In the case of LetsEncrypt certificates, there is even an API for this revocation.
However, given how ineffective revocation is, it unfortunately could still be a viable strategy.
The easier approach is, of course, using the fact that browsers now consider http://127.0.0.1 (and/or http://localhost) a secure origin to avoid this issue.
I would think that they could distribute the cert (and the key) and have it work. [Edit] Unless browsers detect that it's a local IP address behind the domain name and still consider it a special case of origin.