diff --git a/getssl b/getssl
index f3e60a4..e8af6b4 100755
--- a/getssl
+++ b/getssl
@@ -226,6 +226,7 @@ SERVER_TYPE="https"
 SKIP_HTTP_TOKEN_CHECK="false"
 SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf"
 OCSP_MUST_STAPLE="false"
+MS_LDAPS="false"
 TEMP_UPGRADE_FILE=""
 TOKEN_USER_ID=""
 USE_SINGLE_ACL="false"
@@ -641,6 +642,11 @@ create_csr() { # create a csr using a given key (if it doesn't already exist)
 if [[ "$OCSP_MUST_STAPLE" == "true" ]]; then
 printf "\n1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05" >> "$tmp_conf"
 fi
+ # this is required if you want to use LDAP over SSL in Microsoft Active Directory
+ # see also: https://serverfault.com/a/573038 and https://support.microsoft.com/en-us/help/321051/
+ if [[ "$MS_LDAPS" == "true" ]]; then
+ printf "\nextendedKeyUsage = 1.3.6.1.5.5.7.3.1" >> "$tmp_conf"
+ fi
 openssl req -new -sha256 -key "$csr_key" -subj "$CSR_SUBJECT" -reqexts SAN -config "$tmp_conf" > "$csr_file"
 rm -f "$tmp_conf"
 fi
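Review bot: The comment on the new `MS_LDAPS` block overstates what the CSR can guarantee: it only requests the serverAuth EKU (1.3.6.1.5.5.7.3.1), while the EKU that ends up in the issued certificate is decided by the CA's issuance profile, and ACME CAs typically set their own extensions rather than copying what the CSR asks for, so this option may change nothing in the certificate the user receives. I would say so in the comment, e.g. `# requests the serverAuth EKU in the CSR; the CA decides whether the issued cert carries it, so check the result with openssl x509 -text`, and spell the value with OpenSSL's short name, `printf "\nextendedKeyUsage = serverAuth" >> "$tmp_conf"`, which is equivalent and self-describing. Because the line is appended to `$tmp_conf` right after the OCSP-stapling entry, it lands in whichever config section was opened last, presumably the SAN section selected by `-reqexts SAN`, but that setup is not visible here. create_csr() starts and ends outside the hunk.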