diff --git a/monascaclient/common/http.py b/monascaclient/common/http.py
index 720ca62..51d388b 100644
--- a/monascaclient/common/http.py
+++ b/monascaclient/common/http.py
@@ -69,7 +69,7 @@ class HTTPClient(object):
         self.key_file = kwargs.get('key_file')
 
         self.ssl_connection_params = {
-            'ca_file': kwargs.get('ca_file'),
+            'os_cacert': kwargs.get('os_cacert'),
             'cert_file': kwargs.get('cert_file'),
             'key_file': kwargs.get('key_file'),
             'insecure': kwargs.get('insecure'),
@@ -80,7 +80,7 @@ class HTTPClient(object):
             if kwargs.get('insecure'):
                 self.verify_cert = False
             else:
-                self.verify_cert = kwargs.get('ca_file', get_system_ca_file())
+                self.verify_cert = kwargs.get('os_cacert', get_system_ca_file())
 
     def replace_token(self, token):
         self.auth_token = token
@@ -96,7 +96,7 @@ class HTTPClient(object):
         conn_params_fmt = [
             ('key_file', '--key %s'),
             ('cert_file', '--cert %s'),
-            ('ca_file', '--cacert %s'),
+            ('os_cacert', '--cacert %s'),
         ]
         for (key, fmt) in conn_params_fmt:
             value = self.ssl_connection_params.get(key)
diff --git a/monascaclient/shell.py b/monascaclient/shell.py
index 5eedc05..e64df02 100644
--- a/monascaclient/shell.py
+++ b/monascaclient/shell.py
@@ -91,11 +91,13 @@ class MonascaShell(object):
                             'This option is not necessary if your key is'
                             ' prepended to your cert file.')
 
-        parser.add_argument('--ca-file',
-                            help='Path of CA SSL certificate(s) used to verify'
-                            ' the remote server\'s certificate. Without this'
-                            ' option the client looks'
-                            ' for the default system CA certificates.')
+        parser.add_argument('--os-cacert',
+                            default=utils.env('OS_CACERT'),
+                            help='Specify a CA bundle file to use in verifying'
+                            ' a TLS (https) server certificate. Defaults to'
+                            ' env[OS_CACERT]. Without either of these, the'
+                            ' client looks for the default system CA'
+                            ' certificates.')
 
         parser.add_argument('--timeout',
                             default=600,
@@ -260,6 +262,8 @@ class MonascaShell(object):
         kc_args = {'auth_url': kwargs.get('auth_url'),
                    'insecure': kwargs.get('insecure')}
 
+        if kwargs.get('os_cacert'):
+            kc_args['cacert'] = kwargs.get('os_cacert')
         if kwargs.get('project_id'):
             kc_args['project_id'] = kwargs.get('project_id')
         elif kwargs.get('project_name'):
@@ -377,6 +381,7 @@ class MonascaShell(object):
             'auth_url': args.os_auth_url,
             'service_type': args.os_service_type,
             'endpoint_type': args.os_endpoint_type,
+            'os_cacert': args.os_cacert,
             'project_id': args.os_project_id,
             'project_name': args.os_project_name,
             'domain_id': args.os_domain_id,
@@ -397,7 +402,7 @@ class MonascaShell(object):
                 'token': token,
                 'insecure': args.insecure,
                 'timeout': args.timeout,
-                'ca_file': args.ca_file,
+                'os_cacert': args.os_cacert,
                 'cert_file': args.cert_file,
                 'key_file': args.key_file,
                 'username': args.os_username,