diff --git a/lib/serverspec/type/x509_certificate.rb b/lib/serverspec/type/x509_certificate.rb
index 2c003001..4a26f8ed 100644
--- a/lib/serverspec/type/x509_certificate.rb
+++ b/lib/serverspec/type/x509_certificate.rb
@@ -84,9 +84,9 @@ def parse_dates_str_to_map(dates_str)
 
     # Normalize output between openssl versions.
     def normalize_dn(dn)
-      return subject unless subject.start_with?('/')
-      # normalize openssl >= 1.1 to < 1.1 output
-      subject[1..-1].split('/').join(', ').gsub('=', ' = ')
+      return dn unless dn.start_with?('/')
+      # normalize openssl < 1.1 to >= 1.1 output
+      dn[1..-1].split('/').join(', ').gsub('=', ' = ')
     end
   end
 end
diff --git a/spec/type/linux/x509_certificate_spec.rb b/spec/type/linux/x509_certificate_spec.rb
index 0f2b6c42..faa1829e 100644
--- a/spec/type/linux/x509_certificate_spec.rb
+++ b/spec/type/linux/x509_certificate_spec.rb
@@ -12,14 +12,24 @@
   it { should_not be_certificate }
 end
 
-describe x509_certificate('test.pem') do
-  let(:stdout) { sample_subj }
-  its(:subject) { should eq '/O=some/OU=thing' }
+describe x509_certificate('test-openssl-1.0.pem') do
+  let(:stdout) { sample_subj_openssl_1_0 }
+  its(:subject) { should eq 'O = some, OU = thing' }
 end
 
-describe x509_certificate('test.pem') do
-  let(:stdout) { sample_issuer }
-  its(:issuer) { should eq '/O=some/OU=issuer' }
+describe x509_certificate('test-openssl-1.1.pem') do
+  let(:stdout) { sample_subj_openssl_1_1 }
+  its(:subject) { should eq 'O = some, OU = thing' }
+end
+
+describe x509_certificate('test-openssl-1.0.pem') do
+  let(:stdout) { sample_issuer_openssl_1_0 }
+  its(:issuer) { should eq 'O = some, OU = issuer' }
+end
+
+describe x509_certificate('test-openssl-1.1.pem') do
+  let(:stdout) { sample_issuer_openssl_1_1 }
+  its(:issuer) { should eq 'O = some, OU = issuer' }
 end
 
 describe x509_certificate('test.pem') do
@@ -38,18 +48,30 @@
   its(:subject_alt_names) { should eq %w[DNS:*.example.com DNS:www.example.net IP:192.0.2.10] }
 end
 
-def sample_subj
+def sample_subj_openssl_1_0
   <<'EOS'
 subject= /O=some/OU=thing
 EOS
 end
 
-def sample_issuer
+def sample_subj_openssl_1_1
+  <<'EOS'
+subject=O = some, OU = thing
+EOS
+end
+
+def sample_issuer_openssl_1_0
   <<'EOS'
 issuer= /O=some/OU=issuer
 EOS
 end
 
+def sample_issuer_openssl_1_1
+  <<'EOS'
+issuer=O = some, OU = issuer
+EOS
+end
+
 def sample_validity
   <<'EOS'
 notBefore=Jul  1 11:11:00 2000 GMT