diff --git a/.gitignore b/.gitignore
index bd493f3..d5c2244 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 easyrsa3/pki/*
 easyrsa3/vars
 dist-staging
+easyrsa3/safessl-easyrsa.cnf
diff --git a/.travis.yml b/.travis.yml
index bd946c9..04478c1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,6 +11,7 @@ addons:
 env:
  - PATH=/usr/bin:/bin:./
 script:
+ - which shellcheck
  - bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa'
  - bash -c 'pwd'
  - bash -c 'ls -la'
diff --git a/build/build-dist.sh b/build/build-dist.sh
index 5bc91e5..70c13f0 100755
--- a/build/build-dist.sh
+++ b/build/build-dist.sh
@@ -78,6 +78,8 @@ stage_unix() {
 	
 	cp -R "$SRC_ROOT/doc" "$DIST_ROOT/unix/$PV/" || die "failed to copy unix doc"
 
+	sed -i -e "s/~~~/$VERSION/" "$DIST_ROOT/unix/$PV/easyrsa"
+
 	# files not included
 	rm -rf "$DIST_ROOT/unix/$PV/doc/TODO" || die "failed rm TODO"
 }
@@ -92,6 +94,7 @@ stage_win() {
 	for f in $SRC_ROOT/doc/*.md;
 	do
 		fname=$(basename "$f" .md)
+		sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f"
 		python -m markdown "$f" > "$DIST_ROOT/windows/$PV/doc/$fname.html"
 	done
 	
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index cede5b1..1849281 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2,7 +2,7 @@
 
 # Easy-RSA 3 -- A Shell-based CA Utility
 #
-# Copyright (C) 2013 by the Open-Source OpenVPN development community.
+# Copyright (C) 2018 by the Open-Source OpenVPN development community.
 # A full list of contributors can be found in the ChangeLog.
 #
 # This code released under version 2 of the GNU GPL; see COPYING and the
@@ -287,19 +287,46 @@ clean_temp() {
 	done
 } # => clean_temp()
 
+# Make LibreSSL safe config file from OpenSSL config file
+make_ssl_config() {
+sed	-e "s,ENV::,,g" \
+	-e "s,\$dir,$EASYRSA_PKI,g" \
+	-e "s,\$EASYRSA_PKI,$EASYRSA_PKI,g" \
+	-e "s,\$EASYRSA_CERT_EXPIRE,$EASYRSA_CERT_EXPIRE,g" \
+	-e "s,\$EASYRSA_CRL_DAYS,$EASYRSA_CRL_DAYS,g" \
+	-e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \
+	-e "s,\$EASYRSA_KEY_SIZE,$EASYRSA_KEY_SIZE,g" \
+	-e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \
+	-e "s,\$EASYRSA_DN,$EASYRSA_DN,g" \
+	-e "s,\$EASYRSA_REQ_COUNTRY,$EASYRSA_REQ_COUNTRY,g" \
+	-e "s,\$EASYRSA_REQ_PROVINCE,$EASYRSA_REQ_PROVINCE,g" \
+	-e "s,\$EASYRSA_REQ_CITY,$EASYRSA_REQ_CITY,g" \
+	-e "s,\$EASYRSA_REQ_ORG,$EASYRSA_REQ_ORG,g" \
+	-e "s,\$EASYRSA_REQ_OU,$EASYRSA_REQ_OU,g" \
+	-e "s,\$EASYRSA_REQ_CN,$EASYRSA_REQ_CN,g" \
+	-e "s,\$EASYRSA_REQ_EMAIL,$EASYRSA_REQ_EMAIL,g" \
+	"$EASYRSA_SSL_CONF" > "$EASYRSA_SAFE_CONF" || die "\
+Failed to update $EASYRSA_SAFE_CONF"
+} # => make_ssl_config()
+
 vars_source_check() {
 	# Check for defined EASYRSA_PKI
 	[ -n "$EASYRSA_PKI" ] || die "\
 EASYRSA_PKI env-var undefined"
 
+	# make safessl-easyrsa.cnf
+	make_ssl_config
+
 	# Verify EASYRSA_OPENSSL command gives expected output
 	if [ -z "$EASYRSA_SSL_OK" ]; then
 		val="$("$EASYRSA_OPENSSL" version)"
 		case "${val%% *}" in
-			OpenSSL|LibreSSL) ;;
+			OpenSSL|LibreSSL)
+				notice "\
+Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;;
 			*) die "\
 Missing or invalid OpenSSL
-Expected to find openssl command at: $EASYRSA_OPENSSL"
+Expected to find openssl command at: $EASYRSA_OPENSSL" ;;
 		esac
 	fi
 	EASYRSA_SSL_OK=1
@@ -500,11 +527,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
 			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts
 	fi
+
+	# make safessl-easyrsa.cnf
+	make_ssl_config
+
 	# create the CA keypair:
 	[ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp"
 	#shellcheck disable=SC2086
 	"$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
-		-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
+		-config "$EASYRSA_SAFE_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
 		die "Failed to build the CA"
 
 	mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
@@ -595,13 +626,16 @@ $EASYRSA_EXTRA_EXTS"
 		EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF"
 	fi
 
+	# make safessl-easyrsa.cnf
+	make_ssl_config
+
 	key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp"
 	req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp"
 	# generate request
 	[ $EASYRSA_BATCH ] && opts="$opts -batch"
 	# shellcheck disable=SC2086
 	"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
-		-config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
+		-config "$EASYRSA_SAFE_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
 		|| die "Failed to generate request"
 	mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2=
 	mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3=
@@ -711,10 +745,13 @@ $(display_dn req "$req_in")
 Failed to create temp extension file (bad permissions?) at:
 $EASYRSA_TEMP_EXT"
 
+	# make safessl-easyrsa.cnf
+	make_ssl_config
+
 	# sign request
 	# shellcheck disable=SC2086
 	crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
-	"$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \
+	"$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SAFE_CONF" \
 		-extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \
 		|| die "signing failed (openssl output above may have more detail)"
 	mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2=
@@ -794,7 +831,10 @@ $(display_dn x509 "$crt_in")
 Unable to revoke as no certificate was found. Certificate was expected
 at: $crt_in"
 
-	"$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\
+	# make safessl-easyrsa.cnf
+	make_ssl_config
+
+	"$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SAFE_CONF" || die "\
 Failed to revoke certificate: revocation command failed."
 
 	notice "\
@@ -810,9 +850,12 @@ infrastructure in order to prevent the revoked cert from being accepted.
 gen_crl() {
 	verify_ca_init
 
+	# make safessl-easyrsa.cnf
+	make_ssl_config
+
 	out_file="$EASYRSA_PKI/crl.pem"
 	out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
-	"$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SSL_CONF" || die "\
+	"$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
 CRL Generation failed.
 "
 	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
@@ -969,7 +1012,7 @@ $file"
 If the key is currently encrypted you must supply the decryption passphrase.
 ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
 
-	"$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" "$crypto" || die "\
+	"$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" $crypto || die "\
 Failed to change the private key passphrase. See above for possible openssl
 error messages."
 
@@ -1126,10 +1169,10 @@ Note: using Easy-RSA configuration from: $vars"
 	set_var EASYRSA_CURVE		secp384r1
 	set_var EASYRSA_EC_DIR		"$EASYRSA_PKI/ecparams"
 	set_var EASYRSA_CA_EXPIRE	3650
-	set_var EASYRSA_CERT_EXPIRE	3650
+	set_var EASYRSA_CERT_EXPIRE	1080 # new default of 36 months	
 	set_var EASYRSA_CRL_DAYS	180
 	set_var EASYRSA_NS_SUPPORT	no
-	set_var EASYRSA_NS_COMMENT	"Easy-RSA Generated Certificate"
+	set_var EASYRSA_NS_COMMENT	"Easy-RSA (~~~) Generated Certificate"
 	set_var EASYRSA_TEMP_CONF	"$EASYRSA_PKI/openssl-easyrsa.temp"
 	set_var EASYRSA_TEMP_EXT	"$EASYRSA_PKI/extensions.temp"
 	set_var EASYRSA_TEMP_FILE_2	""
@@ -1140,7 +1183,9 @@ Note: using Easy-RSA configuration from: $vars"
 	# Detect openssl config, preferring EASYRSA_PKI over EASYRSA
 	if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then
 		set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"
+		set_var EASYRSA_SAFE_CONF	"$EASYRSA_PKI/safessl-easyrsa.cnf"
 	else	set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-easyrsa.cnf"
+		set_var EASYRSA_SAFE_CONF	"$EASYRSA/safessl-easyrsa.cnf"
 	fi
 
 	# Same as above for the x509-types extensions dir
@@ -1159,7 +1204,7 @@ Note: using Easy-RSA configuration from: $vars"
 	fi
 
 	# Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32)
-	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	export OPENSSL_CONF="$EASYRSA_SAFE_CONF"
 } # vars_setup()
 
 # variable assignment by indirection when undefined; merely exports
diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index d9109b5..4167031 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@@ -1,4 +1,4 @@
-# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
+# For use with Easy-RSA 3.1 and OpenSSL or LibreSSL
 
 RANDFILE		= $ENV::EASYRSA_PKI/.rnd