Starting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are RFC 5280 compliant. This means that new server and client keystores are generated with a Subject Key Identifier (SKI) extension that is exactly 160 bits (20 octets) in size. Prior to 7.2.0, certificates were generated with an SKI greater than 20 octets, which potentially caused firewalls to flag Remote AFX Agents and Remote Collection Agents as security risks and block communication to these agents. For more information, see the related RSA Knowledge Base Article "000039238 -- Firewall is blocking Remote AFX Agents and Remote Collection Agents from communicating with the Application Server in RSA Identity Governance & Lifecycle".
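One way to check an exported certificate for the 20-octet SKI size described above is sketched here. This is an added example, not RSA's tooling: the function names are hypothetical, and the sample input is a constructed extensions fragment rather than a real certificate.

```python
import ssl

SKI_OID = bytes.fromhex("551d0e")  # DER content of OID 2.5.29.14 (subjectKeyIdentifier)

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def find_ski(cert):
    """Return the keyIdentifier bytes from DER or PEM input, or None if absent."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = ssl.PEM_cert_to_DER_cert(cert.strip().decode("ascii"))
    stack = [cert]
    while stack:
        for tag, value in children(stack.pop()):
            if not tag & 0x20:  # primitive element: nothing nested to walk
                continue
            kids = children(value)
            if tag == 0x30 and kids and kids[0] == (0x06, SKI_OID) and kids[-1][0] == 0x04:
                inner_tag, key_id, _ = read_tlv(kids[-1][1], 0)  # extnValue wraps an OCTET STRING
                if inner_tag == 0x04:
                    return key_id
            stack.append(value)
    return None

def ski_is_20_octets(cert):
    ski = find_ski(cert)
    return ski is not None and len(ski) == 20

def tlv(tag, content):  # sample-data helper; short-form lengths only (< 128 bytes)
    return bytes([tag, len(content)]) + content

def sample_extensions(key_id):  # constructed [3] Extensions fragment, not a real certificate
    ext = tlv(0x30, tlv(0x06, SKI_OID) + tlv(0x04, tlv(0x04, key_id)))
    return tlv(0xA3, tlv(0x30, ext))
```

Pass the bytes of a DER or PEM certificate file to `ski_is_20_octets`; a `False` result means the SKI is missing or is not 20 octets long.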
An example of a non-RFC-compliant certificate (SKI > 20 octets) is shown below. Most of the octets are redacted, but the SKI octets are what the redaction is covering: