diff --git a/ChangeLog b/ChangeLog
index e075d23..d065a8b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 Easy-RSA 3 ChangeLog
 
 3.1.1 (TBD)
+   * Resolve long-standing issue with --subca-len=N (#691)
    * Expand 'show-renew', include 'renewed/certs_by_serial' (#700)
    * Introduce 'renew' (version 3). Only renew cert (#688)
    * Require 'openssl-easyrsa.cnf' is up to date (#695}
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 63e996b..1cb7946 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -533,10 +533,9 @@ die() {
 	print "
 Easy-RSA error:
 
-$1" 1>&2
-
-	show_host
-
+$1
+" 1>&2
+	die_error_exit=1
 	exit "${2:-1}"
 } # => die()
 
@@ -668,7 +667,6 @@ easyrsa_mktemp() {
 
 # remove temp files and do terminal cleanups
 cleanup() {
-	verbose "* Cleanup!"
 	if [ "${EASYRSA_TEMP_DIR_session%/*}" ] && \
 		[ -d "$EASYRSA_TEMP_DIR_session" ]
 	then
@@ -701,7 +699,8 @@ Temporary session not preserved."
 	fi
 
 	# Remove files when build_full()->sign_req() is interrupted
-	[ "$on_error_build_full_cleanup" ] && rm -f "$crt_out" "$req_out" "$key_out"
+	[ "$on_error_build_full_cleanup" ] && \
+		rm -f "$crt_out" "$req_out" "$key_out"
 
 	# Restore files when renew is interrupted
 	[ "$on_error_undo_renew_move" ] && renew_restore_move; :
@@ -738,6 +737,8 @@ Temporary session not preserved."
 		exit 0
 	else
 		# if 'cleanup' is called without 'ok' then an error occurred
+		# Do not show_host() for confirm() aborted exit
+		[ "$die_error_exit" ] && show_host
 		exit 1
 	fi
 } # => cleanup()
@@ -1695,21 +1696,6 @@ at: $crt_out"
 The certificate request file is not in a valid X509 request format.
 File Path: $req_in"
 
-	# Display the request subject in an easy-to-read format
-	# Confirm the user wishes to sign this request
-	# Support batch by internal caller:
-	#[ "$3" = "batch" ] ||
-	confirm "Confirm request details: " "yes" "\
-You are about to sign the following certificate.
-Please check over the details shown below for accuracy. Note that this request
-has not been cryptographically verified. Please be sure it came from a trusted
-source or that you have verified the request checksum with the sender.
-
-Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
-
-$(display_dn req "$req_in")
-"	# => confirm end
-
 	# Get fixed dates by --fix-offset
 	if [ "$EASYRSA_FIX_OFFSET" ]; then
 		fixed_dates="$( # subshell for debug
@@ -1760,8 +1746,19 @@ Please update openssl-easyrsa.cnf to the latest official release."
 			die "Failed to read X509-type $crt_type"
 
 		# Support a dynamic CA path length when present:
-		[ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ] && \
-			print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN"
+		if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then
+			# Print the last occurence of basicContraints in x509-types/ca
+			# If basicContraints not defined then bail
+			# shellcheck disable=SC2016 # vars don't expand in ''
+			awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
+				END { if (length(bC) == 0 ) exit 1; print bC }'
+			basicConstraints="$(
+				awk "$awkscript" "$EASYRSA_EXT_DIR/$crt_type"
+				)" || die "\
+basicConstraints is not defined, cannot use 'pathlen'"
+			print "$basicConstraints, pathlen:$EASYRSA_SUBCA_LEN"
+			unset -v basicConstraints
+		fi
 
 		# Deprecated Netscape extension support, if enabled
 		if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
@@ -1801,6 +1798,21 @@ Please update openssl-easyrsa.cnf to the latest official release."
 Failed to create temp extension file (bad permissions?) at:
 $ext_tmp"
 
+	# Display the request subject in an easy-to-read format
+	# Confirm the user wishes to sign this request
+	# Support batch by internal caller:
+	#[ "$3" = "batch" ] ||
+	confirm "Confirm request details: " "yes" "\
+You are about to sign the following certificate.
+Please check over the details shown below for accuracy. Note that this request
+has not been cryptographically verified. Please be sure it came from a trusted
+source or that you have verified the request checksum with the sender.
+
+Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
+
+$(display_dn req "$req_in")
+"	# => confirm end
+
 	# sign request
 	crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
 	easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
@@ -3989,7 +4001,6 @@ detect_host() {
 
 # Extra diagnostics
 show_host() {
-	print
 	print_version
 	print "$host_out | ${ssl_version:-ssl_version not currently set}"
 	[ "$EASYRSA_DEBUG" ] || return 0
@@ -4938,12 +4949,9 @@ trap "exit 3" 3
 trap "exit 6" 6
 trap "exit 14" 15
 
-# Get host details - does not require vars_setup
-detect_host
-
 # Initialisation requirements
-unset -v easyrsa_error_exit user_san_true user_vars_true \
-	alias_days
+unset -v die_error_exit easyrsa_error_exit \
+	user_san_true user_vars_true alias_days
 
 # Parse options
 while :; do
@@ -5100,6 +5108,9 @@ case "$cmd" in
 		unset -v no_pki_required
 esac
 
+# Get host details - does not require vars_setup
+detect_host
+
 # Intelligent env-var detection and auto-loading:
 vars_setup