diff --git a/caddytls/client.go b/caddytls/client.go
index e173b8e7d..852fbe422 100644
--- a/caddytls/client.go
+++ b/caddytls/client.go
@@ -197,7 +197,7 @@ Attempts:
 for attempts := 0; attempts < 2; attempts++ {
 namesObtaining.Add([]string{name})
 acmeMu.Lock()
- certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil)
+ certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil, c.config.MustStaple)
 acmeMu.Unlock()
 namesObtaining.Remove([]string{name})
 if len(failures) > 0 {
@@ -285,7 +285,7 @@ func (c *ACMEClient) Renew(name string) error {
 for attempts := 0; attempts < 2; attempts++ {
 namesObtaining.Add([]string{name})
 acmeMu.Lock()
- newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true)
+ newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true, c.config.MustStaple)
 acmeMu.Unlock()
 namesObtaining.Remove([]string{name})
 if err == nil {
diff --git a/caddytls/config.go b/caddytls/config.go
index dd744164e..6632aed28 100644
--- a/caddytls/config.go
+++ b/caddytls/config.go
@@ -105,6 +105,9 @@ type Config struct {
 
 // The state needed to operate on-demand TLS
 OnDemandState OnDemandState
+
+ // Add the must staple TLS extension to the CSR generated by lego/acme
+ MustStaple bool
 }
 
 // OnDemandState contains some state relevant for providing
diff --git a/caddytls/setup.go b/caddytls/setup.go
index 8e822015b..d789674c1 100644
--- a/caddytls/setup.go
+++ b/caddytls/setup.go
@@ -164,6 +164,8 @@ func setupTLS(c *caddy.Controller) error {
 return c.Errf("Unsupported Storage provider '%s'", args[0])
 }
 config.StorageProvider = args[0]
+ case "muststaple":
+ config.MustStaple = true
 default:
 return c.Errf("Unknown keyword '%s'", c.Val())
 }
diff --git a/caddytls/setup_test.go b/caddytls/setup_test.go
index b630e7414..a008bcd2b 100644
--- a/caddytls/setup_test.go
+++ b/caddytls/setup_test.go
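Review bot: Passing `c.config.MustStaple` into `ObtainCertificate` makes every certificate issued with the option carry the TLS Feature (status_request, RFC 7633 "must-staple") extension, and clients that enforce it will reject the handshake whenever the server presents that certificate without a fresh stapled OCSP response; the hunk does not show the stapling path, so it is worth confirming at this call site that OCSP stapling cannot be disabled or fail silently while the flag is set. The same coupling applies to the `RenewCertificate` call in the second hunk of this file, and it assumes `c.config` holds the `*Config` whose field the config.go hunk adds. A comment at the call would record the dependency, e.g. `// MustStaple makes the cert unusable for enforcing clients unless a valid OCSP response is stapled; stapling must not be best-effort when set.` The enclosing loop and function start before the hunk and continue after it.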
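Review bot: The doc comment on the new `MustStaple` field should start with the field name, per Go doc convention, and should state the operational consequence rather than only the CSR mechanics, because an operator enabling it needs to know that must-staple-aware clients will refuse the site whenever a stapled OCSP response is missing or stale. Suggested: `// MustStaple requests the TLS Feature (status_request, "must-staple") extension in the CSR sent to the ACME CA; certificates carrying it are rejected by enforcing clients unless the server staples a valid OCSP response on every handshake.` The `Config` struct begins before the hunk.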
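Review bot: The new `muststaple` case consumes no arguments but never checks for trailing tokens, so a line such as `muststaple off` is silently accepted and enables the option; since the keyword offers no way to turn the feature off, a stray argument should be an error rather than a surprise. Add `if c.NextArg() { return c.ArgErr() }` under the case label, using the dispenser helpers the caddy controller provides, so the directive is rejected when it is given arguments. `setupTLS` begins before the hunk and continues after it.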
@@ -103,6 +103,7 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
 params := `tls ` + certFile + ` ` + keyFile + ` {
 protocols tls1.0 tls1.2
 ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
+ muststaple
 }`
 cfg := new(Config)
 RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
@@ -124,6 +125,10 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
 if len(cfg.Ciphers)-1 != 3 {
 t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(cfg.Ciphers)-1)
 }
+
+ if !cfg.MustStaple {
+ t.Errorf("Expected must staple to be true")
+ }
 }
 
 func TestSetupDefaultWithOptionalParams(t *testing.T) {
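Review bot: The added assertion covers only the positive case; nothing verifies that `MustStaple` stays false when the keyword is absent, so a parser regression that flipped the default would pass the suite. `TestSetupDefaultWithOptionalParams`, whose signature is the hunk's last line and whose body lies outside it, is the natural place for `if cfg.MustStaple { t.Errorf("Expected must staple to be false by default") }`, assuming that test parses a config without the keyword as its name suggests.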