diff --git a/SOURCES/0003-Truncate-IP-address-in-SAN.patch b/SOURCES/0003-Truncate-IP-address-in-SAN.patch
new file mode 100644
index 0000000..c492f38
--- /dev/null
+++ b/SOURCES/0003-Truncate-IP-address-in-SAN.patch
@@ -0,0 +1,68 @@
+From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 8 Mar 2022 16:33:35 -0500
+Subject: [PATCH] Truncate IP address in SAN
+
+In OpenSSL 1.1, this was done automatically when addind a SAN extension,
+but in OpenSSL 3.0 it is rejected as an invalid input.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/x509.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+   size_t i;
+   X509_NAME *subject;
+   char *alt_name = NULL;
+   char *tmp = NULL;
+   char *san = NULL;
++  char *slash = NULL;
+   TALLOC_CTX *tmp_ctx;
+   X509_EXTENSION *ex = NULL;
+   struct sscg_x509_req *csr;
+ 
+   /* Make sure we have a key available */
+@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
+             }
+           else
+             {
+               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
++              /* SAN IP addresses cannot include the subnet mask */
++              if ((slash = strchr (san, '/')))
++                {
++                  /* Truncate at the slash */
++                  *slash = '\0';
++                }
+             }
+           CHECK_MEM (san);
+ 
+           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+             {
+@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+           alt_name = tmp;
+         }
+     }
+ 
+   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
+-  CHECK_MEM (ex);
++  if (!ex)
++    {
++      ret = EINVAL;
++      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
++      goto done;
++    }
++
+   sk_X509_EXTENSION_push (certinfo->extensions, ex);
+ 
+   /* Set the public key for the certificate */
+   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
+   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
+-- 
+2.35.1
+
diff --git a/SPECS/sscg.spec b/SPECS/sscg.spec
index 782aff0..d940fbe 100644
--- a/SPECS/sscg.spec
+++ b/SPECS/sscg.spec
@@ -9,7 +9,7 @@
 
 Name:           sscg
 Version:        3.0.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Simple SSL certificate generator
 
 License:        GPLv3+ with exceptions
@@ -28,6 +28,7 @@ BuildRequires:  help2man
 
 Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
 Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
+Patch0003: 0003-Truncate-IP-address-in-SAN.patch
 
 
 %description
@@ -59,6 +60,10 @@ false signatures from the service certificate.
 %{_mandir}/man8/%{name}.8*
 
 %changelog
+* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
+- Handle IP addresses in subjectAlternativeName correctly
+- Resolves: rhbz#2061923
+
 * Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
 - Correct certificate lifetime calculation
 - Resolves: rhbz#2017667