diff --git a/coordinator/mesh.go b/coordinator/mesh.go
index c7f10f9e7a..1dad23b68d 100644
--- a/coordinator/mesh.go
+++ b/coordinator/mesh.go
@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/hex"
 	"fmt"
 	"log/slog"
@@ -76,7 +77,9 @@ func (m *meshAuthority) SNPValidateOpts(report *sevsnp.Report) (*validate.Option
 	}, nil
 }
 
-func (m *meshAuthority) ValidateCallback(_ context.Context, report *sevsnp.Report, _ []byte, peerPubKeyBytes []byte) error {
+func (m *meshAuthority) ValidateCallback(_ context.Context, report *sevsnp.Report,
+	oid asn1.ObjectIdentifier, reportRaw, _, peerPubKeyBytes []byte,
+) error {
 	mnfst, err := m.manifests.Latest()
 	if err != nil {
 		return fmt.Errorf("getting latest manifest: %w", err)
@@ -93,7 +96,7 @@ func (m *meshAuthority) ValidateCallback(_ context.Context, report *sevsnp.Repor
 		return fmt.Errorf("failed to parse peer public key: %w", err)
 	}
 
-	var extensions []pkix.Extension // TODO
+	extensions := []pkix.Extension{{Id: oid, Value: reportRaw}}
 	cert, err := m.ca.NewAttestedMeshCert(dnsNames, extensions, peerPubKey)
 	if err != nil {
 		return fmt.Errorf("failed to issue new attested mesh cert: %w", err)
diff --git a/internal/attestation/snp/validator.go b/internal/attestation/snp/validator.go
index 418308365b..1221eb0e24 100644
--- a/internal/attestation/snp/validator.go
+++ b/internal/attestation/snp/validator.go
@@ -30,7 +30,8 @@ type Validator struct {
 }
 
 type validateCallbacker interface {
-	ValidateCallback(ctx context.Context, report *sevsnp.Report, nonce []byte, peerPublicKey []byte) error
+	ValidateCallback(ctx context.Context, report *sevsnp.Report, validatorOID asn1.ObjectIdentifier,
+		reportRaw, nonce, peerPublicKey []byte) error
 }
 
 type validateOptsGenerator interface {
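Review bot: The extension built in ValidateCallback's `extensions := []pkix.Extension{{Id: oid, Value: reportRaw}}` is non-critical (Critical is left false) and its Value is the raw report bytes rather than a DER structure, and neither choice is stated anywhere; a comment above that line would pin both down, e.g. `// Non-critical extension whose extnValue holds the raw attestation report verbatim (no DER wrapping); verifiers must parse it as such.` The callback also depends on the caller passing the exact bytes that report was parsed from, which nothing in this function checks, so that contract belongs on the validateCallbacker interface. ValidateCallback begins in the preceding hunk and its body continues past this one.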
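Review bot: The widened validateCallbacker method still has no doc comment, and the two new parameters carry a contract their names do not express: validatorOID identifies which validator produced the report, and reportRaw must be the serialized form that report was decoded from, since the coordinator callback embeds those bytes verbatim in a certificate extension under that OID. A comment such as `// ValidateCallback runs after the report has been verified; validatorOID names the validator type and reportRaw is the exact serialized report that report was decoded from.` above the method would give every implementer that information. The interface is small enough that this comment is the only documentation an implementer will see.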
@@ -123,7 +124,9 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 
 	// Run callbacks.
 	for _, callbacker := range v.callbackers {
-		if err := callbacker.ValidateCallback(ctx, report, nonce, peerPublicKey); err != nil {
+		if err := callbacker.ValidateCallback(
+			ctx, report, v.OID(), reportRaw, nonce, peerPublicKey,
+		); err != nil {
 			return fmt.Errorf("callback failed: %w", err)
 		}
 	}
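Review bot: `v.OID()` is loop-invariant but is now evaluated once per callbacker inside the for loop; hoisting it with `oid := v.OID()` before the loop and passing `oid` in the call would also keep the call site on a single line. The unchanged `callback failed: %w` error still does not identify which callbacker failed, which matters more now that each one receives the raw report and OID and may act on them differently; `fmt.Errorf("callback %T failed: %w", callbacker, err)` would make the failure attributable. Validate's body starts and ends outside this hunk, and reportRaw is presumably assigned earlier in it.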