(Maint) Make a CRL valid on the same second it is updated
Because openSSL says that a CRL is valid only at least one second after
it was last updated, setting the last_updated field to right now causes
the CRL to be not valid for one second. This was showing up as an
intermittent failure in our test cases.
The CRL is now always made to be last_updated one second ago so that it
is immediately valid.