diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index f0c149b62..56a9a623c 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -796,9 +796,11 @@ secure_session() {
 # atomic:
 if mkdir "$secured_session"; then
 # New session requires safe-ssl conf
- unset -v OPENSSL_CONF \
- safe_ssl_cnf_tmp working_safe_ssl_conf
+ unset -v OPENSSL_CONF safe_ssl_cnf_tmp \
+ working_safe_ssl_conf working_safe_org_conf
+ easyrsa_err_log="$secured_session/error.log"
+ mktemp_counter=0
 verbose "\
 secure_session: CREATED: $secured_session"
@@ -817,8 +819,9 @@ remove_secure_session() {
 if rm -rf "$secured_session"; then
 verbose "\
 remove_secure_session: DELETED: $secured_session"
- unset -v secured_session OPENSSL_CONF \
- safe_ssl_cnf_tmp working_safe_ssl_conf
+ unset -v secured_session \
+ safe_ssl_cnf_tmp working_safe_ssl_conf \
+ EASYRSA_SSL_CONF OPENSSL_CONF
 return
 fi
 fi
@@ -1064,7 +1067,7 @@ export EASYRSA_REQ_SERIAL=\"$EASYRSA_REQ_SERIAL\"\
 escape_hazard - Failed to write temp-file"
 # Reload fields from fully escaped temp-file
- source_vars "$escape_hazard_tmp"
+ . "$escape_hazard_tmp"
 verbose "escape_hazard: COMPLETED"
 } # => escape_hazard()
@@ -1163,6 +1166,10 @@ easyrsa_mktemp safe_ssl_cnf_tmp"
 die "expand_ssl_config - write safe-cnf temp-file"
 verbose "expand_ssl_config: via 'write' COMPLETED"
 fi
+
+ export EASYRSA_SSL_CONF="$safe_ssl_cnf_tmp"
+ verbose "\
+expand_ssl_config: EASYRSA_SSL_CONF = $EASYRSA_SSL_CONF"
 } # => expand_ssl_config()
 # Easy-RSA meta-wrapper for SSL
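Review bot: `easyrsa_err_log` is left pointing into the directory that `rm -rf` has just deleted: secure_session (previous hunk) now sets it to `$secured_session/error.log`, but the new `unset -v` list in remove_secure_session does not clear it, so any redirect to `$easyrsa_err_log` before a new session is created would hit a missing directory. `working_safe_org_conf` is likewise reset on creation but not on removal. Adding both keeps the two functions symmetrical: `unset -v secured_session safe_ssl_cnf_tmp working_safe_ssl_conf \` / `working_safe_org_conf easyrsa_err_log EASYRSA_SSL_CONF OPENSSL_CONF`. The body of remove_secure_session begins above the hunk.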
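Review bot: Replacing `source_vars "$escape_hazard_tmp"` with a bare `.` sources the temp-file as arbitrary shell and drops whatever checks the helper performed, so the line deserves a comment stating why that is acceptable here: the file is written by this same function (the preceding die message says so) and, presumably, lives under the mkdir-protected session directory. POSIX `.` also searches `$PATH` when its operand contains no slash; if `easyrsa_mktemp` can only ever return a path under `$secured_session` that cannot trigger, but it is worth confirming. Proposed comment above the line: `# Plain '.' (not source_vars): file is self-generated inside the secured session`. escape_hazard's body starts above the hunk.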
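Review bot: The new `export EASYRSA_SSL_CONF="$safe_ssl_cnf_tmp"` sits after the closing `fi` and therefore runs on every path through expand_ssl_config, overwriting whatever EASYRSA_SSL_CONF previously named — including a caller's own adjusted config such as the `EASYRSA_SSL_CONF="$adjusted_ssl_cnf_tmp"` assignment in sign_req further down this diff. Whether that is harmless depends on whether expand_ssl_config takes EASYRSA_SSL_CONF as its input (so a later call merely re-expands an already-safe file) or the adjusted config is lost on the next easyrsa_openssl call; the visible lines do not settle it, and a one-line comment on the export should. A guard before it, `[ -n "$safe_ssl_cnf_tmp" ] || die "expand_ssl_config - no safe temp-file"`, would at least stop an empty value propagating into OPENSSL_CONF. The function's beginning is outside the hunk.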
@@ -1192,15 +1199,8 @@ easyrsa_openssl() {
 die "easyrsa_openssl - expand_ssl_config failed"
 # VERIFY safe temp-file exists
- if [ -e "$safe_ssl_cnf_tmp" ]; then
- verbose "\
-> easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp"
- export OPENSSL_CONF="$safe_ssl_cnf_tmp"
- else
- verbose "\
-> easyrsa_openssl: No Safe SSL conf, FALLBACK to default"
- export OPENSSL_CONF="$EASYRSA_SSL_CONF"
- fi
+ export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+ verbose "easyrsa_openssl: OPENSSL_CONF = $OPENSSL_CONF"
 # Debug level
 [ -z "$EASYRSA_DEBUG" ] || \
@@ -2396,6 +2396,7 @@ Writing 'copy_exts' to SSL config temp-file failed"
 # Use this SSL config for the rest of this function
 EASYRSA_SSL_CONF="$adjusted_ssl_cnf_tmp"
 verbose "sign_req: Using '$copy_exts'"
+ verbose "sign_req: EASYRSA_SSL_CONF = $EASYRSA_SSL_CONF"
 fi
 # Find or create x509-type file
@@ -2739,7 +2740,16 @@ Option conflict --req-cn:
 do_build_full=1
 # create request
+ verbose "build_full: BEGIN gen_req"
 gen_req "$name" batch
+ verbose "build_full: END gen_req"
+
+ # Recreate temp-session and
+ # drop edits to SSL Conf file
+ remove_secure_session
+ locate_support_files
+ secure_session
+ write_easyrsa_ssl_cnf_tmp
 # Require --copy-ext
 export EASYRSA_CP_EXT=1
@@ -2748,6 +2758,7 @@ Option conflict --req-cn:
 export EASYRSA_REQ_CN=ChangeMe
 # Sign it
+ verbose "build_full: BEGIN sign_req"
 error_build_full_cleanup=1
 if sign_req "$crt_type" "$name"; then
 unset -v error_build_full_cleanup do_build_full
@@ -2756,6 +2767,7 @@ Option conflict --req-cn:
 Failed to sign '$name' - \
 See error messages above for details."
 fi
+ verbose "build_full: END sign_req"
 # inline it
 if inline_creds "$name" > "$inline_out"; then
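Review bot: The `-e` existence check is removed together with its fallback branch, so `export OPENSSL_CONF="$EASYRSA_SSL_CONF"` now runs even when EASYRSA_SSL_CONF is empty or names a file that no longer exists (remove_secure_session now unsets it, per the earlier hunk). The comment `# VERIFY safe temp-file exists` survives above the export but nothing verifies anything any more, and depending on version the openssl CLI may only warn about an unreadable OPENSSL_CONF and continue with the system defaults — the very condition the old branch diagnosed. One line restores a hard failure: `[ -r "$EASYRSA_SSL_CONF" ] || die "easyrsa_openssl - SSL config not readable: '$EASYRSA_SSL_CONF'"`. easyrsa_openssl continues beyond the hunk on both sides.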
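Review bot: `error_build_full_cleanup=1` is still set only immediately before sign_req (next hunk), so if any of the four newly inserted calls — remove_secure_session, locate_support_files, secure_session, write_easyrsa_ssl_cnf_tmp — dies, the request gen_req just produced is left behind without whatever cleanup that flag triggers, if the handler keys off it as the name suggests. Moving `error_build_full_cleanup=1` up to directly after `gen_req "$name" batch` closes that window. The four-call sequence would also read better as one helper (for example a `reset_secure_session` whose comment states that it discards per-session SSL config edits and re-exports EASYRSA_SSL_CONF), since the inline comment "drop edits to SSL Conf file" relies on the reader knowing what write_easyrsa_ssl_cnf_tmp does. build_full's body extends beyond the hunks on both sides.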
@@ -4279,18 +4291,6 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'"
 set_var EASYRSA_REQ_CN ChangeMe
 set_var EASYRSA_DIGEST sha256
- # Now set by locate_support_files()
- #set_var EASYRSA_SSL_CONF \
- # "$EASYRSA_PKI/openssl-easyrsa.cnf"
-
- # created as required
- set_var EASYRSA_SAFE_CONF \
- "$EASYRSA_PKI/safessl-easyrsa.cnf"
-
- # Now set by locate_support_files()
- #set_var EASYRSA_TOOLS_LIB \
- # "$EASYRSA/dev/easyrsa-tools.lib"
-
 set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
 set_var EASYRSA_MAX_TEMP 4
@@ -4489,12 +4489,15 @@ f97425686fa1976d436fa31f550641aa"
 # Use the existing file ONLY
 if [ "$hash_is_unknown" ]; then
 unset -v hash_is_unknown
- verbose "write_easyrsa_ssl_cnf_tmp: SSL config NO CHANGE!"
+ verbose "write_easyrsa_ssl_cnf_tmp: SSL config UNKNOWN!"
+
+ # Force 'sed' expnsion of file in place
+ export EASYRSA_LEGACY_SAFE_SSL=1
 return 0
 fi
 # Ignore existing file, prefer to use a temp-file
- verbose "write_easyrsa_ssl_cnf_tmp: SSL config IGNORED"
+ verbose "write_easyrsa_ssl_cnf_tmp: SSL config KNOWN"
 fi
 # SET and USE temp-file from here-doc Now
@@ -4503,14 +4506,20 @@ f97425686fa1976d436fa31f550641aa"
 easyrsa_mktemp ssl_cnf_tmp || die "\
 write_easyrsa_ssl_cnf_tmp - easyrsa_mktemp"
+ # Choose SSL Conf type:
+ # OpenSSL=Unexpended, LibreSSL=Expanded (Safe)
+ ssl_cnf_type=ssl-cnf
+ [ "$ssl_lib" = openssl ] || ssl_cnf_type=safe-cnf
+
 # Write SSL cnf to temp-file
- write ssl-cnf > "$ssl_cnf_tmp" || die "\
-write_easyrsa_ssl_cnf_tmp - write ssl-cnf"
+ write "$ssl_cnf_type" > "$ssl_cnf_tmp" || die "\
+write_easyrsa_ssl_cnf_tmp - write ssl-cnf: $ssl_cnf_tmp"
 # export SSL cnf tmp
 export EASYRSA_SSL_CONF="$ssl_cnf_tmp"
 verbose "\
-write_easyrsa_ssl_cnf_tmp: SSL config using temp-file"
+write_easyrsa_ssl_cnf_tmp: $ssl_cnf_type \
+- EASYRSA_SSL_CONF = $ssl_cnf_tmp"
 } # => write_easyrsa_ssl_cnf_tmp()
 # Write x509 type file to a temp file
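Review bot: The new `export EASYRSA_LEGACY_SAFE_SSL=1` is set when the existing SSL config's hash is unknown, but nothing in the visible code ever clears it, so once one call of write_easyrsa_ssl_cnf_tmp takes this branch the legacy mode persists for the rest of the process — including after build_full recreates the session and calls this function again. If that is intended the comment should say so; if it is meant per call, `unset -v EASYRSA_LEGACY_SAFE_SSL` at the top of the function keeps it honest. The comment also has a typo and should name what "in place" refers to: `# Unknown (user-edited) SSL config: force legacy 'sed' expansion of the existing file in place`. The function begins outside the hunk.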
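Review bot: `[ "$ssl_lib" = openssl ] || ssl_cnf_type=safe-cnf` selects the expanded config for every value of `ssl_lib` other than `openssl`, including unset or empty, while the comment above it describes only an OpenSSL/LibreSSL split; if `ssl_lib` is not guaranteed to be set before this function runs, that fall-through is a silent default worth stating. Suggest `# OpenSSL=Unexpanded; anything else (LibreSSL, unknown)=Expanded (Safe)`, which also fixes the "Unexpended" typo. The die message still hard-codes `write ssl-cnf: $ssl_cnf_tmp` even when `safe-cnf` was written; `write_easyrsa_ssl_cnf_tmp - write $ssl_cnf_type: $ssl_cnf_tmp` would report the actual call. The function begins outside the hunk; its closing brace is inside it.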
@@ -5169,9 +5178,6 @@ unset -v \
 # after user interrupt when using manual password
 prompt_restore=0
- # verbose diagnostic for temp-files
- mktemp_counter=0
-
 # Parse options
 while :; do
 # Reset per pass flags