3rd chunk of `content/manuals/desktop/troubleshoot-and-support/faqs/macfaqs.md`
server certificates) and client certificates (used to authenticate to
registries) to your Docker daemon.
#### Add custom CA certificates (server side)
All trusted CAs (root or intermediate) are supported. Docker Desktop creates a
certificate bundle of all user-trusted CAs based on the Mac Keychain, and
appends it to the trusted certificates of Moby, the Docker Desktop virtual
machine. So if an enterprise CA certificate is trusted by the user on the host,
it is trusted by Docker Desktop.
To manually add a custom or self-signed CA certificate, add it to the macOS
keychain as a trusted root; Docker Desktop picks it up from there. For example,
to trust `ca.crt` for all users on the machine:
```console
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
```
Or, if you prefer to add the certificate to your own login keychain only (rather
than for all users), run this command instead, without `sudo`:
```console
$ security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain ca.crt
```
See also, [Directory structures for
certificates](#directory-structures-for-certificates).
> [!NOTE]
>
> You need to restart Docker Desktop after making any changes to the keychain or
> to the `~/.docker/certs.d` directory in order for the changes to take effect.
For a complete explanation of how to do this, see the blog post [Adding
Self-signed Registry Certs to Docker & Docker Desktop for
Mac](https://blog.container-solutions.com/adding-self-signed-registry-certs-docker-mac).
#### Add client certificates
You can put your client certificates in
`~/.docker/certs.d/<MyRegistry>:<Port>/client.cert` and
`~/.docker/certs.d/<MyRegistry>:<Port>/client.key`.
When the Docker Desktop application starts, it copies the `~/.docker/certs.d`
folder on your Mac to the `/etc/docker/certs.d` directory on Moby (the Docker
Desktop `xhyve` virtual machine).
> [!NOTE]
>
> * You need to restart Docker Desktop after making any changes to the keychain
> or to the `~/.docker/certs.d` directory in order for the changes to take
> effect.
>
> * The registry cannot be listed as an _insecure registry_. Docker Desktop ignores the
>   `certs.d` certificates for registries listed under insecure registries and does not
>   send client certificates to them. Commands like `docker run` that attempt to pull
>   from the registry then produce error messages on the command line, as well as on
>   the registry.
#### Directory structures for certificates
If you have this directory structure, you do not need to manually add the CA
certificate to your macOS keychain:
```text
/Users/<user>/.docker/certs.d/
└── <MyRegistry>:<Port>
    ├── ca.crt
    ├── client.cert
    └── client.key
```
The following further illustrates and explains a configuration with custom
certificates:
```text
/etc/docker/certs.d/            <-- Certificate directory
└── localhost:5000              <-- Hostname:port
    ├── client.cert             <-- Client certificate
    ├── client.key              <-- Client key
    └── ca.crt                  <-- Certificate authority that signed
                                    the registry certificate
```
You can also have this directory structure, as long as the CA certificate is
also in your keychain.
```text
/Users/<user>/.docker/certs.d/
└── <MyRegistry>:<Port>
    ├── client.cert
    └── client.key
```
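Because Docker Desktop only reads `~/.docker/certs.d` at startup, a mistake in the layout described above (a misnamed directory, a `client.cert` without its `client.key`, a `ca.crt` that actually holds key material, or a registry that is also listed under `insecure-registries`) only shows up as a failed pull after the restart. The following preflight check is an added example, not part of the Docker documentation or of Docker Desktop: it validates one `certs.d/<host>:<port>` directory against the rules on this page before you restart. It checks file naming, PEM framing and key permissions only; it does not verify the certificate chain against the registry. The `daemon_config` argument is the parsed contents of the daemon JSON that Docker Desktop exposes under Settings > Docker Engine (the `insecure-registries` key). The registry names, the temporary `HOME`, and the PEM bodies built in `demo()` are all constructed placeholders, not real certificates.

```python
"""Preflight check for a Docker Desktop certs.d/<host>:<port> directory.

Added example (not Docker's own code). It validates layout, PEM framing and
key permissions only; it does not verify the certificate chain.
"""
import base64
import ssl
import stat
import tempfile
from pathlib import Path

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
CERT_FOOTER = "-----END CERTIFICATE-----"
KEY_HEADERS = ("-----BEGIN PRIVATE KEY-----",
               "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")

# Constructed placeholder PEM objects for the demo; NOT real X.509 material.
_BODY = base64.b64encode(b"constructed placeholder, not a real X.509 object").decode()
FAKE_CERT = f"{CERT_HEADER}\n{_BODY}\n{CERT_FOOTER}\n"
FAKE_KEY = f"{KEY_HEADERS[0]}\n{_BODY}\n-----END PRIVATE KEY-----\n"


def certs_dir(host, port, home=None):
    """Directory Docker consults for <host>:<port>; `home` overrides ~ for tests."""
    base = Path(home) if home else Path.home()
    return base / ".docker" / "certs.d" / f"{host}:{port}"


def pem_certificates(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file (a ca.crt
    may be a bundle of root and intermediates). Raises ValueError on bad framing."""
    chunks = text.split(CERT_HEADER)[1:]
    if not chunks:
        raise ValueError("no CERTIFICATE block found")
    ders = []
    for chunk in chunks:
        body, footer, _ = chunk.partition(CERT_FOOTER)
        if not footer:
            raise ValueError("unterminated CERTIFICATE block")
        # ssl.PEM_cert_to_DER_cert checks header/footer and base64-decodes the body.
        ders.append(ssl.PEM_cert_to_DER_cert(CERT_HEADER + body + CERT_FOOTER))
    return ders


def check_registry_certs(directory, daemon_config=None):
    """Return a list of problems with one certs.d/<host>:<port> directory.

    An empty list means the layout matches what Docker Desktop expects.
    ca.crt is optional: without it the CA must already be trusted in the
    macOS keychain. daemon_config is the parsed daemon JSON (a dict) or None.
    """
    directory = Path(directory)
    problems = []
    name = directory.name
    host, sep, port = name.rpartition(":")
    if not sep or not host or not port.isdigit():
        problems.append(f"{name}: directory must be named <host>:<port>")
    cert, key, ca = (directory / n for n in ("client.cert", "client.key", "ca.crt"))
    if cert.exists() != key.exists():
        problems.append("client.cert and client.key must be present together")
    for f in (cert, ca):
        if f.exists():
            try:
                pem_certificates(f.read_text())
            except ValueError as exc:
                problems.append(f"{f.name}: {exc}")
    if key.exists():
        if not key.read_text().lstrip().startswith(KEY_HEADERS):
            problems.append("client.key: not a PEM private key")
        if stat.S_IMODE(key.stat().st_mode) & 0o077:
            problems.append("client.key: readable by group/others, chmod 600 it")
    # Docker Desktop ignores certs.d for a registry listed as insecure and never
    # sends the client certificate to it, so the two settings conflict.
    if daemon_config and name in daemon_config.get("insecure-registries", []):
        problems.append(f"{name}: listed under insecure-registries; remove it "
                        "or the client certificate will not be sent")
    return problems


def write_layout(directory, *, key_mode=0o600):
    """Write a constructed (placeholder, not real) client.cert/client.key/ca.crt."""
    directory.mkdir(parents=True)
    (directory / "client.cert").write_text(FAKE_CERT)
    (directory / "client.key").write_text(FAKE_KEY)
    (directory / "client.key").chmod(key_mode)
    (directory / "ca.crt").write_text(FAKE_CERT)


def demo():
    """Check a correct layout and a broken one, both built in a temporary HOME."""
    with tempfile.TemporaryDirectory() as tmp:
        good = certs_dir("registry.example.com", 5000, tmp)
        write_layout(good)
        bad = certs_dir("registry.example.com", 5001, tmp)
        write_layout(bad, key_mode=0o644)       # key readable by others
        (bad / "ca.crt").write_text(FAKE_KEY)   # key material where a cert belongs
        daemon = {"insecure-registries": ["registry.example.com:5001"]}
        return check_registry_certs(good, daemon), check_registry_certs(bad, daemon)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good layout:", good_problems or "OK")
    print("bad layout:", *bad_problems, sep="\n  ")
```

Run it against a real directory with `check_registry_certs(certs_dir("myregistry.example", 5000), json.load(open(Path.home() / ".docker/daemon.json")))`, fix anything it reports, then restart Docker Desktop. The permission check matters because `client.key` is copied into the VM as-is; the `insecure-registries` check catches the conflict the note above warns about, which is otherwise only visible as a pull error on both the client and the registry.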
To learn more about how to install a CA root certificate for the registry and
how to set the client TLS certificate for verification, see
[Verify repository client with certificates](/manuals/engine/security/certificates.md)
in the Docker Engine topics.