Add serial label to probe_ssl_last_chain_info metric
Can we add a serial number label to the probe_ssl_last_chain_info metric so certificates can be uniquely identified as defined at 4.1.2.2 in RFC 2459? Currently, this metric provides the sha256 fingerprint and while this value can be used to uniquely identify a certificate (subject to hash collisions of course), it can't be used to label match with a certificate fingerprint using a different algorithm.
An example use case would be vector matching on a separate metric coming from a different system that provides the same labels as probe_ssl_last_chain_info, but with the sha1 fingerprint instead.
A second use case and challenge I currently face involves event management and mapping alerts for expiring certificates to the correct certificate in our CMDB. One source of this certificate data is Osquery, which provides full certificate data but with the SHA-1 fingerprint.
I understand we don't want to add all certificate details as labels, but I think having all required labels used to uniquely identify a certificate would be beneficial to all.
Certificate serial numbers are not necessarily unique. Certificates with different subjects could potentially have the same serial number.
I agree that there is nothing stopping someone from generating a certificate with the same issuer and same serial number using openssl; however, the spec for PKI states they must be unique by issuer and serial, and they are when we're talking about PKI from trusted roots, as the serial number is how CRL works.
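The point debated in the thread, as an added example that is not part of the original discussion and not code from the project: two constructed self-signed certificates reuse one serial number under different issuers, and the issuer, serial, SHA-1 and SHA-256 identifiers are all derived from the same DER bytes. The names `CertID`, `Identify` and `SelfSigned` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertID (hypothetical type) holds the identifiers discussed in the thread.
type CertID struct{ Issuer, Serial, SHA1, SHA256 string }

// Identify derives every identifier from the same DER bytes; serial is hex.
func Identify(der []byte) (CertID, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertID{}, err
	}
	s1, s256 := sha1.Sum(der), sha256.Sum256(der)
	return CertID{c.Issuer.String(), c.SerialNumber.Text(16),
		hex.EncodeToString(s1[:]), hex.EncodeToString(s256[:])}, nil
}

// SelfSigned builds a constructed sample certificate (issuer == subject).
func SelfSigned(cn string, serial int64) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, t, t, pub, priv)
}

func main() {
	for _, cn := range []string{"Constructed CA A", "Constructed CA B"} {
		der, err := SelfSigned(cn, 4096)
		if err != nil {
			panic(err)
		}
		id, _ := Identify(der) // DER produced above always parses
		fmt.Printf("%+v\n", id)
	}
}
```

Both certificates print serial `1000` with different issuers and different fingerprints, so a join across a SHA-1 keyed source and a SHA-256 keyed source needs the issuer alongside the serial.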