diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 54546d197..ac50a4607 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -115,6 +115,7 @@ enum li_status {
 /* flags used with bind_conf->options */
 #define BC_O_USE_SSL 0x00000001 /* SSL is being used on this bind_conf */
+#define BC_O_GENERATE_CERTS 0x00000002 /* 1 if generate-certificates option is set, else 0 */
 /* flags used with bind_conf->ssl_options */
@@ -181,7 +182,6 @@ struct bind_conf {
 	const struct mux_proto_list *mux_proto; /* the mux to use for all incoming connections (specified by the "proto" keyword) */
 	struct xprt_ops *xprt; /* transport-layer operations for all listeners */
 	uint options; /* set of BC_O_* flags */
-	int generate_certs; /* 1 if generate-certificates option is set, else 0 */
 	int level; /* stats access level (ACCESS_LVL_*) */
 	int severity_output; /* default severity output format in cli feedback messages */
 	struct list listeners; /* list of listeners using this bind config */
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 33d0bdb92..fad0828f2 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1151,7 +1151,7 @@ static int bind_parse_pcc(char **args, int cur_arg, struct proxy *px, struct bin
 static int bind_parse_generate_certs(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
 #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
-	conf->generate_certs = 1;
+	conf->options |= BC_O_GENERATE_CERTS;
 #else
 	memprintf(err, "%sthis version of openssl cannot generate SSL certificates.\n",
 	          err && *err ? *err : "");
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 507bc0ce3..472bf55b4 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
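Review bot: The comment on the new define in the listener-t.h hunk, `/* 1 if generate-certificates option is set, else 0 */`, is carried over verbatim from the int field this commit removes and no longer describes a bit in a mask (the bit's value is 0x00000002, and it is read with `&`, never compared to 1). I would reword it in the same voice as its neighbour BC_O_USE_SSL, e.g. `#define BC_O_GENERATE_CERTS 0x00000002 /* generate-certificates is set on this bind_conf */`. Documentation only; the field removal and the `conf->options |= BC_O_GENERATE_CERTS;` in the parser hunk are consistent with each other.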
@@ -2557,7 +2557,7 @@ int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 	struct bind_conf *s = priv;
 	(void)al; /* shut gcc stupid warning */
-	if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || s->generate_certs)
+	if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || (s->options & BC_O_GENERATE_CERTS))
 		return SSL_TLSEXT_ERR_OK;
 	return SSL_TLSEXT_ERR_NOACK;
 }
@@ -2664,7 +2664,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 		servername_len = len;
 	} else {
 #if (!defined SSL_NO_GENERATE_CERTIFICATES)
-		if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl)) {
+		if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl)) {
 			goto allow_early;
 		}
 #endif
@@ -2827,7 +2827,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 	HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
 #if (!defined SSL_NO_GENERATE_CERTIFICATES)
-	if (s->generate_certs && ssl_sock_generate_certificate(trash.area, s, ssl)) {
+	if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate(trash.area, s, ssl)) {
 		/* switch ctx done in ssl_sock_generate_certificate */
 		goto allow_early;
 	}
@@ -2897,7 +2897,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 	servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 	if (!servername) {
 #if (!defined SSL_NO_GENERATE_CERTIFICATES)
-		if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl))
+		if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl))
 			return SSL_TLSEXT_ERR_OK;
 #endif
 		if (s->strict_sni)
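Review bot: The new condition in the `else` branch of the -2664 hunk, `if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl))`, leaves the bitwise AND bare while the err_cbk hunk just above writes the same test as `(s->options & BC_O_GENERATE_CERTS)`; the bare form is correct because `&` binds tighter than `&&`, but the two spellings are inconsistent within one commit and the bare one makes every reader re-check operator precedence on a TLS handshake path. I would write `if ((s->options & BC_O_GENERATE_CERTS) && ssl_sock_generate_certificate_from_conn(s, ssl)) {` here and apply the same parentheses in the -2827, -2897 and -2939 hunks, which repeat the pattern. The enclosing ssl_sock_switchctx_cbk both starts and ends outside this hunk.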
@@ -2939,7 +2939,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 	}
 	if (!node) {
 #if (!defined SSL_NO_GENERATE_CERTIFICATES)
-		if (s->generate_certs && ssl_sock_generate_certificate(servername, s, ssl)) {
+		if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate(servername, s, ssl)) {
 			/* switch ctx done in ssl_sock_generate_certificate */
 			HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
 			return SSL_TLSEXT_ERR_OK;
@@ -5453,7 +5453,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
 		return 0;
 	}
 	if (!bind_conf->default_ctx) {
-		if (bind_conf->strict_sni && !bind_conf->generate_certs) {
+		if (bind_conf->strict_sni && !(bind_conf->options & BC_O_GENERATE_CERTS)) {
 			ha_warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
 			           px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
 		}
@@ -5606,7 +5606,7 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
 	int ret = 0;
 	char *err = NULL;
-	if (!bind_conf->generate_certs)
+	if (!(bind_conf->options & BC_O_GENERATE_CERTS))
 		return ret;
 #if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
@@ -5657,7 +5657,7 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
 	free(ckch);
 	}
-	bind_conf->generate_certs = 0;
+	bind_conf->options &= ~BC_O_GENERATE_CERTS;
 	ret++;
 	return ret;
 }
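Review bot: In the -5657 hunk, `bind_conf->options &= ~BC_O_GENERATE_CERTS;` switches the feature off with no comment saying why, on what looks like an error exit of ssl_sock_load_ca (the preceding `free(ckch);` and the `ret++` that follows suggest cleanup, but the block that leads here starts outside the hunk). Because the SNI callbacks changed earlier in this commit read this bit at handshake time, a reader should not have to reconstruct that from this point the bind behaves as if generate-certificates had never been configured, while the caller only sees a non-zero return. I would add a one-line comment above it such as `/* setup failed: drop the flag so the SNI callbacks never attempt on-the-fly generation */`, adjusted to the actual condition that reaches this line.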