diff --git a/openssl-little-CA/CA.sh b/openssl-little-CA/CA.sh
index d92c110..36c31fb 100755
--- a/openssl-little-CA/CA.sh
+++ b/openssl-little-CA/CA.sh
@@ -177,6 +177,13 @@ case $1 in
 exit $RET
 ;;
 -sign|-signreq)
+ # Display a notice/warning when copy_extensions is disabled/enabled
+ # FIXME: we grep on the whole openssl.cnf file instead of just the 'ca' -> 'CA_default' section
+ if grep -q '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy' $( echo "$SSLEAY_CONFIG" | sed 's/-config//' ); then
+ echo "warning: copy_extensions is enabled, read the certificate carefully before signing."
+ else
+ echo "notice: copy_extensions disabled, extension such as SubjectAltName will be stripped."
+ fi
 $CA -policy policy_anything -out newcert.pem -days "$DAYS" -infiles newreq.pem
 RET=$?
 cat newcert.pem
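Review bot: The `grep -q` in the new `if` gets its file operand from an unquoted `$( echo "$SSLEAY_CONFIG" | sed 's/-config//' )`, so when `SSLEAY_CONFIG` is empty or does not carry a `-config <path>` pair (the shape is not visible in this hunk and should be confirmed), grep is left with no file and blocks on stdin, and when the derived path does not exist grep fails and the script prints "notice: copy_extensions disabled" even though the config OpenSSL actually loads may have it enabled — a false reassurance at the exact point where the operator is meant to inspect the request. Deriving the path once and checking it is readable makes the message trustworthy: `cfg=${SSLEAY_CONFIG#-config }` and `if [ -r "$cfg" ] && grep -q '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy' -- "$cfg"; then`, with a third branch such as `echo "notice: cannot read openssl config, unable to determine copy_extensions setting." >&2` when `$cfg` is not readable. The pattern also matches `copy_extensions = copyall`, which is fine for a warning but worth noting in the comment, e.g. `# matches both 'copy' and 'copyall'`. The `-sign|-signreq)` arm continues past the end of the hunk, and the enclosing `case` starts before it.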