That bad? Well, I believe you and I am glad I never invested significant time into PHP.
Incidentally, while revocation is the critical part of the whole certificate system (I learned that, oh, 25 years ago in a university lecture on "authentication systems", so it has been known to anybody that wanted to find out for at least 5 years longer), most people do not get that at all. You can routinely tell people apart into those that get what crypto can do and what it cannot and those that are clueless, merely by asking about certificate revocation. Incidentally, there still is no certificate revocation system that works, even after at least 30 years or so of research. The only thing that works to some degree is shipping revocation lists with browser updates. But that is neither a good solution, nor a general one.