Add additional fields to LIST issuers for Web UI (#20276)

* Add additional fields to LIST issuers for Web UI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

builtin/logical/pki/path_fetch_issuers.go

@@ -84,8 +84,28 @@ func (b *backend) pathListIssuersHandler(ctx context.Context, req *logical.Reque
 
 		responseKeys = append(responseKeys, string(identifier))
 		responseInfo[string(identifier)] = map[string]interface{}{
-			"issuer_name": issuer.Name,
-			"is_default":  identifier == config.DefaultIssuerId,
+			"issuer_name":   issuer.Name,
+			"is_default":    identifier == config.DefaultIssuerId,
+			"serial_number": issuer.SerialNumber,
+
+			// While nominally this could be considered sensitive information
+			// to be returned on an unauthed endpoint, there's two mitigating
+			// circumstances:
+			//
+			// 1. Key IDs are purely random numbers generated by Vault and
+			//    have no relationship to the actual key material.
+			// 2. They also don't _do_ anything by themselves. There is no
+			//    modification of KeyIDs allowed, you need to be authenticated
+			//    to Vault to understand what they mean, you _essentially_
+			//    get the same information from looking at/comparing various
+			//    cert's SubjectPublicKeyInfo field, and there's the `default`
+			//    reference that anyone with issuer generation capabilities
+			//    can use even if they can't access any of the other /key/*
+			//    endpoints.
+			//
+			// So all in all, exposing this value is not a security risk and
+			// is otherwise beneficial for the UI, hence its inclusion.
+			"key_id": issuer.KeyID,
 		}
 	}
 

changelog/20276.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Include CA serial number, key UUID on issuers list endpoint.
+```