diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index f2ea99a..e9fbb21 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -738,18 +738,21 @@ sign_req() {
 	crt_out="$EASYRSA_PKI/issued/$2.crt"
 	# Randomize Serial number
-	i=""
-	serial=""
-	check_serial=""
-	for i in 1 2 3 4 5; do
-		"$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16
-		serial="$(cat "$EASYRSA_PKI/serial")"
-		check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
-		case "$check_serial" in
-			*"not present in db"*) break ;;
-			*) continue ;;
-		esac
-	done
+	if [ "$EASYRSA_RAND_SN" != "no" ];
+	then
+		i=""
+		serial=""
+		check_serial=""
+		for i in 1 2 3 4 5; do
+			"$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16
+			serial="$(cat "$EASYRSA_PKI/serial")"
+			check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+			case "$check_serial" in
+				*"not present in db"*) break ;;
+				*) continue ;;
+			esac
+		done
+	fi
 	# Support batch by internal caller:
 	[ "$3" = "batch" ] && EASYRSA_BATCH=1
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 50ddfc6..47cddf9 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -137,6 +137,11 @@ fi
 #set_var EASYRSA_CRL_DAYS 180
+# Random serial numbers by default, set to no for the old incremental serial numbers
+#
+#set_var EASYRSA_RAND_SN "yes"
+
+
 # Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
 # is "no" to discourage use of deprecated extensions. If you require this
 # feature to use with --ns-cert-type, set this to "yes" here. This support
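Review bot: The new guard `[ "$EASYRSA_RAND_SN" != "no" ]` keeps random serials for an unset or any other value, which is the right fail-safe direction (a predictable, incrementing serial is what the old path produces), but the test is an exact lowercase match and silent, so `EASYRSA_RAND_SN=NO` or `No` still randomizes without any message; the intent deserves a comment on that line, e.g. `# Only an explicit "no" selects the old incremental serials; anything else (including unset) keeps random serials.`, and the vars.example text should say the value must be the literal lowercase "no". Style: the rest of the hunk uses `for ...; do` on one line, so `if [ "$EASYRSA_RAND_SN" != "no" ]; then` would match it instead of splitting `;` and `then` across two lines. Unchanged but now wrapped by the guard, the retry loop still falls through after five attempts with whatever `serial` was last written and no diagnostic, and `*) continue ;;` treats any other `openssl ca -status` failure (bad config, missing db) the same as a collision; a `die`-style error after the loop when the last status was not "not present in db" would make that visible. sign_req starts before and ends after this hunk.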