diff --git a/go.mod b/go.mod
index 0e35662ef..36457f424 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b
 	github.com/klauspost/cpuid v1.2.1
 	github.com/lucas-clemente/quic-go v0.7.1-0.20190908032346-fc962d18373a
-	github.com/mholt/certmagic v0.7.1
+	github.com/mholt/certmagic v0.7.2
 	github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190902132743-e4903c4dea48
 	github.com/rs/cors v1.6.0
 	github.com/russross/blackfriday/v2 v2.0.1
diff --git a/go.sum b/go.sum
index da08824cb..77d3eaf65 100644
--- a/go.sum
+++ b/go.sum
@@ -158,8 +158,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mholt/certmagic v0.7.1 h1:nbSSVwvlDE3+vttD/RBikBIkxrlKVkIQOz449gCrG5Q=
-github.com/mholt/certmagic v0.7.1/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w=
+github.com/mholt/certmagic v0.7.2 h1:i4FRZyM33Ke6UdTrq69hLSRq1xvqS83JQTkzzUWtuF4=
+github.com/mholt/certmagic v0.7.2/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w=
 github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index df4631c46..1f05c1df5 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -18,7 +18,9 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"log"
 	"net/http"
+	"sync"
 	"time"
 
 	"github.com/caddyserver/caddy/v2"
@@ -40,6 +42,8 @@ type TLS struct {
 	certificateLoaders []CertificateLoader
 	certCache          *certmagic.Cache
 	ctx                caddy.Context
+	storageCleanTicker *time.Ticker
+	storageCleanStop   chan struct{}
 }
 
 // CaddyModule returns the Caddy module information.
@@ -121,6 +125,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		}
 	}
 
+	t.storageCleanTicker = time.NewTicker(storageCleanInterval)
+	t.storageCleanStop = make(chan struct{})
+
 	return nil
 }
 
@@ -140,16 +147,25 @@ func (t *TLS) Start() error {
 	}
 	t.Certificates = nil // allow GC to deallocate
 
+	t.keepStorageClean()
+
 	return nil
 }
 
 // Stop stops the TLS module and cleans up any allocations.
 func (t *TLS) Stop() error {
+	// stop the certificate cache
 	if t.certCache != nil {
-		// TODO: ensure locks are cleaned up too... maybe in certmagic though
 		t.certCache.Stop()
 	}
+
+	// stop the session ticket rotation goroutine
 	t.SessionTickets.stop()
+
+	// stop the storage cleaner goroutine and ticker
+	close(t.storageCleanStop)
+	t.storageCleanTicker.Stop()
+
 	return nil
 }
 
@@ -200,12 +216,60 @@ func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy {
 	return AutomationPolicy{Management: new(ACMEManagerMaker)}
 }
 
-// CertificatesForSAN returns the list of all certificates in
+// AllMatchingCertificates returns the list of all certificates in
 // the cache which could be used to satisfy the given SAN.
 func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate {
 	return t.certCache.AllMatchingCertificates(san)
 }
 
+// keepStorageClean immediately cleans up all known storage units
+// if it was not recently done, and starts a goroutine that runs
+// the operation at every tick from t.storageCleanTicker.
+func (t *TLS) keepStorageClean() {
+	go func() {
+		for {
+			select {
+			case <-t.storageCleanStop:
+				return
+			case <-t.storageCleanTicker.C:
+				t.cleanStorageUnits()
+			}
+		}
+	}()
+	t.cleanStorageUnits()
+}
+
+func (t *TLS) cleanStorageUnits() {
+	storageCleanMu.Lock()
+	defer storageCleanMu.Unlock()
+
+	if !storageClean.IsZero() && time.Since(storageClean) < storageCleanInterval {
+		return
+	}
+
+	options := certmagic.CleanStorageOptions{
+		OCSPStaples:            true,
+		ExpiredCerts:           true,
+		ExpiredCertGracePeriod: 24 * time.Hour * 14,
+	}
+
+	// start with the default storage
+	certmagic.CleanStorage(t.ctx.Storage(), options)
+
+	// then clean each storage defined in ACME automation policies
+	for _, ap := range t.Automation.Policies {
+		if acmeMgmt, ok := ap.Management.(ACMEManagerMaker); ok {
+			if acmeMgmt.storage != nil {
+				certmagic.CleanStorage(acmeMgmt.storage, options)
+			}
+		}
+	}
+
+	storageClean = time.Now()
+
+	log.Println("[INFO] tls: Cleaned up storage unit(s)")
+}
+
 // CertificateLoader is a type that can load certificates.
 // Certificates can optionally be associated with tags.
 type CertificateLoader interface {
@@ -301,4 +365,12 @@ var (
 	}
 )
 
+// Variables related to storage cleaning.
+var (
+	storageCleanInterval = 12 * time.Hour
+
+	storageClean   time.Time
+	storageCleanMu sync.Mutex
+)
+
 const automateKey = "automate"