diff --git a/src/core/tsi/ssl_transport_security_utils.cc b/src/core/tsi/ssl_transport_security_utils.cc
index 803b4ab7205..d4ad3243793 100644
--- a/src/core/tsi/ssl_transport_security_utils.cc
+++ b/src/core/tsi/ssl_transport_security_utils.cc
@@ -294,6 +294,42 @@ bool HasCrlSignBit(X509* cert) {
 #endif // OPENSSL_VERSION_NUMBEr < 0x10100000
 }
 
+absl::StatusOr AkidFromCertificate(X509* cert) {
+  ASN1_OCTET_STRING* akid = nullptr;
+  int j = X509_get_ext_by_NID(cert, NID_authority_key_identifier, -1);
+  // Can't have multiple occurrences
+  if (j >= 0) {
+    if (X509_get_ext_by_NID(cert, NID_authority_key_identifier, j) != -1) {
+      return absl::InvalidArgumentError("Could not get AKID from certificate.");
+    }
+    akid = X509_EXTENSION_get_data(X509_get_ext(cert, j));
+  }
+  unsigned char* buf = nullptr;
+  int len = i2d_ASN1_OCTET_STRING(akid, &buf);
+  if (len <= 0) {
+    return absl::InvalidArgumentError("Could not get AKID from certificate.");
+  }
+  return std::string(reinterpret_cast(buf), len);
+}
+
+absl::StatusOr AkidFromCrl(X509_CRL* crl) {
+  ASN1_OCTET_STRING* akid = nullptr;
+  int j = X509_CRL_get_ext_by_NID(crl, NID_authority_key_identifier, -1);
+  // Can't have multiple occurrences
+  if (j >= 0) {
+    if (X509_CRL_get_ext_by_NID(crl, NID_authority_key_identifier, j) != -1) {
+      return absl::InvalidArgumentError("Could not get AKID from crlificate.");
+    }
+    akid = X509_EXTENSION_get_data(X509_CRL_get_ext(crl, j));
+  }
+  unsigned char* buf = nullptr;
+  int len = i2d_ASN1_OCTET_STRING(akid, &buf);
+  if (len <= 0) {
+    return absl::InvalidArgumentError("Could not get AKID from crlificate.");
+  }
+  return std::string(reinterpret_cast(buf), len);
+}
+
 bool VerifyAKIDMatch(X509_CRL* crl, X509* issuer) {
   ASN1_OCTET_STRING* crl_akid = nullptr;
   ASN1_OCTET_STRING* cert_akid = nullptr;
diff --git a/src/core/tsi/ssl_transport_security_utils.h b/src/core/tsi/ssl_transport_security_utils.h
index b0bedee5fcb..9a0c28dd6de 100644
--- a/src/core/tsi/ssl_transport_security_utils.h
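Review bot: The buffer that `i2d_ASN1_OCTET_STRING(akid, &buf)` allocates (it is called with `buf == nullptr`, so the library mallocs the output) is never released in either AkidFromCertificate or AkidFromCrl, so every successful call leaks one OPENSSL_malloc'd allocation; copy the bytes into the std::string and then `OPENSSL_free(buf)` before returning. When the extension is absent (`j < 0`) `akid` stays nullptr and the code relies on the null-object i2d call returning a non-positive length — I believe that holds for the OpenSSL/BoringSSL primitive i2d path, but an explicit `if (akid == nullptr) return absl::InvalidArgumentError(...)` makes the "no AKID" outcome deliberate rather than a library detail. The error strings in AkidFromCrl carry a search-and-replace artifact, `"Could not get AKID from crlificate."`, which should read `"Could not get AKID from CRL."`. Everything after the extension lookup is identical in the two functions, so a small static helper taking the `ASN1_OCTET_STRING*` would remove the duplication and keep the fix in one place.
```cpp
absl::StatusOr<std::string> AkidFromCertificate(X509* cert) {
  // … unchanged: extension lookup and duplicate-occurrence check …
  if (akid == nullptr) {
    return absl::InvalidArgumentError("Could not get AKID from certificate.");
  }
  unsigned char* buf = nullptr;
  int len = i2d_ASN1_OCTET_STRING(akid, &buf);
  if (len <= 0) {
    return absl::InvalidArgumentError("Could not get AKID from certificate.");
  }
  std::string akid_der(reinterpret_cast<const char*>(buf), len);
  OPENSSL_free(buf);  // i2d allocated the buffer because buf was nullptr
  return akid_der;
}
// … AkidFromCrl: same tail, with "Could not get AKID from CRL." …
```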
+++ b/src/core/tsi/ssl_transport_security_utils.h
@@ -165,6 +165,16 @@ bool VerifyAKIDMatch(X509_CRL* crl, X509* issuer);
 // return: a std::string of the DER encoding of the X509_NAME issuer name.
 absl::StatusOr IssuerFromCert(X509* cert);
 
+// Gets a stable representation of the authority key identifier from an X509
+// certificate.
+// return: a std::string of the DER encoding of the AKID or a status on failure.
+absl::StatusOr AkidFromCertificate(X509* cert);
+
+// Gets a stable representation of the authority key identifier from an X509
+// crl.
+// return: a std::string of the DER encoding of the AKID or a status on failure.
+absl::StatusOr AkidFromCrl(X509_CRL* crl);
+
 } // namespace grpc_core
 
 #endif // GRPC_SRC_CORE_TSI_SSL_TRANSPORT_SECURITY_UTILS_H
diff --git a/third_party/abseil-cpp b/third_party/abseil-cpp
index 4a2c63365ef..29bf8085f3b 160000
--- a/third_party/abseil-cpp
+++ b/third_party/abseil-cpp
@@ -1 +1 @@
-Subproject commit 4a2c63365eff8823a5221db86ef490e828306f9d
+Subproject commit 29bf8085f3bf17b84d30e34b3d7ff8248fda404e
diff --git a/third_party/boringssl-with-bazel b/third_party/boringssl-with-bazel
index ae72a4514c7..2ff4b968a7e 160000
--- a/third_party/boringssl-with-bazel
+++ b/third_party/boringssl-with-bazel
@@ -1 +1 @@
-Subproject commit ae72a4514c7afd150596b0a80947f3ca9b8363b5
+Subproject commit 2ff4b968a7e0cfee66d9f151cb95635b43dc1d5b
diff --git a/third_party/envoy-api b/third_party/envoy-api
index 78f198cf96e..9d6ffa70677 160000
--- a/third_party/envoy-api
+++ b/third_party/envoy-api
@@ -1 +1 @@
-Subproject commit 78f198cf96ecdc7120ef640406770aa01af775c4
+Subproject commit 9d6ffa70677c4dbf23f6ed569676206c4e2edff4
diff --git a/third_party/xds b/third_party/xds
index 3a472e52482..e9ce68804cb 160000
--- a/third_party/xds
+++ b/third_party/xds
@@ -1 +1 @@
-Subproject commit 3a472e524827f72d1ad621c4983dd5af54c46776
+Subproject commit e9ce68804cb4e64cab5a52e3c8baf840d4ff87b7
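Review bot: The two new declaration comments do not state the failure cases the implementation in ssl_transport_security_utils.cc distinguishes: the functions reject a certificate or CRL whose AKID extension occurs more than once, and they appear to return an error status when the extension is absent as well, so "a status on failure" should say which conditions those are, e.g. `// Returns InvalidArgumentError if the AKID extension is absent or appears more than once.` The "DER encoding of the AKID" wording is also imprecise — the returned bytes are the DER of the extension's OCTET STRING value (wrapping the AuthorityKeyIdentifier structure, including any authorityCertIssuer/serialNumber fields), not the bare keyIdentifier — and callers that compare a certificate's result against a CRL's should know both helpers use that same encoding. In the second comment `crl` should be written `CRL`.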