This is in 12.2-RELEASE, which is not an option yet.
I blacklisted some certificates, and "certctl blacklisted" showed them getting blacklisted, but "certctl list" would also still show them. My common sense tells me that I can’t have a certificate trusted and blacklisted at the same time.
I think the issue here is that blacklisting a cert does not trigger a rehash, so certctl list won't reflect it until the next rehash. We should make this more proactive and actually remove it from /etc/ssl/certs, though...
When I had tried rehashing yesterday, it would undo my blacklisting. Or at least so it seemed.
(In reply to corvid from comment #2)
Oh, oh dear. =(