diff --git a/reg-tests/ssl/ssl_generate_certificate.vtc b/reg-tests/ssl/ssl_generate_certificate.vtc
index aa129546d..1f758f98a 100644
--- a/reg-tests/ssl/ssl_generate_certificate.vtc
+++ b/reg-tests/ssl/ssl_generate_certificate.vtc
@@ -150,7 +150,7 @@ client c5 -connect ${h1_clearlst_sock} {
 # Use another SNI - the server certificate should be generated and different
 # than the default one
 client c6 -connect ${h1_clearlst_sock} {
-	txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
+	txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com"
 	rxresp
 	expect resp.status == 200
 	expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c
index ccb5d1b0d..ca4b3c530 100644
--- a/src/ssl_gencert.c
+++ b/src/ssl_gencert.c
@@ -141,11 +141,14 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf
 	/* Set the subject name using the same, but the CN */
 	name = X509_NAME_dup(name);
-	if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
-	                               (const unsigned char *)servername,
-	                               -1, -1, 0) != 1) {
-		X509_NAME_free(name);
-		goto mkcert_error;
+
+	if (strlen(servername) <= 64) {
+		if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+		                               (const unsigned char *)servername,
+		                               -1, -1, 0) != 1) {
+			X509_NAME_free(name);
+			goto mkcert_error;
+		}
 	}
 	if (X509_set_subject_name(newcrt, name) != 1) {
 		X509_NAME_free(name);
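Review bot: Replacing c6's request drops the only coverage of the short-SNI path (`x-sni: unknown-sni.com`), so the branch where the CN is actually added to the generated certificate is no longer exercised; keep c6 as it was and add a separate client (c7, say) with the same expectations and the over-64-byte name. The expectations visible here check only `resp.status` and `x-ssl-sig_alg`, while the companion src/ssl_gencert.c hunk now omits the CN entirely for names longer than 64 bytes, so a generated certificate whose subject is just the duplicated issuer name would pass this test unnoticed; if the harness exposes the negotiated certificate's subject or SAN (I cannot see what further expectations follow), assert it for the long name. The c6 block continues past the end of the hunk.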