I’m a trained netsec professional so handling keys and such is not really a hassle for me. What is a hassle IMO is having to manually do more things than hitting the “revoke” button to fully properly revoke a certificate, so that’s where the CRL/OCSP req comes from.

Looks like that part is something you really only get for free with EJBCA, which I’ve tried and found very exhausting to use for my home network. If I had to pick one for work I’d probably go with EJBCA though, seems worth the effort if you’re doing more complex things.

step-ca does not currently support active revocation mechanisms like a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).

Meh. Doesn’t do what I need it to. :/

Does seem like automatic CRL/OCSP is something you only get for free with EJBCA. Frustrating, that.