diff --git a/.go-version b/.go-version
index 82bfa5ce3f..e4a973f913 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.23.8
+1.24.2
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index a9f7686897..34c7fa4d03 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -4939,7 +4939,7 @@ func TestBackend_Roles_KeySizeRegression(t *testing.T) {
 		/*  8 */ {"ed25519", []int{0}, []int{0}, false, []string{"ed25519"}, []int{0}, false},
 
 		// Any key type should reject insecure RSA key sizes.
-		/*  9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{512, 1024}, true},
+		/*  9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa"}, []int{1024}, true},
 		// But work for everything else.
 		/* 10 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{2048, 3072, 224, 256, 384, 521, 0}, false},
 
diff --git a/builtin/logical/pki/path_roles_test.go b/builtin/logical/pki/path_roles_test.go
index 3b3bcc1401..2d28f86cdd 100644
--- a/builtin/logical/pki/path_roles_test.go
+++ b/builtin/logical/pki/path_roles_test.go
@@ -1145,8 +1145,8 @@ func getPolicyIdentifiersOffCertificate(resp logical.Response) ([]string, error)
 	if err != nil {
 		return nil, err
 	}
-	policyIdentifierStrings := make([]string, len(certificate.PolicyIdentifiers))
-	for index, asnOid := range certificate.PolicyIdentifiers {
+	policyIdentifierStrings := make([]string, len(certificate.Policies))
+	for index, asnOid := range certificate.Policies {
 		policyIdentifierStrings[index] = asnOid.String()
 	}
 	return policyIdentifierStrings, nil
diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index a705ee5f38..fa8395c579 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@@ -658,7 +658,7 @@ func validateCaKeyUsages(keyUsages []string) error {
 		}
 	}
 	if invalidKeyUsages != nil {
-		return fmt.Errorf(strings.Join(invalidKeyUsages, "; "))
+		return errors.New(strings.Join(invalidKeyUsages, "; "))
 	}
 	return nil
 }
diff --git a/changelog/_go-ver-1200.txt b/changelog/_go-ver-1200.txt
index 63d94e1123..e30a0634c9 100644
--- a/changelog/_go-ver-1200.txt
+++ b/changelog/_go-ver-1200.txt
@@ -1,3 +1,3 @@
 ```release-note:change
-core: Bump Go version to 1.23.7.
+core: Bump Go version to 1.24.2.
 ```
diff --git a/go.mod b/go.mod
index 5378d9a142..9d90c53c4a 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ module github.com/hashicorp/vault
 // semantic related to Go module handling), this comment should be updated to explain that.
 //
 // Whenever this value gets updated, sdk/go.mod should be updated to the same value.
-go 1.23.8
+go 1.24.0
 
 replace github.com/hashicorp/vault/api => ./api
 
diff --git a/sdk/go.mod b/sdk/go.mod
index 136426e015..1953c17214 100644
--- a/sdk/go.mod
+++ b/sdk/go.mod
@@ -1,6 +1,6 @@
 module github.com/hashicorp/vault/sdk
 
-go 1.23.3
+go 1.24.0
 
 require (
 	cloud.google.com/go/cloudsqlconn v1.4.3
diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go
index f1cacaf35d..91062f927a 100644
--- a/sdk/helper/certutil/helpers.go
+++ b/sdk/helper/certutil/helpers.go
@@ -536,9 +536,10 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
 func AddPolicyIdentifiers(data *CreationBundle, certTemplate *x509.Certificate) {
 	oidOnly := true
 	for _, oidStr := range data.Params.PolicyIdentifiers {
-		oid, err := StringToOid(oidStr)
+		// Compatible with Go 1.24 and higher only (or 1.22 with x509usepolicies=1)
+		x509Oid, err := x509.ParseOID(oidStr)
 		if err == nil {
-			certTemplate.PolicyIdentifiers = append(certTemplate.PolicyIdentifiers, oid)
+			certTemplate.Policies = append(certTemplate.Policies, x509Oid)
 		}
 		if err != nil {
 			oidOnly = false
diff --git a/sdk/plugin/grpc_system.go b/sdk/plugin/grpc_system.go
index d85e29f9e6..42362a1ae2 100644
--- a/sdk/plugin/grpc_system.go
+++ b/sdk/plugin/grpc_system.go
@@ -483,8 +483,7 @@ func (s *gRPCSystemViewServer) RegisterRotationJob(ctx context.Context, req *pb.
 
 	rotationID, err := s.impl.RegisterRotationJob(ctx, cfgReq)
 	if err != nil {
-		return &pb.RegisterRotationJobResponse{}, status.Errorf(codes.Internal,
-			err.Error())
+		return &pb.RegisterRotationJobResponse{}, status.Error(codes.Internal, err.Error())
 	}
 
 	return &pb.RegisterRotationJobResponse{
@@ -504,8 +503,7 @@ func (s *gRPCSystemViewServer) DeregisterRotationJob(ctx context.Context, req *p
 
 	err := s.impl.DeregisterRotationJob(ctx, cfgReq)
 	if err != nil {
-		return &pb.Empty{}, status.Errorf(codes.Internal,
-			err.Error())
+		return &pb.Empty{}, status.Error(codes.Internal, err.Error())
 	}
 
 	return &pb.Empty{}, nil
diff --git a/vault/auth_test.go b/vault/auth_test.go
index 97b8287f88..3e57607c65 100644
--- a/vault/auth_test.go
+++ b/vault/auth_test.go
@@ -5,12 +5,12 @@ package vault
 
 import (
 	"context"
-	"reflect"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/armon/go-metrics"
+	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
@@ -142,8 +142,8 @@ func TestCore_DefaultAuthTable(t *testing.T) {
 	}
 
 	// Verify matching mount tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
+		t.Fatalf("mismatch: %v %v:\nDiffs: %v", c.auth, c2.auth, diffs)
 	}
 }
 
@@ -230,8 +230,8 @@ func TestCore_EnableCredential(t *testing.T) {
 	}
 
 	// Verify matching auth tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
+		t.Fatalf("mismatch: %v %v:\nDiffs: %v", c.auth, c2.auth, diffs)
 	}
 }
 
@@ -289,8 +289,8 @@ func TestCore_EnableCredential_aws_ec2(t *testing.T) {
 	}
 
 	// Verify matching auth tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
+		t.Fatalf("mismatch: %v %v:\n%v", c.auth, c2.auth, diffs)
 	}
 }
 
@@ -377,8 +377,8 @@ func TestCore_EnableCredential_Local(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if !reflect.DeepEqual(oldCredential, c.auth) {
-		t.Fatalf("expected\n%#v\ngot\n%#v\n", oldCredential, c.auth)
+	if diffs := deep.Equal(oldCredential, c.auth); len(diffs) != 0 {
+		t.Fatalf("expected\n%#v\ngot\n%#v:\nDiffs: %v", oldCredential, c.auth, diffs)
 	}
 
 	if len(c.auth.Entries) != 2 {
@@ -486,8 +486,8 @@ func TestCore_DisableCredential(t *testing.T) {
 	}
 
 	// Verify matching mount tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
+		t.Fatalf("mismatch: %v %v:\nDiffs: %v", c.auth, c2.auth, diffs)
 	}
 }
 
diff --git a/vault/mount_test.go b/vault/mount_test.go
index f2d87cb7bf..105ba70a59 100644
--- a/vault/mount_test.go
+++ b/vault/mount_test.go
@@ -370,8 +370,8 @@ func TestCore_Mount_Local(t *testing.T) {
 	}
 	c.mounts.Entries = compEntries
 
-	if !reflect.DeepEqual(oldMounts, c.mounts) {
-		t.Fatalf("expected\n%#v\ngot\n%#v\n", oldMounts, c.mounts)
+	if diffs := deep.Equal(oldMounts, c.mounts); len(diffs) != 0 {
+		t.Fatalf("expected\n%#v\ngot\n%#v:\nDiffs: %v", oldMounts, c.mounts, diffs)
 	}
 
 	if len(c.mounts.Entries) != 2 {