diff --git a/README.md b/README.md
index 442cbd5..30313fe 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,7 @@ Environment variables (will overwrite other server configs)
 | HMD_LDAP_SEARCHBASE | o=users,dc=example,dc=com | LDAP directory to begin search from |
 | HMD_LDAP_SEARCHFILTER | (uid={{username}}) | LDAP filter to search with |
 | HMD_LDAP_SEARCHATTRIBUTES | no example | LDAP attributes to search with |
+| HMD_LDAP_TLS_CA | no example | Root CA for LDAP TLS in PEM format |
 | HMD_IMGUR_CLIENTID | no example | Imgur API client id |
 | HMD_EMAIL | `true` or `false` | set to allow email register and signin |
 | HMD_IMAGE_UPLOAD_TYPE | `imgur`, `s3` or `filesystem` | Where to upload image. For S3, see our [S3 Image Upload Guide](docs/guides/s3-image-upload.md) |
diff --git a/lib/config.js b/lib/config.js
index a44c279..053d083 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -118,6 +118,12 @@ if (process.env.HMD_LDAP_SEARCHFILTER)
     ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
 if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
     ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
+if (process.env.HMD_LDAP_TLS_CA) {
+    var ca = {
+        ca: process.env.HMD_LDAP_TLS_CA
+    }
+    ldap.tlsOptions = ldap.tlsOptions ? Object.assign(ldap.tlsOptions, ca) : ca
+}
 var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL || config.email || false;