import gateway bundle using graphman with revocation policy set

Article ID: 279503


Products

CA API Gateway

Issue/Introduction

Since Gateway 10.1 CR04, graphman has supported certificate revocation control policies. However, importing a graphman bundle that contains a revocation policy fails in some situations.

The public certificate cannot be created because the revocation control policy does not exist, and the revocation control policy cannot be completed because the certificate does not exist.

Environment

Gateway 10.1 

Resolution

This occurs when a certificate uses a revocation policy that does not exist yet, and that revocation policy in turn uses a certificate that has a revocation policy set.

As a workaround:

Identify the certificates that are referenced from the revocation check policy, and create a separate bundle containing these certificates, with no references to revocation check policies.

Import it as the first bundle, and then continue with the original bundle.

The original bundle brings the certificates to the expected configuration after the mutation.
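One way to build the first bundle from the workaround above, as an added example that is not part of the original article and is not Broadcom's code. The bundle field names (`trustedCerts`, `revocationCheckPolicies`, `revocationCheckPropertyItems`, `signerThumbprintSha1s`, `thumbprintSha1`, `revocationCheckPolicyType`, `revocationCheckPolicyName`) and the `NONE` value are assumptions about the graphman bundle layout; check them against your own exported bundle.

```javascript
// Added example: field names follow an assumed graphman bundle layout.
// Returns a "first bundle" holding only the trusted certificates that
// revocation check policies reference as signers, with their own
// revocation policy references stripped.
function buildFirstBundle(bundle) {
  const policies = bundle.revocationCheckPolicies || [];
  const certs = bundle.trustedCerts || [];

  // Thumbprints of every certificate a revocation check policy depends on.
  const signerThumbprints = new Set();
  for (const policy of policies) {
    for (const item of policy.revocationCheckPropertyItems || []) {
      for (const tp of item.signerThumbprintSha1s || []) signerThumbprints.add(tp);
    }
  }

  const firstCerts = certs
    .filter((cert) => signerThumbprints.has(cert.thumbprintSha1))
    .map((cert) => {
      // Copy the entry so the original bundle keeps its full configuration.
      const { revocationCheckPolicyName, ...rest } = cert;
      return { ...rest, revocationCheckPolicyType: "NONE" }; // assumed enum value
    });

  return { trustedCerts: firstCerts };
}

// Constructed sample bundle: names, thumbprints and certBase64 are placeholders.
const sampleBundle = {
  trustedCerts: [
    { name: "ocsp-signer", thumbprintSha1: "AAAA", certBase64: "<placeholder>",
      revocationCheckPolicyType: "SPECIFIED", revocationCheckPolicyName: "ocsp-policy" },
    { name: "partner-ca", thumbprintSha1: "BBBB", certBase64: "<placeholder>",
      revocationCheckPolicyType: "SPECIFIED", revocationCheckPolicyName: "ocsp-policy" },
  ],
  revocationCheckPolicies: [
    { name: "ocsp-policy",
      revocationCheckPropertyItems: [{ signerThumbprintSha1s: ["AAAA"] }] },
  ],
};

console.log(JSON.stringify(buildFirstBundle(sampleBundle), null, 2));
```

Import the generated bundle first, then import the unmodified original bundle so the certificates receive their intended revocation settings.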