diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 21112db..e51f8eb 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -843,6 +843,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # Use this new SSL config for the rest of this function
 EASYRSA_SSL_CONF="$conf_tmp"
+ # When EASYRSA_EXTRA_EXTS is defined, pass it as-is to SSL -addext
+ if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
+ # example: "-addext foo,a:b -addext bah,c:d -addext baz e:f,g"
+ [ "${EASYRSA_EXTRA_EXTS%% *}" = '-addext' ] || \
+ die "EASYRSA_EXTRA_EXTS: $EASYRSA_EXTRA_EXTS"
+ EASYRSA_CA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS"
+ unset -v EASYRSA_EXTRA_EXTS
+ fi
+
 # Choose SSL Library version (1 or 3) and build CA
 case "$osslv_major" in
 # => BEGIN SSL lib version
@@ -903,6 +912,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # shellcheck disable=SC2086
 easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 -out "$out_file_tmp" ${opts} ${crypto_opts} \
+ ${EASYRSA_CA_EXTRA_EXTS} \
 ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
 die "Failed to build the CA"
 ;;
@@ -963,6 +973,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 #shellcheck disable=SC2086
 easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
+ ${EASYRSA_CA_EXTRA_EXTS} \
 ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
 || die "Failed to build the CA"
 ;;
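Review bot: The guard `[ "${EASYRSA_EXTRA_EXTS%% *}" = '-addext' ]` inspects only the first word, but the whole string is later word-split into separate `openssl req` arguments (the unquoted `${EASYRSA_CA_EXTRA_EXTS}` in the two following hunks), so every word after the first `-addext` reaches openssl unchecked, and a value containing a space — such as the `-addext baz e:f,g` in the example comment — becomes `-addext baz` plus a stray `e:f,g` positional argument, contradicting the "pass it as-is" comment. If the variable is meant to carry only `-addext` pairs, validating each token in a small loop closes that gap and gives a useful diagnostic; the current `die "EASYRSA_EXTRA_EXTS: $EASYRSA_EXTRA_EXTS"` does not say what was wrong with the value. Note that a lone `-addext` with no value also passes the existing check and reaches openssl without an argument. The enclosing function starts and ends outside this hunk, and whether the script runs under nounset elsewhere is not visible here.
```sh
	if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
		# Accept only alternating '-addext' / 'name,value' words; any other
		# word would be handed to 'openssl req' as an arbitrary option.
		want_addext=1
		# shellcheck disable=SC2086
		for ext_word in $EASYRSA_EXTRA_EXTS; do
			if [ "$want_addext" = 1 ]; then
				[ "$ext_word" = '-addext' ] || \
					die "EASYRSA_EXTRA_EXTS: expected '-addext', got '$ext_word'"
				want_addext=0
			else
				want_addext=1
			fi
		done
		[ "$want_addext" = 1 ] || \
			die "EASYRSA_EXTRA_EXTS: '-addext' is missing its name,value"
		# … unchanged: copy into EASYRSA_CA_EXTRA_EXTS and unset …
	fi
```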
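Review bot: The `${EASYRSA_CA_EXTRA_EXTS}` expanded into this `easyrsa_openssl req` call is only validated when it was copied from EASYRSA_EXTRA_EXTS in the first hunk; EASYRSA_CA_EXTRA_EXTS itself is never initialised, so if that name is already set in the caller's environment (or via a sourced vars file, if the script honours arbitrary EASYRSA_* names that way — not visible here) its contents are appended to the openssl command line with no `-addext` check at all. Clearing it before the guard in the first hunk, `EASYRSA_CA_EXTRA_EXTS=` (or `unset -v EASYRSA_CA_EXTRA_EXTS`) directly above `if [ -n "$EASYRSA_EXTRA_EXTS" ]; then`, makes the validated copy the only way to populate it; the identical expansion in the third hunk depends on the same fix. Since the expansion is deliberately unquoted (covered by the existing `shellcheck disable=SC2086`), a `*` or `?` in an extension value would also be glob-expanded against the current directory, which is worth a one-line comment next to the existing one. Both `req` invocations sit inside a `case` whose enclosing function starts and ends outside these hunks.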