Use your own TLS certificates

Mirantis Secure Registry (MSR) services are exposed using HTTPS by default. This ensures encrypted communications between clients and your trusted registry. If you do not pass a PEM-encoded TLS certificate during installation, MSR will generate a self-signed certificate. This leads to an insecure site warning when accessing MSR through a browser. Additionally, MSR includes an HSTS (HTTP Strict-Transport-Security) header in all API responses which can further lead to your browser refusing to load MSR’s web interface.

You can configure MSR to use your own TLS certificates, so that it is automatically trusted by your users’ browser and client tools. As of v2.7, you can also enable user authentication via client certificates provided by your organization’s public key infrastructure (PKI).

You can upload your own TLS certificates and keys using the web interface, or pass them as CLI options when installing or reconfiguring your MSR instance.

Use the web interface to replace the server certificates

  1. Navigate to :samp:https://<msr-url> and log in with your credentials.

  2. Select System from the left-side navigation panel, and scroll down to Domain & Proxies.

    ../../_images/use-your-certificates-1.png
  3. Enter your MSR domain name and upload or copy and paste the certificate details:

    • Load balancer/public address. The domain name clients will use to access MSR.

    • TLS private key. The server private key.

    • TLS certificate chain. The server certificate and any intermediate public certificates from your certificate authority (CA). This certificate needs to be valid for the MSR public address, and have SANs for all addresses used to reach the MSR replicas, including load balancers.

    • TLS CA. The root CA public certificate.

  4. Click Save to apply your changes.

At this point, if you’ve added certificates issued by a globally trusted CA, any web browser or client tool should now trust MSR. If you’re using an internal CA, you will need to configure the client systems to trust that CA.

Use the command line interface to replace the server certificates

See install and reconfigure for TLS certificate options and usage.