diff --git a/contrib/tempest/tempest/api/share/test_rules.py b/contrib/tempest/tempest/api/share/test_rules.py
index 30b051479c..2644914b2f 100644
--- a/contrib/tempest/tempest/api/share/test_rules.py
+++ b/contrib/tempest/tempest/api/share/test_rules.py
@@ -156,6 +156,49 @@ class ShareUserRulesForCIFSTest(ShareUserRulesForNFSTest):
         _create_delete_ro_access_rule(self)
 
 
+class ShareCertRulesForGLUSTERFSTest(base.BaseSharesTest):
+    protocol = "glusterfs"
+
+    @classmethod
+    def resource_setup(cls):
+        super(ShareCertRulesForGLUSTERFSTest, cls).resource_setup()
+        if (cls.protocol not in CONF.share.enable_protocols or
+                cls.protocol not in
+                CONF.share.enable_cert_rules_for_protocols):
+            msg = "Cert rule tests for %s protocol are disabled" % cls.protocol
+            raise cls.skipException(msg)
+        cls.share = cls.create_share(cls.protocol)
+        cls.access_type = "cert"
+        # Provide access to a client identified by a common name (CN) of the
+        # certificate that it possesses.
+        cls.access_to = "client1.com"
+
+    @test.attr(type=["gate", ])
+    def test_create_delete_cert_rule(self):
+
+        # create rule
+        rule = self.shares_client.create_access_rule(
+            self.share["id"], self.access_type, self.access_to)
+        self.assertEqual('rw', rule['access_level'])
+        self.shares_client.wait_for_access_rule_status(
+            self.share["id"], rule["id"], "active")
+
+        # delete rule
+        self.shares_client.delete_access_rule(self.share["id"], rule["id"])
+
+    @test.attr(type=["gate", ])
+    @testtools.skipIf(
+        "glusterfs" not in CONF.share.enable_ro_access_level_for_protocols,
+        "RO access rule tests are disabled for GLUSTERFS protocol.")
+    def test_create_delete_cert_ro_access_rule(self):
+        rule = self.shares_client.create_access_rule(
+            self.share["id"], 'cert', 'client2.com', 'ro')
+        self.assertEqual('ro', rule['access_level'])
+        self.shares_client.wait_for_access_rule_status(
+            self.share["id"], rule["id"], "active")
+        self.shares_client.delete_access_rule(self.share["id"], rule["id"])
+
+
 class ShareRulesTest(base.BaseSharesTest):
 
     @classmethod
@@ -164,6 +207,8 @@ class ShareRulesTest(base.BaseSharesTest):
         if not (any(p in CONF.share.enable_ip_rules_for_protocols
                     for p in cls.protocols) or
                 any(p in CONF.share.enable_user_rules_for_protocols
+                    for p in cls.protocols) or
+                any(p in CONF.share.enable_cert_rules_for_protocols
                     for p in cls.protocols)):
             cls.message = "Rule tests are disabled"
             raise cls.skipException(cls.message)
@@ -182,6 +227,10 @@ class ShareRulesTest(base.BaseSharesTest):
             self.access_type = "user"
             self.access_to = CONF.share.username_for_user_rules
             protocol = CONF.share.enable_user_rules_for_protocols[0]
+        elif CONF.share.enable_cert_rules_for_protocols:
+            self.access_type = "cert"
+            self.access_to = "client3.com"
+            protocol = CONF.share.enable_cert_rules_for_protocols[0]
         else:
             raise self.skipException(self.message)
         self.shares_client.protocol = protocol
diff --git a/contrib/tempest/tempest/api/share/test_rules_negative.py b/contrib/tempest/tempest/api/share/test_rules_negative.py
index 148b603ac0..c9579ff71d 100644
--- a/contrib/tempest/tempest/api/share/test_rules_negative.py
+++ b/contrib/tempest/tempest/api/share/test_rules_negative.py
@@ -198,6 +198,60 @@ class ShareUserRulesForCIFSNegativeTest(ShareUserRulesForNFSNegativeTest):
     protocol = "cifs"
 
 
+class ShareCertRulesForGLUSTERFSNegativeTest(base.BaseSharesTest):
+    protocol = "glusterfs"
+
+    @classmethod
+    def resource_setup(cls):
+        super(ShareCertRulesForGLUSTERFSNegativeTest, cls).resource_setup()
+        if not (cls.protocol in CONF.share.enable_protocols and
+                cls.protocol in CONF.share.enable_cert_rules_for_protocols):
+            msg = "CERT rule tests for %s protocol are disabled" % cls.protocol
+            raise cls.skipException(msg)
+        # create share
+        cls.share = cls.create_share(cls.protocol)
+        if CONF.share.run_snapshot_tests:
+            # create snapshot
+            cls.snap = cls.create_snapshot_wait_for_active(cls.share["id"])
+
+    @test.attr(type=["negative", "gate", ])
+    def test_create_access_rule_cert_with_empty_common_name(self):
+        self.assertRaises(lib_exc.BadRequest,
+                          self.shares_client.create_access_rule,
+                          self.share["id"], "cert", "")
+
+    @test.attr(type=["negative", "gate", ])
+    def test_create_access_rule_cert_with_whitespace_common_name(self):
+        self.assertRaises(lib_exc.BadRequest,
+                          self.shares_client.create_access_rule,
+                          self.share["id"], "cert", " ")
+
+    @test.attr(type=["negative", "gate", ])
+    def test_create_access_rule_cert_with_too_big_common_name(self):
+        # common name cannot be more than 64 characters long
+        self.assertRaises(lib_exc.BadRequest,
+                          self.shares_client.create_access_rule,
+                          self.share["id"], "cert", "a" * 65)
+
+    @test.attr(type=["negative", "gate", ])
+    @testtools.skipUnless(CONF.share.run_snapshot_tests,
+                          "Snapshot tests are disabled.")
+    def test_create_access_rule_cert_to_snapshot(self):
+        self.assertRaises(lib_exc.NotFound,
+                          self.shares_client.create_access_rule,
+                          self.snap["id"],
+                          access_type="cert",
+                          access_to="fakeclient1.com")
+
+    @test.attr(type=["negative", "gate", ])
+    def test_create_access_rule_cert_with_wrong_share_id(self):
+        self.assertRaises(lib_exc.NotFound,
+                          self.shares_client.create_access_rule,
+                          "wrong_share_id",
+                          access_type="cert",
+                          access_to="fakeclient2.com")
+
+
 class ShareRulesNegativeTest(base.BaseSharesTest):
     # Tests independent from rule type and share protocol
 
@@ -207,6 +261,8 @@ class ShareRulesNegativeTest(base.BaseSharesTest):
         if not (any(p in CONF.share.enable_ip_rules_for_protocols
                     for p in cls.protocols) or
                 any(p in CONF.share.enable_user_rules_for_protocols
+                    for p in cls.protocols) or
+                any(p in CONF.share.enable_cert_rules_for_protocols
                     for p in cls.protocols)):
             cls.message = "Rule tests are disabled"
             raise cls.skipException(cls.message)
diff --git a/contrib/tempest/tempest/config_share.py b/contrib/tempest/tempest/config_share.py
index c3927c6188..6a82221d79 100644
--- a/contrib/tempest/tempest/config_share.py
+++ b/contrib/tempest/tempest/config_share.py
@@ -70,6 +70,9 @@ ShareGroup = [
                 default=[],
                 help="Selection of protocols, that should "
                      "be covered with user rule tests"),
+    cfg.ListOpt("enable_cert_rules_for_protocols",
+                default=["glusterfs", ],
+                help="Protocols that should be covered with cert rule tests."),
     cfg.StrOpt("username_for_user_rules",
                default="Administrator",
                help="Username, that will be used in user tests."),