diff --git a/test/mesh/mesh_access.c b/test/mesh/mesh_access.c
index 918730e6e..1ca4e8a75 100644
--- a/test/mesh/mesh_access.c
+++ b/test/mesh/mesh_access.c
@@ -1356,10 +1356,26 @@ void mesh_access_netkey_finalize(mesh_network_key_t * network_key){
     btstack_memory_mesh_network_key_free(network_key);
 }
 
+void mesh_access_appkey_finalize(mesh_transport_key_t * transport_key){
+    mesh_transport_key_remove(transport_key);
+    mesh_delete_app_key(transport_key->appkey_index);
+    btstack_memory_mesh_transport_key_free(transport_key);
+}
+
 void mesh_access_key_refresh_revoke_keys(mesh_subnet_t * subnet){
+    // delete old netkey index
     mesh_access_netkey_finalize(subnet->old_key);
     subnet->old_key = subnet->new_key;
     subnet->new_key = NULL;
+
+    // delete old appkeys, if any
+    mesh_transport_key_iterator_t it;
+    mesh_transport_key_iterator_init(&it, subnet->netkey_index);
+    while (mesh_transport_key_iterator_has_more(&it)){
+        mesh_transport_key_t * transport_key = mesh_transport_key_iterator_get_next(&it);
+        if (transport_key->old_key == 0) continue;
+        mesh_access_appkey_finalize(transport_key);
+    }
 }
 
 static void mesh_access_secure_network_beacon_handler(uint8_t packet_type, uint16_t channel, uint8_t * packet, uint16_t size){
diff --git a/test/mesh/mesh_access.h b/test/mesh/mesh_access.h
index d7d8d498f..74ca1a6a9 100644
--- a/test/mesh/mesh_access.h
+++ b/test/mesh/mesh_access.h
@@ -347,6 +347,8 @@ void mesh_delete_app_key(uint16_t internal_index);
 void mesh_delete_app_keys(void);
 void mesh_load_app_keys(void);
 
+void mesh_access_appkey_finalize(mesh_transport_key_t * transport_key);
+
 // Mesh Model Subscriptions
 int mesh_model_contains_subscription(mesh_model_t * mesh_model, uint16_t address);
 
diff --git a/test/mesh/mesh_configuration_server.c b/test/mesh/mesh_configuration_server.c
index 99507403d..927f57ec8 100644
--- a/test/mesh/mesh_configuration_server.c
+++ b/test/mesh/mesh_configuration_server.c
@@ -400,14 +400,7 @@ static void mesh_configuration_server_delete_appkey(mesh_transport_key_t * trans
         }
     }
 
-    // remove from list
-    mesh_transport_key_remove(transport_key);
-
-    // delete from TLV
-    mesh_delete_app_key(appkey_index);
-
-    // free memory
-    btstack_memory_mesh_transport_key_free(transport_key);
+    mesh_access_appkey_finalize(transport_key);
 }
 
 // Foundatiopn Message
@@ -1098,6 +1091,8 @@ static void config_appkey_add_handler(mesh_model_t *mesh_model, mesh_pdu_t * pdu
     app_key->appkey_index = appkey_index;
     app_key->netkey_index = netkey_index;
     app_key->version = 0;
+    app_key->old_key = 0;
+
     memcpy(app_key->key, appkey, 16);
 
     // calculate AID
@@ -1171,6 +1166,9 @@ static void config_appkey_update_handler(mesh_model_t *mesh_model, mesh_pdu_t *
     new_app_key->version = (uint8_t)(existing_app_key + 1);
     memcpy(new_app_key->key, appkey, 16);
 
+    // mark old key
+    existing_app_key->old_key = 1;
+
     // calculate AID
     access_pdu_in_process = pdu;
     mesh_transport_key_calc_aid(&configuration_server_cmac_request, new_app_key, config_appkey_add_or_update_aid, new_app_key);
diff --git a/test/mesh/mesh_keys.h b/test/mesh/mesh_keys.h
index 959c2eeba..16fef41d1 100644
--- a/test/mesh/mesh_keys.h
+++ b/test/mesh/mesh_keys.h
@@ -108,6 +108,9 @@ typedef struct {
     // internal version - allows for newer-than relation between keys with same appkey_index
     uint8_t version;
 
+    // old key - mark key as 'older' in app key update or startup
+    uint8_t old_key;
+
     // application key flag, 0 for device key
     uint8_t akf;