diff --git a/lib/resty/openssl/x509/csr.lua b/lib/resty/openssl/x509/csr.lua
index 08c48608..d7795a95 100644
--- a/lib/resty/openssl/x509/csr.lua
+++ b/lib/resty/openssl/x509/csr.lua
@@ -245,11 +245,6 @@ local function modify_extension(replace, ctx, nid, toset, crit)
     return false, format_error("X509V3_add1_i2d", code)
   end
 
-  code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
-  if code ~= 1 then
-    return false, format_error("X509_REQ_add_extensions", code)
-  end
-
   if need_cleanup then
     -- cleanup old attributes
     -- delete the first only, why?
@@ -259,6 +254,11 @@ local function modify_extension(replace, ctx, nid, toset, crit)
     end
   end
 
+  code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
+  if code ~= 1 then
+    return false, format_error("X509_REQ_add_extensions", code)
+  end
+
   -- mark encoded form as invalid so next time it will be re-encoded
   if OPENSSL_11_OR_LATER then
     C.i2d_re_X509_REQ_tbs(ctx, nil)