diff --git a/.travis.yml b/.travis.yml
index 767dcd3..209d3b6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -12,6 +12,7 @@ env:
  - PATH=/usr/bin:/bin:./
 script:
  - which shellcheck
+ - shellcheck -V
  - bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa'
  - bash -c 'pwd'
  - bash -c 'ls -la'
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index c4fde5c..9ccebfd 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -292,7 +292,7 @@ prog_exit() {
 	[ ! -z "$1" ] && ESTAT=$1
 	(set -o echo 2>/dev/null) || stty echo
 	echo "" # just to get a clean line
-	exit $ESTAT
+	exit "$ESTAT"
 } # => prog_exit()
 
 # Make LibreSSL safe config file from OpenSSL config file
@@ -440,7 +440,7 @@ and initialize a fresh PKI here."
 		mkdir -p "$EASYRSA_PKI/$i" || die "Failed to create PKI file structure (permissions?)"
 	done
 	
-	if [ ! -f "$EASYRSA_SSL_CONF" -a -f "$EASYRSA/openssl-easyrsa.cnf" ];
+	if [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "$EASYRSA/openssl-easyrsa.cnf" ];
 	then
 		cp "$EASYRSA/openssl-easyrsa.cnf" "$EASYRSA_SSL_CONF"
 	fi
@@ -525,6 +525,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		printf "Re-Enter New CA Key Passphrase: "
 		hide_read_pass kpass2
 		echo
+		# shellcheck disable=2154
 		if [ "$kpass" = "$kpass2" ];
 		then
 			printf "%s" "$kpass" > "$out_key_pass_tmp"
@@ -649,7 +650,7 @@ $EASYRSA_EXTRA_EXTS"
 	req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp"
 	# generate request
 	[ $EASYRSA_BATCH ] && opts="$opts -batch"
-	# shellcheck disable=SC2086
+	# shellcheck disable=2086,2148
 	"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
 		-config "$EASYRSA_SAFE_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
 		|| die "Failed to generate request"
@@ -937,8 +938,8 @@ Run easyrsa without commands for usage and command help."
 	want_key=1
 	while [ -n "$1" ]; do
 		case "$1" in
-			noca) want_ca= ;;
-			nokey) want_key= ;;
+			noca) want_ca="" ;;
+			nokey) want_key="" ;;
 			*) warn "Ignoring unknown command option: '$1'" ;;
 		esac
 		shift
@@ -1013,7 +1014,7 @@ See help output for usage details."
 	crypto="-aes256"
 	while [ -n "$1" ]; do
 		case "$1" in
-			nopass)	crypto= ;;
+			nopass)	crypto="" ;;
 			file)	file="$raw_file" ;;
 			*)	warn "Ignoring unknown command option: '$1'" ;;
 		esac
@@ -1244,7 +1245,7 @@ while :; do
 	# Separate option from value:
 	opt="${1%%=*}"
 	val="${1#*=}"
-	empty_ok= # Empty values are not allowed unless excepted
+	empty_ok="" # Empty values are not allowed unless excepted
 
 	case "$opt" in
 	--days)