containers-certs.d(5) storing containers-certs.d(5)

containers-certs.d - Directory for storing custom container-registry TLS configurations

A custom TLS configuration for a container registry can be configured by creating a directory under $HOME/.config/containers/certs.d or /etc/containers/certs.d. The name of the directory must correspond to the host[:port] of the registry (e.g., my-registry.com:5000).

The port part presence / absence must precisely match the port usage in image references, e.g. to affect podman pull registry.example/foo, use a directory named registry.example, not registry.example:443. registry.example:443 would affect podman pull registry.example:443/foo.

A certs directory can contain one or more files with the following extensions:

  • *.crt files with this extensions will be interpreted as CA certificates
  • *.cert files with this extensions will be interpreted as client certificates
  • *.key files with this extensions will be interpreted as client keys

Note that the client certificate-key pair will be selected by the file name (e.g., client.{cert,key}). An exemplary setup for a registry running at my-registry.com:5000 may look as follows:

/etc/containers/certs.d/    <- Certificate directory
└── my-registry.com:5000    <- Hostname[:port]
   ├── client.cert          <- Client certificate
   ├── client.key           <- Client key
   └── ca.crt               <- Certificate authority that signed the registry certificate

Feb 2019, Originally compiled by Valentin Rothberg rothberg@redhat.com ⟨mailto:rothberg@redhat.com⟩

Directory for