When changing e.g. the CRL managed by the new PKI subsystem, the certificates and services using these certificates get not "reloaded" notified about the change.
When a cert is changed, the consuming service should be notified and reloaded to read in the new certificates.