diff --git a/doc/common/section_cli_keystone_credentials.xml b/doc/common/section_cli_keystone_credentials.xml
index 0e03ab1469..f162bec1ea 100644
--- a/doc/common/section_cli_keystone_credentials.xml
+++ b/doc/common/section_cli_keystone_credentials.xml
@@ -72,8 +72,7 @@
Export the URL of the keystone auth server, for
- example http://localhost:5000/v2.0', to the
+ example http://localhost:5000/v2.0, to the
OS_AUTH_URL environment
variable:$export OS_AUTH_URL="<authServerURL>"
@@ -117,4 +116,22 @@
+
+ To configure the keystone client to verify the TLS (HTTPS) server certificate
+
+ Define the OS_CACERT environment variable to set the location for the
+ CA trust store (PEM formatted) for this client:
+ $export OS_CACERT=/path/to/cacertFile
+
+ Alternatively, you can specify these parameters
+ on any keystone client command:
+
+ --os-cacert
+ OS_CACERT.
+ CA bundle file to use in verifying a TLS
+ (HTTPS) server certificate. Defaults to
+ env[OS_CACERT].
+
+
+
diff --git a/doc/common/section_cli_openrc.xml b/doc/common/section_cli_openrc.xml
index 99e98f4bfb..a0dae9b8bb 100644
--- a/doc/common/section_cli_openrc.xml
+++ b/doc/common/section_cli_openrc.xml
@@ -90,7 +90,8 @@ export OS_TENANT_NAME=projectName
export OS_AUTH_URL=https://identityHost:portNumber/v2.0
# The following lines can be omitted
export OS_TENANT_ID=tenantIDString
-export OS_REGION_NAME=regionName
+export OS_REGION_NAME=regionName
+export OS_CACERT=/path/to/cacertFileOn any shell from which you want to run
@@ -115,6 +116,13 @@ export OS_REGION_NAME=regionName
parameter with OpenStack client commands
instead.
+
+ You must set the OS_CACERT environment variable when
+ using the https protocol in the OS_AUTH_URL environment setting because
+ the verification process for the TLS (HTTPS) server certificate uses
+ the one indicated in the environment. This certificate will be used when
+ verifying the TLS (HTTPS) server certificate.
+ Override environment variable values