When dealing with PKI certificates, any revocation action will cause the CRL to be regenerated. Any expired certificates are then subsequently removed from the CRL when it is regenerated. After a certificate is revoked before the TTL, it gets added to a CRL. Sometimes during validation, the CRL can be looked at to see if the cert was revoked or not in order to determine if it is valid or not, but if the CRL is not checked and the TTL is still valid, it would treat the cert as valid.
A way to mitigate this is to set generate_lease to false in the PKI role as setting to true will result in the lease being created and associated with the cert will being set to the TTL of the token requesting the cert. Therefore, the cert will expire when the lease of that token expires since that token was a Service Token. The token TTL created is determined by what is configured in auth method role.