diff --git a/ceilometerclient/client.py b/ceilometerclient/client.py
index c65c214c..e65c6276 100644
--- a/ceilometerclient/client.py
+++ b/ceilometerclient/client.py
@@ -21,6 +21,7 @@ def _get_ksclient(**kwargs):
 * username: name of user
 * password: user's password
 * auth_url: endpoint to authenticate against
+ * cacert: path of CA TLS certificate
 * insecure: allow insecure SSL (no cert verification)
 * tenant_{name|id}: name or ID of tenant
 """
@@ -30,6 +31,7 @@ def _get_ksclient(**kwargs):
 tenant_name=kwargs.get('tenant_name'),
 auth_url=kwargs.get('auth_url'),
 region_name=kwargs.get('region_name'),
+ cacert=kwargs.get('cacert'),
 insecure=kwargs.get('insecure'))
@@ -52,6 +54,7 @@ def get_client(api_version, **kwargs):
 * os_username: name of user
 * os_password: user's password
 * os_auth_url: endpoint to authenticate against
+ * os_cacert: path of CA TLS certificate
 * insecure: allow insecure SSL (no cert verification)
 * os_tenant_{name|id}: name or ID of tenant
 """
@@ -72,6 +75,7 @@ def get_client(api_version, **kwargs):
 'region_name': kwargs.get('os_region_name'),
 'service_type': kwargs.get('os_service_type'),
 'endpoint_type': kwargs.get('os_endpoint_type'),
+ 'cacert': kwargs.get('os_cacert'),
 'insecure': kwargs.get('insecure'),
 }
 _ksclient = _get_ksclient(**ks_kwargs)
@@ -86,7 +90,7 @@ def get_client(api_version, **kwargs):
 'token': token,
 'insecure': kwargs.get('insecure'),
 'timeout': kwargs.get('timeout'),
- 'ca_file': kwargs.get('ca_file'),
+ 'cacert': kwargs.get('cacert'),
 'cert_file': kwargs.get('cert_file'),
 'key_file': kwargs.get('key_file'),
 }
diff --git a/ceilometerclient/common/http.py b/ceilometerclient/common/http.py
index a0e03f43..b53bb988 100644
--- a/ceilometerclient/common/http.py
+++ b/ceilometerclient/common/http.py
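Review bot: In `ceilometerclient/client.py`, the last hunk (`@@ -86,7 +90,7 @@`, inside `get_client`) reads the CA bundle for the API connection from `kwargs.get('cacert')`, while the same function's docstring and the keystone arguments in the `@@ -72,6 +75,7 @@` hunk use `os_cacert`, and the shell change in this commit stores the option under `dest='os_cacert'`. If callers pass only `os_cacert`, as the shell appears to, the user's CA file is applied to the keystone request but silently dropped for the ceilometer endpoint, which then verifies against the system CA file; against a private CA that fails closed and tends to push operators toward the `insecure` option. Reading both names keeps either spelling working: `'cacert': kwargs.get('os_cacert') or kwargs.get('cacert'),`. The enclosing dict and the rest of `get_client` lie outside the hunk.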
@@ -63,7 +63,7 @@ class HTTPClient(object):
 if parts.scheme == 'https':
 _class = VerifiedHTTPSConnection
- _kwargs['ca_file'] = kwargs.get('ca_file', None)
+ _kwargs['ca_cert'] = kwargs.get('cacert', None)
 _kwargs['cert_file'] = kwargs.get('cert_file', None)
 _kwargs['key_file'] = kwargs.get('key_file', None)
 _kwargs['insecure'] = kwargs.get('insecure', False)
@@ -93,7 +93,7 @@ class HTTPClient(object):
 conn_params_fmt = [
 ('key_file', '--key %s'),
 ('cert_file', '--cert %s'),
- ('ca_file', '--cacert %s'),
+ ('cacert', '--cacert %s'),
 ]
 for (key, fmt) in conn_params_fmt:
 value = self.connection_params[2].get(key)
@@ -215,21 +215,21 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
 """
 def __init__(self, host, port, key_file=None, cert_file=None,
- ca_file=None, timeout=None, insecure=False):
+ cacert=None, timeout=None, insecure=False):
 httplib.HTTPSConnection.__init__(self, host, port, key_file=key_file,
 cert_file=cert_file)
 self.key_file = key_file
 self.cert_file = cert_file
- if ca_file is not None:
- self.ca_file = ca_file
+ if cacert is not None:
+ self.cacert = cacert
 else:
- self.ca_file = self.get_system_ca_file()
+ self.cacert = self.get_system_ca_file()
 self.timeout = timeout
 self.insecure = insecure
 def connect(self):
 """Connect to a host on a given (SSL) port.
- If ca_file is pointing somewhere, use it to check Server Certificate.
+ If cacert is pointing somewhere, use it to check Server Certificate.
 Redefined/copied and extended from httplib.py:1105 (Python 2.6.x).
 This is needed to pass cert_reqs=ssl.CERT_REQUIRED as parameter to
@@ -245,7 +245,7 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
 if self.insecure is True:
 kwargs = {'cert_reqs': ssl.CERT_NONE}
 else:
- kwargs = {'cert_reqs': ssl.CERT_REQUIRED, 'ca_certs': self.ca_file}
+ kwargs = {'cert_reqs': ssl.CERT_REQUIRED, 'ca_certs': self.cacert}
 if self.cert_file:
 kwargs['certfile'] = self.cert_file
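Review bot: The first `http.py` hunk (`@@ -63,7 +63,7 @@`) stores the CA path under the key `'ca_cert'`, but every other renamed site in this file uses `cacert`: the `VerifiedHTTPSConnection.__init__` parameter in the `@@ -215,21 +215,21 @@` hunk and the curl-logging lookup `('cacert', '--cacert %s')` in the `@@ -93,7 +93,7 @@` hunk. Assuming `_kwargs` is later expanded into the connection class constructor (that code is outside the hunk), HTTPS connections would fail with an unexpected-keyword error, and even if the key were tolerated the logged curl command would omit `--cacert`. The line should read `_kwargs['cacert'] = kwargs.get('cacert', None)`. A unit test that builds an `https` client with a `cacert` value and asserts it reaches `VerifiedHTTPSConnection` would catch this kind of key mismatch.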
diff --git a/ceilometerclient/shell.py b/ceilometerclient/shell.py
index 3ea531a2..b6d3939b 100644
--- a/ceilometerclient/shell.py
+++ b/ceilometerclient/shell.py
@@ -76,11 +76,17 @@ class CeilometerShell(object):
 ' This option is not necessary if your key is '
 'prepended to your cert file.')
- parser.add_argument('--ca-file',
- help='Path of CA SSL certificate(s) used to verify'
- ' the remote server certificate. Without this '
+ parser.add_argument('--os-cacert',
+ metavar='',
+ dest='os_cacert',
+ default=utils.env('OS_CACERT'),
+ help='Path of CA TLS certificate(s) used to verify'
+ 'the remote server\'s certificate. Without this '
 'option ceilometer looks for the default system '
 'CA certificates.')
+ parser.add_argument('--ca-file',
+ dest='os_cacert',
+ help='DEPRECATED! Use --os-cacert.')
 parser.add_argument('--timeout',
 default=600,
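Review bot: The new `--os-cacert` help text loses the separating space between its first two string fragments, so it renders as "verifythe remote server's certificate"; the removed `--ca-file` text carried that space at the start of its second fragment. Change the first fragment to `help='Path of CA TLS certificate(s) used to verify '`. The deprecated `--ca-file` alias shares `dest='os_cacert'` and is accepted silently; because this option decides which CA the server certificate is verified against, a one-line deprecation warning when it is used would help operators migrate scripts before the alias is removed. The `add_argument` calls sit inside a `CeilometerShell` method whose start and end are outside the hunk.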