According to RFC 3280, the 'Authority Key Identifier' extension is mandatory for certificates signed by CAs. For self-signed CA- and non-CA-certificates this extension is optional.

This leads to following problem:

• Server creates it's self-signed cert (A)
• Cert (A) is copied to client trust cert store
• Server cert gets invalid (e.g. expires), so a new one (B) is created
• Cert (B) is copied to client trust cert store

Now the client connects to the server, the server sends it's cert to the client and the client PKI provider looks if the cert is trusted. When searching for the issuer cert of the server cert, it compares the Issuer of the server cert with the Subject of the certs in it's store.

If now the first cert looked at is (A), the compare returns true (Subject and Issuer of (A) and (B) are the same), and the signature of the server cert is checked. This check fails, as the signature of (B) is made with the key of (B), and the connection attempt will fail.

Adding the 'Authority Key Identifier' (AKID) extension to the certificates would prevent this problem, as PKI providers check this extension if existing when searching for an issuer certificate. The AKID would be different in (A) and (B), as the keys used in the certificates would be different.

This is why the 'Authority Key Identifier' extension should be made mandatory for all application instance certificates.