---
description: How to set up and use certificates with a registry to verify access
keywords: Usage, registry, repository, client, root, certificate, docker, apache,
ssl, tls, documentation, examples, articles, tutorials
title: Verify repository client with certificates
aliases:
- /articles/certificates/
- /engine/articles/certificates/
---
In [Running Docker with HTTPS](protect-access.md), you learned that, by default,
Docker runs via a non-networked Unix socket and TLS must be enabled in order
to have the Docker client and the daemon communicate securely over HTTPS. TLS
ensures the authenticity of the registry endpoint and that traffic to and from
the registry is encrypted.

This article demonstrates how to ensure the traffic between the Docker registry
server and the Docker daemon (a client of the registry server) is encrypted and
properly authenticated using certificate-based client-server authentication.

We show you how to install a Certificate Authority (CA) root certificate
for the registry and how to set the client TLS certificate for verification.

## Understand the configuration

A custom certificate is configured by creating a directory under
`/etc/docker/certs.d` using the same name as the registry's hostname, such as
`localhost`. All `*.crt` files in this directory are added as CA roots.

> [!NOTE]
>
> On Linux, any root certificate authorities are merged with the system defaults,
> including the host's root CA set. If you are running Docker on Windows Server,
> or Docker Desktop for Windows with Windows containers, the system default
> certificates are only used when no custom root certificates are configured.

The presence of one or more `<filename>.key/cert` pairs indicates to Docker
that custom certificates are required for access to the desired
repository.

> [!NOTE]
>
> If multiple certificates exist, each is tried in alphabetical
> order. If there is a 4xx-level or 5xx-level authentication error, Docker
> continues to try with the next certificate.
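
As an added example (not part of the Docker documentation or Docker's own code), the following shell function audits one registry directory under `/etc/docker/certs.d` against the layout described above: it lists every `*.crt` file that is trusted as a CA root, numbers the complete `.cert`/`.key` pairs in sorted order, and flags incomplete pairs. The function name, the output labels, and the private-key permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Docker's code): audit one registry directory.
# Usage: audit_certs_dir /etc/docker/certs.d/<registry-hostname>
# Exit status: 0 clean, 1 findings, 2 directory missing.
# The body runs in a subshell "( ... )" so LC_ALL stays local to the function.
audit_certs_dir() (
    dir=$1
    rc=0
    n=0
    [ -d "$dir" ] || { echo "ERROR no such directory: $dir"; exit 2; }
    # Assumption: byte-wise (C locale) glob order stands in for the
    # "alphabetical order" in which client certificates are tried.
    LC_ALL=C
    export LC_ALL
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
        *.crt)
            # Every *.crt here is trusted as a CA root for this registry.
            echo "CA_ROOT $name" ;;
        *.cert)
            base=${name%.cert}
            if [ -f "$dir/$base.key" ]; then
                n=$((n + 1))
                echo "CLIENT_PAIR $n $base"
            else
                echo "MISSING_KEY $name"; rc=1
            fi ;;
        *.key)
            base=${name%.key}
            [ -f "$dir/$base.cert" ] || { echo "MISSING_CERT $name"; rc=1; }
            # Hygiene check added by this example: a private key should
            # carry no group/other permission bits.
            mode=$(ls -ldL "$f" | cut -c5-10)
            [ "$mode" = "------" ] || { echo "KEY_PERMS $name"; rc=1; }
            ;;
        *)
            echo "UNRECOGNIZED $name" ;;
        esac
    done
    exit "$rc"
)
```

Review the `CA_ROOT` lines with particular care: any `*.crt` file left in the directory widens the set of authorities trusted for that registry.
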

The following illustrates a configuration with custom certificates: