Add note clarifying revoked issuer associations (#19289)

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

website/content/api-docs/secret/pki.mdx

@@ -3790,6 +3790,17 @@ expiration time.
   performance of OCSP and CRL building, by shifting work to a tidy operation
   instead.
 
+~> Note: With multiple issuers, a CA which issued a particular revoked
+   certificate may be removed and re-added, resulting in a different issuer
+   ID value. When building CRLs, these links are automatically updated for any
+   missing or added issuers, but during OCSP this value is computed and then
+   discarded, potentially causing a performance penalty on each request.
+   During regular CA operations, it is not necessary to run this operation.
+   <br /><br />
+   It is suggested to run this tidy when removing or importing new issuers and
+   on the first upgrade to a post-1.11 Vault version, but otherwise not to run
+   it during automatic tidy operations.
+
 - `tidy_expired_issuers` `(bool: false)` - Set to true to automatically remove
   expired issuers after the `issuer_safety_buffer` duration has elapsed. We
   log the issuer certificate on removal to allow recovery; no keys are removed