Is your feature request related to a problem? Please describe.
When you use `client_auth_type: RequireAndVerifyClientCert` for authentication, you have to generate a cert for each of your clients.
When it's time to remove a hacked or no-longer-used server, you cannot (for the time being) revoke its certificate, and anybody could use the old certs to send logs to Loki.
```yaml
server:
  http_tls_config:
    client_ca_file: /etc/loki/ca.crt
    client_auth_type: RequireAndVerifyClientCert
    cert_file: /etc/loki/ca.crt
    key_file: /etc/loki/ca.key
```
Describe the solution you'd like
In the `server: http_tls_config` part, we can add an option to set the CRL (certificate revocation list) file like this:
```yaml
server:
  http_tls_config:
    # [...]
    client_crl_file: /etc/nginx/certs/ca-crl.crt
    # [...]
```
Describe alternatives you've considered
It's also possible to use OCSP, but it seems that it's more complicated to implement actually.