diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index 51d4ac5e4..072d98076 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -45,7 +45,7 @@ class Certificate < ActiveRecord::Base
 csr_file.rewind
 crt_file = Tempfile.new('client_crt')
- _out, err, _st = Open3.capture3("openssl ca -keyfile #{ENV['ca_key_path']} \
+ _out, err, _st = Open3.capture3("openssl ca -config #{ENV['openssl_config_path']} -keyfile #{ENV['ca_key_path']} \
 -cert #{ENV['ca_cert_path']} \
 -extensions usr_cert -notext -md sha256 \
 -in #{csr_file.path} -out #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch")
@@ -67,7 +67,7 @@ class Certificate < ActiveRecord::Base
 crt_file.write(crt)
 crt_file.rewind
- _out, err, _st = Open3.capture3("openssl ca -keyfile #{ENV['ca_key_path']} \
+ _out, err, _st = Open3.capture3("openssl ca -config #{ENV['openssl_config_path']} -keyfile #{ENV['ca_key_path']} \
 -cert #{ENV['ca_cert_path']} \
 -revoke #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch")
@@ -81,7 +81,7 @@ class Certificate < ActiveRecord::Base
 return false
 end
- _out, _err, _st = Open3.capture3("openssl ca -keyfile #{ENV['ca_key_path']} \
+ _out, _err, _st = Open3.capture3("openssl ca -config #{ENV['openssl_config_path']} -keyfile #{ENV['ca_key_path']} \
 -cert #{ENV['ca_cert_path']} \
 -gencrl -out #{ENV['crl_path']} -key '#{ENV['ca_key_password']}' -batch")
 end
diff --git a/config/application-example.yml b/config/application-example.yml
index 02d1cc7e2..31e5771fc 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
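Review bot: The new `-config #{ENV['openssl_config_path']}` is interpolated unquoted into a single command string, so `Open3.capture3` hands the whole thing to `/bin/sh` and any space or shell metacharacter in that path (or in the existing `ca_key_path`/`ca_cert_path` values, or a `'` inside `ca_key_password`) breaks or rewrites the command. Passing the arguments as separate argv elements avoids the shell entirely, and the CA key password should not be on the command line at all, since `ps` exposes it to every local user; `openssl ca` accepts `-passin env:VAR` and `capture3` takes an env hash as its first argument, which keeps the secret out of the process listing. The signing method's `def` and whatever inspects `err` after this call are outside the hunk, so it cannot be seen from the diff whether an unset `openssl_config_path` (which would make `-keyfile` be read as the config file name) is caught before reaching here.
```ruby
# … unchanged: csr_file.rewind, crt_file = Tempfile.new('client_crt') …
_out, err, _st = Open3.capture3(
  { 'CA_KEY_PASSWORD' => ENV['ca_key_password'] },
  'openssl', 'ca', '-config', ENV['openssl_config_path'],
  '-keyfile', ENV['ca_key_path'], '-cert', ENV['ca_cert_path'],
  '-extensions', 'usr_cert', '-notext', '-md', 'sha256',
  '-in', csr_file.path, '-out', crt_file.path,
  '-passin', 'env:CA_KEY_PASSWORD', '-batch'
)
```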
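Review bot: The exit status of the revoke call is still thrown away as `_st` and only `err` is kept, yet `openssl ca` writes informational lines such as `Using configuration from …` to stderr on a successful run, so the contents of stderr are a weak signal for whether the revocation actually reached the CA database. Keeping the status and testing it is the reliable check: `_out, err, st = Open3.capture3(...)` followed by `return false unless st.success?` once the call returns, with `err` only used for the log message. The same unquoted shell-string construction as in the signing hunk applies here too. How `err` is inspected after this call, and the enclosing method's `def`, lie outside the hunk.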
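Review bot: The `-gencrl` call discards everything `capture3` returns (`_out, _err, _st`), so a failed CRL regeneration — unreadable `openssl_config_path`, wrong key password, unwritable `crl_path` — goes unnoticed while the certificate has presumably already been marked revoked in the CA database by the preceding revoke step; relying parties keep fetching the previous CRL and the revoked certificate stays valid to them. Keep the status and make it the method's result: `_out, err, st = Open3.capture3(...)` then `st.success?`, logging `err` when it is false. Because `-out` writes straight to `crl_path`, an interrupted run can also leave a truncated CRL at the published location; writing to a temporary file in the same directory and renaming it over `crl_path` would make the swap atomic. The `return false` / `end` at the top close a conditional whose start is outside the hunk, and the final `end` appears to close the enclosing method.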
@@ -10,6 +10,7 @@ secret_key_base: please-change-it-you-can-generate-it-with-rake-secret
 devise_secret: please-change-it-you-can-generate-it-with-rake-secret
 # Used by admin server, you can leave those empty for when running EPP server:
+openssl_config_path: '/etc/ssl/openssl.cnf'
 crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
 ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
 ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
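Review bot: The example value `/etc/ssl/openssl.cnf` is the distribution's general-purpose config, but `openssl ca` takes its `[ ca ]` / `[ CA_default ]` settings (`dir`, `database`, `serial`, `new_certs_dir`, the default `policy`) and the `usr_cert` extension section from whatever file `-config` names, and the upstream default file uses `dir = ./demoCA`, a path relative to the process working directory rather than the `shared/ca` tree the neighbouring keys describe. An example pointing at a CA-specific file, e.g. `openssl_config_path: '/home/registry/registry/shared/ca/openssl.cnf'`, with a comment such as `# openssl.cnf whose [CA_default] dir/database/serial match the CA tree below; it must also define the usr_cert extension section`, would steer deployers to a config that matches the signing/revoke/gencrl calls. Whether a tailored config already ships with the deployment is not visible from this diff.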