When the identity store contains more than one certificate, it's up to the implementation of the KeyManager factory to decide which one is actually used.
I've observed that from a store that contains two certificates, the one that is expired was picked by the default implementation.
Openfire should be modified to use an implementation that favors the 'best fit' - an unexpired certificate, for example.
Might be related, though not sure if it is fixable (maybe it should pick one which matches the current domain name).
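One way to implement the 'best fit' selection proposed above (prefer an unexpired certificate, and among those one whose name matches the server's domain), as an added example that is not Openfire's code: a hypothetical `BestFitKeyManager` that wraps the `X509KeyManager` produced by the default `KeyManagerFactory` and only overrides the alias choice. The class name, the scoring rule and the assumption that the server's own domain name is known at construction time are mine.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
/** Hypothetical wrapper (not Openfire's code): delegates everything to the default key manager except the server alias choice. */
public final class BestFitKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String domain; // the server's own name, e.g. the XMPP domain (assumed to be known at construction)
    public BestFitKeyManager(X509KeyManager delegate, String domain) { this.delegate = delegate; this.domain = domain; }
    /** Score every candidate alias: being inside the validity period outranks a name match, which only breaks ties. */
    String bestAlias(String[] aliases, Date now) {
        String best = null; int bestScore = -1;
        for (String alias : aliases == null ? new String[0] : aliases) {
            X509Certificate[] chain = delegate.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;
            X509Certificate leaf = chain[0];
            boolean inValidity = !now.before(leaf.getNotBefore()) && !now.after(leaf.getNotAfter());
            int score = (inValidity ? 2 : 0) + (nameMatches(leaf) ? 1 : 0);
            if (score > bestScore) { bestScore = score; best = alias; }
        }
        return best; // null only when no alias has a usable chain, same as the default behaviour
    }
    /** True when a dNSName SAN equals the configured domain; CN matching is deliberately not attempted here. */
    private boolean nameMatches(X509Certificate cert) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) for (List<?> san : sans) { // each entry is [type, value]; GeneralName type 2 = dNSName
                if (Integer.valueOf(2).equals(san.get(0)) && domain.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
            }
        } catch (CertificateParsingException e) { /* unparseable SAN extension: treat as no match */ }
        return false;
    }
    // The SSLEngine variant must be overridden too: X509ExtendedKeyManager's default returns null for NIO-based servers.
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return bestAlias(delegate.getServerAliases(kt, iss), new Date()); }
    @Override public String chooseEngineServerAlias(String kt, Principal[] iss, SSLEngine e) { return bestAlias(delegate.getServerAliases(kt, iss), new Date()); }
    @Override public String chooseClientAlias(String[] kts, Principal[] iss, Socket s) { return delegate.chooseClientAlias(kts, iss, s); }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return delegate.getClientAliases(kt, iss); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return delegate.getServerAliases(kt, iss); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

To wire it in, take the `X509KeyManager` from `KeyManagerFactory.getKeyManagers()`, wrap it, and pass the wrapper to `SSLContext.init(...)` in place of the original; with a store holding one expired and one valid certificate for the same domain, the valid one now scores 3 and is chosen regardless of alias order.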