OCSP stapling doesn't reflect revoked certificate

I should mention this is a great example of why we need acme clients embedded into the servers.

Caddy, for instance (yes, I made it, yada yada), staples OCSP automatically, and when it sees a Revoked status, will automatically replace the cert and rotate the key if the reason is Key Compromise.

Caddy also caches staples to disk and reuses them in case responders go down, and shares staples across a cluster. All this happens automatically.

But as mentioned above, revocation is broken and we actually need shorter cert lifetimes instead.

This is the way™ 🙂
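As an added illustration (this is not Caddy's code and not part of the original post), the staple-handling policy described above in Go: fall back to a cached staple while the responder is down, and on a Revoked status choose between re-issuing the cert and rotating the key first. The `Staple` type, `decide` and `refreshStaple` are constructed for this example; a real client would parse the DER OCSP response with an OCSP library.

```go
package main

import (
	"fmt"
	"time"
)

const (
	Good, Revoked       = 0, 1 // OCSP CertStatus values (RFC 6960); Unknown omitted
	ReasonKeyCompromise = 1    // CRLReason code (RFC 5280)
	Serve, Reissue      = 0, 1 // actions: keep serving / new cert, same key
	RotateKeyAndReissue = 2    // action: new key, then new cert
	NoStaple            = 3    // action: responder down and no usable cache
)
// Staple is a simplified stand-in for a parsed OCSP response (constructed for this example).
type Staple struct {
	Status, Reason         int
	ThisUpdate, NextUpdate time.Time
}
// decide: revoked for key compromise means new key plus new cert; any other revocation, new cert only.
func decide(s *Staple) int {
	if s.Status != Revoked {
		return Serve
	}
	if s.Reason == ReasonKeyCompromise {
		return RotateKeyAndReissue
	}
	return Reissue
}
// refreshStaple asks the responder for a fresh staple and falls back to the cached
// one (if still inside its validity window) when the responder fails or is stale.
func refreshStaple(now time.Time, cached *Staple, fetch func() (*Staple, error)) (*Staple, int) {
	usable := func(s *Staple) bool {
		return s != nil && !now.Before(s.ThisUpdate) && now.Before(s.NextUpdate)
	}
	if fresh, err := fetch(); err == nil && usable(fresh) {
		return fresh, decide(fresh)
	}
	if usable(cached) {
		return cached, decide(cached)
	}
	return nil, NoStaple // serve without a staple; the cert is not known to be revoked
}

func main() {
	now := time.Now()
	cached := &Staple{Status: Good, ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	_, act := refreshStaple(now, cached, func() (*Staple, error) { return nil, fmt.Errorf("responder down") })
	fmt.Println("responder down, cached staple still valid ->", act) // 0 (Serve)
}
```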
