diff --git a/agent/connect/ca.go b/agent/connect/ca.go
index a0a65ece6..efe7c14f3 100644
--- a/agent/connect/ca.go
+++ b/agent/connect/ca.go
@@ -7,6 +7,7 @@ import (
 "crypto/x509"
 "encoding/pem"
 "fmt"
+ "strings"
 )
 
 // ParseCert parses the x509 certificate from a PEM-encoded value.
@@ -72,3 +73,9 @@ func KeyId(raw interface{}) ([]byte, error) {
 h.Write(pub.Y.Bytes())
 return h.Sum([]byte{}), nil
 }
+
+// HexString returns a standard colon-separated hex value for the input
+// byte slice. This should be used with cert serial numbers and so on.
+func HexString(input []byte) string {
+ return strings.Replace(fmt.Sprintf("% x", input), " ", ":", -1)
+}
diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go
index a4cb569d8..f7557578c 100644
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@@ -257,7 +257,7 @@ func (s *ConnectCA) Sign(
 
 // Set the response
 *reply = structs.IssuedCert{
- SerialNumber: template.SerialNumber,
+ SerialNumber: connect.HexString(template.SerialNumber.Bytes()),
 CertPEM: buf.String(),
 Service: serviceId.Service,
 ServiceURI: template.URIs[0].String(),
diff --git a/agent/structs/connect_ca.go b/agent/structs/connect_ca.go
index f75efed5c..5ac8a0fc2 100644
--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@@ -1,7 +1,6 @@
 package structs
 
 import (
- "math/big"
 "time"
 )
 
@@ -71,7 +70,8 @@ func (q *CASignRequest) RequestDatacenter() string {
 // IssuedCert is a certificate that has been issued by a Connect CA.
 type IssuedCert struct {
 // SerialNumber is the unique serial number for this certificate.
- SerialNumber *big.Int
+ // This is encoded in standard hex separated by :.
+ SerialNumber string
 
 // CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private
 // key for that cert, respectively. This should not be stored in the
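Review bot: HexString's doc comment does not say what the function returns for an empty or nil slice, and that case is reachable from the Sign hunk in agent/consul/connect_ca_endpoint.go. There `template.SerialNumber.Bytes()` returns an empty slice for a zero value and drops the sign, so such a serial would be reported as `""` in the reply. Whether the template serial can ever be zero is decided outside the visible hunks, so this may be theoretical, but the behaviour is worth stating next to the helper. I would add `// An empty or nil input yields the empty string.` under the existing comment.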
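Review bot: The new comment on IssuedCert.SerialNumber, `This is encoded in standard hex separated by :`, leaves the letter case and byte grouping unstated, although the field is now a string that consumers will compare and log as the certificate's identifier. As added in this commit, HexString produces lower-case hex with two digits per byte, while other tools often print serials in upper case or without separators, so a plain string comparison can miss a match (inferred; no consumer is visible here). I would spell the format out: `// This is the serial's big-endian bytes as lower-case hex, two digits per byte, separated by ":" (for example "0a:1b:2c").` The struct body continues past the end of the hunk.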