Rookie mistake: SSH's KRL is also a CRL. See KEY REVOCATION LISTS in ssh-keygen(1). You can revoke plain keys with it, but also revoke certs (both by serial number and identity) with it.

The infrastructure I built for access control using SSH certs used it. I know it works because I tested for it specifically.