the certificates in the specified location (`/etc/certs`).
2. Create a `docker-container` builder that uses this configuration:
```console
$ docker buildx create --use --bootstrap \
--name mybuilder \
--driver docker-container \
--config /etc/buildkitd.toml
```
3. Inspect the builder's configuration file (`/etc/buildkit/buildkitd.toml`), it
shows that the certificate configuration is now configured in the builder.
```console
$ docker exec -it buildx_buildkit_mybuilder0 cat /etc/buildkit/buildkitd.toml
```
```toml
debug = true
[registry]
[registry."myregistry.com"]
ca = ["/etc/buildkit/certs/myregistry.com/myregistry.pem"]
[[registry."myregistry.com".keypair]]
cert = "/etc/buildkit/certs/myregistry.com/myregistry_cert.pem"
key = "/etc/buildkit/certs/myregistry.com/myregistry_key.pem"
```
4. Verify that the certificates are inside the container:
```console
$ docker exec -it buildx_buildkit_mybuilder0 ls /etc/buildkit/certs/myregistry.com/
myregistry.pem myregistry_cert.pem myregistry_key.pem
```
Now you can push to the registry using this builder, and it will authenticate
using the certificates:
```console
$ docker buildx build --push --tag myregistry.com/myimage:latest .
```
## CNI networking
CNI networking for builders can be useful for dealing with network port
contention during concurrent builds. CNI is [not yet](https://github.com/moby/buildkit/issues/28)
available in the default BuildKit image. But you can create your own image that
includes CNI support.
The following Dockerfile example shows a custom BuildKit image with CNI support.
It uses the [CNI config for integration tests](https://github.com/moby/buildkit/blob/master//hack/fixtures/cni.json)
in BuildKit as an example. Feel free to include your own CNI configuration.
```dockerfile
# syntax=docker/dockerfile:1
ARG BUILDKIT_VERSION=v{{% param "buildkit_version" %}}
ARG CNI_VERSION=v1.0.1
FROM --platform=$BUILDPLATFORM alpine AS cni-plugins