non-self-signed X.509 certificates are encoded with authorityKeyIdentifier