diff --git a/src/sbbs3/scfg/scfgsys.c b/src/sbbs3/scfg/scfgsys.c
index 484001142094a2fba1a57f66bb3d531d0ea33444..bbf3ee0e3c60981d7a7094104147de7cc3c68be3 100644
--- a/src/sbbs3/scfg/scfgsys.c
+++ b/src/sbbs3/scfg/scfgsys.c
@@ -633,7 +633,8 @@ void security_cfg(void)
 		snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "Open to New Users", str);
 		snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "User Expires When Out-of-time"
 		         , cfg.sys_misc & SM_TIME_EXP ? "Yes" : "No");
-
+		snprintf(opt[i++], MAX_OPLN, "%-33.33s%s", "Create Self-signed Certificate"
+		         , cfg.create_self_signed_cert ? "Yes" : "No");
 		strcpy(opt[i++], "Security Level Values...");
 		strcpy(opt[i++], "Expired Account Values...");
 		strcpy(opt[i++], "Quick-Validation Values...");
@@ -896,6 +897,24 @@ void security_cfg(void)
 					cfg.sys_misc &= ~SM_TIME_EXP;
 				}
 				break;
+			case __COUNTER__:
+				i = cfg.create_self_signed_cert ? 0 : 1;
+				uifc.helpbuf =
+					"`Create Self-signed TLS Certificate:`\n"
+					"\n"
+					"If you want Synchronet to automatically create a self-signed certificate\n"
+					"(for TLS connections) when the certificate file (`ctrl/ssl.cert`) cannot\n"
+					"be found or read, set this option to `Yes`.\n"
+				;
+				i = uifc.list(WIN_MID | WIN_SAV, 0, 0, 0, &i, 0
+				              , "Create Self-signed Certificate", uifcYesNoOpts);
+				if (!i && !cfg.create_self_signed_cert) {
+					cfg.create_self_signed_cert = true;
+				}
+				else if (i == 1 && cfg.create_self_signed_cert) {
+					cfg.create_self_signed_cert = false;
+				}
+				break;
 			case __COUNTER__: /* Security Levels */
 				k = 0;
 				while (1) {
diff --git a/src/sbbs3/scfgdefs.h b/src/sbbs3/scfgdefs.h
index f1eb254181a080d7a74cce7190d751364b943ca8..172d02899c7043763d54803d9ebd37b7d03bbc91 100644
--- a/src/sbbs3/scfgdefs.h
+++ b/src/sbbs3/scfgdefs.h
@@ -506,6 +506,8 @@ typedef struct
 	uint16_t		filename_maxlen;	/* Maximum filename length */
 	str_list_t      supported_archive_formats;    /* Full support in libachive */
 
+	bool			create_self_signed_cert;
+
 	fevent_t		node_daily;			/* Node's daily event */
 	uint32_t		node_misc;			/* Misc bits for node setup */
 	bool			spinning_pause_prompt;
diff --git a/src/sbbs3/scfglib1.c b/src/sbbs3/scfglib1.c
index e0f9a239a19d3a631b75f7b08198e632d17845cc..bd9991e09332efa50ebe696412637f3adcef1103 100644
--- a/src/sbbs3/scfglib1.c
+++ b/src/sbbs3/scfglib1.c
@@ -127,6 +127,7 @@ bool read_main_cfg(scfg_t* cfg, char* error, size_t maxerrlen)
 	cfg->max_getkey_inactivity = (uint)iniGetDuration(ini, ROOT_SECTION, "max_getkey_inactivity", 300);
 	cfg->inactivity_warn = (uchar)iniGetUInteger(ini, ROOT_SECTION, "inactivity_warn", 75);
 	cfg->spinning_pause_prompt = iniGetBool(ini, ROOT_SECTION, "spinning_pause_prompt", true);
+	cfg->create_self_signed_cert = iniGetBool(ini, ROOT_SECTION, "create_self_signed_cert", false);
 
 	cfg->user_backup_level = iniGetUInteger(ini, ROOT_SECTION, "user_backup_level", 5);
 	cfg->mail_backup_level = iniGetUInteger(ini, ROOT_SECTION, "mail_backup_level", 5);
diff --git a/src/sbbs3/scfgsave.c b/src/sbbs3/scfgsave.c
index 4b616e9df954f142fab4fc6865a3015ba440bf7b..441702bcaf424d68508259b53d1732528c8b03b2 100644
--- a/src/sbbs3/scfgsave.c
+++ b/src/sbbs3/scfgsave.c
@@ -147,6 +147,7 @@ bool write_main_cfg(scfg_t* cfg)
 	iniSetDuration(&ini, ROOT_SECTION, "max_getkey_inactivity", cfg->max_getkey_inactivity, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "inactivity_warn", cfg->inactivity_warn, NULL);
 	iniSetBool(&ini, ROOT_SECTION, "spinning_pause_prompt", cfg->spinning_pause_prompt, NULL);
+	iniSetBool(&ini, ROOT_SECTION, "create_self_signed_cert", cfg->create_self_signed_cert, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "user_backup_level", cfg->user_backup_level, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "mail_backup_level", cfg->mail_backup_level, NULL);
 	iniSetUInteger(&ini, ROOT_SECTION, "config_backup_level", cfg->config_backup_level, NULL);
diff --git a/src/sbbs3/ssl.c b/src/sbbs3/ssl.c
index da825b7a08d7a89bd1d43a90eb5f648ad862401a..838c491ef54c4af871045a53c64d74275355eeb5 100644
--- a/src/sbbs3/ssl.c
+++ b/src/sbbs3/ssl.c
@@ -476,6 +476,12 @@ static struct cert_list * get_ssl_cert(scfg_t *cfg, int (*lprintf)(int level, co
 		}
 	}
 	else {
+		lprintf(LOG_WARNING, "Failed to open/read TLS certificate: %s", cert_path);
+		if (!cfg->create_self_signed_cert) {
+			assert_pthread_mutex_unlock(&get_ssl_cert_mutex);
+			free(cert_entry);
+			return NULL;
+		}
 		lprintf(LOG_NOTICE, "Creating self-signed TLS certificate");
 		/* Couldn't do that... create a new context and use the cert from there... */
 		if (!DO("creating TLS context", CRYPT_UNUSED, cryptCreateContext(&cert_entry->cert, CRYPT_UNUSED, CRYPT_ALGO_RSA))) {