External CA: auto-fetch not populating CRL despite URL being reachable

Started by grapes2331, Today at 12:43:12 AM

EDIT: I've updated my post a few times to try and make my problem clearer. My goal is to periodically fetch the CRL from my Issuing CA so OpenVPN can enforce client cert revocation. Auto-fetch is enabled, but the CRL Name column is empty for both CAs; nothing has been fetched. The buttons in the Revocation row don't do anything when clicked. The CRL URL is reachable from the OPNsense shell over HTTP.

Here is my current certificate configuration. I have an offline Root CA → online Issuing CA. Both CA certs are imported into System → Trust → Authorities. I confirmed that the Issuing CA's CRL is reachable from the OPNsense shell: the fetch succeeds and returns a valid 1 KB DER file. "Auto fetch CRL's" is enabled in System → Trust → Settings. "Store intermediate" and "Store CRL's" are also enabled.

Why auto-fetch doesn't help me:

The Settings tooltip says auto-fetch downloads CRLs from CDPs in CAs in the trust store. For my hierarchy my Root CA cert has an empty CDP, and the Issuing CA cert's CDP points to the Root's CRL. The Issuing CA's CRL URL only appears in CDPs of leaf certs, which aren't in the trust store. So auto-fetch can never discover the URL for the CRL.

What I've tried in System → Trust → Revocation:

Clicking the + on the Issuing CA row opens a dialog with a Method dropdown showing only "Internal: build CRL from OPNsense issued certs" and "Import existing", which seems to only accept PEM.

Is there a supported way in OPNsense to configure periodic URL-based CRL fetching for an externally managed CA whose CRL URL is not advertised by any imported CA cert?
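To make the CDP argument above concrete, here is an added example (not OPNsense code and not from the poster) that builds a constructed Root → Issuing → leaf chain with openssl and prints the CRL Distribution Point URIs each certificate carries; it also includes a small fetch helper that converts a DER CRL to the PEM the "Import existing" dialog expects. The pki.example.invalid URLs, the `sign`/`cdp_uris`/`fetch_crl_pem` names and the availability of openssl and curl on PATH are all assumptions.

```shell
# Constructed demo (not OPNsense code or the poster's): build a Root -> Issuing -> leaf
# chain with openssl and list the CRL Distribution Point URIs each cert really carries.
# Assumes openssl and curl are on PATH; the pki.example.invalid URLs are placeholders.
set -eu

# cdp_uris CERT.pem: print the URI entries of the cert's CDP extension, one per line
cdp_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# sign CSR CA_CERT CA_KEY OUT EXTS: issue a cert from a CSR with the given v3 extensions
sign() {
    printf '%b\n' "$5" > "$4.ext"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -out "$4" \
        -extfile "$4.ext" 2>/dev/null
}

# build_demo_pki DIR: write root.pem, issuing.pem and leaf.pem into DIR
build_demo_pki() {
    for n in root issuing leaf; do
        openssl req -newkey rsa:2048 -nodes -keyout "$1/$n.key" -out "$1/$n.csr" \
            -subj "/CN=Demo $n" 2>/dev/null
    done
    # Root CA: self-signed, no CDP at all (as in the post)
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/root.ext"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -out "$1/root.pem" \
        -extfile "$1/root.ext" 2>/dev/null
    # Issuing CA: its CDP names the Root's CRL, not its own
    sign "$1/issuing.csr" "$1/root.pem" "$1/root.key" "$1/issuing.pem" \
        'basicConstraints=critical,CA:TRUE\ncrlDistributionPoints=URI:http://pki.example.invalid/root.crl'
    # Leaf (e.g. an OpenVPN client cert): the only place the Issuing CA's CRL URL appears
    sign "$1/leaf.csr" "$1/issuing.pem" "$1/issuing.key" "$1/leaf.pem" \
        'basicConstraints=CA:FALSE\ncrlDistributionPoints=URI:http://pki.example.invalid/issuing.crl'
}

# fetch_crl_pem URL OUT.pem: download a CRL (DER or PEM), store it as PEM and print its
# nextUpdate; run from cron so a fresh PEM is ready to import before the current CRL expires
fetch_crl_pem() {
    curl -fsS "$1" -o "$2.raw"
    openssl crl -in "$2.raw" -inform DER -out "$2" 2>/dev/null \
        || openssl crl -in "$2.raw" -inform PEM -out "$2"
    openssl crl -in "$2" -noout -nextupdate
}

demo=$(mktemp -d); build_demo_pki "$demo"
for n in root issuing leaf; do   # root: (none), issuing: root.crl, leaf: issuing.crl
    printf '%-8s CDP: %s\n' "$n" "$(cdp_uris "$demo/$n.pem" | tr '\n' ' ')"
done
```

Only the leaf advertises the Issuing CA's CRL, so a trust store holding just the two CA certs gives auto-fetch nothing to follow for it; `fetch_crl_pem` is one way to keep a PEM copy current for manual or scripted import.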