pfSense

according to https://datatracker.ietf.org/doc/html/rfc4514 "," (comma) must be escaped:

   Each octet of the character to be escaped is replaced by a backslash
   and two hex digits, which form a single octet in the code of the
   character.  Alternatively, if and only if the character to be escaped
   is one of

      ' ', '"', '#', '+', ',', ';', '<', '=', '>', or '\'
      (U+0020, U+0022, U+0023, U+002B, U+002C, U+003B,
       U+003C, U+003D, U+003E, U+005C, respectively)

   it can be prefixed by a backslash ('\' U+005C).

but here's the double backslash:

Subject: CN = commacert, O = "Comma \\, test" 

see https://github.com/pfsense/pfsense/blob/55dc00701011c2547a55dabf7716d2939cadc509/src/etc/inc/certs.inc#L1471

Interesting. Looks like the output varies by platform or OpenSSL version. Where I initially checked that was on an older Mac and it outputs only "\,", but on Linux and FreeBSD with openssl 1.1.x it shows "\\,".

Opening it in Windows also shows "Test \, comma".

Are you certain it's not actually correct and maybe the output from OpenSSL is what's not as expected?

Here's some more details when examining certificates generated from different sources:

1. Cert from third-party app default: O=Test\, INC
2. Cert from Third-party app with escaped characters: O=Test\\\, INC
3. Cert from pfSense 2.4.5p1/21.05 default: O=Test\\\, INC
4. Cert from pfSense 2.4.5p1/21.05 with escaped characters: O=Test\\\, INC

From this, it seems that any special character defined in the pfSense cert_escape_x509_chars function will be passed as escaped to the php function openssl_csr_new which then seems to escape both \ and , resulting in \\\, entered into the certificate.

Additionally, I noticed that if php is built with LDAP support, it can use the ldap_escape function which includes all the characters in cert_escape_x509_chars as well as \r
https://github.com/php/php-src/blob/4c0231ebc38fa27fe2c037c7ca087de5e16bdc2a/ext/ldap/ldap.c#L3899

If cert_escape_x509_chars is to be used, perhaps it should also include \r?

it looks like `cert_escape_x509_chars()` is not needed - `openssl_csr_new()` automatically adds double quotes in case of a special character.

tests without `cert_escape_x509_chars()`:

$ openssl x509 -in commatest.crt -text -noout | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = freeradius-temp-ca
        Validity
            Not Before: Jun 16 11:56:29 2021 GMT
            Not After : Jun 14 11:56:29 2031 GMT
        Subject: CN = commatest, O = "Comma , test" 

$ openssl x509 -in nocommatest.crt -text -noout | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = freeradius-temp-ca
        Validity
            Not Before: Jun 16 12:01:02 2021 GMT
            Not After : Jun 14 12:01:02 2031 GMT
        Subject: CN = nocommatest, O = No comma test

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/286