View Issue Details

ID: 0004988
Project: 10000-012: Discovery
Category: Spec
View Status: public
Last Update: 2020-06-16 19:41
Reporter: Martin Regen
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: unable to reproduce
Status: closed
Resolution: fixed
Summary: 0004988: GDS should support OCSP-like mechanism instead of CRL to validate cert status
Description

Currently there is a strong push in the future Azure cloud CA service to not support CRL, but only OCSP, as the cert validation technology. CRL is considered outdated and too complicated to manage.

I believe currently the OPC UA spec supports only CA certs with CRL. Not having a CRL is a special case that is by default disabled.

The CTT certification tool by default mandates a valid CRL.

Poor CRL support in the Push model (see https://apps.opcfoundation.org/mantis/view.php?id=4081) makes it difficult to manage the CRL on servers, let alone clients.

Because many factory networks do not support internet access (e.g. to validate a cert by accessing an OCSP responder), the GDS should have a mechanism to provide the cert status via a method for local servers.

Servers can then implement it either way: with internet access, directly access the OCSP responder; without, use the local GDS.

The CA certificates need to be mandated to include the CRL Distribution Point (CDP) extension or the OCSP responder.
However, OCSP also has issues in an OPC UA world, e.g. difficulties in responding to cert chains, it requires HTTP, OCSP stapling needs TLS, etc. These are things which may not be available in a small server.

So a method in the GDS to validate an app cert might be a good idea, combined with some type of OCSP / OCSP stapling. This way server-push CRL distribution could be avoided. Also for clients it may be easier to validate server certs.
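As an added example (not part of this issue, of the spec, or of any OPC Foundation stack), here is what a local GDS-side revocation check of the kind asked for above could look like in Go: a certificate must name a CDP or an OCSP responder, and a status of good or revoked is only returned when a CRL that the issuer actually signed is present and not stale; everything else is unknown, which a validator must treat as failure. The names LocalRevocationStatus and NewTestPKI and the example.invalid URLs are assumptions, and the CA, certificates and CRL are constructed in-process as test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// LocalRevocationStatus is the offline check a GDS could offer servers without internet
// access: crlDER is the CRL the GDS holds for cert's issuer. The result mirrors the three
// OCSP states; "unknown" must be treated as a failed validation, never as "good".
func LocalRevocationStatus(cert, issuer *x509.Certificate, crlDER []byte) string {
	if len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0 {
		return "unknown" // policy from the report: no CDP and no OCSP responder named
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
		return "unknown" // unparsable, not signed by the issuer, or stale: proves nothing
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}

// NewTestPKI builds constructed test data (errors ignored, fixture only): a CA, a leaf with
// leafSerial naming CDP/OCSP URLs on placeholder hosts, and a CA-signed CRL revoking serial 42.
func NewTestPKI(leafSerial int64) (ca, leaf *x509.Certificate, crlDER []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test GDS CA"}, NotBefore: nb,
		NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(leafSerial), Subject: pkix.Name{CommonName: "urn:test:opcua-server"},
		NotBefore: nb, NotAfter: na, CRLDistributionPoints: []string{"http://gds.example.invalid/ca.crl"},
		OCSPServer: []string{"http://ocsp.example.invalid"}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb, NextUpdate: na,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	return
}
```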

Tags: No tags attached.

Activities

Randy Armstrong

2020-06-15 03:58

administrator   ~0012277

Added CheckRevocationStatus Method to CertificateManager.

Jim Luth

2020-06-16 19:41

administrator   ~0012351

Agreed to text edited in Virtual F2F.

Issue History

Date Modified Username Field Change
2019-09-04 09:08 Martin Regen New Issue
2019-09-04 14:23 Martin Regen Description Updated
2019-11-26 17:04 Jim Luth Assigned To => Randy Armstrong
2019-11-26 17:04 Jim Luth Status new => assigned
2020-06-15 03:58 Randy Armstrong Status assigned => resolved
2020-06-15 03:58 Randy Armstrong Resolution open => fixed
2020-06-15 03:58 Randy Armstrong Note Added: 0012277
2020-06-16 19:41 Jim Luth Status resolved => closed
2020-06-16 19:41 Jim Luth Fixed in Version => 1.05
2020-06-16 19:41 Jim Luth Note Added: 0012351