VAULT-40618 Update PKI observation timestamps to use RFC-3339 format (#10560) (#10568)

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>

builtin/logical/pki/path_acme_order.go

@@ -883,8 +883,8 @@ func (b *backend) acmeNewOrderHandler(ac *acmeContext, req *logical.Request, _ *
 		observe.NewAdditionalPKIMetadata("role_name", role),
 		observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
 		observe.NewAdditionalPKIMetadata("issuer_id", issuerId),
-		observe.NewAdditionalPKIMetadata("not_before", notBefore),
-		observe.NewAdditionalPKIMetadata("not_after", notAfter),
+		observe.NewAdditionalPKIMetadata("not_before", notBefore.Format(time.RFC3339)),
+		observe.NewAdditionalPKIMetadata("not_after", notAfter.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("order_id", order.OrderId),
 		observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
 	)

builtin/logical/pki/path_issue_sign.go

@@ -490,8 +490,8 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 		observe.NewAdditionalPKIMetadata("role_name", role.Name),
 		observe.NewAdditionalPKIMetadata("stored", !role.NoStore),
 		observe.NewAdditionalPKIMetadata("common_name", parsedBundle.Certificate.Subject.CommonName),
-		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.String()),
-		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.String()),
+		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.Format(time.RFC3339)),
+		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
 		observe.NewAdditionalPKIMetadata("authority_key_id", parsedBundle.Certificate.AuthorityKeyId),
 		observe.NewAdditionalPKIMetadata("serial_number", parsedBundle.Certificate.SerialNumber.String()),

builtin/logical/pki/path_roles.go

@@ -1086,7 +1086,7 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 		observe.NewAdditionalPKIMetadata("ttl", entry.TTL.String()),
 		observe.NewAdditionalPKIMetadata("no_store", entry.NoStore),
 		observe.NewAdditionalPKIMetadata("not_after", entry.NotAfter),
-		observe.NewAdditionalPKIMetadata("not_before", entry.NotBeforeDuration.String()),
+		observe.NewAdditionalPKIMetadata("not_before_duration", entry.NotBeforeDuration.String()),
 	)
 
 	return resp, nil
@@ -1311,7 +1311,7 @@ func (b *backend) pathRolePatch(ctx context.Context, req *logical.Request, data
 		observe.NewAdditionalPKIMetadata("ttl", entry.TTL.String()),
 		observe.NewAdditionalPKIMetadata("no_store", entry.NoStore),
 		observe.NewAdditionalPKIMetadata("not_after", entry.NotAfter),
-		observe.NewAdditionalPKIMetadata("not_before", entry.NotBeforeDuration.String()),
+		observe.NewAdditionalPKIMetadata("not_before_duration", entry.NotBeforeDuration.String()),
 	)
 
 	return resp, nil

builtin/logical/pki/path_root.go

@@ -347,8 +347,8 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		observe.NewAdditionalPKIMetadata("authority_key_id", parsedBundle.Certificate.AuthorityKeyId),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", parsedBundle.Certificate.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(parsedBundle.Certificate.PublicKey)),
-		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.String()),
-		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.String()))
+		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.Format(time.RFC3339)),
+		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.Format(time.RFC3339)))
 
 	return resp, nil
 }
@@ -476,8 +476,8 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 	b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIIssuerSignIntermediate,
 		observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
 		observe.NewAdditionalPKIMetadata("issuer_id", issuerId),
-		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.String()),
-		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.String()),
+		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.Format(time.RFC3339)),
+		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("common_name", parsedBundle.Certificate.Subject.CommonName),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
 		observe.NewAdditionalPKIMetadata("authority_key_id", parsedBundle.Certificate.AuthorityKeyId),
@@ -668,8 +668,8 @@ func (b *backend) pathIssuerSignSelfIssued(ctx context.Context, req *logical.Req
 		observe.NewAdditionalPKIMetadata("issuer_id", issuerId.String()),
 		observe.NewAdditionalPKIMetadata("issuing_ca", signingCB.IssuingCA),
 		observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber),
-		observe.NewAdditionalPKIMetadata("not_after", cert.NotAfter.String()),
-		observe.NewAdditionalPKIMetadata("not_before", cert.NotBefore.String()),
+		observe.NewAdditionalPKIMetadata("not_after", cert.NotAfter.Format(time.RFC3339)),
+		observe.NewAdditionalPKIMetadata("not_before", cert.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("common_name", cert.Subject.CommonName),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", cert.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(cert.PublicKey)),