diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 5f3a543..1cc957d 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3734,12 +3734,18 @@ gen_crl() {
 	easyrsa_mktemp out_file_tmp || \
 		die "gen_crl - easyrsa_mktemp out_file_tmp"
 
+	if [ -r "$out_file" ]; then
+		cp -p "$out_file" "$out_file_tmp" || \
+			warn "Failed to preserve CRL file permissions."
+	fi
+
 	easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" \
 		${EASYRSA_CRL_DAYS:+ -days "$EASYRSA_CRL_DAYS"} \
 		${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} || \
 			die "CRL Generation failed."
 
-	mv ${EASYRSA_BATCH:+ -f} "$out_file_tmp" "$out_file"
+	mv ${EASYRSA_BATCH:+ -f} "$out_file_tmp" "$out_file" || \
+		die "Failed to update CRL file."
 
 	notice "\
 An updated CRL has been created: