diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 871ca34..db6eb36 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -847,9 +847,12 @@ infrastructure in order to prevent the revoked cert from being accepted.
 gen_crl() {
 	verify_ca_init
 
+	# make safessl-easyrsa.cnf
+	make_ssl_config
+
 	out_file="$EASYRSA_PKI/crl.pem"
 	out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
-	"$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SSL_CONF" || die "\
+	"$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
 CRL Generation failed.
 "
 	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=