.nh
.TH containers-certs.d 5 Directory for storing custom container-registry TLS configurations

.SH NAME
containers-certs.d \- Directory for storing custom container-registry TLS configurations


.SH DESCRIPTION
A custom TLS configuration for a container registry can be configured by creating a directory under \fB$HOME/.config/containers/certs.d\fR or \fB/etc/containers/certs.d\fR\&.
The name of the directory must correspond to the \fBhost\fR[\fB:port\fR] of the registry (e.g., \fBmy-registry.com:5000\fR).

.PP
The port part presence / absence must precisely match the port usage in image references,
e.g. to affect \fBpodman pull registry.example/foo\fR,
use a directory named \fBregistry.example\fR, not \fBregistry.example:443\fR\&.
\fBregistry.example:443\fR would affect \fBpodman pull registry.example:443/foo\fR\&.

.SH Directory Structure
A certs directory can contain one or more files with the following extensions:
.IP \(bu 2
\fB*.crt\fR  files with this extensions will be interpreted as CA certificates
.IP \(bu 2
\fB*.cert\fR files with this extensions will be interpreted as client certificates
.IP \(bu 2
\fB*.key\fR  files with this extensions will be interpreted as client keys

.PP
Note that the client certificate-key pair will be selected by the file name (e.g., \fBclient.{cert,key}\fR).
An exemplary setup for a registry running at \fBmy-registry.com:5000\fR may look as follows:

.EX
/etc/containers/certs.d/    <- Certificate directory
└── my-registry.com:5000    <- Hostname[:port]
   ├── client.cert          <- Client certificate
   ├── client.key           <- Client key
   └── ca.crt               <- Certificate authority that signed the registry certificate
.EE


.SH HISTORY
Feb 2019, Originally compiled by Valentin Rothberg rothberg@redhat.com
\[la]mailto:rothberg@redhat.com\[ra]