diff --git a/app.go b/app.go
index 79b7145..00e7d6d 100644
--- a/app.go
+++ b/app.go
@@ -11,6 +11,7 @@ package writefreely
 import (
+ "crypto/tls"
 "database/sql"
 "fmt"
 "html/template"
@@ -39,6 +40,7 @@ import (
 "github.com/writeas/writefreely/key"
 "github.com/writeas/writefreely/migrations"
 "github.com/writeas/writefreely/page"
+ "golang.org/x/crypto/acme/autocert"
 )
 const (
@@ -390,9 +392,29 @@ func Serve(app *App, r *mux.Router) {
 }()
 log.Info("Serving on https://%s:443", bindAddress)
- log.Info("---")
- err = http.ListenAndServeTLS(
- fmt.Sprintf("%s:443", bindAddress), app.cfg.Server.TLSCertPath, app.cfg.Server.TLSKeyPath, r)
+ if app.cfg.Server.Autocert {
+ log.Info("Using autocert")
+ m := &autocert.Manager{
+ Prompt: autocert.AcceptTOS,
+ Cache: autocert.DirCache(app.cfg.Server.TLSCertPath),
+ HostPolicy: autocert.HostWhitelist(app.cfg.App.Host),
+ }
+ s := &http.Server{
+ Addr: ":https",
+ Handler: r,
+ TLSConfig: &tls.Config{
+ GetCertificate: m.GetCertificate,
+ },
+ }
+ s.SetKeepAlivesEnabled(false)
+
+ log.Info("---")
+ err = s.ListenAndServeTLS("", "")
+ } else {
+ log.Info("Using manual certificates")
+ log.Info("---")
+ err = http.ListenAndServeTLS(fmt.Sprintf("%s:443", bindAddress), app.cfg.Server.TLSCertPath, app.cfg.Server.TLSKeyPath, r)
+ }
 } else {
 log.Info("Serving on http://%s:%d\n", bindAddress, app.cfg.Server.Port)
 log.Info("---")
diff --git a/config/config.go b/config/config.go
index 8009208..58486b0 100644
--- a/config/config.go
+++ b/config/config.go
@@ -35,6 +35,7 @@ type (
 TLSCertPath string `ini:"tls_cert_path"`
 TLSKeyPath string `ini:"tls_key_path"`
+ Autocert bool `ini:"autocert"`
 TemplatesParentDir string `ini:"templates_parent_dir"`
 StaticParentDir string `ini:"static_parent_dir"`
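Review bot: `HostPolicy: autocert.HostWhitelist(app.cfg.App.Host)` in the new autocert branch of Serve only matches if App.Host is a bare hostname — HostWhitelist compares the SNI name against the strings it is given, so if that setting holds a URL with a scheme or port (the hunk does not show its format) every handshake is refused and no certificate is ever issued; parsing it with `url.Parse` and passing `u.Hostname()` removes the ambiguity. The same branch reuses `TLSCertPath` as the `DirCache` directory, so a setting configured as a certificate file silently becomes the directory where the ACME account key and issued private keys are written (DirCache creates it mode 0700 and files 0600); a dedicated cache-directory setting, or at least a comment at the DirCache line, would make that explicit. `Addr: ":https"` also binds all interfaces, unlike the manual branch's `fmt.Sprintf("%s:443", bindAddress)`, and the new `http.Server` sets no ReadTimeout/WriteTimeout. The rest of Serve, including the handling of `err`, lies outside the hunk.
```go
	if app.cfg.Server.Autocert {
		log.Info("Using autocert")
		// HostWhitelist matches bare hostnames only; strip any scheme/port
		// in case App.Host is configured as a URL (needs "net/url").
		host := app.cfg.App.Host
		if u, perr := url.Parse(host); perr == nil && u.Hostname() != "" {
			host = u.Hostname()
		}
		m := &autocert.Manager{
			Prompt: autocert.AcceptTOS,
			// NOTE(review): this directory receives the ACME account key and
			// certificate private keys, not a certificate file.
			Cache:      autocert.DirCache(app.cfg.Server.TLSCertPath),
			HostPolicy: autocert.HostWhitelist(host),
		}
		s := &http.Server{
			Addr:    fmt.Sprintf("%s:443", bindAddress),
			Handler: r,
			// … unchanged: TLSConfig / GetCertificate …
		}
		// … unchanged: keep-alives, log, ListenAndServeTLS …
```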
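Review bot: The new `Autocert bool` field in config.go has no doc comment, and enabling it changes what the neighbouring `TLSCertPath` means (a cache directory instead of a certificate file), which a reader of this struct cannot see. Suggested comment above the field: `// Autocert obtains certificates automatically via ACME; when set, TLSCertPath is used as the certificate cache directory rather than as a certificate file, and TLSKeyPath is ignored.` The enclosing `type (` block starts and ends outside the hunk.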