Sanitize serial number in revocation path.

Ping #1180

builtin/logical/pki/path_revoke.go

@@ -2,6 +2,7 @@ package pki
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/hashicorp/vault/helper/certutil"
 	"github.com/hashicorp/vault/logical"
@@ -47,6 +48,10 @@ func (b *backend) pathRevokeWrite(req *logical.Request, data *framework.FieldDat
 		return logical.ErrorResponse("The serial number must be provided"), nil
 	}
 
+	// We store and identify by lowercase colon-separated hex, but other
+	// utilities use dashes and/or uppercase, so normalize
+	serial = strings.Replace(strings.ToLower(serial), "-", ":", -1)
+
 	b.revokeStorageLock.Lock()
 	defer b.revokeStorageLock.Unlock()