing.T) {
 }

 func (s *bundleTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, s.addr}, extra...)
+	return append([]string{clitest.AddrArg, s.addr}, extra...)
 }

 type fakeBundleServer struct {
--- a/cmd/spire-server/cli/cli.go
+++ b/cmd/spire-server/cli/cli.go
@ -3,8 +3,6 @@ package cli
 import (
 	"context"
 	stdlog "log"
-	"os"
-	"strings"

 	"github.com/mitchellh/cli"
 	"github.com/spiffe/spire/cmd/spire-server/cli/agent"
@ -18,9 +16,9 @@ import (
 	"github.com/spiffe/spire/cmd/spire-server/cli/logger"
 	"github.com/spiffe/spire/cmd/spire-server/cli/run"
 	"github.com/spiffe/spire/cmd/spire-server/cli/token"
+	"github.com/spiffe/spire/cmd/spire-server/cli/upstreamauthority"
 	"github.com/spiffe/spire/cmd/spire-server/cli/validate"
 	"github.com/spiffe/spire/cmd/spire-server/cli/x509"
-	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/log"
 	"github.com/spiffe/spire/pkg/common/version"
 )
@ -129,45 +127,47 @@ func (cc *CLI) Run(ctx context.Context, args []string) int {
 		"validate": func() (cli.Command, error) {
 			return validate.NewValidateCommand(), nil
 		},
+		"localauthority x509 show": func() (cli.Command, error) {
+			return localauthority_x509.NewX509ShowCommand(), nil
+		},
+		"localauthority x509 prepare": func() (cli.Command, error) {
+			return localauthority_x509.NewX509PrepareCommand(), nil
+		},
+		"localauthority x509 activate": func() (cli.Command, error) {
+			return localauthority_x509.NewX509ActivateCommand(), nil
+		},
+		"localauthority x509 taint": func() (cli.Command, error) {
+			return localauthority_x509.NewX509TaintCommand(), nil
+		},
+		"localauthority x509 revoke": func() (cli.Command, error) {
+			return localauthority_x509.NewX509RevokeCommand(), nil
+		},
+		"localauthority jwt show": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTShowCommand(), nil
+		},
+		"localauthority jwt prepare": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTPrepareCommand(), nil
+		},
+		"localauthority jwt activate": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTActivateCommand(), nil
+		},
+		"localauthority jwt taint": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTTaintCommand(), nil
+		},
+		"localauthority jwt revoke": func() (cli.Command, error) {
+			return localauthority_jwt.NewJWTRevokeCommand(), nil
+		},
+		"upstreamauthority taint": func() (cli.Command, error) {
+			return upstreamauthority.NewTaintCommand(), nil
+		},
+		"upstreamauthority revoke": func() (cli.Command, error) {
+			return upstreamauthority.NewRevokeCommand(), nil
+		},
 	}

-	// TODO: Remove this when the forced_rotation feature flag is no longer
-	// needed. Refer to https://github.com/spiffe/spire/issues/5398.
-	addCommandsEnabledByFFlags(c.Commands)
-
 	exitStatus, err := c.Run()
 	if err != nil {
 		stdlog.Println(err)
 	}
 	return exitStatus
 }
-
-// addCommandsEnabledByFFlags adds commands that are currently available only
-// through a feature flag.
-// Feature flags support through the fflag package in SPIRE Server is
-// designed to work only with the run command and the config file.
-// Since feature flags are intended to be used by developers of a specific
-// feature only, exposing them through command line arguments is not
-// convenient. Instead, we use the SPIRE_SERVER_FFLAGS environment variable
-// to read the configured SPIRE Server feature flags from the environment
-// when other commands may be enabled through feature flags.
-func addCommandsEnabledByFFlags(commands map[string]cli.CommandFactory) {
-	fflagsEnv := os.Getenv("SPIRE_SERVER_FFLAGS")
-	fflags := strings.Split(fflagsEnv, " ")
-	flagForcedRotationFound := false
-	for _, ff := range fflags {
-		if ff == string(fflag.FlagForcedRotation) {
-			flagForcedRotationFound = true
-			break
-		}
-	}
-
-	if flagForcedRotationFound {
-		commands["localauthority x509 show"] = func() (cli.Command, error) {
-			return localauthority_x509.NewX509ShowCommand(), nil
-		}
-		commands["localauthority jwt show"] = func() (cli.Command, error) {
-			return localauthority_jwt.NewJWTShowCommand(), nil
-		}
-	}
-}
--- a/cmd/spire-server/cli/common/common_windows.go
+++ b/cmd/spire-server/cli/common/common_windows.go
@ -1,25 +0,0 @@
-//go:build windows
-
-package common
-
-import (
-	"net"
-
-	"github.com/spiffe/spire/pkg/common/namedpipe"
-)
-
-var (
-	AddrArg         = "-namedPipeName"
-	AddrError       = "Error: connection error: desc = \"transport: error while dialing: open \\\\\\\\.\\\\pipe\\\\does-not-exist: The system cannot find the file specified.\"\n"
-	AddrOutputUsage = `
-  -namedPipeName string
-    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
-  -output value
-    	Desired output format (pretty, json); default: pretty.
-`
-	AddrValue = "\\does-not-exist"
-)
-
-func GetAddr(addr net.Addr) string {
-	return namedpipe.GetPipeName(addr.String())
-}
--- a/cmd/spire-server/cli/entry/count.go
+++ b/cmd/spire-server/cli/entry/count.go
@ -31,7 +31,7 @@ type countCommand struct {
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the entry is for a downstream SPIRE server
+	// Whether the entry is for a downstream SPIRE server
 	downstream bool

 	// Match used when filtering by federates with
--- a/cmd/spire-server/cli/entry/create.go
+++ b/cmd/spire-server/cli/entry/create.go
@ -4,14 +4,16 @@ import (
 	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/idutil"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -21,7 +23,7 @@ func NewCreateCommand() cli.Command {
 }

 func newCreateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &createCommand{env: env})
+	return serverutil.AdaptCommand(env, &createCommand{env: env})
 }

 type createCommand struct {
@ -45,11 +47,6 @@ type createCommand struct {
 	// Entry hint, used to disambiguate entries with the same SPIFFE ID
 	hint string

-	// TTL for x509 and JWT SVIDs issued to this workload, unless type specific TTLs are set.
-	// This field is deprecated in favor of the x509SVIDTTL and jwtSVIDTTL fields and will be
-	// removed in a future release.
-	ttl int
-
 	// TTL for x509 SVIDs issued to this workload
 	x509SVIDTTL int

@ -59,13 +56,13 @@ type createCommand struct {
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the registration entry is for an "admin" workload
+	// whether the registration entry is for an "admin" workload
 	admin bool

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

-	// Whether or not the entry represents a node or group of nodes
+	// whether the entry represents a node or group of nodes
 	node bool

 	// Expiry of entry
@ -94,9 +91,8 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	f.StringVar(&c.entryID, "entryID", "", "A custom ID for this registration entry (optional). If not set, a new entry ID will be generated")
 	f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 	f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
-	f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version")
-	f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag")
-	f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag")
+	f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+	f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 	f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 	f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 	f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@ -110,7 +106,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate)
 }

-func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -158,10 +154,6 @@ func (c *createCommand) validate() (err error) {
 		return errors.New("a SPIFFE ID is required")
 	}

-	if c.ttl < 0 {
-		return errors.New("a positive TTL is required")
-	}
-
 	if c.x509SVIDTTL < 0 {
 		return errors.New("a positive x509-SVID TTL is required")
 	}
@ -170,10 +162,6 @@ func (c *createCommand) validate() (err error) {
 		return errors.New("a positive JWT-SVID TTL is required")
 	}

-	if c.ttl > 0 && (c.x509SVIDTTL > 0 || c.jwtSVIDTTL > 0) {
-		return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag")
-	}
-
 	return nil
 }

@ -189,6 +177,16 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSVIDTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
 		Id:          c.entryID,
 		ParentId:    parentID,
@ -197,26 +195,14 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 		ExpiresAt:   c.entryExpiry,
 		DnsNames:    c.dnsNames,
 		StoreSvid:   c.storeSVID,
-		X509SvidTtl: int32(c.x509SVIDTTL),
-		JwtSvidTtl:  int32(c.jwtSVIDTTL),
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
 		Hint:        c.hint,
 	}

-	// c.ttl is deprecated but usable if the new c.x509Svid field is not used.
-	// c.ttl should not be used to set the jwtSVIDTTL value because the previous
-	// behavior was to have a hard-coded 5 minute JWT TTL no matter what the value
-	// of ttl was set to.
-	// validate(...) ensures that either the new fields or the deprecated field is
-	// used, but never a mixture.
-	//
-	// https://github.com/spiffe/spire/issues/2700
-	if e.X509SvidTtl == 0 {
-		e.X509SvidTtl = int32(c.ttl)
-	}
-
 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -280,7 +266,7 @@ func prettyPrintCreate(env *commoncli.Env, results ...any) error {

 	for _, r := range failed {
 		env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printEntry(r.Entry, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/entry/create_test.go
+++ b/cmd/spire-server/cli/entry/create_test.go
@ -54,7 +54,7 @@ func TestCreate(t *testing.T) {
 		},
 	}

-	fakeRespOKFromCmd2 := &entryv1.BatchCreateEntryResponse{
+	fakeRespOKFromCmdWithoutJwtTtl := &entryv1.BatchCreateEntryResponse{
 		Results: []*entryv1.BatchCreateEntryResponse_Result{
 			{
 				Entry: &types.Entry{
@ -186,28 +186,16 @@ func TestCreate(t *testing.T) {
 			expErrJSON:   "Error: selector \"unix\" must be formatted as type:value\n",
 		},
 		{
-			name:         "Negative TTL",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"},
-			expErrPretty: "Error: a positive TTL is required\n",
-			expErrJSON:   "Error: a positive TTL is required\n",
+			name:         "Negative X509SvidTtl",
+			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-x509SVIDTTL", "-10"},
+			expErrPretty: "Error: a positive x509-SVID TTL is required\n",
+			expErrJSON:   "Error: a positive x509-SVID TTL is required\n",
 		},
 		{
-			name:         "Invalid TTL and X509SvidTtl",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and JwtSvidTtl",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and both X509SvidTtl and JwtSvidTtl",
-			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
+			name:         "Negative jwtSVIDTTL",
+			args:         []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-jwtSVIDTTL", "-10"},
+			expErrPretty: "Error: a positive JWT-SVID TTL is required\n",
+			expErrJSON:   "Error: a positive JWT-SVID TTL is required\n",
 		},
 		{
 			name:         "Federated node entries",
@ -346,7 +334,7 @@ StoreSvid        : true
 				"-parentID", "spiffe://example.org/parent",
 				"-selector", "zebra:zebra:2000",
 				"-selector", "alpha:alpha:2000",
-				"-ttl", "60",
+				"-x509SVIDTTL", "60",
 				"-federatesWith", "spiffe://domaina.test",
 				"-federatesWith", "spiffe://domainb.test",
 				"-admin",
@ -376,111 +364,7 @@ StoreSvid        : true
 					},
 				},
 			},
-			fakeResp: fakeRespOKFromCmd2,
-			expOutPretty: fmt.Sprintf(`Entry ID         : entry-id
-SPIFFE ID        : spiffe://example.org/workload
-Parent ID        : spiffe://example.org/parent
-Revision         : 0
-Downstream       : true
-X509-SVID TTL    : 60
-JWT-SVID TTL     : default
-Expiration time  : %s
-Selector         : zebra:zebra:2000
-Selector         : alpha:alpha:2000
-FederatesWith    : spiffe://domaina.test
-FederatesWith    : spiffe://domainb.test
-DNS name         : unu1000
-DNS name         : ung1000
-Admin            : true
-StoreSvid        : true
-
-`, time.Unix(1552410266, 0).UTC()),
-			expOutJSON: `{
-  "results": [
-    {
-      "status": {
-        "code": 0,
-        "message": "OK"
-      },
-      "entry": {
-        "id": "entry-id",
-        "spiffe_id": {
-          "trust_domain": "example.org",
-          "path": "/workload"
-        },
-        "parent_id": {
-          "trust_domain": "example.org",
-          "path": "/parent"
-        },
-        "selectors": [
-          {
-            "type": "zebra",
-            "value": "zebra:2000"
-          },
-          {
-            "type": "alpha",
-            "value": "alpha:2000"
-          }
-        ],
-        "x509_svid_ttl": 60,
-        "federates_with": [
-          "spiffe://domaina.test",
-          "spiffe://domainb.test"
-        ],
-        "hint": "",
-        "admin": true,
-        "created_at": "1547583197",
-        "downstream": true,
-        "expires_at": "1552410266",
-        "dns_names": [
-          "unu1000",
-          "ung1000"
-        ],
-        "revision_number": "0",
-        "store_svid": true,
-        "jwt_svid_ttl": 0
-      }
-    }
-  ]
-}`,
-		},
-		{
-			name: "Create succeeds using deprecated command line arguments",
-			args: []string{
-				"-spiffeID", "spiffe://example.org/workload",
-				"-parentID", "spiffe://example.org/parent",
-				"-selector", "zebra:zebra:2000",
-				"-selector", "alpha:alpha:2000",
-				"-ttl", "60",
-				"-federatesWith", "spiffe://domaina.test",
-				"-federatesWith", "spiffe://domainb.test",
-				"-admin",
-				"-entryExpiry", "1552410266",
-				"-dns", "unu1000",
-				"-dns", "ung1000",
-				"-downstream",
-				"-storeSVID",
-			},
-			expReq: &entryv1.BatchCreateEntryRequest{
-				Entries: []*types.Entry{
-					{
-						SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
-						ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
-						Selectors: []*types.Selector{
-							{Type: "zebra", Value: "zebra:2000"},
-							{Type: "alpha", Value: "alpha:2000"},
-						},
-						X509SvidTtl:   60,
-						FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
-						Admin:         true,
-						ExpiresAt:     1552410266,
-						DnsNames:      []string{"unu1000", "ung1000"},
-						Downstream:    true,
-						StoreSvid:     true,
-					},
-				},
-			},
-			fakeResp: fakeRespOKFromCmd2,
+			fakeResp: fakeRespOKFromCmdWithoutJwtTtl,
 			expOutPretty: fmt.Sprintf(`Entry ID         : entry-id
 SPIFFE ID        : spiffe://example.org/workload
 Parent ID        : spiffe://example.org/parent
--- a/cmd/spire-server/cli/entry/delete.go
+++ b/cmd/spire-server/cli/entry/delete.go
@ -10,9 +10,10 @@ import (

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -22,7 +23,7 @@ func NewDeleteCommand() cli.Command {
 }

 func newDeleteCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &deleteCommand{env: env})
+	return serverutil.AdaptCommand(env, &deleteCommand{env: env})
 }

 type deleteCommand struct {
@ -70,7 +71,7 @@ func parseEntryDeleteJSON(path string) ([]string, error) {
 	return batchDeleteEntryRequest.Ids, nil
 }

-func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -135,7 +136,7 @@ func (c *deleteCommand) prettyPrintDelete(env *commoncli.Env, results ...any) er
 	for _, result := range failed {
 		env.ErrPrintf("Failed to delete entry with ID %s (code: %s, msg: %q)\n",
 			result.Id,
-			codes.Code(result.Status.Code),
+			util.MustCast[codes.Code](result.Status.Code),
 			result.Status.Message)
 	}

--- a/cmd/spire-server/cli/entry/show.go
+++ b/cmd/spire-server/cli/entry/show.go
@ -47,7 +47,7 @@ type showCommand struct {
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

 	// Match used when filtering by federates with
--- a/cmd/spire-server/cli/entry/show_test.go
+++ b/cmd/spire-server/cli/entry/show_test.go
@ -445,7 +445,7 @@ func getEntries(count int) []*types.Entry {
 	}

 	e := []*types.Entry{}
-	for i := 0; i < count; i++ {
+	for i := range count {
 		e = append(e, entries[i])
 	}

--- a/cmd/spire-server/cli/entry/update.go
+++ b/cmd/spire-server/cli/entry/update.go
@ -4,13 +4,15 @@ import (
 	"context"
 	"errors"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -20,7 +22,7 @@ func NewUpdateCommand() cli.Command {
 }

 func newUpdateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &updateCommand{env: env})
+	return serverutil.AdaptCommand(env, &updateCommand{env: env})
 }

 type updateCommand struct {
@ -41,12 +43,9 @@ type updateCommand struct {
 	// Workload spiffeID
 	spiffeID string

-	// Whether or not the entry is for a downstream SPIRE server
+	// whether the entry is for a downstream SPIRE server
 	downstream bool

-	// TTL for certificates issued to this workload
-	ttl int
-
 	// TTL for x509 SVIDs issued to this workload
 	x509SvidTTL int

@ -56,7 +55,7 @@ type updateCommand struct {
 	// List of SPIFFE IDs of trust domains the registration entry is federated with
 	federatesWith StringsFlag

-	// Whether or not the registration entry is for an "admin" workload
+	// whether the registration entry is for an "admin" workload
 	admin bool

 	// Expiry of entry
@ -88,9 +87,8 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to update")
 	f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 	f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
-	f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version")
-	f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag")
-	f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag")
+	f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+	f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 	f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 	f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 	f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@ -103,7 +101,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintUpdate)
 }

-func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if err := c.validate(); err != nil {
 		return err
 	}
@ -151,10 +149,6 @@ func (c *updateCommand) validate() (err error) {
 		return errors.New("a SPIFFE ID is required")
 	}

-	if c.ttl < 0 {
-		return errors.New("a positive TTL is required")
-	}
-
 	if c.x509SvidTTL < 0 {
 		return errors.New("a positive x509-SVID TTL is required")
 	}
@ -163,10 +157,6 @@ func (c *updateCommand) validate() (err error) {
 		return errors.New("a positive JWT-SVID TTL is required")
 	}

-	if c.ttl > 0 && (c.x509SvidTTL > 0 || c.jwtSvidTTL > 0) {
-		return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag")
-	}
-
 	return nil
 }

@ -181,6 +171,16 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, err
 	}

+	x509SvidTTL, err := util.CheckedCast[int32](c.x509SvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
+	}
+
+	jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSvidTTL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
+	}
+
 	e := &types.Entry{
 		Id:          c.entryID,
 		ParentId:    parentID,
@ -188,26 +188,14 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		Downstream:  c.downstream,
 		ExpiresAt:   c.entryExpiry,
 		DnsNames:    c.dnsNames,
-		X509SvidTtl: int32(c.x509SvidTTL),
-		JwtSvidTtl:  int32(c.jwtSvidTTL),
+		X509SvidTtl: x509SvidTTL,
+		JwtSvidTtl:  jwtSvidTTL,
 		Hint:        c.hint,
 	}

-	// c.ttl is deprecated but usable if the new c.x509Svid field is not used.
-	// c.ttl should not be used to set the jwtSVIDTTL value because the previous
-	// behavior was to have a hard-coded 5 minute JWT TTL no matter what the value
-	// of ttl was set to.
-	// validate(...) ensures that either the new fields or the deprecated field is
-	// used, but never a mixture.
-	//
-	// https://github.com/spiffe/spire/issues/2700
-	if e.X509SvidTtl == 0 {
-		e.X509SvidTtl = int32(c.ttl)
-	}
-
 	selectors := []*types.Selector{}
 	for _, s := range c.selectors {
-		cs, err := util.ParseSelector(s)
+		cs, err := serverutil.ParseSelector(s)
 		if err != nil {
 			return nil, err
 		}
@ -264,7 +252,7 @@ func prettyPrintUpdate(env *commoncli.Env, results ...any) error {
 	// Print entries that failed to be updated
 	for _, r := range failed {
 		env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printEntry(r.Entry, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/entry/update_test.go
+++ b/cmd/spire-server/cli/entry/update_test.go
@ -321,24 +321,6 @@ func TestUpdate(t *testing.T) {
 		JwtSvidTtl:  300,
 	}

-	entry5 := &types.Entry{
-		Id:       "entry-id",
-		SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
-		ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
-		Selectors: []*types.Selector{
-			{Type: "zebra", Value: "zebra:2000"},
-			{Type: "alpha", Value: "alpha:2000"},
-		},
-		X509SvidTtl:   60,
-		JwtSvidTtl:    0,
-		FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
-		Admin:         true,
-		ExpiresAt:     1552410266,
-		DnsNames:      []string{"unu1000", "ung1000"},
-		Downstream:    true,
-		Hint:          "external",
-	}
-
 	entry2Resp := proto.Clone(entry2).(*types.Entry)
 	entry2Resp.CreatedAt = 1547583197
 	entry3Resp := proto.Clone(entry3).(*types.Entry)
@ -416,30 +398,6 @@ func TestUpdate(t *testing.T) {
 			expErrPretty: "Error: selector \"unix\" must be formatted as type:value\n",
 			expErrJSON:   "Error: selector \"unix\" must be formatted as type:value\n",
 		},
-		{
-			name:         "Negative TTL",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"},
-			expErrPretty: "Error: a positive TTL is required\n",
-			expErrJSON:   "Error: a positive TTL is required\n",
-		},
-		{
-			name:         "Invalid TTL and X509SvidTtl",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and JwtSvidTtl",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
-		{
-			name:         "Invalid TTL and both X509SvidTtl and JwtSvidTtl",
-			args:         []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"},
-			expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-			expErrJSON:   "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
-		},
 		{
 			name: "Server error",
 			args: []string{"-entryID", "entry-id", "-spiffeID", "spiffe://example.org/workload", "-parentID", "spiffe://example.org/parent", "-selector", "unix:uid:1"},
@ -495,58 +453,6 @@ DNS name         : ung1000
 Admin            : true
 Hint             : external

-`, time.Unix(1552410266, 0).UTC()),
-			expOutJSON: fmt.Sprintf(`{
-  "results": [
-    {
-      "status": {
-        "code": 0,
-        "message": "OK"
-      },
-      "entry": %s
-    }
-  ]
-}`, entry0AdminJSON),
-		},
-		{
-			name: "Update succeeds using deprecated command line arguments",
-			args: []string{
-				"-entryID", "entry-id",
-				"-spiffeID", "spiffe://example.org/workload",
-				"-parentID", "spiffe://example.org/parent",
-				"-selector", "zebra:zebra:2000",
-				"-selector", "alpha:alpha:2000",
-				"-ttl", "60",
-				"-federatesWith", "spiffe://domaina.test",
-				"-federatesWith", "spiffe://domainb.test",
-				"-admin",
-				"-entryExpiry", "1552410266",
-				"-dns", "unu1000",
-				"-dns", "ung1000",
-				"-downstream",
-				"-hint", "external",
-			},
-			expReq: &entryv1.BatchUpdateEntryRequest{
-				Entries: []*types.Entry{entry5},
-			},
-			fakeResp: fakeRespOKFromCmd,
-			expOutPretty: fmt.Sprintf(`Entry ID         : entry-id
-SPIFFE ID        : spiffe://example.org/workload
-Parent ID        : spiffe://example.org/parent
-Revision         : 0
-Downstream       : true
-X509-SVID TTL    : 60
-JWT-SVID TTL     : 30
-Expiration time  : %s
-Selector         : zebra:zebra:2000
-Selector         : alpha:alpha:2000
-FederatesWith    : spiffe://domaina.test
-FederatesWith    : spiffe://domainb.test
-DNS name         : unu1000
-DNS name         : ung1000
-Admin            : true
-Hint             : external
-
 `, time.Unix(1552410266, 0).UTC()),
 			expOutJSON: fmt.Sprintf(`{
  "results": [
--- a/cmd/spire-server/cli/entry/util_posix_test.go
+++ b/cmd/spire-server/cli/entry/util_posix_test.go
@ -21,7 +21,7 @@ const (
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -node
    	If set, this entry will be applied to matching nodes rather than workloads
  -output value
@ -36,10 +36,8 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	showUsage = `Usage of entry show:
  -downstream
@ -83,7 +81,7 @@ const (
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -output value
    	Desired output format (pretty, json); default: pretty.
  -parentID string
@ -96,10 +94,8 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	deleteUsage = `Usage of entry delete:
  -entryID string
--- a/cmd/spire-server/cli/entry/util_test.go
+++ b/cmd/spire-server/cli/entry/util_test.go
@ -10,8 +10,8 @@ import (
 	"github.com/mitchellh/cli"
 	entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/util"
 	"github.com/stretchr/testify/assert"
@ -45,7 +45,6 @@ func TestParseEntryJSON(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			p := testCase.testDataPath

@ -155,7 +154,7 @@ func (e *entryTest) afterTest(t *testing.T) {
 }

 func (e *entryTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, e.addr}, extra...)
+	return append([]string{clitest.AddrArg, e.addr}, extra...)
 }

 type fakeEntryServer struct {
@ -242,7 +241,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *entry
 	})

 	test := &entryTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
--- a/cmd/spire-server/cli/entry/util_windows_test.go
+++ b/cmd/spire-server/cli/entry/util_windows_test.go
@ -21,7 +21,7 @@ const (
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
  -node
@ -36,10 +36,8 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	showUsage = `Usage of entry show:
  -downstream
@ -83,7 +81,7 @@ const (
  -hint string
    	The entry hint, used to disambiguate entries with the same SPIFFE ID
  -jwtSVIDTTL int
-    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
  -namedPipeName string
    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
  -output value
@ -96,10 +94,8 @@ const (
    	The SPIFFE ID that this record represents
  -storeSVID
    	A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
-  -ttl int
-    	The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
  -x509SVIDTTL int
-    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+    	The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 	deleteUsage = `Usage of entry delete:
  -entryID string
--- a/cmd/spire-server/cli/federation/common_test.go
+++ b/cmd/spire-server/cli/federation/common_test.go
@ -11,9 +11,9 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/fakes/fakeserverca"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
@ -124,7 +124,7 @@ func (c *cmdTest) afterTest(t *testing.T) {
 }

 func (c *cmdTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, c.addr}, extra...)
+	return append([]string{clitest.AddrArg, c.addr}, extra...)
 }

 type fakeServer struct {
@ -222,7 +222,7 @@ func setupTest(t *testing.T, newClient func(*common_cli.Env) cli.Command) *cmdTe
 	})

 	test := &cmdTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
@ -241,7 +241,7 @@ func createBundle(t *testing.T, trustDomain string) (*types.Bundle, string) {
 	td := spiffeid.RequireTrustDomainFromString(trustDomain)
 	bundlePath := path.Join(t.TempDir(), "bundle.pem")
 	ca := fakeserverca.New(t, td, &fakeserverca.Options{})
-	require.NoError(t, os.WriteFile(bundlePath, pemutil.EncodeCertificates(ca.Bundle()), 0600))
+	require.NoError(t, os.WriteFile(bundlePath, pemutil.EncodeCertificates(ca.Bundle()), 0o600))

 	return &types.Bundle{
 		TrustDomain: td.Name(),
@ -253,13 +253,13 @@ func createBundle(t *testing.T, trustDomain string) (*types.Bundle, string) {

 func createCorruptedBundle(t *testing.T) string {
 	bundlePath := path.Join(t.TempDir(), "bundle.pem")
-	require.NoError(t, os.WriteFile(bundlePath, []byte("corrupted-bundle"), 0600))
+	require.NoError(t, os.WriteFile(bundlePath, []byte("corrupted-bundle"), 0o600))
 	return bundlePath
 }

 func createJSONDataFile(t *testing.T, data string) string {
 	jsonDataFilePath := path.Join(t.TempDir(), "bundle.pem")
-	require.NoError(t, os.WriteFile(jsonDataFilePath, []byte(data), 0600))
+	require.NoError(t, os.WriteFile(jsonDataFilePath, []byte(data), 0o600))
 	return jsonDataFilePath
 }

--- a/cmd/spire-server/cli/federation/create.go
+++ b/cmd/spire-server/cli/federation/create.go
@ -9,9 +9,10 @@ import (
 	"github.com/mitchellh/cli"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -26,7 +27,7 @@ func NewCreateCommand() cli.Command {
 }

 func newCreateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &createCommand{env: env})
+	return serverutil.AdaptCommand(env, &createCommand{env: env})
 }

 type createCommand struct {
@ -52,7 +53,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintCreate)
 }

-func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	federationRelationships, err := getRelationships(c.config, c.path)
 	if err != nil {
 		return err
@ -101,7 +102,7 @@ func (c *createCommand) prettyPrintCreate(env *commoncli.Env, results ...any) er
 	for _, r := range failed {
 		env.Println()
 		env.ErrPrintf("Failed to create the following federation relationship (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/federation/update.go
+++ b/cmd/spire-server/cli/federation/update.go
@ -9,9 +9,10 @@ import (
 	"github.com/mitchellh/cli"
 	trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 	"google.golang.org/grpc/codes"
 )

@ -21,7 +22,7 @@ func NewUpdateCommand() cli.Command {
 }

 func newUpdateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &updateCommand{env: env})
+	return serverutil.AdaptCommand(env, &updateCommand{env: env})
 }

 type updateCommand struct {
@ -47,7 +48,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintUpdate)
 }

-func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	federationRelationships, err := getRelationships(c.config, c.path)
 	if err != nil {
 		return err
@ -97,7 +98,7 @@ func (c *updateCommand) prettyPrintUpdate(env *commoncli.Env, results ...any) er
 	for _, r := range failed {
 		env.Println()
 		env.ErrPrintf("Failed to update the following federation relationship (code: %s, msg: %q):\n",
-			codes.Code(r.Status.Code),
+			util.MustCast[codes.Code](r.Status.Code),
 			r.Status.Message)
 		printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
 	}
--- a/cmd/spire-server/cli/healthcheck/healthcheck_test.go
+++ b/cmd/spire-server/cli/healthcheck/healthcheck_test.go
@ -6,8 +6,8 @@ import (
 	"testing"

 	"github.com/mitchellh/cli"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/suite"
 	"google.golang.org/grpc"
@ -58,24 +58,24 @@ func (s *HealthCheckSuite) TestBadFlags() {
 }

 func (s *HealthCheckSuite) TestFailsIfEndpointDoesNotExist() {
-	code := s.cmd.Run([]string{common.AddrArg, common.AddrValue})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.AddrValue})
 	s.NotEqual(0, code, "exit code")
 	s.Equal("", s.stdout.String(), "stdout")
-	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), common.AddrError)
+	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), "Error: server is unhealthy: unable to determine health\n")
 }

 func (s *HealthCheckSuite) TestFailsIfEndpointDoesNotExistVerbose() {
-	code := s.cmd.Run([]string{common.AddrArg, common.AddrValue, "-verbose"})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.AddrValue, "-verbose"})
 	s.NotEqual(0, code, "exit code")
-	s.Equal("", s.stdout.String(), "stdout")
-	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), common.AddrError)
+	s.Equal("Checking server health...\n", s.stdout.String(), "stdout")
+	spiretest.AssertHasPrefix(s.T(), s.stderr.String(), "Failed to check health: "+clitest.AddrError)
 }

 func (s *HealthCheckSuite) TestSucceedsIfServingStatusServing() {
 	addr := spiretest.StartGRPCServer(s.T(), func(srv *grpc.Server) {
 		grpc_health_v1.RegisterHealthServer(srv, withStatus(grpc_health_v1.HealthCheckResponse_SERVING))
 	})
-	code := s.cmd.Run([]string{common.AddrArg, common.GetAddr(addr)})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.GetAddr(addr)})
 	s.Equal(0, code, "exit code")
 	s.Equal("Server is healthy.\n", s.stdout.String(), "stdout")
 	s.Equal("", s.stderr.String(), "stderr")
@ -85,7 +85,7 @@ func (s *HealthCheckSuite) TestSucceedsIfServingStatusServingVerbose() {
 	addr := spiretest.StartGRPCServer(s.T(), func(srv *grpc.Server) {
 		grpc_health_v1.RegisterHealthServer(srv, withStatus(grpc_health_v1.HealthCheckResponse_SERVING))
 	})
-	code := s.cmd.Run([]string{common.AddrArg, common.GetAddr(addr), "-verbose"})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.GetAddr(addr), "-verbose"})
 	s.Equal(0, code, "exit code")
 	s.Equal(`Checking server health...
 Server is healthy.
@ -97,7 +97,7 @@ func (s *HealthCheckSuite) TestFailsIfServiceStatusOther() {
 	addr := spiretest.StartGRPCServer(s.T(), func(srv *grpc.Server) {
 		grpc_health_v1.RegisterHealthServer(srv, withStatus(grpc_health_v1.HealthCheckResponse_NOT_SERVING))
 	})
-	code := s.cmd.Run([]string{common.AddrArg, common.GetAddr(addr), "-verbose"})
+	code := s.cmd.Run([]string{clitest.AddrArg, clitest.GetAddr(addr), "-verbose"})
 	s.NotEqual(0, code, "exit code")
 	s.Equal(`Checking server health...
 `, s.stdout.String(), "stdout")
--- a/cmd/spire-server/cli/jwt/mint.go
+++ b/cmd/spire-server/cli/jwt/mint.go
@ -12,11 +12,12 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/diskutil"
 	"github.com/spiffe/spire/pkg/common/jwtsvid"
+	"github.com/spiffe/spire/pkg/common/util"
 )

 func NewMintCommand() cli.Command {
@ -24,7 +25,7 @@ func NewMintCommand() cli.Command {
 }

 func newMintCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &mintCommand{env: env})
+	return serverutil.AdaptCommand(env, &mintCommand{env: env})
 }

 type mintCommand struct {
@ -52,7 +53,7 @@ func (c *mintCommand) AppendFlags(fs *flag.FlagSet) {
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintMint)
 }

-func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error {
+func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient serverutil.ServerClient) error {
 	if c.spiffeID == "" {
 		return errors.New("spiffeID must be specified")
 	}
@ -63,6 +64,10 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
 	if err != nil {
 		return err
 	}
+	ttl, err := ttlToSeconds(c.ttl)
+	if err != nil {
+		return fmt.Errorf("invalid value for TTL: %w", err)
+	}

 	client := serverClient.NewSVIDClient()
 	resp, err := client.MintJWTSVID(ctx, &svidv1.MintJWTSVIDRequest{
@ -70,7 +75,7 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
 			TrustDomain: spiffeID.TrustDomain().Name(),
 			Path:        spiffeID.Path(),
 		},
-		Ttl:      ttlToSeconds(c.ttl),
+		Ttl:      ttl,
 		Audience: c.audience,
 	})
 	if err != nil {
@ -132,8 +137,8 @@ func getJWTSVIDEndOfLife(token string) (time.Time, error) {

 // ttlToSeconds returns the number of seconds in a duration, rounded up to
 // the nearest second
-func ttlToSeconds(ttl time.Duration) int32 {
-	return int32((ttl + time.Second - 1) / time.Second)
+func ttlToSeconds(ttl time.Duration) (int32, error) {
+	return util.CheckedCast[int32]((ttl + time.Second - 1) / time.Second)
 }

 func prettyPrintMint(env *commoncli.Env, results ...any) error {
--- a/cmd/spire-server/cli/jwt/mint_test.go
+++ b/cmd/spire-server/cli/jwt/mint_test.go
@ -16,9 +16,9 @@ import (
 	"github.com/go-jose/go-jose/v4/jwt"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/pemutil"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -35,7 +35,7 @@ qNV3lKIL59N7G2B4ojbhfSNneSIIpP448uPxUnaunaQZ+/m7+x9oobIp
 	availableFormats = []string{"pretty", "json"}
 	expectedUsage    = `Usage of jwt mint:
  -audience value
-    	Audience claim that will be included in the SVID. Can be used more than once.` + common.AddrOutputUsage +
+    	Audience claim that will be included in the SVID. Can be used more than once.` + clitest.AddrOutputUsage +
 		`  -spiffeID string
    	SPIFFE ID of the JWT-SVID
  -ttl duration
@ -325,7 +325,7 @@ func TestMintRun(t *testing.T) {
 					BaseDir: dir,
 				})

-				args := []string{common.AddrArg, common.GetAddr(addr)}
+				args := []string{clitest.AddrArg, clitest.GetAddr(addr)}
 				if tt.spiffeID != "" {
 					args = append(args, "-spiffeID", tt.spiffeID)
 				}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_activate.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_activate.go
@ -0,0 +1,86 @@
+package jwt
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewJWTActivateCommand creates a new "jwt activate" subcommand for "localauthority" command.
+func NewJWTActivateCommand() cli.Command {
+	return NewJWTActivateCommandWithEnv(commoncli.DefaultEnv)
+}
+
+// NewJWTActivateCommandWithEnv creates a new "jwt activate" subcommand for "localauthority" command
+// using the environment specified
+func NewJWTActivateCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &jwtActivateCommand{env: env})
+}
+
+type jwtActivateCommand struct {
+	authorityID string
+	printer     cliprinter.Printer
+	env         *commoncli.Env
+}
+
+func (c *jwtActivateCommand) Name() string {
+	return "localauthority jwt activate"
+}
+
+func (*jwtActivateCommand) Synopsis() string {
+	return "Activates a prepared JWT authority for use, which will cause it to be used for all JWT signing operations serviced by this server going forward"
+}
+
+func (c *jwtActivateCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.authorityID, "authorityID", "", "The authority ID of the JWT authority to activate")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintJWTActivate)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority jwt activate` CLI command
+func (c *jwtActivateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	if err := c.validate(); err != nil {
+		return err
+	}
+
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.ActivateJWTAuthority(ctx, &localauthorityv1.ActivateJWTAuthorityRequest{
+		AuthorityId: c.authorityID,
+	})
+	if err != nil {
+		return fmt.Errorf("could not activate JWT authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func (c *jwtActivateCommand) validate() error {
+	if c.authorityID == "" {
+		return errors.New("an authority ID is required")
+	}
+
+	return nil
+}
+
+func prettyPrintJWTActivate(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.ActivateJWTAuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Activated JWT authority:")
+	if r.ActivatedAuthority == nil {
+		return errors.New("internal error: expected to have activated JWT authority information")
+	}
+	authoritycommon.PrettyPrintJWTAuthorityState(env, r.ActivatedAuthority)
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_activate_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_activate_posix_test.go
@ -0,0 +1,14 @@
+//go:build !windows
+
+package jwt_test
+
+var (
+	jwtActivateUsage = `Usage of localauthority jwt activate:
+  -authorityID string
+    	The authority ID of the JWT authority to activate
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_activate_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_activate_test.go
@ -0,0 +1,92 @@
+package jwt_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestJWTActivateHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTActivateCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, jwtActivateUsage, test.Stderr.String())
+}
+
+func TestJWTActivateSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTActivateCommandWithEnv)
+	require.Equal(t, "Activates a prepared JWT authority for use, which will cause it to be used for all JWT signing operations serviced by this server going forward", test.Client.Synopsis())
+}
+
+func TestJWTActivate(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		active, prepared   *localauthorityv1.AuthorityState
+	}{
+		{
+			name:             "success",
+			expectReturnCode: 0,
+			args:             []string{"-authorityID", "prepared-id"},
+			active: &localauthorityv1.AuthorityState{
+				AuthorityId: "active-id",
+				ExpiresAt:   1001,
+			},
+			prepared: &localauthorityv1.AuthorityState{
+				AuthorityId: "prepared-id",
+				ExpiresAt:   1002,
+			},
+			expectStdoutPretty: "Activated JWT authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n",
+			expectStdoutJSON:   `{"activated_authority":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":""}}`,
+		},
+		{
+			name:             "no authority id",
+			expectReturnCode: 1,
+			expectStderr:     "Error: an authority ID is required\n",
+		},
+		{
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not activate JWT authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			args:             []string{"-authorityID", "prepared-id"},
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not activate JWT authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, jwt.NewJWTActivateCommandWithEnv)
+				test.Server.ActiveJWT = tt.active
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_activate_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_activate_windows_test.go
@ -0,0 +1,14 @@
+//go:build windows
+
+package jwt_test
+
+var (
+	jwtActivateUsage = `Usage of localauthority jwt activate:
+  -authorityID string
+    	The authority ID of the JWT authority to activate
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_prepare.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_prepare.go
@ -0,0 +1,70 @@
+package jwt
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewJWTPrepareCommand creates a new "jwt prepare" subcommand for "localauthority" command.
+func NewJWTPrepareCommand() cli.Command {
+	return NewJWTPrepareCommandWithEnv(commoncli.DefaultEnv)
+}
+
+// NewJWTPrepareCommandWithEnv creates a new "jwt prepare" subcommand for "localauthority" command
+// using the environment specified
+func NewJWTPrepareCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &jwtPrepareCommand{env: env})
+}
+
+type jwtPrepareCommand struct {
+	printer cliprinter.Printer
+	env     *commoncli.Env
+}
+
+func (c *jwtPrepareCommand) Name() string {
+	return "localauthority jwt prepare"
+}
+
+func (*jwtPrepareCommand) Synopsis() string {
+	return "Prepares a new JWT authority for use by generating a new key and injecting it into the bundle"
+}
+
+func (c *jwtPrepareCommand) AppendFlags(f *flag.FlagSet) {
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintJWTPrepare)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority jwt prepare` CLI command
+func (c *jwtPrepareCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.PrepareJWTAuthority(ctx, &localauthorityv1.PrepareJWTAuthorityRequest{})
+	if err != nil {
+		return fmt.Errorf("could not prepare JWT authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func prettyPrintJWTPrepare(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.PrepareJWTAuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Prepared JWT authority:")
+	if r.PreparedAuthority == nil {
+		return errors.New("internal error: expected to have prepared JWT authority information")
+	}
+	authoritycommon.PrettyPrintJWTAuthorityState(env, r.PreparedAuthority)
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_posix_test.go
@ -0,0 +1,12 @@
+//go:build !windows
+
+package jwt_test
+
+var (
+	jwtPrepareUsage = `Usage of localauthority jwt prepare:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_test.go
@ -0,0 +1,78 @@
+package jwt_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestJWTPrepareHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTPrepareCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, jwtPrepareUsage, test.Stderr.String())
+}
+
+func TestJWTPrepareSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTPrepareCommandWithEnv)
+	require.Equal(t, "Prepares a new JWT authority for use by generating a new key and injecting it into the bundle", test.Client.Synopsis())
+}
+
+func TestJWTPrepare(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		prepared           *localauthorityv1.AuthorityState
+	}{
+		{
+			name:               "success",
+			expectReturnCode:   0,
+			expectStdoutPretty: "Prepared JWT authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n",
+			expectStdoutJSON:   `{"prepared_authority":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":""}}`,
+			prepared: &localauthorityv1.AuthorityState{
+				AuthorityId: "prepared-id",
+				ExpiresAt:   1002,
+			},
+		},
+		{
+			name:             "wrong UDS path",
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not prepare JWT authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not prepare JWT authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, jwt.NewJWTPrepareCommandWithEnv)
+				test.Server.PreparedJWT = tt.prepared
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_prepare_windows_test.go
@ -0,0 +1,12 @@
+//go:build windows
+
+package jwt_test
+
+var (
+	jwtPrepareUsage = `Usage of localauthority jwt prepare:
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_revoke.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_revoke.go
@ -0,0 +1,86 @@
+package jwt
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewJWTActivateCommand creates a new "jwt revoke" subcommand for "localauthority" command.
+func NewJWTRevokeCommand() cli.Command {
+	return NewJWTRevokeCommandWithEnv(commoncli.DefaultEnv)
+}
+
+// NewJWTActivateCommandWithEnv creates a new "jwt revoke" subcommand for "localauthority" command
+// using the environment specified
+func NewJWTRevokeCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &jwtRevokeCommand{env: env})
+}
+
+type jwtRevokeCommand struct {
+	authorityID string
+	printer     cliprinter.Printer
+	env         *commoncli.Env
+}
+
+func (c *jwtRevokeCommand) Name() string {
+	return "localauthority jwt revoke"
+}
+
+func (*jwtRevokeCommand) Synopsis() string {
+	return "Revokes the previously active JWT authority by removing it from the bundle and propagating this update throughout the cluster"
+}
+
+func (c *jwtRevokeCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.authorityID, "authorityID", "", "The authority ID of the JWT authority to revoke")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintJWTRevoke)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority jwt revoke` CLI command
+func (c *jwtRevokeCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	if err := c.validate(); err != nil {
+		return err
+	}
+
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.RevokeJWTAuthority(ctx, &localauthorityv1.RevokeJWTAuthorityRequest{
+		AuthorityId: c.authorityID,
+	})
+	if err != nil {
+		return fmt.Errorf("could not revoke JWT authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func (c *jwtRevokeCommand) validate() error {
+	if c.authorityID == "" {
+		return errors.New("an authority ID is required")
+	}
+
+	return nil
+}
+
+func prettyPrintJWTRevoke(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.RevokeJWTAuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Revoked JWT authority:")
+	if r.RevokedAuthority == nil {
+		return errors.New("internal error: expected to have revoked JWT authority information")
+	}
+	authoritycommon.PrettyPrintJWTAuthorityState(env, r.RevokedAuthority)
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_posix_test.go
@ -0,0 +1,14 @@
+//go:build !windows
+
+package jwt_test
+
+var (
+	jwtRevokeUsage = `Usage of localauthority jwt revoke:
+  -authorityID string
+    	The authority ID of the JWT authority to revoke
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_test.go
@ -0,0 +1,88 @@
+package jwt_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestJWTRevokeHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTRevokeCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, jwtRevokeUsage, test.Stderr.String())
+}
+
+func TestJWTRevokeSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTRevokeCommandWithEnv)
+	require.Equal(t, "Revokes the previously active JWT authority by removing it from the bundle and propagating this update throughout the cluster", test.Client.Synopsis())
+}
+
+func TestJWTRevoke(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		revoked            *localauthorityv1.AuthorityState
+	}{
+		{
+			name:             "success",
+			expectReturnCode: 0,
+			args:             []string{"-authorityID", "prepared-id"},
+			revoked: &localauthorityv1.AuthorityState{
+				AuthorityId: "revoked-id",
+				ExpiresAt:   1001,
+			},
+			expectStdoutPretty: "Revoked JWT authority:\n  Authority ID: revoked-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n",
+			expectStdoutJSON:   `{"revoked_authority":{"authority_id":"revoked-id","expires_at":"1001","upstream_authority_subject_key_id":""}}`,
+		},
+		{
+			name:             "no authority id",
+			expectReturnCode: 1,
+			expectStderr:     "Error: an authority ID is required\n",
+		},
+		{
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not revoke JWT authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			args:             []string{"-authorityID", "tainted-id"},
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not revoke JWT authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, jwt.NewJWTRevokeCommandWithEnv)
+				test.Server.RevokedJWT = tt.revoked
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_revoke_windows_test.go
@ -0,0 +1,14 @@
+//go:build windows
+
+package jwt_test
+
+var (
+	jwtRevokeUsage = `Usage of localauthority jwt revoke:
+  -authorityID string
+    	The authority ID of the JWT authority to revoke
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_show.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_show.go
@ -4,10 +4,10 @@ import (
 	"context"
 	"errors"
 	"flag"
-	"time"

 	"github.com/mitchellh/cli"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
@ -62,24 +62,21 @@ func prettyPrintJWTShow(env *commoncli.Env, results ...any) error {

 	env.Println("Active JWT authority:")
 	if r.Active != nil {
-		env.Printf("  Authority ID: %s\n", r.Active.AuthorityId)
-		env.Printf("  Expires at: %s\n", time.Unix(r.Active.ExpiresAt, 0).UTC())
+		authoritycommon.PrettyPrintJWTAuthorityState(env, r.Active)
 	} else {
 		env.Println("  No active JWT authority found")
 	}
 	env.Println()
 	env.Println("Prepared JWT authority:")
 	if r.Prepared != nil {
-		env.Printf("  Authority ID: %s\n", r.Prepared.AuthorityId)
-		env.Printf("  Expires at: %s\n", time.Unix(r.Prepared.ExpiresAt, 0).UTC())
+		authoritycommon.PrettyPrintJWTAuthorityState(env, r.Prepared)
 	} else {
 		env.Println("  No prepared JWT authority found")
 	}
 	env.Println()
 	env.Println("Old JWT authority:")
 	if r.Old != nil {
-		env.Printf("  Authority ID: %s\n", r.Old.AuthorityId)
-		env.Printf("  Expires at: %s\n", time.Unix(r.Old.ExpiresAt, 0).UTC())
+		authoritycommon.PrettyPrintJWTAuthorityState(env, r.Old)
 	} else {
 		env.Println("  No old JWT authority found")
 	}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_show_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_show_test.go
@ -6,22 +6,22 @@ import (

 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
-	authority_common "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )

 func TestJWTShowHelp(t *testing.T) {
-	test := authority_common.SetupTest(t, jwt.NewJWTShowCommandWithEnv)
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTShowCommandWithEnv)

 	test.Client.Help()
 	require.Equal(t, jwtShowUsage, test.Stderr.String())
 }

 func TestJWTShowSynopsys(t *testing.T) {
-	test := authority_common.SetupTest(t, jwt.NewJWTShowCommandWithEnv)
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTShowCommandWithEnv)
 	require.Equal(t, "Shows the local JWT authorities", test.Client.Synopsis())
 }

@ -55,7 +55,7 @@ func TestJWTShow(t *testing.T) {
 				ExpiresAt:   1003,
 			},
 			expectStdoutPretty: "Active JWT authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n\nPrepared JWT authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n\nOld JWT authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n",
-			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001"},"prepared":{"authority_id":"prepared-id","expires_at":"1002"},"old":{"authority_id":"old-id","expires_at":"1003"}}`,
+			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":""},"prepared":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":""},"old":{"authority_id":"old-id","expires_at":"1003","upstream_authority_subject_key_id":""}}`,
 		},
 		{
 			name:             "success - no active",
@ -69,7 +69,7 @@ func TestJWTShow(t *testing.T) {
 				ExpiresAt:   1003,
 			},
 			expectStdoutPretty: "Active JWT authority:\n  No active JWT authority found\n\nPrepared JWT authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n\nOld JWT authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n",
-			expectStdoutJSON:   `{"prepared":{"authority_id":"prepared-id","expires_at":"1002"},"old":{"authority_id":"old-id","expires_at":"1003"}}`,
+			expectStdoutJSON:   `{"prepared":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":""},"old":{"authority_id":"old-id","expires_at":"1003","upstream_authority_subject_key_id":""}}`,
 		},
 		{
 			name:             "success - no prepared",
@ -83,7 +83,7 @@ func TestJWTShow(t *testing.T) {
 				ExpiresAt:   1003,
 			},
 			expectStdoutPretty: "Active JWT authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n\nPrepared JWT authority:\n  No prepared JWT authority found\n\nOld JWT authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n",
-			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001"},"old":{"authority_id":"old-id","expires_at":"1003"}}`,
+			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":""},"old":{"authority_id":"old-id","expires_at":"1003","upstream_authority_subject_key_id":""}}`,
 		},
 		{
 			name:             "success - no old",
@ -97,13 +97,13 @@ func TestJWTShow(t *testing.T) {
 				ExpiresAt:   1002,
 			},
 			expectStdoutPretty: "Active JWT authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n\nPrepared JWT authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n\nOld JWT authority:\n  No old JWT authority found\n",
-			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001"},"prepared":{"authority_id":"prepared-id","expires_at":"1002"}}`,
+			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":""},"prepared":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":""}}`,
 		},
 		{
 			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
@ -112,9 +112,9 @@ func TestJWTShow(t *testing.T) {
 			expectStderr:     "Error: rpc error: code = Internal desc = internal server error\n",
 		},
 	} {
-		for _, format := range authority_common.AvailableFormats {
+		for _, format := range authoritycommon_test.AvailableFormats {
 			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
-				test := authority_common.SetupTest(t, jwt.NewJWTShowCommandWithEnv)
+				test := authoritycommon_test.SetupTest(t, jwt.NewJWTShowCommandWithEnv)
 				test.Server.ActiveJWT = tt.active
 				test.Server.PreparedJWT = tt.prepared
 				test.Server.OldJWT = tt.old
@ -124,7 +124,7 @@ func TestJWTShow(t *testing.T) {

 				returnCode := test.Client.Run(append(test.Args, args...))

-				authority_common.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
 				require.Equal(t, tt.expectStderr, test.Stderr.String())
 				require.Equal(t, tt.expectReturnCode, returnCode)
 			})
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_taint.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_taint.go
@ -0,0 +1,90 @@
+package jwt
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewJWTTaintCommand creates a new "jwt taint" subcommand for "localauthority" command.
+func NewJWTTaintCommand() cli.Command {
+	return newJWTTaintCommand(commoncli.DefaultEnv)
+}
+
+// NewJWTTaintCommandWithEnv creates a new "jwt taint" subcommand for "localauthority" command
+// using the environment specified
+func NewJWTTaintCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &jwtTaintCommand{env: env})
+}
+
+func newJWTTaintCommand(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &jwtTaintCommand{env: env})
+}
+
+type jwtTaintCommand struct {
+	authorityID string
+	printer     cliprinter.Printer
+	env         *commoncli.Env
+}
+
+func (c *jwtTaintCommand) Name() string {
+	return "localauthority jwt taint"
+}
+
+func (*jwtTaintCommand) Synopsis() string {
+	return "Marks the previously active JWT authority as being tainted"
+}
+
+func (c *jwtTaintCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.authorityID, "authorityID", "", "The authority ID of the JWT authority to taint")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintJWTTaint)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority jwt taint` CLI command
+func (c *jwtTaintCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	if err := c.validate(); err != nil {
+		return err
+	}
+
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.TaintJWTAuthority(ctx, &localauthorityv1.TaintJWTAuthorityRequest{
+		AuthorityId: c.authorityID,
+	})
+	if err != nil {
+		return fmt.Errorf("could not taint JWT authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func prettyPrintJWTTaint(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.TaintJWTAuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Tainted JWT authority:")
+	if r.TaintedAuthority == nil {
+		return errors.New("internal error: expected to have tainted JWT authority information")
+	}
+	authoritycommon.PrettyPrintJWTAuthorityState(env, r.TaintedAuthority)
+
+	return nil
+}
+
+func (c *jwtTaintCommand) validate() error {
+	if c.authorityID == "" {
+		return errors.New("an authority ID is required")
+	}
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_taint_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_taint_posix_test.go
@ -0,0 +1,14 @@
+//go:build !windows
+
+package jwt_test
+
+var (
+	jwtTaintUsage = `Usage of localauthority jwt taint:
+  -authorityID string
+    	The authority ID of the JWT authority to taint
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_taint_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_taint_test.go
@ -0,0 +1,88 @@
+package jwt_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/jwt"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestJWTTaintHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTTaintCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, jwtTaintUsage, test.Stderr.String())
+}
+
+func TestJWTTaintSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, jwt.NewJWTTaintCommandWithEnv)
+	require.Equal(t, "Marks the previously active JWT authority as being tainted", test.Client.Synopsis())
+}
+
+func TestJWTTaint(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		tainted            *localauthorityv1.AuthorityState
+	}{
+		{
+			name:             "success",
+			expectReturnCode: 0,
+			args:             []string{"-authorityID", "prepared-id"},
+			tainted: &localauthorityv1.AuthorityState{
+				AuthorityId: "tainted-id",
+				ExpiresAt:   1001,
+			},
+			expectStdoutPretty: "Tainted JWT authority:\n  Authority ID: tainted-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n",
+			expectStdoutJSON:   `{"tainted_authority":{"authority_id":"tainted-id","expires_at":"1001","upstream_authority_subject_key_id":""}}`,
+		},
+		{
+			name:             "no authority id",
+			expectReturnCode: 1,
+			expectStderr:     "Error: an authority ID is required\n",
+		},
+		{
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not taint JWT authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			args:             []string{"-authorityID", "old-id"},
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not taint JWT authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, jwt.NewJWTTaintCommandWithEnv)
+				test.Server.TaintedJWT = tt.tainted
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/jwt/jwt_taint_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/jwt/jwt_taint_windows_test.go
@ -0,0 +1,14 @@
+//go:build windows
+
+package jwt_test
+
+var (
+	jwtTaintUsage = `Usage of localauthority jwt taint:
+  -authorityID string
+    	The authority ID of the JWT authority to taint
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_activate.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_activate.go
@ -0,0 +1,87 @@
+package x509
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewX509ActivateCommand creates a new "x509 activate" subcommand for "localauthority" command.
+func NewX509ActivateCommand() cli.Command {
+	return NewX509ActivateCommandWithEnv(commoncli.DefaultEnv)
+}
+
+// NewX509ActivateCommandWithEnv creates a new "x509 activate" subcommand for "localauthority" command
+// using the environment specified
+func NewX509ActivateCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &x509ActivateCommand{env: env})
+}
+
+type x509ActivateCommand struct {
+	authorityID string
+	printer     cliprinter.Printer
+	env         *commoncli.Env
+}
+
+func (c *x509ActivateCommand) Name() string {
+	return "localauthority x509 activate"
+}
+
+func (*x509ActivateCommand) Synopsis() string {
+	return "Activates a prepared X.509 authority for use, which will cause it to be used for all X.509 signing operations serviced by this server going forward"
+}
+
+func (c *x509ActivateCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.authorityID, "authorityID", "", "The authority ID of the X.509 authority to activate")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintX509Activate)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority x509 activate` CLI command
+func (c *x509ActivateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	if err := c.validate(); err != nil {
+		return err
+	}
+
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.ActivateX509Authority(ctx, &localauthorityv1.ActivateX509AuthorityRequest{
+		AuthorityId: c.authorityID,
+	})
+	if err != nil {
+		return fmt.Errorf("could not activate X.509 authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func (c *x509ActivateCommand) validate() error {
+	if c.authorityID == "" {
+		return errors.New("an authority ID is required")
+	}
+
+	return nil
+}
+
+func prettyPrintX509Activate(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.ActivateX509AuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Activated X.509 authority:")
+	if r.ActivatedAuthority == nil {
+		return errors.New("internal error: expected to have activated X.509 authority information")
+	}
+
+	authoritycommon.PrettyPrintX509AuthorityState(env, r.ActivatedAuthority)
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_activate_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_activate_posix_test.go
@ -0,0 +1,14 @@
+//go:build !windows
+
+package x509_test
+
+var (
+	x509ActivateUsage = `Usage of localauthority x509 activate:
+  -authorityID string
+    	The authority ID of the X.509 authority to activate
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_activate_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_activate_test.go
@ -0,0 +1,94 @@
+package x509_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestX509ActivateHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509ActivateCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, x509ActivateUsage, test.Stderr.String())
+}
+
+func TestX509ActivateSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509ActivateCommandWithEnv)
+	require.Equal(t, "Activates a prepared X.509 authority for use, which will cause it to be used for all X.509 signing operations serviced by this server going forward", test.Client.Synopsis())
+}
+
+func TestX509Activate(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		active, prepared   *localauthorityv1.AuthorityState
+	}{
+		{
+			name:             "success",
+			expectReturnCode: 0,
+			args:             []string{"-authorityID", "prepared-id"},
+			active: &localauthorityv1.AuthorityState{
+				AuthorityId:                   "active-id",
+				ExpiresAt:                     1001,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
+			},
+			prepared: &localauthorityv1.AuthorityState{
+				AuthorityId:                   "prepared-id",
+				ExpiresAt:                     1002,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
+			},
+			expectStdoutPretty: "Activated X.509 authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id",
+			expectStdoutJSON:   `{"activated_authority":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
+		},
+		{
+			name:             "no authority id",
+			expectReturnCode: 1,
+			expectStderr:     "Error: an authority ID is required\n",
+		},
+		{
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not activate X.509 authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			args:             []string{"-authorityID", "prepared-id"},
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not activate X.509 authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, x509.NewX509ActivateCommandWithEnv)
+				test.Server.ActiveX509 = tt.active
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_activate_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_activate_windows_test.go
@ -0,0 +1,14 @@
+//go:build windows
+
+package x509_test
+
+var (
+	x509ActivateUsage = `Usage of localauthority x509 activate:
+  -authorityID string
+    	The authority ID of the X.509 authority to activate
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_prepare.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_prepare.go
@ -0,0 +1,71 @@
+package x509
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewX509PrepareCommand creates a new "x509 prepare" subcommand for "localauthority" command.
+func NewX509PrepareCommand() cli.Command {
+	return NewX509PrepareCommandWithEnv(commoncli.DefaultEnv)
+}
+
+// NewX509PrepareCommandWithEnv creates a new "x509 prepare" subcommand for "localauthority" command
+// using the environment specified
+func NewX509PrepareCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &x509PrepareCommand{env: env})
+}
+
+type x509PrepareCommand struct {
+	printer cliprinter.Printer
+	env     *commoncli.Env
+}
+
+func (c *x509PrepareCommand) Name() string {
+	return "localauthority x509 prepare"
+}
+
+func (*x509PrepareCommand) Synopsis() string {
+	return "Prepares a new X.509 authority for use by generating a new key and injecting the resulting CA certificate into the bundle"
+}
+
+func (c *x509PrepareCommand) AppendFlags(f *flag.FlagSet) {
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintX509Prepare)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority x509 prepare` CLI command
+func (c *x509PrepareCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.PrepareX509Authority(ctx, &localauthorityv1.PrepareX509AuthorityRequest{})
+	if err != nil {
+		return fmt.Errorf("could not prepare X.509 authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func prettyPrintX509Prepare(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.PrepareX509AuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Prepared X.509 authority:")
+	if r.PreparedAuthority == nil {
+		return errors.New("internal error: expected to have prepared X.509 authority information")
+	}
+
+	authoritycommon.PrettyPrintX509AuthorityState(env, r.PreparedAuthority)
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_prepare_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_prepare_posix_test.go
@ -0,0 +1,12 @@
+//go:build !windows
+
+package x509_test
+
+var (
+	x509PrepareUsage = `Usage of localauthority x509 prepare:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_prepare_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_prepare_test.go
@ -0,0 +1,79 @@
+package x509_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestX509PrepareHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509PrepareCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, x509PrepareUsage, test.Stderr.String())
+}
+
+func TestX509PrepareSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509PrepareCommandWithEnv)
+	require.Equal(t, "Prepares a new X.509 authority for use by generating a new key and injecting the resulting CA certificate into the bundle", test.Client.Synopsis())
+}
+
+func TestX509Prepare(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		prepared           *localauthorityv1.AuthorityState
+	}{
+		{
+			name:               "success",
+			expectReturnCode:   0,
+			expectStdoutPretty: "Prepared X.509 authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id",
+			expectStdoutJSON:   `{"prepared_authority":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
+			prepared: &localauthorityv1.AuthorityState{
+				AuthorityId:                   "prepared-id",
+				ExpiresAt:                     1002,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
+			},
+		},
+		{
+			name:             "wrong UDS path",
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not prepare X.509 authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not prepare X.509 authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, x509.NewX509PrepareCommandWithEnv)
+				test.Server.PreparedX509 = tt.prepared
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_prepare_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_prepare_windows_test.go
@ -0,0 +1,12 @@
+//go:build windows
+
+package x509_test
+
+var (
+	x509PrepareUsage = `Usage of localauthority x509 prepare:
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_revoke.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_revoke.go
@ -0,0 +1,87 @@
+package x509
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewX509ActivateCommand creates a new "x509 revoke" subcommand for "localauthority" command.
+func NewX509RevokeCommand() cli.Command {
+	return NewX509RevokeCommandWithEnv(commoncli.DefaultEnv)
+}
+
+// NewX509ActivateCommandWithEnv creates a new "x509 revoke" subcommand for "localauthority" command
+// using the environment specified
+func NewX509RevokeCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &x509RevokeCommand{env: env})
+}
+
+type x509RevokeCommand struct {
+	authorityID string
+	printer     cliprinter.Printer
+	env         *commoncli.Env
+}
+
+func (c *x509RevokeCommand) Name() string {
+	return "localauthority x509 revoke"
+}
+
+func (*x509RevokeCommand) Synopsis() string {
+	return "Revokes the previously active X.509 authority by removing it from the bundle and propagating this update throughout the cluster"
+}
+
+func (c *x509RevokeCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.authorityID, "authorityID", "", "The authority ID of the X.509 authority to revoke")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintX509Revoke)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority x509 revoke` CLI command
+func (c *x509RevokeCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	if err := c.validate(); err != nil {
+		return err
+	}
+
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.RevokeX509Authority(ctx, &localauthorityv1.RevokeX509AuthorityRequest{
+		AuthorityId: c.authorityID,
+	})
+	if err != nil {
+		return fmt.Errorf("could not revoke X.509 authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func (c *x509RevokeCommand) validate() error {
+	if c.authorityID == "" {
+		return errors.New("an authority ID is required")
+	}
+
+	return nil
+}
+
+func prettyPrintX509Revoke(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.RevokeX509AuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Revoked X.509 authority:")
+	if r.RevokedAuthority == nil {
+		return errors.New("internal error: expected to have revoked X.509 authority information")
+	}
+
+	authoritycommon.PrettyPrintX509AuthorityState(env, r.RevokedAuthority)
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_revoke_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_revoke_posix_test.go
@ -0,0 +1,14 @@
+//go:build !windows
+
+package x509_test
+
+var (
+	x509RevokeUsage = `Usage of localauthority x509 revoke:
+  -authorityID string
+    	The authority ID of the X.509 authority to revoke
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_revoke_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_revoke_test.go
@ -0,0 +1,89 @@
+package x509_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestX509RevokeHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509RevokeCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, x509RevokeUsage, test.Stderr.String())
+}
+
+func TestX509RevokeSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509RevokeCommandWithEnv)
+	require.Equal(t, "Revokes the previously active X.509 authority by removing it from the bundle and propagating this update throughout the cluster", test.Client.Synopsis())
+}
+
+func TestX509Revoke(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		revoked            *localauthorityv1.AuthorityState
+	}{
+		{
+			name:             "success",
+			expectReturnCode: 0,
+			args:             []string{"-authorityID", "prepared-id"},
+			revoked: &localauthorityv1.AuthorityState{
+				AuthorityId:                   "revoked-id",
+				ExpiresAt:                     1001,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
+			},
+			expectStdoutPretty: "Revoked X.509 authority:\n  Authority ID: revoked-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id",
+			expectStdoutJSON:   `{"revoked_authority":{"authority_id":"revoked-id","expires_at":"1001","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
+		},
+		{
+			name:             "no authority id",
+			expectReturnCode: 1,
+			expectStderr:     "Error: an authority ID is required\n",
+		},
+		{
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not revoke X.509 authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			args:             []string{"-authorityID", "tainted-id"},
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not revoke X.509 authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, x509.NewX509RevokeCommandWithEnv)
+				test.Server.RevokedX509 = tt.revoked
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_revoke_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_revoke_windows_test.go
@ -0,0 +1,14 @@
+//go:build windows
+
+package x509_test
+
+var (
+	x509RevokeUsage = `Usage of localauthority x509 revoke:
+  -authorityID string
+    	The authority ID of the X.509 authority to revoke
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_show.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_show.go
@ -5,10 +5,10 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"time"

 	"github.com/mitchellh/cli"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
 	"github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
@ -63,24 +63,21 @@ func prettyPrintX509Show(env *commoncli.Env, results ...any) error {

 	env.Println("Active X.509 authority:")
 	if r.Active != nil {
-		env.Printf("  Authority ID: %s\n", r.Active.AuthorityId)
-		env.Printf("  Expires at: %s\n", time.Unix(r.Active.ExpiresAt, 0).UTC())
+		authoritycommon.PrettyPrintX509AuthorityState(env, r.Active)
 	} else {
 		env.Println("  No active X.509 authority found")
 	}
 	env.Println()
 	env.Println("Prepared X.509 authority:")
 	if r.Prepared != nil {
-		env.Printf("  Authority ID: %s\n", r.Prepared.AuthorityId)
-		env.Printf("  Expires at: %s\n", time.Unix(r.Prepared.ExpiresAt, 0).UTC())
+		authoritycommon.PrettyPrintX509AuthorityState(env, r.Prepared)
 	} else {
 		env.Println("  No prepared X.509 authority found")
 	}
 	env.Println()
 	env.Println("Old X.509 authority:")
 	if r.Old != nil {
-		env.Printf("  Authority ID: %s\n", r.Old.AuthorityId)
-		env.Printf("  Expires at: %s\n", time.Unix(r.Old.ExpiresAt, 0).UTC())
+		authoritycommon.PrettyPrintX509AuthorityState(env, r.Old)
 	} else {
 		env.Println("  No old X.509 authority found")
 	}
--- a/cmd/spire-server/cli/localauthority/x509/x509_show_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_show_test.go
@ -6,22 +6,22 @@ import (

 	"github.com/gogo/status"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
-	authority_common "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
 	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 )

 func TestX509ShowHelp(t *testing.T) {
-	test := authority_common.SetupTest(t, x509.NewX509ShowCommandWithEnv)
+	test := authoritycommon_test.SetupTest(t, x509.NewX509ShowCommandWithEnv)

 	test.Client.Help()
 	require.Equal(t, x509ShowUsage, test.Stderr.String())
 }

 func TestX509ShowSynopsys(t *testing.T) {
-	test := authority_common.SetupTest(t, x509.NewX509ShowCommandWithEnv)
+	test := authoritycommon_test.SetupTest(t, x509.NewX509ShowCommandWithEnv)
 	require.Equal(t, "Shows the local X.509 authorities", test.Client.Synopsis())
 }

@ -43,67 +43,76 @@ func TestX509Show(t *testing.T) {
 			name:             "success",
 			expectReturnCode: 0,
 			active: &localauthorityv1.AuthorityState{
-				AuthorityId: "active-id",
-				ExpiresAt:   1001,
+				AuthorityId:                   "active-id",
+				ExpiresAt:                     1001,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
 			prepared: &localauthorityv1.AuthorityState{
-				AuthorityId: "prepared-id",
-				ExpiresAt:   1002,
+				AuthorityId:                   "prepared-id",
+				ExpiresAt:                     1002,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
 			old: &localauthorityv1.AuthorityState{
-				AuthorityId: "old-id",
-				ExpiresAt:   1003,
+				AuthorityId:                   "old-id",
+				ExpiresAt:                     1003,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
-			expectStdoutPretty: "Active X.509 authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n\nPrepared X.509 authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n\nOld X.509 authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n",
-			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001"},"prepared":{"authority_id":"prepared-id","expires_at":"1002"},"old":{"authority_id":"old-id","expires_at":"1003"}}`,
+			expectStdoutPretty: "Active X.509 authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n\nPrepared X.509 authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n\nOld X.509 authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n",
+			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":"some-subject-key-id"},"prepared":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":"some-subject-key-id"},"old":{"authority_id":"old-id","expires_at":"1003","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
 		},
 		{
 			name:             "success - no active",
 			expectReturnCode: 0,
 			prepared: &localauthorityv1.AuthorityState{
-				AuthorityId: "prepared-id",
-				ExpiresAt:   1002,
+				AuthorityId:                   "prepared-id",
+				ExpiresAt:                     1002,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
 			old: &localauthorityv1.AuthorityState{
-				AuthorityId: "old-id",
-				ExpiresAt:   1003,
+				AuthorityId:                   "old-id",
+				ExpiresAt:                     1003,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
-			expectStdoutPretty: "Active X.509 authority:\n  No active X.509 authority found\n\nPrepared X.509 authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n\nOld X.509 authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n",
-			expectStdoutJSON:   `{"prepared":{"authority_id":"prepared-id","expires_at":"1002"},"old":{"authority_id":"old-id","expires_at":"1003"}}`,
+			expectStdoutPretty: "Active X.509 authority:\n  No active X.509 authority found\n\nPrepared X.509 authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n\nOld X.509 authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n",
+			expectStdoutJSON:   `{"prepared":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":"some-subject-key-id"},"old":{"authority_id":"old-id","expires_at":"1003","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
 		},
 		{
 			name:             "success - no prepared",
 			expectReturnCode: 0,
 			active: &localauthorityv1.AuthorityState{
-				AuthorityId: "active-id",
-				ExpiresAt:   1001,
+				AuthorityId:                   "active-id",
+				ExpiresAt:                     1001,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
 			old: &localauthorityv1.AuthorityState{
-				AuthorityId: "old-id",
-				ExpiresAt:   1003,
+				AuthorityId:                   "old-id",
+				ExpiresAt:                     1003,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
-			expectStdoutPretty: "Active X.509 authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n\nPrepared X.509 authority:\n  No prepared X.509 authority found\n\nOld X.509 authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n",
-			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001"},"old":{"authority_id":"old-id","expires_at":"1003"}}`,
+			expectStdoutPretty: "Active X.509 authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n\nPrepared X.509 authority:\n  No prepared X.509 authority found\n\nOld X.509 authority:\n  Authority ID: old-id\n  Expires at: 1970-01-01 00:16:43 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n",
+			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":"some-subject-key-id"},"old":{"authority_id":"old-id","expires_at":"1003","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
 		},
 		{
 			name:             "success - no old",
 			expectReturnCode: 0,
 			active: &localauthorityv1.AuthorityState{
-				AuthorityId: "active-id",
-				ExpiresAt:   1001,
+				AuthorityId:                   "active-id",
+				ExpiresAt:                     1001,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
 			prepared: &localauthorityv1.AuthorityState{
-				AuthorityId: "prepared-id",
-				ExpiresAt:   1002,
+				AuthorityId:                   "prepared-id",
+				ExpiresAt:                     1002,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
 			},
-			expectStdoutPretty: "Active X.509 authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n\nPrepared X.509 authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n\nOld X.509 authority:\n  No old X.509 authority found\n",
-			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001"},"prepared":{"authority_id":"prepared-id","expires_at":"1002"}}`,
+			expectStdoutPretty: "Active X.509 authority:\n  Authority ID: active-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n\nPrepared X.509 authority:\n  Authority ID: prepared-id\n  Expires at: 1970-01-01 00:16:42 +0000 UTC\n  Upstream authority Subject Key ID: some-subject-key-id\n\nOld X.509 authority:\n  No old X.509 authority found\n",
+			expectStdoutJSON:   `{"active":{"authority_id":"active-id","expires_at":"1001","upstream_authority_subject_key_id":"some-subject-key-id"},"prepared":{"authority_id":"prepared-id","expires_at":"1002","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
 		},
 		{
 			name:             "wrong UDS path",
-			args:             []string{common.AddrArg, common.AddrValue},
+			args:             []string{clitest.AddrArg, clitest.AddrValue},
 			expectReturnCode: 1,
-			expectStderr:     common.AddrError,
+			expectStderr:     "Error: could not get X.509 authorities: " + clitest.AddrError,
 		},
 		{
 			name:             "server error",
@ -112,9 +121,9 @@ func TestX509Show(t *testing.T) {
 			expectStderr:     "Error: could not get X.509 authorities: rpc error: code = Internal desc = internal server error\n",
 		},
 	} {
-		for _, format := range authority_common.AvailableFormats {
+		for _, format := range authoritycommon_test.AvailableFormats {
 			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
-				test := authority_common.SetupTest(t, x509.NewX509ShowCommandWithEnv)
+				test := authoritycommon_test.SetupTest(t, x509.NewX509ShowCommandWithEnv)
 				test.Server.ActiveX509 = tt.active
 				test.Server.PreparedX509 = tt.prepared
 				test.Server.OldX509 = tt.old
@ -124,7 +133,7 @@ func TestX509Show(t *testing.T) {

 				returnCode := test.Client.Run(append(test.Args, args...))

-				authority_common.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
 				require.Equal(t, tt.expectStderr, test.Stderr.String())
 				require.Equal(t, tt.expectReturnCode, returnCode)
 			})
--- a/cmd/spire-server/cli/localauthority/x509/x509_taint.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_taint.go
@ -0,0 +1,91 @@
+package x509
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewX509TaintCommand creates a new "x509 taint" subcommand for "localauthority" command.
+func NewX509TaintCommand() cli.Command {
+	return newX509TaintCommand(commoncli.DefaultEnv)
+}
+
+// NewX509TaintCommandWithEnv creates a new "x509 taint" subcommand for "localauthority" command
+// using the environment specified
+func NewX509TaintCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &x509TaintCommand{env: env})
+}
+
+func newX509TaintCommand(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &x509TaintCommand{env: env})
+}
+
+type x509TaintCommand struct {
+	authorityID string
+	printer     cliprinter.Printer
+	env         *commoncli.Env
+}
+
+func (c *x509TaintCommand) Name() string {
+	return "localauthority x509 taint"
+}
+
+func (*x509TaintCommand) Synopsis() string {
+	return "Marks the previously active X.509 authority as being tainted"
+}
+
+func (c *x509TaintCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.authorityID, "authorityID", "", "The authority ID of the X.509 authority to taint")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintX509Taint)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server localauthority x509 taint` CLI command
+func (c *x509TaintCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	if err := c.validate(); err != nil {
+		return err
+	}
+
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.TaintX509Authority(ctx, &localauthorityv1.TaintX509AuthorityRequest{
+		AuthorityId: c.authorityID,
+	})
+	if err != nil {
+		return fmt.Errorf("could not taint X.509 authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func prettyPrintX509Taint(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.TaintX509AuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Tainted X.509 authority:")
+	if r.TaintedAuthority == nil {
+		return errors.New("internal error: expected to have tainted X.509 authority information")
+	}
+
+	authoritycommon.PrettyPrintX509AuthorityState(env, r.TaintedAuthority)
+
+	return nil
+}
+
+func (c *x509TaintCommand) validate() error {
+	if c.authorityID == "" {
+		return errors.New("an authority ID is required")
+	}
+
+	return nil
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_taint_posix_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_taint_posix_test.go
@ -0,0 +1,14 @@
+//go:build !windows
+
+package x509_test
+
+var (
+	x509TaintUsage = `Usage of localauthority x509 taint:
+  -authorityID string
+    	The authority ID of the X.509 authority to taint
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+`
+)
--- a/cmd/spire-server/cli/localauthority/x509/x509_taint_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_taint_test.go
@ -0,0 +1,89 @@
+package x509_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/gogo/status"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	authoritycommon_test "github.com/spiffe/spire/cmd/spire-server/cli/authoritycommon/test"
+	"github.com/spiffe/spire/cmd/spire-server/cli/localauthority/x509"
+	"github.com/spiffe/spire/test/clitest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+)
+
+func TestX509TaintHelp(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509TaintCommandWithEnv)
+
+	test.Client.Help()
+	require.Equal(t, x509TaintUsage, test.Stderr.String())
+}
+
+func TestX509TaintSynopsys(t *testing.T) {
+	test := authoritycommon_test.SetupTest(t, x509.NewX509TaintCommandWithEnv)
+	require.Equal(t, "Marks the previously active X.509 authority as being tainted", test.Client.Synopsis())
+}
+
+func TestX509Taint(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		args               []string
+		expectReturnCode   int
+		expectStdoutPretty string
+		expectStdoutJSON   string
+		expectStderr       string
+		serverErr          error
+		tainted            *localauthorityv1.AuthorityState
+	}{
+		{
+			name:             "success",
+			expectReturnCode: 0,
+			args:             []string{"-authorityID", "prepared-id"},
+			tainted: &localauthorityv1.AuthorityState{
+				AuthorityId:                   "tainted-id",
+				ExpiresAt:                     1001,
+				UpstreamAuthoritySubjectKeyId: "some-subject-key-id",
+			},
+			expectStdoutPretty: "Tainted X.509 authority:\n  Authority ID: tainted-id\n  Expires at: 1970-01-01 00:16:41 +0000 UTC\n",
+			expectStdoutJSON:   `{"tainted_authority":{"authority_id":"tainted-id","expires_at":"1001","upstream_authority_subject_key_id":"some-subject-key-id"}}`,
+		},
+		{
+			name:             "no authority id",
+			expectReturnCode: 1,
+			expectStderr:     "Error: an authority ID is required\n",
+		},
+		{
+			name: "wrong UDS path",
+			args: []string{
+				clitest.AddrArg, clitest.AddrValue,
+				"-authorityID", "prepared-id",
+			},
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not taint X.509 authority: " + clitest.AddrError,
+		},
+		{
+			name:             "server error",
+			args:             []string{"-authorityID", "old-id"},
+			serverErr:        status.Error(codes.Internal, "internal server error"),
+			expectReturnCode: 1,
+			expectStderr:     "Error: could not taint X.509 authority: rpc error: code = Internal desc = internal server error\n",
+		},
+	} {
+		for _, format := range authoritycommon_test.AvailableFormats {
+			t.Run(fmt.Sprintf("%s using %s format", tt.name, format), func(t *testing.T) {
+				test := authoritycommon_test.SetupTest(t, x509.NewX509TaintCommandWithEnv)
+				test.Server.TaintedX509 = tt.tainted
+				test.Server.Err = tt.serverErr
+				args := tt.args
+				args = append(args, "-output", format)
+
+				returnCode := test.Client.Run(append(test.Args, args...))
+
+				authoritycommon_test.RequireOutputBasedOnFormat(t, format, test.Stdout.String(), tt.expectStdoutPretty, tt.expectStdoutJSON)
+				require.Equal(t, tt.expectStderr, test.Stderr.String())
+				require.Equal(t, tt.expectReturnCode, returnCode)
+			})
+		}
+	}
+}
--- a/cmd/spire-server/cli/localauthority/x509/x509_taint_windows_test.go
+++ b/cmd/spire-server/cli/localauthority/x509/x509_taint_windows_test.go
@ -0,0 +1,14 @@
+//go:build windows
+
+package x509_test
+
+var (
+	x509TaintUsage = `Usage of localauthority x509 taint:
+  -authorityID string
+    	The authority ID of the X.509 authority to taint
+  -namedPipeName string
+    	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+`
+)
--- a/cmd/spire-server/cli/logger/mocks_test.go
+++ b/cmd/spire-server/cli/logger/mocks_test.go
@ -1,18 +1,17 @@
 package logger_test

 import (
+	"bytes"
+	"context"
 	"io"
 	"testing"

+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"

-	"bytes"
-	"context"
-
 	"github.com/mitchellh/cli"
 	loggerv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/logger/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"google.golang.org/grpc"
 )
@ -55,7 +54,7 @@ func setupCliTest(t *testing.T, server *mockLoggerService, newClient func(*commo
 		stdin:  stdin,
 		stdout: stdout,
 		stderr: stderr,
-		args:   []string{common.AddrArg, common.GetAddr(addr)},
+		args:   []string{clitest.AddrArg, clitest.GetAddr(addr)},
 		server: server,
 		client: client,
 	}
--- a/cmd/spire-server/cli/logger/printers.go
+++ b/cmd/spire-server/cli/logger/printers.go
@ -33,8 +33,5 @@ func PrettyPrintLogger(env *commoncli.Env, results ...any) error {
 		return fmt.Errorf("internal error: logrus log level %d has no name; please report this as a bug", logrusLaunch)
 	}

-	if err := env.Printf("Logger Level : %s\nLaunch Level : %s\n\n", currentText, launchText); err != nil {
-		return err
-	}
-	return nil
+	return env.Printf("Logger Level : %s\nLaunch Level : %s\n\n", currentText, launchText)
 }
--- a/cmd/spire-server/cli/logger/printers_test.go
+++ b/cmd/spire-server/cli/logger/printers_test.go
@ -14,7 +14,7 @@ import (
 func TestPrettyPrintLogger(t *testing.T) {
 	for _, tt := range []struct {
 		name           string
-		logger         interface{}
+		logger         any
 		outWriter      errorWriter
 		errWriter      errorWriter
 		env            *commoncli.Env
@ -53,7 +53,6 @@ Launch Level : info
 			expectedError: errors.New("internal error: unexpected type *types.Entry returned; please report this as a bug"),
 		},
 	} {
-		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			tt.env = &commoncli.Env{
 				Stdout: &tt.outWriter,
--- a/cmd/spire-server/cli/run/run.go
+++ b/cmd/spire-server/cli/run/run.go
@ -14,6 +14,7 @@ import (
 	"path/filepath"
 	"reflect"
 	"sort"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@ -30,11 +31,13 @@ import (
 	"github.com/spiffe/spire/pkg/common/bundleutil"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/config"
 	"github.com/spiffe/spire/pkg/common/diskcertmanager"
 	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/health"
 	"github.com/spiffe/spire/pkg/common/log"
 	"github.com/spiffe/spire/pkg/common/telemetry"
+	"github.com/spiffe/spire/pkg/common/tlspolicy"
 	"github.com/spiffe/spire/pkg/server"
 	"github.com/spiffe/spire/pkg/server/authpolicy"
 	bundleClient "github.com/spiffe/spire/pkg/server/bundle/client"
@ -107,7 +110,9 @@ type experimentalConfig struct {
 	CacheReloadInterval   string                      `hcl:"cache_reload_interval"`
 	EventsBasedCache      bool                        `hcl:"events_based_cache"`
 	PruneEventsOlderThan  string                      `hcl:"prune_events_older_than"`
+	EventTimeout          string                      `hcl:"event_timeout"`
 	SQLTransactionTimeout string                      `hcl:"sql_transaction_timeout"`
+	RequirePQKEM          bool                        `hcl:"require_pq_kem"`

 	Flags fflag.RawConfig `hcl:"feature_flags"`

@ -316,7 +321,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {

 	// If envTemplate flag is passed, substitute $VARIABLES in configuration file
 	if expandEnv {
-		data = os.ExpandEnv(data)
+		data = config.ExpandEnv(data)
 	}

 	if err := hcl.Decode(&c, data); err != nil {
@ -407,7 +412,7 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 		sc.LogReopener = log.ReopenOnSignal(logger, reopenableFile)
 	}

-	bindAddress, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("%s:%d", c.Server.BindAddress, c.Server.BindPort))
+	bindAddress, err := net.ResolveTCPAddr("tcp", net.JoinHostPort(strings.Trim(c.Server.BindAddress, "[]"), strconv.Itoa(c.Server.BindPort)))
 	if err != nil {
 		return nil, fmt.Errorf(`could not resolve bind address "%s:%d": %w`, c.Server.BindAddress, c.Server.BindPort, err)
 	}
@ -508,6 +513,12 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 	sc.ProfilingFreq = c.Server.ProfilingFreq
 	sc.ProfilingNames = c.Server.ProfilingNames

+	sc.TLSPolicy = tlspolicy.Policy{
+		RequirePQKEM: c.Server.Experimental.RequirePQKEM,
+	}
+
+	tlspolicy.LogPolicy(sc.TLSPolicy, log.NewHCLogAdapter(logger, "tlspolicy"))
+
 	for _, adminID := range c.Server.AdminIDs {
 		id, err := spiffeid.FromString(adminID)
 		if err != nil {
@ -558,6 +569,7 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 	}

 	if c.Server.UseLegacyDownstreamX509CATTL != nil {
+		sc.Log.Warn("'use_legacy_downstream_x509_ca_ttl' is deprecated and will be removed in a future release")
 		sc.UseLegacyDownstreamX509CATTL = *c.Server.UseLegacyDownstreamX509CATTL
 		if sc.UseLegacyDownstreamX509CATTL {
 			sc.Log.Warn("Using legacy downstream X509 CA TTL calculation; this option will be removed in a future release")
@ -565,10 +577,9 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 			sc.Log.Info("Using preferred downstream X509 CA TTL calculation")
 		}
 	} else {
-		// The default value should be false in SPIRE 1.11.0 and the flag
-		// removed in SPIRE 1.12.0.
-		sc.UseLegacyDownstreamX509CATTL = true
-		sc.Log.Info("Using legacy downstream X509 CA TTL calculation by default; this default will change in a future release")
+		// The flag should be removed in SPIRE 1.13.0.
+		sc.UseLegacyDownstreamX509CATTL = false
+		sc.Log.Info("Using preferred downstream X509 CA TTL calculation")
 	}

 	// If the configured TTLs can lead to surprises, then do our best to log an
@ -697,11 +708,20 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 	}

 	if c.Server.Experimental.SQLTransactionTimeout != "" {
+		sc.Log.Warn("experimental.sql_transaction_timeout is deprecated, use experimental.event_timeout instead")
 		interval, err := time.ParseDuration(c.Server.Experimental.SQLTransactionTimeout)
 		if err != nil {
 			return nil, fmt.Errorf("could not parse SQL transaction timeout interval: %w", err)
 		}
-		sc.SQLTransactionTimeout = interval
+		sc.EventTimeout = interval
+	}
+
+	if c.Server.Experimental.EventTimeout != "" {
+		interval, err := time.ParseDuration(c.Server.Experimental.EventTimeout)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse event timeout interval: %w", err)
+		}
+		sc.EventTimeout = interval
 	}

 	if c.Server.Experimental.EventsBasedCache {
@ -752,10 +772,7 @@ func setBundleEndpointConfigProfile(config *bundleEndpointConfig, dataDir string
 			return nil
 		case profileConfig.HTTPSWeb.ServingCertFile != nil:
 			federationConfig.BundleEndpoint.DiskCertManager, err = configToDiskCertManager(profileConfig.HTTPSWeb.ServingCertFile, log)
-			if err != nil {
-				return err
-			}
-			return nil
+			return err
 		default:
 			return errors.New("malformed https_web profile configuration: 'acme' or 'serving_cert_file' is required")
 		}
@ -894,6 +911,10 @@ func validateConfig(c *Config) error {
 		}
 	}

+	if c.Server.Experimental.EventTimeout != "" && c.Server.Experimental.SQLTransactionTimeout != "" {
+		return errors.New("both experimental sql_transaction_timeout and event_timeout set, only set event_timeout")
+	}
+
 	return c.validateOS()
 }

--- a/cmd/spire-server/cli/run/run_posix_test.go
+++ b/cmd/spire-server/cli/run/run_posix_test.go
@ -236,7 +236,7 @@ func mergeInputCasesOS(*testing.T) []mergeInputCase {
 			},
 		},
 		{
-			msg:       "socket_path should be configuable by CLI flag",
+			msg:       "socket_path should be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliFlags:  []string{"-socketPath=foo"},
 			test: func(t *testing.T, c *Config) {
--- a/cmd/spire-server/cli/run/run_test.go
+++ b/cmd/spire-server/cli/run/run_test.go
@ -64,6 +64,7 @@ func TestParseConfigGood(t *testing.T) {
 	_, ok := trustDomainConfig.EndpointProfile.(bundleClient.HTTPSWebProfile)
 	assert.True(t, ok)
 	assert.True(t, c.Server.AuditLogEnabled)
+	assert.True(t, c.Server.Experimental.RequirePQKEM)
 	testParseConfigGoodOS(t, c)

 	// Parse/reprint cycle trims outer whitespace
@ -455,12 +456,20 @@ func TestMergeInput(t *testing.T) {
 				require.True(t, c.Server.AuditLogEnabled)
 			},
 		},
+		{
+			msg: "require_pq_kem should be configurable by file",
+			fileInput: func(c *Config) {
+				c.Server.Experimental.RequirePQKEM = true
+			},
+			cliFlags: []string{},
+			test: func(t *testing.T, c *Config) {
+				require.True(t, c.Server.Experimental.RequirePQKEM)
+			},
+		},
 	}
 	cases = append(cases, mergeInputCasesOS(t)...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		fileInput := &Config{Server: &serverConfig{}}

 		testCase.fileInput(fileInput)
@ -504,6 +513,28 @@ func TestNewServerConfig(t *testing.T) {
 				require.Equal(t, 1337, c.BindAddress.Port)
 			},
 		},
+		{
+			msg: "IPv6 bind_address in square brackets and bind_port should be correctly parsed",
+			input: func(c *Config) {
+				c.Server.BindAddress = "[2001:101::]"
+				c.Server.BindPort = 1337
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, "2001:101::", c.BindAddress.IP.String())
+				require.Equal(t, 1337, c.BindAddress.Port)
+			},
+		},
+		{
+			msg: "IPv6 bind_address without square brackets and bind_port should be correctly parsed",
+			input: func(c *Config) {
+				c.Server.BindAddress = "2001:101::"
+				c.Server.BindPort = 1337
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, "2001:101::", c.BindAddress.IP.String())
+				require.Equal(t, 1337, c.BindAddress.Port)
+			},
+		},
 		{
 			msg: "bind_address with hostname value should be correctly parsed",
 			input: func(c *Config) {
@ -1113,6 +1144,24 @@ func TestNewServerConfig(t *testing.T) {
 				require.Nil(t, c)
 			},
 		},
+		{
+			msg: "sql_transaction_timeout is correctly parsed",
+			input: func(c *Config) {
+				c.Server.Experimental.SQLTransactionTimeout = "1m"
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, time.Minute, c.EventTimeout)
+			},
+		},
+		{
+			msg: "event_timeout is correctly parsed",
+			input: func(c *Config) {
+				c.Server.Experimental.EventTimeout = "1m"
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, time.Minute, c.EventTimeout)
+			},
+		},
 		{
 			msg: "audit_log_enabled is enabled",
 			input: func(c *Config) {
@ -1160,12 +1209,26 @@ func TestNewServerConfig(t *testing.T) {
 				}, c.AdminIDs)
 			},
 		},
+		{
+			msg:   "require PQ KEM is disabled (default)",
+			input: func(c *Config) {},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, false, c.TLSPolicy.RequirePQKEM)
+			},
+		},
+		{
+			msg: "require PQ KEM is enabled",
+			input: func(c *Config) {
+				c.Server.Experimental.RequirePQKEM = true
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.Equal(t, true, c.TLSPolicy.RequirePQKEM)
+			},
+		},
 	}
 	cases = append(cases, newServerConfigCasesOS(t)...)

 	for _, testCase := range cases {
-		testCase := testCase
-
 		input := defaultValidConfig()

 		testCase.input(input)
@ -1285,10 +1348,17 @@ func TestValidateConfig(t *testing.T) {
 			},
 			expectedErr: `federation.federates_with["domain.test"].bundle_endpoint_url must use the HTTPS protocol; URL found: "http://example.org/test"`,
 		},
+		{
+			name: "can't set both sql_transaction_timeout and event_timeout",
+			applyConf: func(c *Config) {
+				c.Server.Experimental.EventTimeout = "1h"
+				c.Server.Experimental.SQLTransactionTimeout = "1h"
+			},
+			expectedErr: "both experimental sql_transaction_timeout and event_timeout set, only set event_timeout",
+		},
 	}

 	for _, testCase := range testCases {
-		testCase := testCase
 		t.Run(testCase.name, func(t *testing.T) {
 			conf := defaultValidConfig()
 			testCase.applyConf(conf)
@ -1501,8 +1571,6 @@ func TestWarnOnUnknownConfig(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
-
 		c, err := ParseFile(filepath.Join(testFileDir, testCase.confFile), false)
 		require.NoError(t, err)

@ -1693,7 +1761,7 @@ func TestHasCompatibleTTLs(t *testing.T) {
 			msg:                      "default_jwt_svid_ttl is small enough for the configured CA TTL but larger than the max",
 			caTTL:                    time.Hour * 24 * 7 * 4 * 6, // Six months
 			x509SvidTTL:              0,
-			jwtSvidTTL:               time.Hour * 24 * 7 * 2, // Two weeks,,
+			jwtSvidTTL:               time.Hour * 24 * 7 * 2, // Two weeks
 			hasCompatibleSvidTTL:     true,
 			hasCompatibleX509SvidTTL: true,
 			hasCompatibleJwtSvidTTL:  false,
@ -1710,7 +1778,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
 	}

 	for _, testCase := range cases {
-		testCase := testCase
 		if testCase.caTTL == 0 {
 			testCase.caTTL = credtemplate.DefaultX509CATTL
 		}
--- a/cmd/spire-server/cli/run/run_windows_test.go
+++ b/cmd/spire-server/cli/run/run_windows_test.go
@ -160,7 +160,7 @@ func mergeInputCasesOS(*testing.T) []mergeInputCase {
 			},
 		},
 		{
-			msg:       "named_pipe_name be configuable by CLI flag",
+			msg:       "named_pipe_name be configurable by CLI flag",
 			fileInput: func(c *Config) {},
 			cliFlags:  []string{"-namedPipeName=foo"},
 			test: func(t *testing.T, c *Config) {
--- a/cmd/spire-server/cli/token/generate.go
+++ b/cmd/spire-server/cli/token/generate.go
@ -3,14 +3,16 @@ package token
 import (
 	"context"
 	"flag"
+	"fmt"

 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	prototypes "github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/util"
+	serverutil "github.com/spiffe/spire/cmd/spire-server/util"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
+	"github.com/spiffe/spire/pkg/common/util"
 )

 func NewGenerateCommand() cli.Command {
@ -18,7 +20,7 @@ func NewGenerateCommand() cli.Command {
 }

 func newGenerateCommand(env *commoncli.Env) cli.Command {
-	return util.AdaptCommand(env, &generateCommand{env: env})
+	return serverutil.AdaptCommand(env, &generateCommand{env: env})
 }

 type generateCommand struct {
@ -39,16 +41,20 @@ func (g *generateCommand) Synopsis() string {
 	return "Generates a join token"
 }

-func (g *generateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+func (g *generateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
 	id, err := getID(g.SpiffeID)
 	if err != nil {
 		return err
 	}
+	ttl, err := util.CheckedCast[int32](g.TTL)
+	if err != nil {
+		return fmt.Errorf("invalid value for TTL: %w", err)
+	}

 	c := serverClient.NewAgentClient()
 	resp, err := c.CreateJoinToken(ctx, &agentv1.CreateJoinTokenRequest{
 		AgentId: id,
-		Ttl:     int32(g.TTL),
+		Ttl:     ttl,
 	})
 	if err != nil {
 		return err
--- a/cmd/spire-server/cli/token/generate_test.go
+++ b/cmd/spire-server/cli/token/generate_test.go
@ -9,8 +9,8 @@ import (
 	"github.com/mitchellh/cli"
 	agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/clitest"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -116,7 +116,7 @@ type tokenTest struct {
 }

 func (t *tokenTest) args(extra ...string) []string {
-	return append([]string{common.AddrArg, t.addr}, extra...)
+	return append([]string{clitest.AddrArg, t.addr}, extra...)
 }

 func setupTest(t *testing.T) *tokenTest {
@ -137,7 +137,7 @@ func setupTest(t *testing.T) *tokenTest {
 	})

 	return &tokenTest{
-		addr:   common.GetAddr(addr),
+		addr:   clitest.GetAddr(addr),
 		stderr: stderr,
 		stdin:  stdin,
 		stdout: stdout,
--- a/cmd/spire-server/cli/upstreamauthority/revoke.go
+++ b/cmd/spire-server/cli/upstreamauthority/revoke.go
@ -0,0 +1,86 @@
+package upstreamauthority
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/util"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/cliprinter"
+)
+
+// NewRevokeCommand creates a new "upstreamauthority revoke" subcommand for "upstreamauthority" command.
+func NewRevokeCommand() cli.Command {
+	return newRevokeCommand(commoncli.DefaultEnv)
+}
+
+// NewRevokeCommandWithEnv creates a new "upstreamauthority revoke" subcommand for "upstreamauthority" command
+// using the environment specified
+func NewRevokeCommandWithEnv(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &upstreamauthorityRevokeCommand{env: env})
+}
+
+func newRevokeCommand(env *commoncli.Env) cli.Command {
+	return util.AdaptCommand(env, &upstreamauthorityRevokeCommand{env: env})
+}
+
+type upstreamauthorityRevokeCommand struct {
+	subjectKeyID string
+	printer      cliprinter.Printer
+	env          *commoncli.Env
+}
+
+func (c *upstreamauthorityRevokeCommand) Name() string {
+	return "upstreamauthority revoke"
+}
+
+func (*upstreamauthorityRevokeCommand) Synopsis() string {
+	return "Revokes the previously active X.509 upstream authority by removing it from the bundle and propagating this update throughout the cluster"
+}
+
+func (c *upstreamauthorityRevokeCommand) AppendFlags(f *flag.FlagSet) {
+	f.StringVar(&c.subjectKeyID, "subjectKeyID", "", "The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the X.509 upstream authority to revoke")
+	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintRevoke)
+}
+
+// Run executes all logic associated with a single invocation of the
+// `spire-server upstreamauthority revoke` CLI command
+func (c *upstreamauthorityRevokeCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
+	if err := c.validate(); err != nil {
+		return err
+	}
+
+	client := serverClient.NewLocalAuthorityClient()
+	resp, err := client.RevokeX509UpstreamAuthority(ctx, &localauthorityv1.RevokeX509UpstreamAuthorityRequest{
+		SubjectKeyId: c.subjectKeyID,
+	})
+	if err != nil {
+		return fmt.Errorf("could not revoke X.509 upstream authority: %w", err)
+	}
+
+	return c.printer.PrintProto(resp)
+}
+
+func prettyPrintRevoke(env *commoncli.Env, results ...any) error {
+	r, ok := results[0].(*localauthorityv1.RevokeX509UpstreamAuthorityResponse)
+	if !ok {
+		return errors.New("internal error: cli printer; please report this bug")
+	}
+
+	env.Println("Revoked X.509 upstream authority:")
+	env.Printf("  Subject Key ID: %s\n", r.UpstreamAuthoritySubjectKeyId)
+
+	return nil
+}
+
+func (c *upstreamauthorityRevokeCommand) validate() error {
+	if c.subjectKeyID == "" {
+		return errors.New("the Subject Key ID of the X.509 upstream authority is required")
+	}
+
+	return nil
+}
--- a/cmd/spire-server/cli/upstreamauthority/revoke_posix_test.go
+++ b/cmd/spire-server/cli/upstreamauthority/revoke_posix_test.go
@ -0,0 +1,14 @@
+//go:build !windows
+
+package upstreamauthority_test
+
+var (
+	revokeUsage = `Usage of upstreamauthority revoke:
+  -output value
+    	Desired output format (pretty, json); default: pretty.
+  -socketPath string
+    	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
+  -subjectKeyID string
+    	The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the X.509 upstream authority to revoke
+`
+)
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .23.0
 .24.4