diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 7b548a7f2..773e2e9a0 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3187,7 +3187,7 @@ gen_crl() {
 	fi
 
 	easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" \
-		${EASYRSA_CRL_DAYS:+ -days "$EASYRSA_CRL_DAYS"} \
+		${EASYRSA_CRL_DAYS:+ -crldays "$EASYRSA_CRL_DAYS"} \
 		${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} || \
 			die "CRL Generation failed."
 
@@ -5801,8 +5801,14 @@ x509_extensions	= basic_exts		# The extensions to add to the cert
 # is designed for will. In return, we get the Issuer attached to CRLs.
 crl_extensions	= crl_ext
 
+# These fields are always configured via the command line.
+# These fields are removed from this here-doc but retained
+# in 'openssl-easyrsa.cnf' file, in case something breaks.
+# default_days is no longer required by Easy-RSA
 default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
-default_crl_days	= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
+# default_crl_days is no longer required by Easy-RSA
+#default_crl_days	= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
+
 default_md	= $ENV::EASYRSA_DIGEST		# use public key default MD
 preserve	= no			# keep passed DN ordering