2015-07-22 22:43 GMT+02:00 Christina Fu <cfu@redhat.com>:
Thank you Dave for bringing this email to my attention...somehow it slipped by me.

I just want to point out that if you do choose to "remove" certs from the internal ldap repository, please do not remove any certs that are revoked but not yet expired.  Doing so will cause your CRL generation to miss the revoked certificates, and render them valid when checked upon by clients.  It would be a big security violation of PKI.

Yes, I am planning to move only the expired (or revoked-expired) certs. While we do not really use the CRL any more (OCSP is the thing nowadays :-), we keep it for compatibility...

Kind regards,

Alexander Jung
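As an added illustration of the point raised in this thread (example code, not from the thread or from any CA product): a small Python model of the purge rule, using constructed certificate records, showing that a CRL built from the remaining repository entries loses a revoked-but-unexpired serial if the purge also removes revoked certs. The record fields and function names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for a certificate entry in the CA's internal repository (assumed shape)."""
    serial: int
    not_after: datetime
    revoked: bool


def is_expired(cert: CertRecord, now: datetime) -> bool:
    return cert.not_after <= now


def select_purgeable(certs, now):
    """Safe rule: only expired certs may leave the repository, revoked or not.
    A revoked cert that is still within its validity period must stay, because
    the CRL is generated from what is still present in the repository."""
    return [c for c in certs if is_expired(c, now)]


def select_naive(certs, now):
    """Unsafe rule for comparison: purge anything expired *or* revoked."""
    return [c for c in certs if is_expired(c, now) or c.revoked]


def remaining_after_purge(certs, to_remove):
    removed = {c.serial for c in to_remove}
    return [c for c in certs if c.serial not in removed]


def generate_crl(certs, now):
    """CRL content: serials of certs that are revoked and not yet expired."""
    return sorted(c.serial for c in certs if c.revoked and not is_expired(c, now))


# Constructed sample repository, evaluated at a fixed point in time.
NOW = datetime(2015, 7, 22, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertRecord(1, datetime(2016, 1, 1, tzinfo=timezone.utc), revoked=False),  # valid
    CertRecord(2, datetime(2014, 1, 1, tzinfo=timezone.utc), revoked=False),  # expired
    CertRecord(3, datetime(2014, 6, 1, tzinfo=timezone.utc), revoked=True),   # revoked, expired
    CertRecord(4, datetime(2016, 6, 1, tzinfo=timezone.utc), revoked=True),   # revoked, NOT expired
]


def crl_after(selector):
    """CRL produced after purging with the given selection rule."""
    kept = remaining_after_purge(SAMPLE_CERTS, selector(SAMPLE_CERTS, NOW))
    return generate_crl(kept, NOW)
```

With the safe rule serial 4 stays on the CRL; with the naive rule it disappears, so a CRL-only client would accept it.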