diff --git a/.env.template b/.env.template
index 2bdecc83..0a56eec6 100644
--- a/.env.template
+++ b/.env.template
@@ -146,6 +146,7 @@ REVERSE_PROXY_AUTH=0
 #AUTH_LDAP_BIND_DN=
 #AUTH_LDAP_BIND_PASSWORD=
 #AUTH_LDAP_USER_SEARCH_BASE_DN=
+#AUTH_LDAP_TLS_CACERTFILE=
 # Enables exporting PDF (see export docs)
 # Disabled by default, uncomment to enable
diff --git a/docs/features/authentication.md b/docs/features/authentication.md
index abdd6660..4dd619e6 100644
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
@@ -96,6 +96,7 @@ AUTH_LDAP_USER_SEARCH_FILTER_STR=(uid=%(user)s)
 AUTH_LDAP_USER_ATTR_MAP={'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail'}
 AUTH_LDAP_ALWAYS_UPDATE_USER=1
 AUTH_LDAP_CACHE_TIMEOUT=3600
+AUTH_LDAP_TLS_CACERTFILE=/etc/ssl/certs/own-ca.pem
 ```
 ## Reverse Proxy Authentication
diff --git a/recipes/settings.py b/recipes/settings.py
index a4e07133..c9ffd32c 100644
--- a/recipes/settings.py
+++ b/recipes/settings.py
@@ -186,6 +186,8 @@ if LDAP_AUTH:
 }
 AUTH_LDAP_ALWAYS_UPDATE_USER = bool(int(os.getenv('AUTH_LDAP_ALWAYS_UPDATE_USER', True)))
 AUTH_LDAP_CACHE_TIMEOUT = int(os.getenv('AUTH_LDAP_CACHE_TIMEOUT', 3600))
+ if 'AUTH_LDAP_TLS_CACERTFILE' in os.environ:
+ AUTH_LDAP_GLOBAL_OPTIONS = { ldap.OPT_X_TLS_CACERTFILE: os.getenv('AUTH_LDAP_TLS_CACERTFILE') }
 AUTHENTICATION_BACKENDS += [
 'django.contrib.auth.backends.ModelBackend',
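Review bot: In the recipes/settings.py hunk the new `AUTH_LDAP_GLOBAL_OPTIONS` sets only the CA bundle path, so whether the LDAP server certificate is actually verified still depends on the host's libldap defaults (a system `ldap.conf` with `TLS_REQCERT never` would presumably leave verification off without any error). Pinning the requirement in the same dict makes the trust decision explicit: `AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_CACERTFILE: os.getenv('AUTH_LDAP_TLS_CACERTFILE'), ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND}`. The guard `'AUTH_LDAP_TLS_CACERTFILE' in os.environ` is also true when the variable is set but empty, for example after uncommenting the template line without a value, which hands libldap an empty path; `if os.getenv('AUTH_LDAP_TLS_CACERTFILE'):` skips that case. The `if LDAP_AUTH:` block starts outside the hunk, so the `ldap` import and the scheme of the server URI (ldaps:// or StartTLS) are assumed rather than visible here, and a short comment noting that the CA file has no effect on a plain ldap:// connection would help operators.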