Issue certificates and revocation lists a few seconds in the past of the
true issuance time, to allow the client to be a bit in the past compared
to the server. Otherwise, the client would receive a "not valid yet"
certificate or CRL, which could crash it (es: caucase-update). Which
normally is intended (so time attacks are noticed), but in this case is
counter-productive.