So the HashiCorp answer for CRLs (for Vault) is to issue certificates with a short time to live, which seems to be Let's Encrypt's answer also.
There is a Vault resource to configure the CRL (and issuing certificate) URLs; in this code the Vault mount is named pki.
    resource "vault_pki_secret_backend_config_urls" "config_urls" {
      # Terraform 0.12+ depends_on takes references, not strings
      depends_on = [vault_mount.pki]

      backend = vault_mount.pki.path
      # both URLs must be reachable by every client that validates these certs
      issuing_certificates    = ["http://my-domain.com:8200/v1/pki/ca"]
      crl_distribution_points = ["http://domain.com:8200/v1/pki/crl"]
    }
For private PKI, having people contact Vault as above is probably fine; you probably don't want to expose Vault to the public.
Another option I have used was to create a public S3 bucket and then use openssl to generate the CRLs; the output of this was a local file that I could copy out to S3. You basically need to have the CA that created the cert sign a revocation and then put the generated files onto a public server.
The script I wrote years ago to generate CRLs with openssl was basically:
    openssl ca -config ./openssl.cnf -name CA_intermediate -gencrl -out "$cert_ca_dir/revocations/$TF_VAR_myname/intermediate_ca.crl.pem"
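The whole CA-side procedure described above (revoke under the issuing CA, generate the CRL with the same `openssl ca ... -name CA_intermediate -gencrl` form, publish it), as an added example that is not the original post's script. It builds a throwaway CA in a temp directory so it runs offline, and it checks the part that is easy to get wrong: that a CRL-checking client actually rejects the revoked cert and still accepts an unrevoked one. It assumes `openssl` is on PATH; the `publish_crl` helper and its `aws s3 cp` call, the CA/subject names and the file names are all assumptions for the example.

```shell
#!/bin/sh
# Added example, not the post's script. Builds a throwaway CA, issues two
# certs, revokes one, generates the CRL and verifies clients honour it.

crl_demo() {
    work="$(mktemp -d)" || return 1
    (
        set -e
        cd "$work"
        mkdir -p ca/newcerts
        touch ca/index.txt         # openssl ca's certificate database
        echo 1000 > ca/serial      # next certificate serial (hex)
        echo 1000 > ca/crlnumber   # next CRL number (hex), gives v2 CRLs

        # Minimal openssl.cnf (constructed). The CA section is named
        # CA_intermediate so "-name CA_intermediate" selects it, as in the post.
        cat > openssl.cnf <<'EOF'
[ ca ]
default_ca       = CA_intermediate

[ CA_intermediate ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
# clients treat the CRL as stale once nextUpdate passes: regenerate before then
default_crl_days = 7
policy           = policy_any
x509_extensions  = v3_leaf

[ policy_any ]
commonName       = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
# cRLSign is what lets this key sign CRLs
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
        # Self-signed CA standing in for the intermediate that issued the certs.
        openssl req -x509 -config openssl.cnf -newkey rsa:2048 -nodes \
            -keyout ca/ca.key -out ca/ca.crt -days 30 \
            -subj "/CN=Example Intermediate CA" 2>/dev/null

        # Issue two leaf certs; only the first will be revoked.
        for name in revoked valid; do
            openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
                -keyout "$name.key" -out "$name.csr" \
                -subj "/CN=$name.example.test" 2>/dev/null
            openssl ca -batch -notext -config openssl.cnf -name CA_intermediate \
                -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
        done

        # Revoking only updates index.txt; nothing is published until -gencrl.
        openssl ca -config openssl.cnf -name CA_intermediate \
            -revoke revoked.crt -crl_reason keyCompromise >/dev/null 2>&1

        # Generate the CRL (same form as the post's one-liner) plus a DER copy,
        # which is what most clients expect to fetch from a CDP URL.
        openssl ca -config openssl.cnf -name CA_intermediate -gencrl \
            -out intermediate_ca.crl.pem >/dev/null 2>&1
        openssl crl -in intermediate_ca.crl.pem -outform DER -out intermediate_ca.crl

        # A CRL-checking client must reject the revoked cert ...
        if openssl verify -CAfile ca/ca.crt -crl_check \
               -CRLfile intermediate_ca.crl.pem revoked.crt >/dev/null 2>&1; then
            echo "BUG: revoked certificate still verifies" >&2
            exit 3
        fi
        # ... and still accept the one that was not revoked.
        openssl verify -CAfile ca/ca.crt -crl_check \
            -CRLfile intermediate_ca.crl.pem valid.crt >/dev/null
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Publish step (assumed: aws CLI installed, $2 is an s3:// URI in a bucket you
# control). Not called by crl_demo. DER CRLs are served as application/pkix-crl.
publish_crl() {
    aws s3 cp "$1" "$2" --content-type application/pkix-crl
}

# Exit 0 means the revoked cert was rejected and the valid one accepted.
crl_demo && echo "CRL generated; revoked cert rejected, valid cert accepted"
```

Two things the one-liner on its own does not show: the CRL's `nextUpdate` is `default_crl_days` (or `-crldays`) after generation, so whatever copies the file to S3 has to run on a schedule shorter than that or clients will start failing closed (or, worse, open); and a revocation is invisible until a fresh CRL is both generated and uploaded, so the revoke and the publish belong in the same job.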