diff --git a/Changes.rst b/Changes.rst
index b9fe6d51..3d164b94 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -105,6 +105,18 @@ Behavioral changes
 - Do not randomize resolving of IP addresses in getaddr()
+Version 2.3.18
+==============
+
+Deprecated features
+-------------------
+- ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead.
+ The nsCertType x509 extension is very old, and barely used.
+ ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage
+ extension instead. Make sure your certificates carry these to be able to
+ use ``--remote-cert-tls``.
+
+
 Version 2.3.17
 ==============
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 109afe66..c6389f1c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -324,7 +324,7 @@ http-proxy-retry
 persist-key
 persist-tun
 pkcs12 client.p12
-ns-cert-type server
+remote-cert-tls server
 verb 3
 .in -4
 .ft
@@ -5094,7 +5094,11 @@ options can be defined to track multiple attributes.
 Not available with PolarSSL.
 .\"*********************************************************
 .TP
-.B \-\-ns\-cert\-type client|server
+.B \-\-ns\-cert\-type client|server (DEPRECATED)
+This option is deprecated. Use the more modern equivalent
+.B \-\-remote\-cert\-tls
+instead. This option will be removed in OpenVPN 2.5.
+
 Require that peer certificate was signed with an explicit
 .B nsCertType
 designation of "client" or "server".
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c6546e69..f676b512 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2591,6 +2591,10 @@ do_option_warnings (struct context *c)
 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
 && !o->remote_cert_eku)
 msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
+ if (o->ns_cert_type)
+ {
+ msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
+ }
 #endif
 #endif
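Review bot: The new call is written `msg(M_WARN, ...)` while the context line just above it uses the file's `msg (M_WARN, ...)` spacing, so the hunk introduces a second call style into do_option_warnings; `msg (M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");` would match. The check `if (o->ns_cert_type)` fires for either the client or the server setting, including when --remote-cert-tls is configured as well, which looks intended but deserves a one-line comment such as `/* nsCertType is deprecated; warn on any use, even alongside --remote-cert-tls */`. The preceding MITM warning's condition already counts `o->remote_cert_eku` as an accepted verification method, so an operator who follows the new advice keeps that warning silent, which appears to be the desired outcome; the surrounding #ifdef guards are outside the hunk and were not checked. do_option_warnings starts and ends outside the hunk.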
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 6faa2808..20ca37ee 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -622,8 +622,8 @@ static const char usage_message[] =
 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
 " DN name. The remote host must also pass all other tests\n"
 " of verification.\n"
- "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
- " nsCertType designation t = 'client' | 'server'.\n"
+ "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
+ " an explicit nsCertType designation t = 'client' | 'server'.\n"
 #ifdef ENABLE_X509_TRACK
 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
 " plugins and management interface.\n"
diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample
index 59f34c7f..78b0ebbc 100644
--- a/tests/t_client.rc-sample
+++ b/tests/t_client.rc-sample
@@ -39,7 +39,7 @@ TEST_RUN_LIST="1 2"
 #
 OPENVPN_BASE_P2MP="--client --ca $CA_CERT \
 --cert $CLIENT_CERT --key $CLIENT_KEY \
- --ns-cert-type server --nobind --comp-lzo --verb 3"
+ --remote-cert-tls server --nobind --comp-lzo --verb 3"
 # base config for p2p tests
 #
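Review bot: The first new usage line ends in `signed with \n`, a trailing blank before the newline that the removed line did not have and that prints as dangling whitespace in the --help output; `"--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with\n"` drops it. The (DEPRECATED) tag alone does not tell the reader what to use instead, so appending `Use --remote-cert-tls.` to the second line would mirror the runtime warning and the man page text. The usage_message array starts and ends outside the hunk.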