1. Key generation is not required if you already have a key which is usable for this purpose. In this case, the server already has a public key since X.509 is already used for the server's certificate, so the certificate can be issued with the same public key. (If the client is issuing a certificate to the server, then the client's private key will be used to sign the certificate.)
2. I do not agree; I found X.509 to be better. I also think that DER is a better format than JSON (and that it does not require such things as escaping, base64 encoding, Unicode, etc.). (I had made up a simpler usage for X.509 (more strict in some ways and less strict in other ways), although it is deliberately possible (without too much difficulty) to make a certificate which is compatible with both the normal usage and the simpler usage.)
3. OK. I had not considered that.