diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go
index 7b6057a11665..96c93ac56277 100644
--- a/builtin/credential/cert/path_certs.go
+++ b/builtin/credential/cert/path_certs.go
@@ -8,6 +8,7 @@ import (
 "time"
 
 "github.com/hashicorp/go-sockaddr"
+ "github.com/hashicorp/vault/helper/parseutil"
 "github.com/hashicorp/vault/helper/policyutil"
 "github.com/hashicorp/vault/logical"
 "github.com/hashicorp/vault/logical/framework"
@@ -234,16 +235,9 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
 }
 }
 
- var parsedCIDRs []*sockaddr.SockAddrMarshaler
- for _, v := range d.Get("bound_cidrs").([]string) {
- parsedCIDR, err := sockaddr.NewSockAddr(v)
- if err != nil {
- if b.Logger().IsDebug() {
- b.Logger().Debug(fmt.Sprintf("unable to parse %s as a cidr: %s", v, err))
- }
- return logical.ErrorResponse(fmt.Sprintf("unable to parse %s as a cidr", v)), logical.ErrInvalidRequest
- }
- parsedCIDRs = append(parsedCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR})
+ parsedCIDRs, err := parseutil.ParseAddrs(d.Get("bound_cidrs"))
+ if err != nil {
+ return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 }
 
 certEntry := &CertEntry{
diff --git a/logical/plugin/pb/translation.go b/logical/plugin/pb/translation.go
index 32f127488f4c..3ebdf4d0e114 100644
--- a/logical/plugin/pb/translation.go
+++ b/logical/plugin/pb/translation.go
@@ -6,8 +6,8 @@ import (
 "time"
 
 "github.com/golang/protobuf/ptypes"
- "github.com/hashicorp/go-sockaddr"
 "github.com/hashicorp/vault/helper/errutil"
+ "github.com/hashicorp/vault/helper/parseutil"
 "github.com/hashicorp/vault/helper/wrapping"
 "github.com/hashicorp/vault/logical"
 )
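Review bot: The parse error is now echoed to the requester verbatim via `logical.ErrorResponse(err.Error())`, where the removed code returned only the fixed "unable to parse %s as a cidr" text and kept the underlying error in the debug log; check that parseutil.ParseAddrs's error strings are meant for clients and carry nothing beyond the submitted value. The `.([]string)` assertion on `d.Get("bound_cidrs")` is also gone, so the field value reaches ParseAddrs as an untyped interface — ParseAddrs is not shown here, so confirm it accepts the `[]string` the framework field yields and does not quietly yield no CIDRs for an unexpected type. pathCertWrite continues outside the hunk.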
@@ -551,13 +551,14 @@ func ProtoAuthToLogicalAuth(a *Auth) (*logical.Auth, error) {
 return nil, err
 }
 
- var boundCIDRs []*sockaddr.SockAddrMarshaler
- for _, cidr := range a.BoundCidrs {
- parsedCIDR, err := sockaddr.NewSockAddr(cidr)
- if err != nil {
- return nil, err
- }
- boundCIDRs = append(boundCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR})
+ boundCIDRs, err := parseutil.ParseAddrs(a.BoundCidrs)
+ if err != nil {
+ return nil, err
+ }
+ if len(boundCIDRs) == 0 {
+ // On inbound auths, if auth.BoundCIDRs is empty, it will be nil.
+ // Let's match that behavior outbound.
+ boundCIDRs = nil
 }
 
 return &logical.Auth{
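Review bot: The `len(boundCIDRs) == 0` → `nil` normalization is applied only here, while the parallel pathCertWrite change in this commit stores whatever parseutil.ParseAddrs returns; if ParseAddrs can hand back an empty non-nil slice, the persisted CertEntry would serialize as `[]` rather than `null`, which is the very mismatch this block guards against. Consider normalizing in one place — inside ParseAddrs, or at both call sites — so the two paths agree. The comment could also state the assumption it relies on, e.g. `// ParseAddrs may return an empty non-nil slice; inbound auths carry nil, so match that here.`, since a reader cannot tell from this code why the check is needed. ProtoAuthToLogicalAuth starts and ends outside the hunk.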