diff --git a/ChangeLog b/ChangeLog index 4ee7971..9c23d13 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.1.1 (TBD) + * Always ensure X509-types files exist (#581 #696) * Remove renew-req (#684) * Re-enable use of '--vars=FILE init-pki' #640 (Revert #566) * Introduce --keep-tmp, keep temp files for debugging (#667) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index eee7ec8..a3be52d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1298,6 +1298,12 @@ $EASYRSA_PKI Refusing to create a new CA keypair as this operation would overwrite your current CA keypair. If you intended to start a new CA, run init-pki first." + # Cert type must exist under the EASYRSA_EXT_DIR + [ -e "$EASYRSA_EXT_DIR/ca" ] || die "\ +Missing X509-type 'ca'" + [ -e "$EASYRSA_EXT_DIR/COMMON" ] || die "\ +Missing X509-type 'COMMON'" + # Check for insert-marker in ssl config file if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then die "\ @@ -1645,9 +1651,9 @@ expected 2, got $# (see command help for usage)" # Cert type must exist under the EASYRSA_EXT_DIR [ -e "$EASYRSA_EXT_DIR/$crt_type" ] || die "\ -Unknown cert type '$crt_type'" +Missing X509-type '$crt_type'" [ -e "$EASYRSA_EXT_DIR/COMMON" ] || die "\ -Missing cert type 'COMMON'" +Missing X509-type 'COMMON'" # Cert type must NOT be COMMON [ "$crt_type" != COMMON ] || die "\
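Review bot: The guards added in the `-1298,6 +1298,12` hunk use `[ -e ... ]`, which only shows that something named `ca` or `COMMON` exists under `$EASYRSA_EXT_DIR`; a directory or an unreadable file passes, and the failure then presumably surfaces later in CA creation with a less direct message. Testing for a readable regular file is tighter, e.g. `[ -f "$EASYRSA_EXT_DIR/ca" ] && [ -r "$EASYRSA_EXT_DIR/ca" ] || die "\`, and likewise for `COMMON`. The existing `-e` checks kept as context in the `-1645,9 +1651,9` hunk have the same gap. Naming the directory in the message, e.g. `Missing X509-type 'ca' in: $EASYRSA_EXT_DIR`, would also tell the operator which types directory was searched. The enclosing functions start and end outside both hunks.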