diff --git a/certs/cert-generator/badssl-must-staple.conf b/certs/cert-generator/badssl-must-staple.conf
new file mode 100644
index 00000000..a97438f3
--- /dev/null
+++ b/certs/cert-generator/badssl-must-staple.conf
@@ -0,0 +1,24 @@
+[ req ]
+default_bits = 2048
+default_keyfile = ../self-signed/badssl.key
+distinguished_name = req_distinguished_name
+encrypt_key = no
+prompt = no
+req_extensions = req_v3_usr
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = California
+localityName = San Francisco
+organizationName = BadSSL
+commonName = must-staple.badssl.com
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05
+
+[ alt_names ]
+DNS.1 = must-staple.badssl.com
+DNS.2 = must-staple-no-ocsp.badssl.com
diff --git a/certs/cert-generator/cert-generator.sh b/certs/cert-generator/cert-generator.sh
index ebd0bfd1..6634e5e0 100755
--- a/certs/cert-generator/cert-generator.sh
+++ b/certs/cert-generator/cert-generator.sh
@@ -231,6 +231,24 @@ cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pe
 rm out.pem
 echo
+echo "Generating BadSSL.com must-staple Certificate Signing Request"
+openssl req -new \
+ -key ../self-signed/badssl.com.key \
+ -out badssl-must-staple.csr \
+ -config badssl-must-staple.conf
+
+echo "Signing BadSSL.com must-staple Certificate"
+openssl x509 -req -days 730 -sha256 -CAcreateserial \
+ -in badssl-must-staple.csr \
+ -CA ../self-signed/badssl-intermediate.pem \
+ -CAkey ../self-signed/badssl-intermediate.key \
+ -extfile badssl-must-staple.conf \
+ -extensions req_v3_usr \
+ -out out.pem
+cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pem > ../self-signed/must-staple.badssl.com.pem
+rm out.pem
+echo
+
 # Generate the Diffie-Hellman primes
 if [[ $regen =~ ^[Yy]$ ]]; then
 openssl dhparam -out ../self-signed/dh480.pem 480
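Review bot: The TLS Feature extension in `[ req_v3_usr ]` is written as a bare OID and DER blob (`1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05`) with no comment, so a reader cannot tell it is the RFC 7633 OCSP Must-Staple marker without decoding the bytes by hand; add `# RFC 7633 TLS Feature extension, status_request (5): OCSP Must-Staple` above it, and on OpenSSL 1.1.0 or later the named form `tlsfeature = status_request` expresses the same extension legibly. `default_keyfile = ../self-signed/badssl.key` looks inconsistent with the `-key ../self-signed/badssl.com.key` that the script hunk passes on the command line; `-key` takes precedence, so the line is probably dead, but it should either match the script or be dropped so the two do not diverge silently. The second hunk runs past the end of this view, so only its visible lines were considered.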