diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib
index cf8b62b8..1c77c260 100644
--- a/dev/easyrsa-tools.lib
+++ b/dev/easyrsa-tools.lib
@@ -767,7 +767,14 @@ Cannot renew this certificate, a conflicting file exists:
 die "Failed to create inline directoy."
 
 # Extract certificate usage from old cert
- ssl_cert_x509v3_eku "$crt_in" cert_type
+ if ! ssl_cert_x509v3_eku "$crt_in" cert_type; then
+ # On failure, try using openssl 1.1.0
+ cert_type=
+ openssl_v110=1
+ ssl_cert_x509v3_eku "$crt_in" cert_type || \
+ die "renew - ssl_cert_x509v3_eku openssl_v110 failed"
+ openssl_v110=
+ fi
 
 # Use SAN from old cert ONLY
 if grep 'X509v3 Subject Alternative Name' "$crt_in"; then
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 690055af..b3188384 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1217,7 +1217,7 @@ verify_ssl_lib() {
 # Run once only
 [ "$verify_ssl_lib_ok" ] && return
 verify_ssl_lib_ok=1
- unset -v openssl_v3
+ unset -v openssl_v3 openssl_v110
 
 # redirect std-err, ignore missing ssl/openssl.cnf
 val="$(
@@ -4145,7 +4145,7 @@ ssl_cert_x509v3_eku() {
 unset -v __known
 
 # Extract certificate Extended Key Usage
- if [ "$ssl_lib" = libressl ]; then
+ if [ "$ssl_lib" = libressl ] || [ "$openssl_v110" ]; then
 __eku="$(
 "$EASYRSA_OPENSSL" x509 -in "${__crt}" -noout -text | \
 sed -n "/${__pattern}/{n;s/^ *//g;p;}"
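Review bot: The retry in the renew path fires on any non-zero return from the first `ssl_cert_x509v3_eku` call, not only on output that an older OpenSSL formats differently, so an unreadable or unexpected certificate is also sent down the text-parsing path with no message. Because `cert_type` decides which type the renewed certificate is issued as, I would confirm the result after the `fi`, e.g. `[ "$cert_type" ] || die "renew - cert_type is empty"`, and emit a warning whenever the fallback is taken. The name `openssl_v110` reads like a detected version, but here it is set by hand as a mode switch; a comment such as `# openssl_v110: force x509 -text parsing of EKU, cleared after use` would make that clear. The enclosing function starts and ends outside the hunk.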
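Review bot: The `openssl_v110` added to the `unset -v` line in `verify_ssl_lib` needs a comment saying why it is cleared, presumably so that a value inherited from the caller's environment cannot switch `ssl_cert_x509v3_eku` onto the text-parsing branch. Something like `# Clear mode flags; never trust values inherited from the environment` above the line would do. The unset sits after the `[ "$verify_ssl_lib_ok" ] && return` guard, so it runs on the first call only; that looks intentional, since the renew code sets the flag later, but it is worth stating. `verify_ssl_lib` continues outside the hunk.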
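Review bot: With `|| [ "$openssl_v110" ]` the `x509 -text | sed` branch in `ssl_cert_x509v3_eku` now runs for OpenSSL as well, and the command substitution reports only sed's exit status, so a failing `x509` (unreadable or malformed `${__crt}`) produces an empty `__eku` instead of an error. Splitting the two steps keeps the failure visible: `__text="$("$EASYRSA_OPENSSL" x509 -in "${__crt}" -noout -text)" || return 1`, then run the same sed expression over `$__text`. The function body continues outside the hunk, so whether an empty `__eku` is rejected further down cannot be seen from here.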