diff --git a/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c b/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c
index c34a39dce..183c5e1ed 100644
--- a/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c
+++ b/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c
@@ -42,10 +42,13 @@ DebugPrint (
   )
 {
   VA_LIST  Marker;
+  CHAR8    Buffer[256];
 
   VA_START (Marker, Format);
-  OneCryptoDebugPrint (ErrorLevel, Format, Marker);
+  AsciiVSPrint (Buffer, sizeof (Buffer), Format, Marker);
   VA_END (Marker);
+
+  OneCryptoDebugPrint (ErrorLevel, "%a", Buffer);
 }
 
 /**
diff --git a/OneCryptoPkg/OneCryptoPkg.dsc b/OneCryptoPkg/OneCryptoPkg.dsc
index 917a0af9d..c17d3c20a 100644
--- a/OneCryptoPkg/OneCryptoPkg.dsc
+++ b/OneCryptoPkg/OneCryptoPkg.dsc
@@ -27,6 +27,9 @@
   # Enable NASM assembly source style for accelerated OpenSSL crypto
   gEfiCryptoPkgTokenSpaceGuid.PcdOpensslLibAssemblySourceStyleNasm|TRUE
 
+[PcdsPatchableInModule.AARCH64]
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+
 [PcdsFeatureFlag.AARCH64]
   #
   # Use the PE target assembly source files when building with the CLANGPDB
@@ -54,6 +57,23 @@
   gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000
 !endif
 
+[PcdsFixedAtBuild.AARCH64]
+  # Ensure DEBUG prints are enabled (excluding VERBOSE: 0x8040004F & ~0x00400000 = 0x8000004F)
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+  gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x8000004F
+
+  # OneCryptoPkg Debug Configuration
+  # DEBUG builds: Enable Debug Print (BIT1) and Debug Code (BIT2) = 0x06
+  # RELEASE builds: Disable all debug features = 0x00
+  # Note: Debug Clear Memory (BIT3) is intentionally disabled for all builds
+!if $(TARGET) == DEBUG
+  gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x06
+  gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0xFFFFFFFF
+!else
+  gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x00
+  gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000
+!endif
+
 [LibraryClasses.AARCH64]
   CompilerIntrinsicsLib|MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
 
@@ -345,7 +365,10 @@
       UefiDriverEntryPoint        | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
       UefiBootServicesTableLib    | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf
       MemoryAllocationLib         | MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
-      DebugLib                    | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
+      DebugLib                    | AdvLoggerPkg/Library/BaseDebugLibAdvancedLogger/BaseDebugLibAdvancedLogger.inf
+      DebugPrintErrorLevelLib     | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
+      AdvancedLoggerLib           | AdvLoggerPkg/Library/AdvancedLoggerLib/Dxe/AdvancedLoggerLib.inf
+      AssertLib                   | AdvLoggerPkg/Library/AssertLib/AssertLib.inf
   }
 
   #############################################################################
diff --git a/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py b/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py
index 8001764a9..c306c14cb 100644
--- a/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py
+++ b/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py
@@ -50,7 +50,9 @@ def create_package(
                 for arch in architectures:
                     zip_bundle(workspace, target, arch, toolchain, zipf)
             add_log_files(workspace, zipf)
-            log_bundle_info(workspace, output_zip, targets, architectures, toolchain, zipf)
+
+        # Log after the zip is closed so the SHA256 covers the finalized file
+        log_bundle_info(workspace, output_zip, targets, architectures, toolchain)
 
 
 def zip_bundle(workspace, target, arch, toolchain, output_zip):
@@ -99,7 +101,7 @@ def add_log_files(workspace, zipf):
 
 
 
-def log_bundle_info(workspace, output_zip, targets, architectures, toolchain, zipf):
+def log_bundle_info(workspace, output_zip, targets, architectures, toolchain):
     """
     Log a packaging summary including EFI sizes, compression ratios, and SHA256.
 
@@ -109,7 +111,6 @@ def log_bundle_info(workspace, output_zip, targets, architectures, toolchain, zi
         targets: List of build targets (DEBUG, RELEASE)
         architectures: List of architectures (X64, AARCH64)
         toolchain: Toolchain used (e.g., VS2022, GCC5)
-        zipf: Open ZipFile object to read entry metadata from
     """
     logging.critical("=" * 80)
     logging.critical("OneCrypto Packaging Summary:")
diff --git a/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c b/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 315bb95e4..c10d6ef6a 100644
--- a/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -105,18 +105,25 @@ X509ConstructCertificateStackV (
   UINT8  *Cert;
   UINTN  CertSize;
   X509   *X509Cert;
+  UINTN  CertIndex; // MU_CHANGE
 
   STACK_OF (X509)  *CertStack;
   BOOLEAN  Status;
+  BOOLEAN  NewlyAllocated; // MU_CHANGE
 
   //
   // Check input parameters.
   //
   if (X509Stack == NULL) {
+    DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV X509Stack is NULL\n", gEfiCallerBaseName)); // MU_CHANGE
     return FALSE;
   }
 
   Status = FALSE;
+  // MU_CHANGE [BEGIN]
+  CertIndex      = 0;
+  NewlyAllocated = FALSE;
+  // MU_CHANGE [END]
 
   //
   // Initialize X509 stack object.
@@ -125,8 +132,11 @@ X509ConstructCertificateStackV (
   if (CertStack == NULL) {
     CertStack = sk_X509_new_null ();
     if (CertStack == NULL) {
+      DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV failed to allocate X509 stack\n", gEfiCallerBaseName)); // MU_CHANGE
       return Status;
     }
+
+    NewlyAllocated = TRUE; // MU_CHANGE
   }
 
   while (TRUE) {
@@ -135,6 +145,7 @@ X509ConstructCertificateStackV (
     //
     Cert = VA_ARG (Args, UINT8 *);
     if (Cert == NULL) {
+      DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV reached end of list after %Lu certs\n", gEfiCallerBaseName, (UINT64)CertIndex)); // MU_CHANGE
       break;
     }
 
@@ -164,10 +175,19 @@ X509ConstructCertificateStackV (
     // Insert the new X509 object into X509 stack object.
     //
     sk_X509_push (CertStack, X509Cert);
+    CertIndex++; // MU_CHANGE
   }
 
   if (!Status) {
-    sk_X509_pop_free (CertStack, X509_free);
+    // MU_CHANGE [BEGIN]
+    if (NewlyAllocated) {
+      DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV failed, freeing newly allocated stack\n", gEfiCallerBaseName));
+      sk_X509_pop_free (CertStack, X509_free);
+    } else {
+      DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV failed, preserving pre-existing stack\n", gEfiCallerBaseName));
+    }
+
+    // MU_CHANGE [END]
   } else {
     *X509Stack = (UINT8 *)CertStack;
   }