It is a clock skew. CA adds it to all signed stuff, such as certificates and CRLs to allow clocks between enrollment client and CA server to be out of sync for a bit: +/- 5mins. 5 mins is not a random value, it is derived from Kerberos threshold. The behavior you are observing is expected, correct and by design. You should not do anything with it.