diff --git a/man/systemd-sysctl.service.xml b/man/systemd-sysctl.service.xml
index 751aa2b09e..2313d4c44d 100644
--- a/man/systemd-sysctl.service.xml
+++ b/man/systemd-sysctl.service.xml
@@ -73,6 +73,30 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>Credentials</title>
+
+    <para><command>systemd-sysctl</command> supports the service credentials logic as implemented by
+    <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> (see
+    <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
+    details). The following credentials are used when passed in:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><literal>sysctl.extra</literal></term>
+
+        <listitem><para>The contents of this credential may contain additional lines to operate on. The
+        credential contents should follow the same format as any other <filename>sysctl.d/</filename>
+        drop-in. If this credential is passed it is processed after all of the drop-in files read from the
+        file system. The settings configured in the credential hence take precedence over those in the file
+        system.</para></listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Note that by default the <filename>systemd-sysctl.service</filename> unit file is set up to inherit
+    the <literal>sysctl.extra</literal> credential from the service manager.</para>
+  </refsect1>
+
   <refsect1>
     <title>Examples</title>
 
@@ -122,7 +146,7 @@ kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t %P %I
     <para>
       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
     </para>
   </refsect1>
 
diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c
index 2b854a7370..e92640d948 100644
--- a/src/sysctl/sysctl.c
+++ b/src/sysctl/sysctl.c
@@ -10,6 +10,7 @@
 #include <sys/types.h>
 
 #include "conf-files.h"
+#include "creds-util.h"
 #include "def.h"
 #include "errno-util.h"
 #include "fd-util.h"
@@ -277,6 +278,25 @@ static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ig
         return r;
 }
 
+static int read_credential_lines(OrderedHashmap **sysctl_options) {
+        _cleanup_free_ char *j = NULL;
+        const char *d;
+        int r;
+
+        r = get_credentials_dir(&d);
+        if (r == -ENXIO)
+                return 0;
+        if (r < 0)
+                return log_error_errno(r, "Failed to get credentials directory: %m");
+
+        j = path_join(d, "sysctl.extra");
+        if (!j)
+                return log_oom();
+
+        (void) parse_file(sysctl_options, j, /* ignore_enoent= */ true);
+        return 0;
+}
+
 static int help(void) {
         _cleanup_free_ char *link = NULL;
         int r;
@@ -416,6 +436,10 @@ static int run(int argc, char *argv[]) {
                         if (k < 0 && r == 0)
                                 r = k;
                 }
+
+                k = read_credential_lines(&sysctl_options);
+                if (k < 0 && r == 0)
+                        r = k;
         }
 
         k = apply_all(sysctl_options);
diff --git a/test/TEST-54-CREDS/test.sh b/test/TEST-54-CREDS/test.sh
index 3b2c241323..8d5d796cc8 100755
--- a/test/TEST-54-CREDS/test.sh
+++ b/test/TEST-54-CREDS/test.sh
@@ -5,7 +5,7 @@ set -e
 TEST_DESCRIPTION="test credentials"
 NSPAWN_ARGUMENTS="${NSPAWN_ARGUMENTS:-} --set-credential=mynspawncredential:strangevalue"
 QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg  name=opt/io.systemd.credentials/myqemucredential,string=othervalue"
-KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff rd.systemd.import_credentials=no"
+KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff systemd.set_credential=sysctl.extra:kernel.domainname=sysctltest rd.systemd.import_credentials=no"
 
 # shellcheck source=test/test-functions
 . "${TEST_BASE_DIR:?}/test-functions"
diff --git a/test/units/testsuite-54.sh b/test/units/testsuite-54.sh
index c5347e351e..06f3beb287 100755
--- a/test/units/testsuite-54.sh
+++ b/test/units/testsuite-54.sh
@@ -33,6 +33,9 @@ elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
     systemd-detect-virt -q -v
     expected_credential=myqemucredential
     expected_value=othervalue
+
+    # Verify that writing a sysctl via the kernel cmdline worked
+    [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
 else
     echo "qemu_fw_cfg support missing in kernel. Sniff!"
     expected_credential=""
diff --git a/units/systemd-sysctl.service.in b/units/systemd-sysctl.service.in
index 44b8853521..77793f3894 100644
--- a/units/systemd-sysctl.service.in
+++ b/units/systemd-sysctl.service.in
@@ -21,3 +21,4 @@ Type=oneshot
 RemainAfterExit=yes
 ExecStart={{ROOTLIBEXECDIR}}/systemd-sysctl
 TimeoutSec=90s
+LoadCredential=sysctl.extra