diff --git a/builtin/logical/pki/path_tidy.go b/builtin/logical/pki/path_tidy.go
index 3ae30fd4da68..a9088f4883ee 100644
--- a/builtin/logical/pki/path_tidy.go
+++ b/builtin/logical/pki/path_tidy.go
@@ -31,6 +31,14 @@ the revocation list`,
 Default: false,
 },
+ "tidy_revoked_certs": &framework.FieldSchema{
+ Type: framework.TypeBool,
+ Description: `Set to true to expire all revoked
+certificates, even if their duration has not yet passed. This will cause these
+certificates to be removed from the CRL the next time the CRL is generated.`,
+ Default: false,
+ },
+
 "safety_buffer": &framework.FieldSchema{
 Type: framework.TypeDurationSecond,
 Description: `The amount of extra time that must have passed
@@ -54,6 +62,7 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
 safetyBuffer := d.Get("safety_buffer").(int)
 tidyCertStore := d.Get("tidy_cert_store").(bool)
 tidyRevocationList := d.Get("tidy_revocation_list").(bool)
+ tidyRevokedCerts := d.Get("tidy_revoked_certs").(bool)
 
 if safetyBuffer < 1 {
 return logical.ErrorResponse("safety_buffer must be greater than zero"), nil
@@ -163,7 +172,7 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
 return errwrap.Wrapf(fmt.Sprintf("unable to parse stored revoked certificate with serial %q: {{err}}", serial), err)
 }
 
- if time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
+ if tidyRevokedCerts || time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
 if err := req.Storage.Delete(ctx, "revoked/"+serial); err != nil {
 return errwrap.Wrapf(fmt.Sprintf("error deleting serial %q from revoked list: {{err}}", serial), err)
 }
diff --git a/website/source/api/secret/pki/index.html.md b/website/source/api/secret/pki/index.html.md
index b652a633ad70..b0ceea22501d 100644
--- a/website/source/api/secret/pki/index.html.md
+++ b/website/source/api/secret/pki/index.html.md
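Review bot: The `tidy_revoked_certs` Description in the first hunk does not state the security consequence of the option: deleting a `revoked/` entry for a certificate whose NotAfter has not yet passed means the next CRL no longer lists that serial, so any relying party that consumes the CRL will treat a certificate the operator deliberately revoked as valid again. Since this text is what operators see in the API help, I would append a sentence such as `Certificates that are still within their validity period will no longer appear as revoked to any consumer of the CRL, so only enable this when every removed certificate is known to be expired or otherwise unreachable.` The website hunk below repeats the same wording and would need the same addition. The enclosing path definition starts outside this hunk.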
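Review bot: The `tidyRevokedCerts ||` short-circuit in the third hunk means `bufferDuration`, and therefore the `safety_buffer < 1` validation added alongside it in the second hunk, no longer constrains deletion at all when the flag is set, and nothing in the visible code records that a still-valid revocation was dropped. I would put a why-comment above the condition, `// tidy_revoked_certs bypasses the safety buffer: the revocation entry is removed even if the certificate is still within its validity period, so the next CRL will not list it.`, and consider counting the unexpired entries removed and surfacing that count as a response warning or log line so the action is auditable. pathTidyWrite starts and ends outside this hunk, so I cannot see whether this loop is already gated on `tidyRevocationList` or whether the corresponding `certs/` entry is handled separately; if it is not gated, the new flag silently deletes revocation state even when the caller did not ask for CRL tidying.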
@@ -1532,6 +1532,10 @@ expiration time.
 - `tidy_revocation_list` `(bool: false)` Specifies whether to tidy up the revocation list (CRL).
+- `tidy_revoked_certs` `(bool: false)` Set to true to expire all revoked
+ certificates, even if their duration has not yet passed. This will cause these
+ certificates to be removed from the CRL the next time the CRL is generated.
+
 - `safety_buffer` `(string: "")` Specifies A duration (given as an integer number of seconds or a string; defaults to `72h`) used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep