diff --git a/keystoneclient/session.py b/keystoneclient/session.py
index aab90f94a..e453ba5d2 100644
--- a/keystoneclient/session.py
+++ b/keystoneclient/session.py
@@ -144,6 +144,8 @@ class Session(object):
         # so we need to actually check that this is False.
         if self.verify is False:
             string_parts.append('--insecure')
+        elif isinstance(self.verify, six.string_types):
+            string_parts.append('--cacert "%s"' % self.verify)
 
         if method:
             string_parts.extend(['-X', method])
diff --git a/keystoneclient/tests/test_session.py b/keystoneclient/tests/test_session.py
index 6a9d4080d..8aa5a1ee4 100644
--- a/keystoneclient/tests/test_session.py
+++ b/keystoneclient/tests/test_session.py
@@ -172,6 +172,16 @@ class SessionTests(utils.TestCase):
             self.assertEqual(v, resp.headers[k])
             self.assertNotIn(v, self.logger.output)
 
+    def test_logging_cacerts(self):
+        path_to_certs = '/path/to/certs'
+        session = client_session.Session(verify=path_to_certs)
+
+        self.stub_url('GET', text='text')
+        session.get(self.TEST_URL)
+
+        self.assertIn('--cacert', self.logger.output)
+        self.assertIn(path_to_certs, self.logger.output)
+
     def test_connect_retries(self):
 
         def _timeout_error(request, context):