diff --git a/manila/share/drivers/netapp/dataontap/client/client_cmode.py b/manila/share/drivers/netapp/dataontap/client/client_cmode.py index 86550a2a45..2c5808d941 100644 --- a/manila/share/drivers/netapp/dataontap/client/client_cmode.py +++ b/manila/share/drivers/netapp/dataontap/client/client_cmode.py @@ -52,16 +52,24 @@ cfg.ListOpt( "cifs_cert_pem_paths", default=[ - "/etc/ssl/certs/SAPNetCA_G2.pem", - "/etc/ssl/certs/SAP_Global_Root_CA.pem", - "/etc/ssl/certs/SAP_Global_Sub_CA_02.pem", + "/etc/ssl/certs/ca-certificates.crt", + # "/etc/ssl/certs/SAPNetCA_G2.pem", + # "/etc/ssl/certs/SAP_Global_Root_CA.pem", + # "/etc/ssl/certs/SAP_Global_Sub_CA_02.pem", + # "/etc/ssl/certs/DigiCert_Global_Root_CA.pem", + # "/etc/ssl/certs/DigiCert_Global_Root_G2.pem", + ], + help="Path to the x509 certificate used for secure ldap " + "connections."), + cfg.ListOpt( + "cifs_cert_pem_paths_expiring_soon", + default=[ "/etc/ssl/certs/SAP_Global_Sub_CA_04.pem", "/etc/ssl/certs/SAP_Global_Sub_CA_05.pem", - "/etc/ssl/certs/DigiCert_Global_Root_CA.pem", - "/etc/ssl/certs/DigiCert_Global_Root_G2.pem", ], help="Path to the x509 certificate used for secure ldap " - "connections.") + "connections, that are soon expiring. You may keep certs here in " + "the last 60 days of validity"), ] CONF.register_opts(client_cmode_opts) diff --git a/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py b/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py index fc37ffb6e2..9bb143227d 100644 --- a/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py +++ b/manila/tests/share/drivers/netapp/dataontap/client/test_client_cmode.py @@ -20,6 +20,7 @@ from unittest import mock import ddt +from oslo_config import cfg from oslo_log import log import six @@ -31,6 +32,7 @@ from manila import test from manila.tests.share.drivers.netapp.dataontap.client import fakes as fake +CONF = cfg.CONF @ddt.ddt class NetAppClientCmodeTestCase(test.TestCase): 
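Review bot: Replacing the pinned SAP/DigiCert CA files with `/etc/ssl/certs/ca-certificates.crt` as the default for `cifs_cert_pem_paths` widens the trust anchor set for the LDAPS connection from a handful of corporate issuers to every public CA in the system bundle, so any of those CAs could issue a certificate the driver would accept for the directory server. If the goal is only to stop chasing expiring files, keep the corporate roots and add the new ones, or record the trade-off next to the default: `# Default trusts the full system bundle: any CA in it can vouch for the LDAP server; narrow this in production.` The five commented-out paths inside the default list are dead code and should be dropped rather than kept as comments. The help text for `cifs_cert_pem_paths_expiring_soon` says certificates may stay listed for the last 60 days of validity, while the test file in this change tolerates them until 30 days after expiry; I also cannot see in this hunk where the client consumes the new option, so if nothing reads it the expiring-soon files are never loaded into the trust store.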
@@ -2663,12 +2665,17 @@ def __call__(self, *args, **kwargs): mock.call('export-rule-create', export_rule_create_args), mock.call('export-rule-create', export_rule_create_args2)]) - def test_configure_certificates(self): + @ddt.data( + (CONF.cifs_cert_pem_paths, 60), # fail if expiring in 60 days + (CONF.cifs_cert_pem_paths_expiring_soon, -30) # fail if exp 30 days ago + ) + @ddt.unpack + def test_configure_certificates(self, cert_pem_paths, expiry_threshold): from cryptography import x509 import datetime import os - for cert_pem_path in self.client._cert_pem_paths: + for cert_pem_path in cert_pem_paths: self.assertTrue(os.path.exists(cert_pem_path), f'{cert_pem_path} not found') @@ -2689,7 +2696,7 @@ def test_configure_certificates(self): until_expiry = cert_will_expire_at - datetime.datetime.utcnow() self.assertTrue( - until_expiry > datetime.timedelta(days=60), + until_expiry > datetime.timedelta(days=expiry_threshold), f'cert {cert_pem_path} will expire in {until_expiry} ' f'at {cert_will_expire_at}')
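Review bot: The second `@ddt.data` row asserts `until_expiry > timedelta(days=-30)`, so `test_configure_certificates` passes for an expiring-soon certificate that expired up to 29 days ago; the inline comment `# fail if exp 30 days ago` should read `# fail only if expired more than 30 days ago`, and this threshold should agree with the option's help text, which speaks of the last 60 days of validity. Both rows read `CONF.cifs_cert_pem_paths*` when the test module is imported, so the test now pins the option defaults shipped in code instead of `self.client._cert_pem_paths`, which it previously inspected, and a divergence between what the client actually loads and what the test checks would go unnoticed. The new default `/etc/ssl/certs/ca-certificates.crt` is a concatenated bundle, and the loading code between the two hunks is not visible here; if it uses `x509.load_pem_x509_certificate`, only the first certificate in the bundle is parsed and the expiry check covers one arbitrary CA. The body of `test_configure_certificates` continues past the end of this hunk.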
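Review bot: With a negative `expiry_threshold` the failure message `f'cert {cert_pem_path} will expire in {until_expiry} at {cert_will_expire_at}'` reports a negative timedelta for a certificate that has already expired and hides which threshold was in force; consider `f'cert {cert_pem_path} expires at {cert_will_expire_at} ({until_expiry} from now, threshold {expiry_threshold} days)'`. The context line subtracts naive `datetime.datetime.utcnow()` from `cert_will_expire_at`; depending on which attribute the code between the hunks reads, newer cryptography releases return an aware value for `not_valid_after_utc`, and mixing the two raises `TypeError`, so pick one convention (for example `datetime.datetime.now(datetime.timezone.utc)` against the aware attribute). The enclosing method starts before this hunk.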