From f6df5de7210f21d7d22f1eb6fba36a23c8cc05ff Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Thu, 13 Nov 2025 16:29:43 -0500
Subject: [PATCH] VAULT-40835 Normalize serial numbers in PKI observations (#10788) (#10790)

* WIP

* cieps issue

Co-authored-by: Violet Hynes
---
 builtin/logical/pki/path_acme_order.go  | 6 ++++--
 builtin/logical/pki/path_acme_revoke.go | 3 ++-
 builtin/logical/pki/path_issue_sign.go  | 3 ++-
 builtin/logical/pki/path_revoke.go      | 3 ++-
 builtin/logical/pki/path_root.go        | 6 +++---
 builtin/logical/pki/secret_certs.go     | 3 ++-
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/builtin/logical/pki/path_acme_order.go b/builtin/logical/pki/path_acme_order.go
index 73a4011d6c..23f8a422ed 100644
--- a/builtin/logical/pki/path_acme_order.go
+++ b/builtin/logical/pki/path_acme_order.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
@@ -342,8 +343,8 @@ func (b *backend) acmeFinalizeOrderHandler(ac *acmeContext, r *logical.Request,
 		observe.NewAdditionalPKIMetadata("authority_key_id", signedCertBundle.Certificate.AuthorityKeyId),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", signedCertBundle.Certificate.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(signedCertBundle.Certificate.PublicKey)),
-		observe.NewAdditionalPKIMetadata("common_name", csr.Subject.CommonName),
-		observe.NewAdditionalPKIMetadata("serial_number", order.CertificateSerialNumber),
+		observe.NewAdditionalPKIMetadata("common_name", signedCertBundle.Certificate.Subject.CommonName),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(signedCertBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("certificate_expiry", order.CertificateExpiry.String()),
 		observe.NewAdditionalPKIMetadata("status", ACMEOrderValid),
 		observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
@@ -888,6 +889,7 @@ func (b *backend) acmeNewOrderHandler(ac *acmeContext, req *logical.Request, _ *
 		observe.NewAdditionalPKIMetadata("not_before", notBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("not_after", notAfter.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("order_id", order.OrderId),
+		observe.NewAdditionalPKIMetadata("expires", order.Expires.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
 	)
 
diff --git a/builtin/logical/pki/path_acme_revoke.go b/builtin/logical/pki/path_acme_revoke.go
index 29f97e57ce..fcf9618d9e 100644
--- a/builtin/logical/pki/path_acme_revoke.go
+++ b/builtin/logical/pki/path_acme_revoke.go
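Review bot: The `certificate_expiry` value in the acmeFinalizeOrderHandler hunk is still produced by `order.CertificateExpiry.String()`, while the acmeNewOrderHandler hunk in the same file and every other timestamp in this patch use `Format(time.RFC3339)`; time.Time.String() emits a non-standard layout (and an `m=+…` suffix when the value carries a monotonic reading), so this one field needs a different parser downstream. Since the commit's purpose is uniform observation fields, the line is worth changing to `observe.NewAdditionalPKIMetadata("certificate_expiry", order.CertificateExpiry.Format(time.RFC3339)),` — assuming CertificateExpiry is a time.Time, which its `.String()` use suggests but the hunk does not show. acmeFinalizeOrderHandler's body starts and ends outside the hunk.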
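Review bot: The new `expires` key in the acmeNewOrderHandler hunk sits two lines below `not_after`, and nothing in the name says it is the ACME order's expiry rather than a certificate validity bound; consumers also receive `certificate_expiry` on finalize, so that is three differently named time fields to keep apart. A more explicit key such as `observe.NewAdditionalPKIMetadata("order_expires", order.Expires.Format(time.RFC3339)),` costs nothing now and avoids a rename once dashboards depend on it. This assumes order.Expires is a non-pointer time.Time; if it can be nil or zero the Format call needs a guard, which the hunk does not show. acmeNewOrderHandler's body starts outside the hunk.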
@@ -13,6 +13,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -130,7 +131,7 @@ func (b *backend) acmeRevocationHandler(acmeCtx *acmeContext, req *logical.Reque
 	b.pkiObserver.RecordPKIObservation(acmeCtx, req, observe.ObservationTypePKIAcmeRevoke,
 		observe.NewAdditionalPKIMetadata("issuer_name", cert.Issuer.String()),
 		observe.NewAdditionalPKIMetadata("is_ca", cert.IsCA),
-		observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber.String()),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(cert)),
 	)
 
 	// Finally, do the relevant permissions/authorization check as
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 84c76662f8..6ef06d908f 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -16,6 +16,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/consts"
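Review bot: The observation in the acmeRevocationHandler hunk is recorded before the permissions/authorization check that the trailing comment announces, so a revocation request the handler goes on to reject yields the same ObservationTypePKIAcmeRevoke record as a successful one, with no outcome field to tell them apart. If recording attempts is intentional, add something like `observe.NewAdditionalPKIMetadata("status", "requested"),` here and emit an outcome once the check has passed; otherwise move the RecordPKIObservation call after the check. The serial change itself adds no new nil risk, since `cert` is already dereferenced on the `issuer_name` line, though SerialFromCert's output format is not visible in this patch. acmeRevocationHandler's body continues past the hunk.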
@@ -509,7 +510,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
 		observe.NewAdditionalPKIMetadata("authority_key_id", parsedBundle.Certificate.AuthorityKeyId),
-		observe.NewAdditionalPKIMetadata("serial_number", parsedBundle.Certificate.SerialNumber.String()),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(parsedBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", parsedBundle.Certificate.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(parsedBundle.Certificate.PublicKey)),
 		observe.NewAdditionalPKIMetadata("lease_generated", generateLease),
diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go
index 8e26737159..949138961a 100644
--- a/builtin/logical/pki/path_revoke.go
+++ b/builtin/logical/pki/path_revoke.go
@@ -19,6 +19,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
@@ -657,7 +658,7 @@ func (b *backend) pathRevokeWrite(ctx context.Context, req *logical.Request, dat
 	var akid []byte
 	var skid []byte
 	if cert != nil {
-		serialNumber = cert.SerialNumber.String()
+		serialNumber = parsing.SerialFromCert(cert)
 		isCa = cert.IsCA
 		akid = cert.AuthorityKeyId
 		skid = cert.SubjectKeyId
diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index f86f9efb53..77a1fefaf2 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
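Review bot: Only the `cert != nil` branch of the pathRevokeWrite hunk normalizes the serial; when no certificate is available, `serialNumber` keeps whatever it held before the hunk, which from the variable's name is likely the caller-supplied `serial_number` request field in whatever case and separator the client sent. For a commit whose purpose is uniform serials in observations, that leaves one revoke path emitting un-normalized values that will not match the `SerialFromCert` form used everywhere else. If the `parsing` package has a string-level normalizer alongside SerialFromCert (the patch shows only the latter), applying it to `serialNumber` in the nil case would close the gap — verify the helper and whether it tolerates malformed input before recording. pathRevokeWrite's body starts and ends outside the hunk, so where `serialNumber` is first assigned is inferred, not shown.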
@@ -340,7 +340,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		observe.NewAdditionalPKIMetadata("key_name", myKey.Name),
 		observe.NewAdditionalPKIMetadata("key_type", myKey.PrivateKeyType),
 		observe.NewAdditionalPKIMetadata("role_name", role.Name),
-		observe.NewAdditionalPKIMetadata("serial_number", cb.SerialNumber),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(parsedBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("type", format),
 		observe.NewAdditionalPKIMetadata("common_name", parsedBundle.Certificate.Subject.CommonName),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
@@ -479,7 +479,7 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("common_name", parsedBundle.Certificate.Subject.CommonName),
-		observe.NewAdditionalPKIMetadata("serial_number", parsedBundle.Certificate.SerialNumber),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(parsedBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", parsedBundle.Certificate.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(parsedBundle.Certificate.PublicKey)),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
@@ -670,7 +670,7 @@ func (b *backend) pathIssuerSignSelfIssued(ctx context.Context, req *logical.Req
 		observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
 		observe.NewAdditionalPKIMetadata("issuer_id", issuerId.String()),
 		observe.NewAdditionalPKIMetadata("issuing_ca", signingCB.IssuingCA),
-		observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(cert)),
 		observe.NewAdditionalPKIMetadata("not_after", cert.NotAfter.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("not_before", cert.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("common_name", cert.Subject.CommonName),
diff --git a/builtin/logical/pki/secret_certs.go b/builtin/logical/pki/secret_certs.go
index c808a6bbf9..fcaaf1993c 100644
--- a/builtin/logical/pki/secret_certs.go
+++ b/builtin/logical/pki/secret_certs.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -87,7 +88,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, _
 	b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRevoke,
 		observe.NewAdditionalPKIMetadata("issuer_name", cert.Issuer.String()),
 		observe.NewAdditionalPKIMetadata("is_ca", cert.IsCA),
-		observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber.String()),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(cert)),
 	)
 
 	return revokeCert(sc, config, cert)
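Review bot: The observation in the secretCredsRevoke hunk is recorded unconditionally before `revokeCert(sc, config, cert)` runs, so a lease-driven revocation that fails is still counted as an ObservationTypePKIRevoke with no way for a consumer to tell it from a successful one. If the observation is meant to reflect a completed revocation, capture the result first and record after it: `resp, err := revokeCert(sc, config, cert)`, then the RecordPKIObservation call with an added outcome field such as `observe.NewAdditionalPKIMetadata("error", err != nil)`, then `return resp, err` — this assumes revokeCert returns (*logical.Response, error), which the hunk's bare `return` does not show. The serial change is consistent with the other call sites and `cert` is already dereferenced on the `issuer_name` line. secretCredsRevoke's body starts outside the hunk.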