diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index bfe805f49..78a85633b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -3195,6 +3195,49 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
     return 0;
 }
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/* RFC 8446 section 4.2.10
+ *
+ * struct {
+ *   select ( Handshake.msg_type ) {
+ *     case new_session_ticket:   uint32 max_early_data_size;
+ *     ...
+ *   };
+ * } EarlyDataIndication;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_early_data_ext_of_nst(mbedtls_ssl_context *ssl,
+                                                 unsigned char *buf,
+                                                 const unsigned char *end,
+                                                 size_t *out_len)
+{
+    unsigned char *p = buf;
+    *out_len = 0;
+
+    if ((ssl->session->ticket_flags &
+         MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) == 0) {
+        MBEDTLS_SSL_DEBUG_MSG(
+            4, ("Skip early_data extension in NST for it is not allowed."));
+        return 0;
+    }
+
+    MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);
+
+    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0);
+    MBEDTLS_PUT_UINT16_BE(4, p, 2);
+    MBEDTLS_PUT_UINT32_BE(ssl->conf->max_early_data_size, p, 4);
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ("Sent max_early_data_size=%u",
+            (unsigned int) ssl->conf->max_early_data_size));
+
+    *out_len = 8;
+
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA);
+
+    return 0;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 /* This function creates a NewSessionTicket message in the following format:
  *
  * struct {
@@ -3232,10 +3275,20 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
     mbedtls_ssl_session *session = ssl->session;
     size_t ticket_len;
     uint32_t ticket_lifetime;
+    unsigned char *p_extensions_len;
+    size_t output_len;
+
+    ((void) output_len);
 
     *out_len = 0;
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+    if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
+        session->ticket_flags |= MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
+    }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
     /*
      *    ticket_lifetime   4 bytes
      *    ticket_age_add    4 bytes
@@ -3293,15 +3346,25 @@ static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
 
     /* Ticket Extensions
      *
-     * Note: We currently don't have any extensions.
-     * Set length to zero.
+     * Extension extensions<0..2^16-2>;
      */
     ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
     MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
-    MBEDTLS_PUT_UINT16_BE(0, p, 0);
+    p_extensions_len = p;
     p += 2;
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+    if ((ret = ssl_tls13_write_early_data_ext_of_nst(
+             ssl, p, end, &output_len)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_early_data_ext_of_nst", ret);
+        return ret;
+    }
+    p += output_len;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+    MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
+
     *out_len = p - buf;
     MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));