Add a custom TLS certificate

By default, Mirantis Secure Registry (MSR) services are exposed using HTTPS. This ensures encrypted communications between clients and your trusted registry. If you do not pass a PEM-encoded TLS certificate during installation, MSR will generate a self-signed certificate, which leads to an insecure site warning when accessing MSR through a browser. In addition, MSR includes an HTTP Strict Transport Security (HSTS) header in all API responses, which can cause your browser not to load the MSR web UI.

You can configure MSR to use your own TLS certificates, so that browsers and client tools trust MSR automatically. You can also enable user authentication through client certificates issued by your organization's Public Key Infrastructure (PKI).

To upload your own TLS certificates and keys, you can use the Helm CLI options to either install or reconfigure your MSR instance.

Customize the WebTLS certificate

  1. Acquire your TLS certificate and key files.

    Note

    You can use a previously created CA-signed SSL certificate, or you can create a new one. [1]

  2. Add the secret to the cluster:

    kubectl create secret tls <secret-name> \
      --key <keyfile>.pem \
      --cert <certfile>.pem
    
  3. Install the helm chart with the custom certificate:

    helm install msr msr \
      --repo https://registry.mirantis.com/charts/msr/msr \
      --version 1.0.0 \
      --set-file license=path/to/file/license.lic \
      --set nginx.webtls.secretName="<secret-name>"
    
  4. Enable port forwarding:

    kubectl port-forward service/msr 8080 8443:443
    
  5. Log in as an administrator at https://localhost:8443/login.

  6. Verify that MSR serves a valid certificate by checking that the certificate details shown in the browser match those of the certificate you acquired in step 1.
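Step 6 can also be checked from a terminal. The following Python script is an added example; it is not part of the MSR documentation or of the MSR project. It assumes the port-forward from step 4 (localhost:8443), that the `<certfile>.pem` you uploaded in step 2 is passed as the first argument, that you know the DNS name the certificate was issued for (passed as `server_name`, used for SNI and hostname checking), and Python 3.10 or later for `ssl.VERIFY_X509_PARTIAL_CHAIN`. It validates the served chain against the uploaded certificate only, compares SHA-256 fingerprints, and parses the HSTS header mentioned above. The `SAMPLE_PEM_*` constants are constructed placeholders for offline testing, not real certificates.

```python
# Added example (not MSR documentation or project code): confirm that the
# port-forwarded MSR endpoint serves the uploaded certificate and sends HSTS.
import base64
import hashlib
import hmac
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholders (base64 of bytes 0..9 and 10..15), not real certs.
SAMPLE_PEM_A = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_B = "-----BEGIN CERTIFICATE-----\nCgsMDQ4P\n-----END CERTIFICATE-----\n"


def leaf_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in a PEM file. A chain file is
    leaf-first, so this is the certificate MSR presents to clients."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint as AA:BB:..., the form browsers and
    `openssl x509 -fingerprint -sha256` display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_match(pem_a: str, pem_b: str) -> bool:
    """True if the two PEM files carry the same leaf certificate."""
    return hmac.compare_digest(leaf_der(pem_a), leaf_der(pem_b))


def parse_hsts(value: Optional[str]) -> Optional[Dict[str, object]]:
    """Split a Strict-Transport-Security value into its directives."""
    if value is None:
        return None
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.lower()
        if not name:
            continue
        directives[name] = int(arg.strip(' "')) if name == "max-age" else True
    return directives


def _read_response_headers(tls: ssl.SSLSocket) -> Dict[str, str]:
    """Read one HTTP response head and return lower-cased header names."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = tls.recv(4096)
        if not chunk:
            break
        buf += chunk
    head = buf.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def check_msr_tls(expected_pem_path: str, server_name: str,
                  host: str = "localhost", port: int = 8443
                  ) -> Tuple[str, Optional[Dict[str, object]]]:
    """Connect to MSR, accept only a chain that validates against the uploaded
    certificate, and return (served fingerprint, parsed HSTS directives).
    server_name is the DNS name in the certificate; it is sent as SNI and
    checked against the cert even though TCP goes to the port-forward."""
    with open(expected_pem_path) as f:
        expected_pem = f.read()
    expected_fp = fingerprint_der(leaf_der(expected_pem))
    # Trust only the uploaded cert (or chain); PARTIAL_CHAIN lets a CA-signed
    # leaf act as trust anchor when the file does not include its root.
    ctx = ssl.create_default_context(cadata=expected_pem)
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            served_fp = fingerprint_der(tls.getpeercert(binary_form=True))
            tls.sendall(f"GET /login HTTP/1.1\r\nHost: {server_name}\r\n"
                        f"Connection: close\r\n\r\n".encode("ascii"))
            hsts = parse_hsts(
                _read_response_headers(tls).get("strict-transport-security"))
    if not hmac.compare_digest(served_fp, expected_fp):
        raise RuntimeError(f"MSR served {served_fp}, expected {expected_fp}")
    return served_fp, hsts


if __name__ == "__main__":
    import sys
    fp, hsts = check_msr_tls(sys.argv[1], sys.argv[2])  # cert path, DNS name
    print("served certificate fingerprint:", fp)
    print("HSTS:", hsts)
```

Run it as `python check_msr_tls.py <certfile>.pem <msr-hostname>` while the port-forward from step 4 is active. A hostname-mismatch error means the certificate was not issued for the name you passed, which is the same failure the browser reports in step 6; a fingerprint mismatch means the chart is still serving the generated self-signed certificate rather than the one in `<secret-name>`.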

[1] Users who want to create a new self-signed certificate that is valid for the host name can do so using mkcert or openssl.