Yes, if you've ever managed a shared Unix system that uses ssh keys for login, you know that a large fraction of users cannot manage them.
Among the steps of generating a key pair, getting the public key (not the private one) into their authorized_keys file (which is in a hidden directory, for Pete's sake) without introducing any extra characters or line breaks or getting the wrong permissions on the file, getting their ssh client programs to use the proper private key for the host they are trying to log in to, or figuring out ssh-agent, there are just way too many opportunities to screw up or get confused.
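The failure modes listed in the comment above (a private key pasted instead of the public one, stray characters or line breaks, wrong permissions) can be checked mechanically. The following is an added example, not part of any comment in this thread: the function names are hypothetical, the sample key is constructed from dummy bytes, and it assumes plain (non-certificate) key types and options that contain no spaces.

```python
import base64, binascii, os, stat, struct

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def make_constructed_ed25519_line(comment="user@example"):
    # Constructed sample: correct structure, dummy bytes, not a real key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def check_key_line(line):
    """Problems with one authorized_keys line (an empty list means it looks fine)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if "PRIVATE KEY" in line:
        return ["private key material, not a public key"]
    fields = line.split()
    # Simplification: options before the key type are assumed to contain no spaces.
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        return ["no 'keytype base64' pair on this line (key wrapped across lines?)"]
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except (binascii.Error, ValueError):
        return ["key data is not valid base64 (stray characters or a broken line)"]
    # The blob is a run of length-prefixed fields; the first one repeats the key type.
    parts, pos = [], 0
    while pos + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob):
        return ["key data is truncated or has trailing bytes"]
    if not parts or parts[0].decode("ascii", "replace") != fields[idx]:
        return ["key type on the line does not match the type inside the key data"]
    return []

def check_permissions(path):
    """sshd's StrictModes rejects a file or directory that group or others can write."""
    targets = (path, os.path.dirname(os.path.abspath(path)))
    modes = [(p, stat.S_IMODE(os.stat(p).st_mode)) for p in targets]
    return [f"{p} is group/world-writable (mode {m:o})" for p, m in modes if m & 0o022]

def audit(path):
    """Return (line_number, problem) pairs; permission problems use line number 0."""
    findings = [(0, p) for p in check_permissions(path)]
    with open(path) as fh:
        for no, line in enumerate(fh, 1):
            findings += [(no, p) for p in check_key_line(line)]
    return findings
```

Running `audit()` on a user's `~/.ssh/authorized_keys` gives one finding per broken line, which is usually enough to tell the user which of the mistakes above they made.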
It seems a little bit uncharitable to assume the UX on client certs has to be as bad as the UX on SSH keys, although I'll concede the point that historically it has been.
It's a myth, they are not. They are uneducated and lazy¹, not stupid.
Save for minorities with genuine learning disorders, people can learn how to click/tap a bunch of buttons in a sequence. They aren't running a PKI (that's on platform/browser vendor), they are just picking an identity from the list after all. They learn how to click the right buttons all the time, as UI designers' managers decide it's time for a new bonus and swing things around with a "new graphic language".
Basic certificate management (from end-user perspective) is not harder than password management. Passkeys are conceptually the exact same thing² as TLS client certificates, just without a purposefully neglected UI and a DIY attitude³ (TLS is supported by nearly anything, barely anything knows about WebAuthn JS shenanigans).
1) Not in a bad way. "Lazy" as in "lazy evaluation", not "lazy ass". Maybe there's a better word for this.
2) Save for some technical details, both are essentially keypair management.
3) There is almost no UI, it's just an API, then all the visual bits are left out as an exercise to individual app designers (partially on platform/browser developers, partially on website developers). Browser vendors just hated those areas because they weren't deemed cool and fancy ([un]like some JS framework of the day) and shoved them under the rug as deep as they could. And unlike TLS, there is no standard for how to pass data around, everyone invents their own `POST /login/webauthn` semantics.
When I worked on a code signing app, I had front row seats to how magical everyone thinks certificates are. It took me several years to convince the group that they aren't that complicated.
I think the world would be a better place if Let's Encrypt had come into being about five years earlier.
I agree with this, but...
> users are too stupid to use them
They are. Key management is not trivial.