SSH certificate revocation list

Hope somebody can clarify how the revocation list works :)

I deployed a test environment with three Linux machines to manage SSH certificates for customers and be able to revoke them when necessary.

The servers are the following:

A - SSH cert server
B - LogServer (to test access from the client with the certificates)
C - User laptop

On server A I have the CA certificates (public and private key), which I use to sign the public keys from clients to generate a client certificate.

Everything works fine. I can revoke certificates and access is denied on the logserver.

My question: when building the KRL with the command ssh-keygen -k -f ca_krl, I don't specify the -s flag, but if I create the revocation list with the same command directly on another machine rather than the CA server, like the logserver/client, the revocations don't work (which I'm glad about).

So how does the KRL work? Does it take the key automatically from the CA server? What's the difference between using the -s flag and not using it?

Tests done:

  1. Delete the KRL from the CA server and create it on the logserver, then revoke the client cert. (The connection is still successful with the client cert.)
  2. Transfer the KRL created on the CA server to the logserver and modify the KRL file on the logserver to revoke the client cert. (The connection is still successful with the client cert.)
  3. Points 1 and 2 using the -s flag. (The connection is still successful with the client cert.)
  4. On the CA server, generate the KRL file in a different folder than the private/public key (in case it picks them up automatically) and without specifying the -s flag. (I'm able to revoke certificates and the connections are blocked successfully.)

What am I missing? Why should I sign the KRL file if I can only revoke from the CA server? How is it possible that this works?
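As an added example that is not part of the original question, the script below rebuilds the whole setup on a single machine and checks each KRL with ssh-keygen -Q, which tests a certificate against a KRL without involving sshd. It assumes OpenSSH's ssh-keygen is on PATH; the key names, serials and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds a CA, two user certificates and two KRLs, then checks both KRLs.
krl_demo() {
    dir=$(mktemp -d) || return 1
    cd "$dir" || return 1

    # CA key pair (the role of "server A"), two user keys, two certificates
    # with distinct serial numbers (-z).
    ssh-keygen -q -t ed25519 -N '' -f ca
    ssh-keygen -q -t ed25519 -N '' -f alice
    ssh-keygen -q -t ed25519 -N '' -f bob
    ssh-keygen -q -s ca -I alice -n alice -z 42 -V +1h alice.pub
    ssh-keygen -q -s ca -I bob   -n bob   -z 43 -V +1h bob.pub

    # KRL 1: revoke by handing ssh-keygen the certificate file itself.
    # No -s is needed: the certificate already carries the public key of
    # the CA that signed it, so the serial is recorded against that CA.
    ssh-keygen -q -k -f krl_from_cert alice-cert.pub

    # KRL 2: revoke by serial number from a KRL specification file.
    # Nothing in "serial: 42" says which CA issued that serial, so the CA
    # public key is named with -s to scope the revocation to it.
    printf 'serial: 42\n' > revoke.spec
    ssh-keygen -q -k -f krl_from_spec -s ca.pub revoke.spec

    # ssh-keygen -Q prints "ok" or "REVOKED" per key and exits non-zero
    # when anything it was given is revoked. Copying the KRL to another
    # host and running this check there is enough to validate it.
    status=0
    for krl in krl_from_cert krl_from_spec; do
        ssh-keygen -Q -f "$krl" alice-cert.pub && status=1  # must be REVOKED
        ssh-keygen -Q -f "$krl" bob-cert.pub   || status=1  # must still be ok
    done

    cd / && rm -rf "$dir"
    return $status
}
```

Running krl_demo should report alice's certificate as REVOKED and bob's as ok for both KRLs, with the function returning 0.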



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow