diff --git a/salt/modules/x509.py b/salt/modules/x509.py
index 346ff2cb68db..03534c53df90 100644
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@@ -390,7 +390,7 @@ def _passphrase_callback(passphrase):
     Returns a callback function used to supply a passphrase for private keys
     '''
     def f(*args):
-        return salt.utils.stringutils.to_str(passphrase)
+        return salt.utils.stringutils.to_bytes(passphrase)
     return f
 
 
@@ -961,7 +961,7 @@ def create_crl(  # pylint: disable=too-many-arguments,too-many-locals
 
         serial_number = rev_item['serial_number'].replace(':', '')
         # OpenSSL bindings requires this to be a non-unicode string
-        serial_number = salt.utils.stringutils.to_str(serial_number)
+        serial_number = salt.utils.stringutils.to_bytes(serial_number)
 
         if 'not_after' in rev_item and not include_expired:
             not_after = datetime.datetime.strptime(
@@ -976,6 +976,7 @@ def create_crl(  # pylint: disable=too-many-arguments,too-many-locals
         rev_date = datetime.datetime.strptime(
             rev_item['revocation_date'], '%Y-%m-%d %H:%M:%S')
         rev_date = rev_date.strftime('%Y%m%d%H%M%SZ')
+        rev_date = salt.utils.stringutils.to_bytes(rev_date)
 
         rev = OpenSSL.crypto.Revoked()
         rev.set_serial(serial_number)
@@ -1005,7 +1006,7 @@ def create_crl(  # pylint: disable=too-many-arguments,too-many-locals
         'days': days_valid
     }
     if digest:
-        export_kwargs['digest'] = bytes(digest)
+        export_kwargs['digest'] = salt.utils.stringutils.to_bytes(digest)
     else:
         log.warning('No digest specified. The default md5 digest will be used.')
 
@@ -1573,7 +1574,7 @@ def create_certificate(
             pem_type='CERTIFICATE'
         )
     else:
-        return cert.as_pem()
+        return salt.utils.stringutils.to_str(cert.as_pem())
 # pylint: enable=too-many-locals
 
 
diff --git a/tests/unit/modules/test_x509.py b/tests/unit/modules/test_x509.py
index 1b1ac5c2bc9f..9789e03d6ef6 100644
--- a/tests/unit/modules/test_x509.py
+++ b/tests/unit/modules/test_x509.py
@@ -136,7 +136,7 @@ def test_create_key(self):
         '''
         ret = x509.create_private_key(text=True,
                                       passphrase='super_secret_passphrase')
-        self.assertIn(b'BEGIN RSA PRIVATE KEY', ret)
+        self.assertIn('BEGIN RSA PRIVATE KEY', ret)
 
     @skipIf(not HAS_M2CRYPTO, 'Skipping, M2Crypto is unavailble')
     def test_create_certificate(self):
@@ -176,7 +176,7 @@ def test_create_certificate(self):
                                       authorityKeyIdentifier='keyid,issuer:always',
                                       days_valid=3650,
                                       days_remaining=0)
-        self.assertIn(b'BEGIN CERTIFICATE', ret)
+        self.assertIn('BEGIN CERTIFICATE', ret)
 
     @skipIf(not HAS_M2CRYPTO, 'Skipping, M2Crypto is unavailble')
     def test_create_crl(self):
@@ -240,7 +240,7 @@ def test_create_crl(self):
         os.remove(ca_crl_file.name)
 
         # Ensure that a CRL was actually created
-        self.assertIn(b'BEGIN X509 CRL', crl)
+        self.assertIn('BEGIN X509 CRL', crl)
 
     @skipIf(not HAS_M2CRYPTO, 'Skipping, M2Crypto is unavailble')
     def test_revoke_certificate_with_crl(self):