Add a custom TLS certificate
Mirantis Secure Registry (MSR) services are exposed using HTTPS by default, which ensures encrypted communications between clients and your trusted registry. If you do not pass a PEM-encoded TLS certificate during installation, MSR generates a self-signed certificate, which can lead to an insecure site warning whenever you access MSR through a browser. In addition, MSR includes an HTTP Strict Transport Security (HSTS) header in all API responses, which can cause your browser not to load the MSR web UI.
You can configure MSR to use your own TLS certificates, so that it is automatically trusted by your browsers and client tools. You can also enable user authentication using the client certificates provided by your organization's Public Key Infrastructure (PKI).
You can upload your own TLS certificates and keys using the MSR web UI, or you can pass them as CLI options during installation or whenever you reconfigure your MSR instance.
To replace the server certificates using the MSR web UI:
Log in at
In the left-side navigation panel, navigate to System and scroll down to Domain & Proxies.
Enter your MSR domain name and upload or copy and paste the certificate information:
Load balancer/public address
The domain name for accessing MSR.
TLS private key
The server private key.
TLS certificate chain
The server certificate and any intermediate public certificates from your certificate authority (CA). The certificate must be valid for the MSR public address and have SANs for all addresses that are used to reach the MSR replicas, including load balancers.
The root CA public certificate.
At this point, if you have added certificates issued by a globally trusted CA, any web browser or client tool should trust MSR. If you are using an internal CA, you must configure the client systems to trust that CA.
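The certificate chain requirements above (valid for the MSR public address, SANs for every address that reaches the replicas, a key that matches) can be checked before you upload anything. The following script is an added example, not part of the MSR documentation or tooling. The function names, the `example.test` host names and the `10.0.0.10` address are hypothetical, and the sample certificate is generated on the spot with OpenSSL.

```sh
#!/bin/sh
# Pre-upload checks for the chain and key entered under "Domain & Proxies".

# san_covers CHAIN_PEM ADDRESS: succeeds if the leaf certificate (the first PEM
# block in the chain file) covers ADDRESS. Note: OpenSSL falls back to the
# subject CN for host names only when the certificate has no DNS SANs at all.
san_covers() {
    case "$2" in
        *:*)       opt=-checkip ;;     # IPv6 literal
        *[!0-9.]*) opt=-checkhost ;;   # anything else with a non-digit: DNS name
        *)         opt=-checkip ;;     # dotted-quad IPv4
    esac
    openssl x509 -in "$1" -noout "$opt" "$2" 2>/dev/null | grep -q 'does match certificate'
}

# key_matches CHAIN_PEM KEY_PEM: succeeds if both carry the same public key.
key_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# check_msr_cert CHAIN_PEM KEY_PEM ADDRESS...: runs every check, reports each
# failure, and returns non-zero if any check failed.
check_msr_cert() {
    chain=$1 key=$2; shift 2
    rc=0
    openssl x509 -in "$chain" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: leaf certificate is expired or unreadable"; rc=1; }
    key_matches "$chain" "$key" ||
        { echo "FAIL: private key does not match the leaf certificate"; rc=1; }
    for addr in "$@"; do
        san_covers "$chain" "$addr" || { echo "FAIL: no SAN covers $addr"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: throwaway self-signed certificate for hypothetical names,
# written to directory $1 (needs OpenSSL 1.1.1 or later for -addext).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=msr.example.test" \
        -addext "subjectAltName=DNS:msr.example.test,DNS:lb.example.test,IP:10.0.0.10" \
        -keyout "$1/key.pem" -out "$1/chain.pem" 2>/dev/null
}

dir=$(mktemp -d) && make_sample "$dir"
check_msr_cert "$dir/chain.pem" "$dir/key.pem" msr.example.test lb.example.test 10.0.0.10 &&
    echo "OK: certificate covers every listed address"
check_msr_cert "$dir/chain.pem" "$dir/key.pem" replica2.example.test || echo "fix the SAN list before uploading"
```

Pass every DNS name and IP address that clients or load balancers use to reach MSR; any address the check reports as uncovered needs to be in the SAN list when the certificate is reissued.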
To replace the server certificates using the CLI: