6.5.5 Distributing X.509 Certificates

If the registry host uses a self-signed X.509 certificate, you must distribute the certificate to every host in your deployment that will use the local Docker registry.

Perform the following steps on each host that needs to access the local registry. Substitute registry_hostname with the name of the registry host, and port with the port number you selected for your Docker registry server (5000 by default).

To distribute a self-signed X.509 certificate:

  1. Create the /etc/docker/certs.d/registry_hostname:port directory.

    # mkdir -p /etc/docker/certs.d/registry_hostname:port

  2. Copy the X.509 certificate from the registry host using:

    # scp root@registry_hostname:/var/lib/registry/conf.d/domain.crt \
    /etc/docker/certs.d/registry_hostname:port/ca.crt

  3. Restart the docker service.

    # systemctl restart docker.service
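
The copied file becomes a trust anchor for the registry, so it is worth checking before Docker starts using it. The script below is an added example, not part of the original guide: it installs a staged copy of domain.crt as ca.crt only if its SHA-256 fingerprint matches a value obtained out of band from the registry administrator. The function names, the staging workflow and the optional fourth argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. The function names and the
# optional CERTS_ROOT argument are assumptions made for illustration.

# Print a PEM certificate's SHA-256 fingerprint as uppercase hex without colons.
# Prints nothing if the file is not a parseable certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g'
}

# Normalise a fingerprint typed or pasted by an operator.
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# install_registry_ca CERT HOST:PORT EXPECTED_FP [CERTS_ROOT]
# Returns 0 on install, 1 on fingerprint mismatch, 2 if CERT is not a certificate.
install_registry_ca() {
    cert=$1
    registry=$2
    expected=$(normalise_fp "$3")
    root=${4:-/etc/docker/certs.d}   # override only for testing

    actual=$(cert_fingerprint "$cert")
    if [ -z "$actual" ]; then
        echo "error: $cert is not a readable PEM certificate" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "error: fingerprint mismatch, refusing to trust $cert" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    mkdir -p "$root/$registry" &&
        cp "$cert" "$root/$registry/ca.crt" &&
        chmod 644 "$root/$registry/ca.crt"
}

# Direct invocation: sh install-registry-ca.sh CERT HOST:PORT EXPECTED_FP
if [ "$#" -eq 3 ]; then
    install_registry_ca "$1" "$2" "$3" && systemctl restart docker.service
fi
```

To use it, copy domain.crt with scp to a staging path instead of directly to ca.crt, then pass that path as CERT. The expected value can be read on the registry host with openssl x509 -in /var/lib/registry/conf.d/domain.crt -noout -fingerprint -sha256.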