diff --git a/easyrsa b/easyrsa
index e019982..635a2b9 100755
--- easyrsa
+++ easyrsa
@@ -376,7 +376,7 @@ $out"
 verify_ssl_lib () {
 # make safessl-easyrsa.cnf
- make_ssl_config
+ [ "$1" == "no_safe_ssl_config" ] || make_ssl_config
 # Verify EASYRSA_OPENSSL command gives expected output
 if [ -z "$EASYRSA_SSL_OK" ]; then
@@ -403,7 +403,7 @@ verify_pki_init() {
 help_note="Run easyrsa without commands for usage and command help."
 # check that the pki dir exists
- vars_source_check
+ vars_source_check no_safe_ssl_config
 [ -d "$EASYRSA_PKI" ] || die "\
 EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
 Expected to find the EASYRSA_PKI at: $EASYRSA_PKI
@@ -1452,7 +1452,7 @@ vars_setup() {
 vars=
 # set up program path
- prog_vars="${0%/*}/vars"
+ prog_vars="/etc/easy-rsa/vars"
 # set up PKI path
 pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
@@ -1482,7 +1482,7 @@ Note: using Easy-RSA configuration from: $vars"
 fi
 # Set defaults, preferring existing env-vars if present
- set_var EASYRSA "${0%/*}"
+ set_var EASYRSA "/etc/easy-rsa"
 set_var EASYRSA_OPENSSL openssl
 set_var EASYRSA_PKI "$PWD/pki"
 set_var EASYRSA_DN cn_only
@@ -1510,7 +1510,11 @@ Note: using Easy-RSA configuration from: $vars"
 set_var EASYRSA_DIGEST sha256
 set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
- set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"
+ if touch "$EASYRSA/safessl-easyrsa.cnf" &>/dev/null; then
+ set_var EASYRSA_SAFE_CONF "$EASYRSA/safessl-easyrsa.cnf"
+ else
+ set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"
+ fi
 # Same as above for the x509-types extensions dir
 if [ -d "$EASYRSA_PKI/x509-types" ]; then
diff --git a/vars.example b/vars.example
index f03ea6e..2e1d781 100644
--- vars.example
+++ vars.example
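Review bot: The new guard in `verify_ssl_lib` (hunk at -376) compares with `==` inside `[ ]`, which POSIX `test` does not define; in a shell whose `test` lacks `==` (dash, for example) the bracket returns an error status, so `make_ssl_config` still runs and the skip never takes effect. Use `[ "${1:-}" = "no_safe_ssl_config" ] || make_ssl_config` instead. The sentinel is an undocumented magic string, so a comment above it such as `# $1 = no_safe_ssl_config: do not regenerate safessl-easyrsa.cnf` would help. The body of `verify_ssl_lib` continues outside the hunk.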
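Review bot: In `verify_pki_init` (hunk at -403) the flag is handed to `vars_source_check`, but the only test of `$1` visible in this diff is inside `verify_ssl_lib`. Unless `vars_source_check` forwards its argument, which the diff does not show, the flag is silently ignored and the safe SSL config is generated anyway. If the intent is to skip generation during the init check, pass the flag at the `verify_ssl_lib` call site or have `vars_source_check` hand on `"$@"`. `verify_pki_init` continues past the end of the hunk.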
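Review bot: `prog_vars="/etc/easy-rsa/vars"` in `vars_setup` (hunk at -1452) and `set_var EASYRSA "/etc/easy-rsa"` (hunk at -1482) repeat the same literal, and nothing in the script records that a `vars` file beside the executable is no longer considered. Since `vars` is the configuration the script reports using (presumably by sourcing it, which is not visible here), the fixed system-wide path should be root-owned and not writable by other users, and a comment should say so: `# Packaged layout: config is read from /etc/easy-rsa (root-owned), not from the script's directory`. Defining the directory once and deriving both values from it would keep the two places from drifting apart. `vars_setup` starts and ends outside both hunks.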
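Review bot: `touch "$EASYRSA/safessl-easyrsa.cnf" &>/dev/null` (hunk at -1510) relies on `&>`, a bash extension; a POSIX `sh` parses it as a backgrounded `touch` followed by an empty redirection, so the `if` is always true and the `$EASYRSA_PKI` fallback is never chosen. The probe also creates the file as a side effect. When the directory is writable, every PKI operated by that user presumably shares one generated config in `$EASYRSA` instead of one per PKI. A test without side effects such as `if [ -w "$EASYRSA" ]; then` avoids the first two problems, or at minimum write the redirection as `>/dev/null 2>&1`. The enclosing function starts and ends outside the hunk.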
@@ -47,7 +47,7 @@ fi
 # itself, which is also where the configuration files are located in the
 # easy-rsa tree.
-#set_var EASYRSA "${0%/*}"
+#set_var EASYRSA "/etc/easy-rsa"
 # If your OpenSSL command is not in the system PATH, you will need to define the
 # path to it here. Normally this means a full path to the executable, otherwise