diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ecb876c..69dfe92 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1288,6 +1288,14 @@ $EASYRSA_PKI Refusing to create a new CA keypair as this operation would overwrite your current CA keypair. If you intended to start a new CA, run init-pki first." + # Check for insert-marker in ssl config file + if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then + die "\ +The copy of openssl-easyrsa.cnf in use does not support X509-type 'ca'. +* $EASYRSA_SSL_CONF +Please update openssl-easyrsa.cnf to the latest official release." + fi + # create necessary files and dirs: err_file="Unable to create necessary PKI files (permissions?)" for i in issued certs_by_serial \ @@ -1525,6 +1533,14 @@ Continuing with key generation will replace this key." # When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section: if [ "$EASYRSA_EXTRA_EXTS" ]; then + # Check for insert-marker in ssl config file + if ! grep -q '^#%EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then + die "\ +The copy of openssl-easyrsa.cnf in use does not support request extensions. +* $EASYRSA_SSL_CONF +Please update openssl-easyrsa.cnf to the latest official release." + fi + # Setup & insert the extra ext data keyed by a magic line extra_exts=" req_extensions = req_extra @@ -1672,6 +1688,14 @@ $(display_dn req "$req_in") # When EASYRSA_CP_EXT is defined, adjust openssl's [default_ca] section: if [ "$EASYRSA_CP_EXT" ]; then + # Check for insert-marker in ssl config file + if ! grep -q '^#%COPY_EXTS%' "$EASYRSA_SSL_CONF"; then + die "\ +The copy of openssl-easyrsa.cnf in use does not support --copy-ext. +* $EASYRSA_SSL_CONF +Please update openssl-easyrsa.cnf to the latest official release." + fi + # Setup & insert the copy_extensions data keyed by a magic line copy_exts="copy_extensions = copy" # shellcheck disable=SC2016 # vars don't expand in single quote
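Review bot: The guard added in the first hunk treats every non-zero grep status as "marker missing", so an absent or unreadable `$EASYRSA_SSL_CONF` (grep exit status 2) is reported as an outdated openssl-easyrsa.cnf. That points the operator at replacing the file when the real cause may be a wrong path or permissions. Unless readability is already verified earlier in the function, which lies outside the hunk, I would add `[ -r "$EASYRSA_SSL_CONF" ] || die "Cannot read ssl config: $EASYRSA_SSL_CONF"` before the grep. The same applies to the `#%EXTRA_EXTS%` and `#%COPY_EXTS%` checks in the second and third hunks. Failing closed is the right behaviour here, since a skipped insert would presumably produce a CA or certificate without the intended extensions.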
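Review bot: The guard in the second hunk is a near copy of the ones in the first and third hunks; only the marker and one phrase of the message differ, so the three can drift apart the next time the wording or the grep changes. A small helper taking the marker and the feature name would keep the fail-closed check in one place and reduce each call site to one line. The helper name below is only a suggestion, and the enclosing function starts and ends outside the hunk.

```shell
# Abort unless the ssl config contains the given insert-marker line.
# $1 - marker text, $2 - feature named in the error message
require_conf_marker() {
	grep -q "^$1" "$EASYRSA_SSL_CONF" && return 0
	die "\
The copy of openssl-easyrsa.cnf in use does not support $2.
* $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release."
}

if [ "$EASYRSA_EXTRA_EXTS" ]; then
	require_conf_marker '#%EXTRA_EXTS%' 'request extensions'
	# … unchanged: extra_exts setup and insertion …
```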