diff --git a/agents/openstack/fence_openstack.py b/agents/openstack/fence_openstack.py
index c2d9df16..36b353b5 100755
--- a/agents/openstack/fence_openstack.py
+++ b/agents/openstack/fence_openstack.py
@@ -1,296 +1,302 @@
 #!@PYTHON@ -tt
 
 import atexit
 import logging
 import sys
 
 import urllib3
 
 sys.path.append("@FENCEAGENTSLIBDIR@")
 from fencing import *
 from fencing import fail_usage, run_delay
 
 try:
     from novaclient import client
     from novaclient.exceptions import Conflict, NotFound
 except ImportError:
     pass
 
 urllib3.disable_warnings(urllib3.exceptions.SecurityWarning)
 
 
 def translate_status(instance_status):
     if instance_status == "ACTIVE":
         return "on"
     elif instance_status == "SHUTOFF":
         return "off"
     return "unknown"
 
 
 def get_nodes_list(conn, options):
     logging.info("Running %s action", options["--action"])
     result = {}
     response = conn.servers.list(detailed=True)
     if response is not None:
         for item in response:
             instance_id = item.id
             instance_name = item.name
             instance_status = item.status
             result[instance_id] = (instance_name, translate_status(instance_status))
     return result
 
 
 def get_power_status(conn, options):
     logging.info("Running %s action on %s", options["--action"], options["--plug"])
     server = None
     try:
         server = conn.servers.get(options["--plug"])
     except NotFound as e:
         fail_usage("Failed: Not Found: " + str(e))
     if server is None:
         fail_usage("Server %s not found", options["--plug"])
     state = server.status
     status = translate_status(state)
     logging.info("get_power_status: %s (state: %s)" % (status, state))
     return status
 
 
 def set_power_status(conn, options):
     logging.info("Running %s action on %s", options["--action"], options["--plug"])
     action = options["--action"]
     server = None
     try:
         server = conn.servers.get(options["--plug"])
     except NotFound as e:
         fail_usage("Failed: Not Found: " + str(e))
     if server is None:
         fail_usage("Server %s not found", options["--plug"])
     if action == "on":
         logging.info("Starting instance " + server.name)
         try:
             server.start()
         except Conflict as e:
             fail_usage(e)
         logging.info("Called start API call for " + server.id)
     if action == "off":
         logging.info("Stopping instance " + server.name)
         try:
             server.stop()
         except Conflict as e:
             fail_usage(e)
         logging.info("Called stop API call for " + server.id)
     if action == "reboot":
         logging.info("Rebooting instance " + server.name)
         try:
             server.reboot("HARD")
         except Conflict as e:
             fail_usage(e)
         logging.info("Called reboot hard API call for " + server.id)
 
 
 def nova_login(username, password, projectname, auth_url, user_domain_name,
                project_domain_name, ssl_insecure, cacert, apitimeout):
     legacy_import = False
 
     try:
         from keystoneauth1 import loading
         from keystoneauth1 import session as ksc_session
         from keystoneauth1.exceptions.discovery import DiscoveryFailure
         from keystoneauth1.exceptions.http import Unauthorized
     except ImportError:
         try:
             from keystoneclient import session as ksc_session
             from keystoneclient.auth.identity import v3
 
             legacy_import = True
         except ImportError:
             fail_usage("Failed: Keystone client not found or not accessible")
 
     if not legacy_import:
         loader = loading.get_plugin_loader("password")
         auth = loader.load_from_options(
             auth_url=auth_url,
             username=username,
             password=password,
             project_name=projectname,
             user_domain_name=user_domain_name,
             project_domain_name=project_domain_name,
         )
     else:
         auth = v3.Password(
             auth_url=auth_url,
             username=username,
             password=password,
             project_name=projectname,
             user_domain_name=user_domain_name,
             project_domain_name=project_domain_name,
             cacert=cacert,
         )
 
-    session = ksc_session.Session(auth=auth, verify=False if ssl_insecure else cacert, timeout=apitimeout)
+    caverify=True
+    if ssl_insecure:
+        caverify=False
+    elif cacert:
+        caverify=cacert
+
+    session = ksc_session.Session(auth=auth, verify=caverify, timeout=apitimeout)
     nova = client.Client("2", session=session, timeout=apitimeout)
     apiversion = None
     try:
         apiversion = nova.versions.get_current()
     except DiscoveryFailure as e:
         fail_usage("Failed: Discovery Failure: " + str(e))
     except Unauthorized as e:
         fail_usage("Failed: Unauthorized: " + str(e))
     except Exception as e:
         logging.error(e)
     logging.debug("Nova version: %s", apiversion)
     return nova
 
 
 def define_new_opts():
     all_opt["auth-url"] = {
         "getopt": ":",
         "longopt": "auth-url",
         "help": "--auth-url=[authurl]           Keystone Auth URL",
         "required": "1",
         "shortdesc": "Keystone Auth URL",
         "order": 2,
     }
     all_opt["project-name"] = {
         "getopt": ":",
         "longopt": "project-name",
         "help": "--project-name=[project]       Tenant Or Project Name",
         "required": "1",
         "shortdesc": "Keystone Project",
         "default": "admin",
         "order": 3,
     }
     all_opt["user-domain-name"] = {
         "getopt": ":",
         "longopt": "user-domain-name",
         "help": "--user-domain-name=[domain]    Keystone User Domain Name",
         "required": "0",
         "shortdesc": "Keystone User Domain Name",
         "default": "Default",
         "order": 4,
     }
     all_opt["project-domain-name"] = {
         "getopt": ":",
         "longopt": "project-domain-name",
         "help": "--project-domain-name=[domain] Keystone Project Domain Name",
         "required": "0",
         "shortdesc": "Keystone Project Domain Name",
         "default": "Default",
         "order": 5,
     }
     all_opt["uuid"] = {
         "getopt": ":",
         "longopt": "uuid",
         "help": "--uuid=[uuid]                  Replaced by -n, --plug",
         "required": "0",
         "shortdesc": "Replaced by port/-n/--plug",
         "order": 6,
     }
     all_opt["cacert"] = {
         "getopt": ":",
         "longopt": "cacert",
-        "help": "--cacert=[cacert]              Path to the PEM file with trusted authority certificates",
+        "help": "--cacert=[cacert]              Path to the PEM file with trusted authority certificates (override global CA trust)",
         "required": "0",
         "shortdesc": "SSL X.509 certificates file",
-        "default": "/etc/pki/tls/certs/ca-bundle.crt",
+        "default": "",
         "order": 7,
     }
     all_opt["apitimeout"] = {
         "getopt": ":",
         "type": "second",
         "longopt": "apitimeout",
         "help": "--apitimeout=[seconds]         Timeout to use for API calls",
         "shortdesc": "Timeout in seconds to use for API calls, default is 60.",
         "required": "0",
         "default": 60,
         "order": 8,
     }
 
 
 def main():
     conn = None
 
     device_opt = [
         "login",
         "passwd",
         "auth-url",
         "project-name",
         "user-domain-name",
         "project-domain-name",
         "port",
         "no_port",
         "uuid",
         "ssl_insecure",
         "cacert",
         "apitimeout",
     ]
 
     atexit.register(atexit_handler)
 
     define_new_opts()
 
     all_opt["port"]["required"] = "0"
     all_opt["port"]["help"] = "-n, --plug=[UUID]              UUID of the node to be fenced"
     all_opt["port"]["shortdesc"] = "UUID of the node to be fenced."
     all_opt["power_timeout"]["default"] = "60"
 
     options = check_input(device_opt, process_input(device_opt))
 
     # workaround to avoid regressions
     if "--uuid" in options:
         options["--plug"] = options["--uuid"]
         del options["--uuid"]
     elif ("--help" not in options
           and options["--action"] in ["off", "on", "reboot", "status", "validate-all"]
           and "--plug" not in options):
         stop_after_error = False if options["--action"] == "validate-all" else True
         fail_usage(
             "Failed: You have to enter plug number or machine identification",
             stop_after_error,
         )
 
     docs = {}
     docs["shortdesc"] = "Fence agent for OpenStack's Nova service"
     docs["longdesc"] = "fence_openstack is a Fencing agent \
 which can be used with machines controlled by the Openstack's Nova service. \
 This agent calls the python-novaclient and it is mandatory to be installed "
     docs["vendorurl"] = "https://wiki.openstack.org/wiki/Nova"
     show_docs(options, docs)
 
     run_delay(options)
 
     username = options["--username"]
     password = options["--password"]
     projectname = options["--project-name"]
     auth_url = None
     try:
         auth_url = options["--auth-url"]
     except KeyError:
         fail_usage("Failed: You have to set the Keystone service endpoint for authorization")
     user_domain_name = options["--user-domain-name"]
     project_domain_name = options["--project-domain-name"]
     ssl_insecure = "--ssl-insecure" in options
     cacert = options["--cacert"]
     apitimeout = options["--apitimeout"]
     try:
         conn = nova_login(
             username,
             password,
             projectname,
             auth_url,
             user_domain_name,
             project_domain_name,
             ssl_insecure,
             cacert,
             apitimeout,
         )
     except Exception as e:
         fail_usage("Failed: Unable to connect to Nova: " + str(e))
 
     # Operate the fencing device
     result = fence_action(conn, options, set_power_status, get_power_status, get_nodes_list)
     sys.exit(result)
 
 
 if __name__ == "__main__":
     main()
diff --git a/tests/data/metadata/fence_openstack.xml b/tests/data/metadata/fence_openstack.xml
index 926d18c3..c8dc2e60 100644
--- a/tests/data/metadata/fence_openstack.xml
+++ b/tests/data/metadata/fence_openstack.xml
@@ -1,204 +1,204 @@
 <?xml version="1.0" ?>
 <resource-agent name="fence_openstack" shortdesc="Fence agent for OpenStack's Nova service" >
 <longdesc>fence_openstack is a Fencing agent which can be used with machines controlled by the Openstack's Nova service. This agent calls the python-novaclient and it is mandatory to be installed </longdesc>
 <vendor-url>https://wiki.openstack.org/wiki/Nova</vendor-url>
 <parameters>
 	<parameter name="action" unique="0" required="1">
 		<getopt mixed="-o, --action=[action]" />
 		<content type="string" default="reboot"  />
 		<shortdesc lang="en">Fencing action</shortdesc>
 	</parameter>
 	<parameter name="login" unique="0" required="1" deprecated="1">
 		<getopt mixed="-l, --username=[name]" />
 		<content type="string"  />
 		<shortdesc lang="en">Login name</shortdesc>
 	</parameter>
 	<parameter name="passwd" unique="0" required="0" deprecated="1">
 		<getopt mixed="-p, --password=[password]" />
 		<content type="string"  />
 		<shortdesc lang="en">Login password or passphrase</shortdesc>
 	</parameter>
 	<parameter name="passwd_script" unique="0" required="0" deprecated="1">
 		<getopt mixed="-S, --password-script=[script]" />
 		<content type="string"  />
 		<shortdesc lang="en">Script to run to retrieve password</shortdesc>
 	</parameter>
 	<parameter name="password" unique="0" required="0" obsoletes="passwd">
 		<getopt mixed="-p, --password=[password]" />
 		<content type="string"  />
 		<shortdesc lang="en">Login password or passphrase</shortdesc>
 	</parameter>
 	<parameter name="password_script" unique="0" required="0" obsoletes="passwd_script">
 		<getopt mixed="-S, --password-script=[script]" />
 		<content type="string"  />
 		<shortdesc lang="en">Script to run to retrieve password</shortdesc>
 	</parameter>
 	<parameter name="plug" unique="0" required="0" obsoletes="port">
 		<getopt mixed="-n, --plug=[UUID]" />
 		<content type="string"  />
 		<shortdesc lang="en">UUID of the node to be fenced.</shortdesc>
 	</parameter>
 	<parameter name="port" unique="0" required="0" deprecated="1">
 		<getopt mixed="-n, --plug=[UUID]" />
 		<content type="string"  />
 		<shortdesc lang="en">UUID of the node to be fenced.</shortdesc>
 	</parameter>
 	<parameter name="ssl_insecure" unique="0" required="0">
 		<getopt mixed="--ssl-insecure" />
 		<content type="boolean"  />
 		<shortdesc lang="en">Use SSL connection without verifying certificate</shortdesc>
 	</parameter>
 	<parameter name="username" unique="0" required="1" obsoletes="login">
 		<getopt mixed="-l, --username=[name]" />
 		<content type="string"  />
 		<shortdesc lang="en">Login name</shortdesc>
 	</parameter>
 	<parameter name="auth-url" unique="0" required="1" deprecated="1">
 		<getopt mixed="--auth-url=[authurl]" />
 		<content type="string"  />
 		<shortdesc lang="en">Keystone Auth URL</shortdesc>
 	</parameter>
 	<parameter name="auth_url" unique="0" required="1" obsoletes="auth-url">
 		<getopt mixed="--auth-url=[authurl]" />
 		<content type="string"  />
 		<shortdesc lang="en">Keystone Auth URL</shortdesc>
 	</parameter>
 	<parameter name="project-name" unique="0" required="1" deprecated="1">
 		<getopt mixed="--project-name=[project]" />
 		<content type="string" default="admin"  />
 		<shortdesc lang="en">Keystone Project</shortdesc>
 	</parameter>
 	<parameter name="project_name" unique="0" required="1" obsoletes="project-name">
 		<getopt mixed="--project-name=[project]" />
 		<content type="string" default="admin"  />
 		<shortdesc lang="en">Keystone Project</shortdesc>
 	</parameter>
 	<parameter name="user-domain-name" unique="0" required="0" deprecated="1">
 		<getopt mixed="--user-domain-name=[domain]" />
 		<content type="string" default="Default"  />
 		<shortdesc lang="en">Keystone User Domain Name</shortdesc>
 	</parameter>
 	<parameter name="user_domain_name" unique="0" required="0" obsoletes="user-domain-name">
 		<getopt mixed="--user-domain-name=[domain]" />
 		<content type="string" default="Default"  />
 		<shortdesc lang="en">Keystone User Domain Name</shortdesc>
 	</parameter>
 	<parameter name="project-domain-name" unique="0" required="0" deprecated="1">
 		<getopt mixed="--project-domain-name=[domain]" />
 		<content type="string" default="Default"  />
 		<shortdesc lang="en">Keystone Project Domain Name</shortdesc>
 	</parameter>
 	<parameter name="project_domain_name" unique="0" required="0" obsoletes="project-domain-name">
 		<getopt mixed="--project-domain-name=[domain]" />
 		<content type="string" default="Default"  />
 		<shortdesc lang="en">Keystone Project Domain Name</shortdesc>
 	</parameter>
 	<parameter name="uuid" unique="0" required="0">
 		<getopt mixed="--uuid=[uuid]" />
 		<content type="string"  />
 		<shortdesc lang="en">Replaced by port/-n/--plug</shortdesc>
 	</parameter>
 	<parameter name="cacert" unique="0" required="0">
 		<getopt mixed="--cacert=[cacert]" />
-		<content type="string" default="/etc/pki/tls/certs/ca-bundle.crt"  />
+		<content type="string" default=""  />
 		<shortdesc lang="en">SSL X.509 certificates file</shortdesc>
 	</parameter>
 	<parameter name="apitimeout" unique="0" required="0">
 		<getopt mixed="--apitimeout=[seconds]" />
 		<content type="second" default="60"  />
 		<shortdesc lang="en">Timeout in seconds to use for API calls, default is 60.</shortdesc>
 	</parameter>
 	<parameter name="quiet" unique="0" required="0">
 		<getopt mixed="-q, --quiet" />
 		<content type="boolean"  />
 		<shortdesc lang="en">Disable logging to stderr. Does not affect --verbose or --debug-file or logging to syslog.</shortdesc>
 	</parameter>
 	<parameter name="verbose" unique="0" required="0">
 		<getopt mixed="-v, --verbose" />
 		<content type="boolean"  />
 		<shortdesc lang="en">Verbose mode. Multiple -v flags can be stacked on the command line (e.g., -vvv) to increase verbosity.</shortdesc>
 	</parameter>
 	<parameter name="verbose_level" unique="0" required="0">
 		<getopt mixed="--verbose-level" />
 		<content type="integer"  />
 		<shortdesc lang="en">Level of debugging detail in output. Defaults to the number of --verbose flags specified on the command line, or to 1 if verbose=1 in a stonith device configuration (i.e., on stdin).</shortdesc>
 	</parameter>
 	<parameter name="debug" unique="0" required="0" deprecated="1">
 		<getopt mixed="-D, --debug-file=[debugfile]" />
 		<content type="string"  />
 		<shortdesc lang="en">Write debug information to given file</shortdesc>
 	</parameter>
 	<parameter name="debug_file" unique="0" required="0" obsoletes="debug">
 		<getopt mixed="-D, --debug-file=[debugfile]" />
 		<content type="string"  />
 		<shortdesc lang="en">Write debug information to given file</shortdesc>
 	</parameter>
 	<parameter name="version" unique="0" required="0">
 		<getopt mixed="-V, --version" />
 		<content type="boolean"  />
 		<shortdesc lang="en">Display version information and exit</shortdesc>
 	</parameter>
 	<parameter name="help" unique="0" required="0">
 		<getopt mixed="-h, --help" />
 		<content type="boolean"  />
 		<shortdesc lang="en">Display help and exit</shortdesc>
 	</parameter>
 	<parameter name="separator" unique="0" required="0">
 		<getopt mixed="-C, --separator=[char]" />
 		<content type="string" default=","  />
 		<shortdesc lang="en">Separator for CSV created by 'list' operation</shortdesc>
 	</parameter>
 	<parameter name="delay" unique="0" required="0">
 		<getopt mixed="--delay=[seconds]" />
 		<content type="second" default="0"  />
 		<shortdesc lang="en">Wait X seconds before fencing is started</shortdesc>
 	</parameter>
 	<parameter name="disable_timeout" unique="0" required="0">
 		<getopt mixed="--disable-timeout=[true/false]" />
 		<content type="string"  />
 		<shortdesc lang="en">Disable timeout (true/false) (default: true when run from Pacemaker 2.0+)</shortdesc>
 	</parameter>
 	<parameter name="login_timeout" unique="0" required="0">
 		<getopt mixed="--login-timeout=[seconds]" />
 		<content type="second" default="5"  />
 		<shortdesc lang="en">Wait X seconds for cmd prompt after login</shortdesc>
 	</parameter>
 	<parameter name="power_timeout" unique="0" required="0">
 		<getopt mixed="--power-timeout=[seconds]" />
 		<content type="second" default="60"  />
 		<shortdesc lang="en">Test X seconds for status change after ON/OFF</shortdesc>
 	</parameter>
 	<parameter name="power_wait" unique="0" required="0">
 		<getopt mixed="--power-wait=[seconds]" />
 		<content type="second" default="0"  />
 		<shortdesc lang="en">Wait X seconds after issuing ON/OFF</shortdesc>
 	</parameter>
 	<parameter name="shell_timeout" unique="0" required="0">
 		<getopt mixed="--shell-timeout=[seconds]" />
 		<content type="second" default="3"  />
 		<shortdesc lang="en">Wait X seconds for cmd prompt after issuing command</shortdesc>
 	</parameter>
 	<parameter name="stonith_status_sleep" unique="0" required="0">
 		<getopt mixed="--stonith-status-sleep=[seconds]" />
 		<content type="second" default="1"  />
 		<shortdesc lang="en">Sleep X seconds between status calls during a STONITH action</shortdesc>
 	</parameter>
 	<parameter name="retry_on" unique="0" required="0">
 		<getopt mixed="--retry-on=[attempts]" />
 		<content type="integer" default="1"  />
 		<shortdesc lang="en">Count of attempts to retry power on</shortdesc>
 	</parameter>
 </parameters>
 <actions>
 	<action name="on" automatic="0"/>
 	<action name="off" />
 	<action name="reboot" />
 	<action name="status" />
 	<action name="list" />
 	<action name="list-status" />
 	<action name="monitor" />
 	<action name="metadata" />
 	<action name="manpage" />
 	<action name="validate-all" />
 </actions>
 </resource-agent>