by bugmen0t 1342 days ago
Why are other browsers allowing access when Firefox is not?

Isn’t this a security issue?

1 comments

Yes, to an extent, but given the state of certificate revocation, some might say this is "by design".

There are 2 main ways to revoke a certificate - one is by listing it on a certificate revocation list (CRL), whose URL is inside the CA certificate. This means to check the CRL, the client leaks their IP to the CA operator every time they check. The list of revoked certificates can be as long as the list of certificates issued which are still unexpired - that could be a large download, and you'll need to refresh it periodically.

A lot of implementations don't bother using CRLs as a result.

The alternative is OCSP, where you can query (in real-time) with the CA whether a given certificate is still valid or not. This means you're revealing which certificate you're checking, so you're telling a third party every time you visit a site. Since OCSP is just a way of getting a refreshed signed confirmation the certificate isn't expired, OCSP stapling is an option, where your web server requests a timestamped OCSP statement and serves it to all requesters - they can check the signature on the OCSP response, and know the certificate wasn't revoked at the time of the CA-signed timestamp.

OCSP stapling solves the privacy issue of leaking the sites you visit in real time, and also avoids browsers having to fetch a large CRL list regularly.

Revocation is a challenge any time you do certificates or signed data - same with JWT/Paseto - in a distributed system a signed bearer token can solve state sync challenges, but then your new state sync challenge is syncing token revocation!
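As an added illustration (not code from the comment above), here is a small Python model of the stapling flow the comment describes: the CA issues a time-bounded signed status, the server caches and staples it, and the client verifies it without contacting the CA. It also shows a point the comment only implies, that a revocation is invisible to clients until the server fetches a fresh staple. An HMAC under a constructed key stands in for the CA's asymmetric signature, and the serials, timestamps and validity window are assumptions.

```python
import hashlib, hmac, json

# Constructed setup. The HMAC key stands in for the CA's signing key; the client is
# assumed to hold the verifying key the way a browser holds the CA's public key.
CA_SIGNING_KEY = b"constructed-ca-key"
STAPLE_LIFETIME = 7 * 24 * 3600   # assumed validity window (thisUpdate..nextUpdate)
revoked_serials = set()           # the CA's revocation state

def sign(payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(CA_SIGNING_KEY, body, hashlib.sha256).hexdigest()}

def ca_ocsp_responder(serial: int, now: float) -> dict:
    """The CA's answer about one certificate: a signed, time-bounded status."""
    status = "revoked" if serial in revoked_serials else "good"
    return sign({"serial": serial, "status": status,
                 "thisUpdate": now, "nextUpdate": now + STAPLE_LIFETIME})

class WebServer:
    def __init__(self, serial: int):
        self.serial, self.staple = serial, None
    def refresh_staple(self, now: float) -> None:
        self.staple = ca_ocsp_responder(self.serial, now)   # one fetch, served to all
    def handshake(self) -> dict:
        return {"serial": self.serial, "ocsp_staple": self.staple}

def client_check(handshake: dict, now: float) -> str:
    """Verify the staple without contacting the CA: signature, serial, freshness."""
    staple = handshake.get("ocsp_staple")
    if staple is None:
        return "no-staple"        # browsers differ on whether this is fatal
    if not hmac.compare_digest(sign(staple["payload"])["sig"], staple["sig"]):
        return "bad-signature"
    p = staple["payload"]
    if p["serial"] != handshake["serial"]:
        return "wrong-cert"
    if not p["thisUpdate"] <= now <= p["nextUpdate"]:
        return "stale"
    return p["status"]            # "good" or "revoked"

def demo() -> tuple:
    t0 = 1_700_000_000.0
    server = WebServer(serial=4242)
    server.refresh_staple(t0)
    before = client_check(server.handshake(), t0 + 60)
    revoked_serials.add(4242)     # CA revokes the cert after the staple was issued
    cached = client_check(server.handshake(), t0 + 3600)  # old "good" staple still served
    server.refresh_staple(t0 + 3600)
    return before, cached, client_check(server.handshake(), t0 + 3600)
```

`demo()` returns `("good", "good", "revoked")`: the middle value is the window during which a client trusts a staple that predates the revocation, which is why staple lifetimes are kept short and servers should refresh well before `nextUpdate`.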