diff --git a/app/api/api.go b/app/api/api.go
index 0d796e9d..23c747f8 100644
--- a/app/api/api.go
+++ b/app/api/api.go
@@ -485,7 +485,7 @@ func (a *api) start(ctx context.Context) error {
 },
 DefaultHostname: cfg.Host.Name[0],
 EmailAddress: cfg.TLS.Email,
- IsProduction: false,
+ IsProduction: !cfg.TLS.Staging,
 Logger: a.log.logger.core.WithComponent("Let's Encrypt"),
 })
 if err != nil {
diff --git a/autocert/autocert.go b/autocert/autocert.go
index 1ab8fe8c..e3b672f0 100644
--- a/autocert/autocert.go
+++ b/autocert/autocert.go
@@ -53,6 +53,9 @@ func New(config Config) (Manager, error) {
 ca := certmagic.LetsEncryptStagingCA
 if config.IsProduction {
 ca = certmagic.LetsEncryptProductionCA
+ m.logger.Info().WithField("ca", ca).Log("Using production CA")
+ } else {
+ m.logger.Info().WithField("ca", ca).Log("Using staging CA")
 }
 certmagic.DefaultACME.Agreed = true
diff --git a/cluster/cluster.go b/cluster/cluster.go
index e30373a0..2b612e46 100644
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -427,7 +427,7 @@ func New(ctx context.Context, config Config) (Cluster, error) {
 Storage: storage,
 DefaultHostname: names[0],
 EmailAddress: c.config.TLS.Email,
- IsProduction: false,
+ IsProduction: !c.config.TLS.Staging,
 Logger: c.logger.WithComponent("Let's Encrypt"),
 })
 if err != nil {
@@ -1100,6 +1100,10 @@ func verifyClusterConfig(local, remote *config.Config) error {
 if local.TLS.Email != remote.TLS.Email {
 return fmt.Errorf("tls.email is different")
 }
+
+ if local.TLS.Staging != remote.TLS.Staging {
+ return fmt.Errorf("tls.staging is different")
+ }
 }
 }
diff --git a/config/config.go b/config/config.go
index edbbda34..c2a48aa4 100644
--- a/config/config.go
+++ b/config/config.go
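Review bot: The inverted default is an operational change that nothing at the call site explains: `tls.staging` defaults to false, so every deployment that was previously pinned to the staging CA by the hard-coded `IsProduction: false` now registers with the production Let's Encrypt CA and becomes subject to its issuance rate limits. I would add `// tls.staging=false (the default) selects the production CA; the staging CA issues certificates that browsers do not trust.` directly above the `IsProduction` line. The cluster/cluster.go hunk at line 427 makes the same inversion and wants the same comment. `start` begins and ends outside the hunk.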
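Review bot: The two new log statements in autocert.go differ only in their message while the `ca` field already identifies which directory is in use, so one call after the `if` would carry the same information without duplicating the line: `m.logger.Info().WithField("ca", ca).WithField("production", config.IsProduction).Log("Using ACME CA")`. That assumes `WithField` chains the way the existing calls suggest and that `m.logger` has been assigned before this point, which lies outside the hunk; if the logger in `Config` is optional, it needs a nil check or a default before these calls, because the added lines dereference it unconditionally. `New` continues outside the hunk on both sides.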
@@ -186,6 +186,7 @@ func (d *Config) init() {
 d.vars.Register(value.NewBool(&d.TLS.Enable, false), "tls.enable", "CORE_TLS_ENABLE", nil, "Enable HTTPS", false, false)
 d.vars.Register(value.NewBool(&d.TLS.Auto, false), "tls.auto", "CORE_TLS_AUTO", nil, "Enable Let's Encrypt certificate", false, false)
 d.vars.Register(value.NewEmail(&d.TLS.Email, "cert@datarhei.com"), "tls.email", "CORE_TLS_EMAIL", nil, "Email for Let's Encrypt registration", false, false)
+ d.vars.Register(value.NewBool(&d.TLS.Staging, false), "tls.staging", "CORE_TLS_STAGING", nil, "Use Let's Encrypt staging CA", false, false)
 d.vars.Register(value.NewFile(&d.TLS.CertFile, "", d.fs), "tls.cert_file", "CORE_TLS_CERT_FILE", []string{"CORE_TLS_CERTFILE"}, "Path to certificate file in PEM format", false, false)
 d.vars.Register(value.NewFile(&d.TLS.KeyFile, "", d.fs), "tls.key_file", "CORE_TLS_KEY_FILE", []string{"CORE_TLS_KEYFILE"}, "Path to key file in PEM format", false, false)
diff --git a/config/data.go b/config/data.go
index 473c8d25..6b1c490c 100644
--- a/config/data.go
+++ b/config/data.go
@@ -62,6 +62,7 @@ type Data struct {
 Enable bool `json:"enable"`
 Auto bool `json:"auto"`
 Email string `json:"email"`
+ Staging bool `json:"staging"`
 CertFile string `json:"cert_file"`
 KeyFile string `json:"key_file"`
 } `json:"tls"`
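Review bot: The help text `"Use Let's Encrypt staging CA"` on the new `tls.staging` registration does not tell an operator what the flag trades off, nor that it has no effect unless `tls.auto` is set. I would change it to `"Use the Let's Encrypt staging CA instead of production (only with tls.auto; staging certificates are not publicly trusted)"` so the consequence of leaving it at the default is clear from `--help` alone. `init` continues outside the hunk.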