Just a few additional points, don't really want to belabor the OCSP topic.
- OCSP will be faster in situations where there are large CRLs. An OCSP request is a tiny binary payload wrapped in a single HTTP request. The total transaction (req and rep) is usually less than 1K.
- A local OCSP would need to know the remote CRLs it's managing so it can go get them and cache. That's no different than the CRL situation you have now. And since the responder knows what and where they are, it'll always have a copy (fresh or otherwise) of that CRL and can make a valid OCSP response.
- My suggestion then, if local CRL validation is what you're aiming for, is to create a timed script that simply generates a query to the BIG-IP VIP and performs mTLS with a cert from each of the known issuers. This will force the BIG-IP to always have an up-to-date CRL in cache.
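A cron-driven version of the timed mTLS probe suggested above, as an added example that is not from the original post (the VIP URL, the issuer cert directory layout, the DRY_RUN switch and the cron path are assumptions):

```shell
#!/bin/sh
# Added example: "warm" the BIG-IP CRL cache by doing an mTLS handshake against the
# VIP with a client cert from every known issuer. Assumed layout: one valid
# (unrevoked) client cert/key pair per issuer in $CERT_DIR, named <issuer>.crt
# and <issuer>.key. VIP_URL is a placeholder.
VIP_URL="${VIP_URL:-https://vip.example.internal/}"
CERT_DIR="${CERT_DIR:-/etc/crl-warm/issuers}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the curl command instead of running it

# mTLS probe for one issuer. The handshake makes the BIG-IP look up that
# issuer's CRL, which (re)fills its cache; the HTTP body itself is discarded.
probe_issuer() {
  issuer="$1"
  crt="$CERT_DIR/$issuer.crt"; key="$CERT_DIR/$issuer.key"
  [ -f "$crt" ] && [ -f "$key" ] || { echo "missing cert/key for $issuer" >&2; return 2; }
  if [ "$DRY_RUN" = 1 ]; then
    echo "curl --silent --output /dev/null --max-time 10 --cert $crt --key $key $VIP_URL"
    return 0
  fi
  curl --silent --output /dev/null --max-time 10 --cert "$crt" --key "$key" "$VIP_URL"
}

# Probe every issuer found in CERT_DIR. Prints a summary line and returns the
# failure count, so cron mail or a monitoring wrapper notices when a VIP,
# CRL distribution point or test cert has stopped working.
probe_all() {
  fails=0; total=0
  for crt in "$CERT_DIR"/*.crt; do
    [ -f "$crt" ] || continue
    total=$((total + 1))
    probe_issuer "$(basename "$crt" .crt)" || fails=$((fails + 1))
  done
  echo "probed=$total failed=$fails"
  return "$fails"
}

# Assumed crontab entry, every 15 minutes (well inside a typical CRL validity window):
# */15 * * * * /usr/local/sbin/crl-warm.sh
```

Run the probe interval shorter than the CRL "next update" period so the cached copy is never the one that has expired.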