6.5.2 Setting up Transport Layer Security for the Docker Registry

The registry host requires a valid X.509 certificate and private key to enable Transport Layer Security (TLS) with the registry, similar to using TLS for a web server. This section discusses adding the host's X.509 certificate and private key to Docker.

If the host already has an X.509 certificate, you can use that with Docker.

If the host does not have an X.509 certificate, you can create a self-signed, private certificate for testing purposes. For information on creating a self-signed certificate and private key, see Oracle® Linux: Managing Certificates and Public Key Infrastructure.

If you want to disable X.509 certificate validation for testing purposes, see Section 4.6, “Setting Container Registry Options”.

To use the X.509 Certificate with Docker:

  1. If the host's X.509 certificate was issued by an intermediate Certificate Authority (CA), you must combine the host's certificate with the intermediate CA's certificate to create a chained certificate so that Docker can verify the host's X.509 certificate. For example:

    # cat registry.example.com.crt intermediate-ca.pem > domain.crt
  2. Create the /var/lib/registry/conf.d directory, into which you need to copy the certificate and private key.

    # mkdir -p /var/lib/registry/conf.d
  3. Copy the certificate and private key to the /var/lib/registry/conf.d directory.

    # cp certfile /var/lib/registry/conf.d/domain.crt
    # cp keyfile /var/lib/registry/conf.d/domain.key

    where certfile is the full path to the host's X.509 certificate, and keyfile is the full path to the host's private key. For example:

    # cp /etc/pki/tls/certs/registry.example.com.crt \
    # cp /etc/pki/tls/private/registry.example.com.key \
  4. Make sure the file permissions are correct for the private key:

    # chmod 600 /var/lib/registry/conf.d/domain.key