Much to our surprise - only Opera and Firefox showed the server’s certificate as revoked. Settings in Keychain Access are correct (“best effort” or “required if cert indicates”).
Safari/macOS does not check CRLs and OCSP by default. To enable it:
Chrome disabled OCSP and CRL support several years ago:
It is not possible to re-enable it. However, Chrome uses the certificate machinery built-in to operating systems, so it will sometimes work regardless, e.g. on the Mac if you enable it in Keychain Access as the first link explains.
If you want a wider range of browsers to know if the certificate for your particular site is later revoked, you can use a mechanism called must-staple (and a newer mechanism called expect-staple) to indicate that it’s mandatory to include a recent OCSP response along with the certificate itself. These mechanisms should be used with caution because, if you apply them and then don’t set up the web server correctly, visitors can be locked out of visiting the site.
gets a bit better - Chrome correctly shows "Not Secure". However, Safari is still happy. Both browsers behave the same when I changed the preference of CRL/OCSP in Keychain Access.