diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d019f87..00bdcf0 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1010,10 +1010,10 @@ at: $crt_in"
 )
 expire_date=$(date -d "$expire_date" +%s)
- allow_renew_date=$(date -d '+30day' +%s)
+ allow_renew_date=$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)
 [ "$expire_date" -lt "$allow_renew_date" ] || die "\
-Certificate expires in more than 30 days.
+Certificate expires in more than $EASYRSA_CERT_RENEW days.
 Renewal not allowed."
 # Extract certificate usage from old cert
@@ -1488,6 +1488,7 @@ Note: using Easy-RSA configuration from: $vars"
 set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
 set_var EASYRSA_CA_EXPIRE 3650
 set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months
+ set_var EASYRSA_CERT_RENEW 30
 set_var EASYRSA_CRL_DAYS 180
 set_var EASYRSA_NS_SUPPORT no
 set_var EASYRSA_NS_COMMENT "Easy-RSA (~VER~) Generated Certificate"
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 372be04..f03ea6e 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -127,6 +127,10 @@ fi
 # parsed after this timeframe passes. It is only used for an expected next
 # publication date.
+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW 30
+
 #set_var EASYRSA_CRL_DAYS 180
 # Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
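Review bot: `EASYRSA_CERT_RENEW` is interpolated into `date -d "+${EASYRSA_CERT_RENEW}day"` in the first easyrsa hunk with no check that it is a whole number of days, although the second hunk and vars.example make it an operator-set value. GNU date accepts free-form relative items, so an empty or non-numeric setting is presumably either rejected (leaving `allow_renew_date` empty, so the `-lt` test fails and `die` prints a misleading "more than … days" message) or read as a different interval than intended, which silently changes the renewal-window policy. I would validate it before the date call, e.g. `case "$EASYRSA_CERT_RENEW" in ''|*[!0-9]*) die "EASYRSA_CERT_RENEW must be a whole number of days" ;; esac`. The enclosing function starts and ends outside the hunk, so the best placement for the check cannot be confirmed from here.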