DKER-EE-003930 - Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.


Both the Universal Control Plane (UCP) and DTR components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP integration in UCP and DTR. To meet the requirements of this control, configure LDAP integration. UCP also includes two certificate authorities for establishing root of trust. One CA is used to sign client bundles and the other is used for TLS communication between UCP components and nodes. Both of these CAs should be integrated with an external, trusted CA. DTR should be integrated with this same external, trusted CA as well.


This fix only applies to the DTR component of Docker Enterprise.

Integrate DTR with a trusted CA.

via UI:

In the DTR web console, navigate to 'System' | 'General' and click on the 'Show TLS Settings' link in the 'Domain & Proxies' section. Fill in the 'TLS Root CA' field with the contents of the trusted CA certificate. Assuming the user has generated a server certificate from that CA for DTR, also fill in the 'TLS Certificate Chain' and 'TLS Private Key' fields with the contents of the public/private certificates respectively. The 'TLS Certificate Chain' field must include both the DTR server certificate and any intermediate certificates. Click on the 'Save' button.

via CLI:

Linux: Execute the following command as a superuser on one of the UCP Manager nodes in the cluster:

docker run -it --rm docker/dtr:[dtr_version] reconfigure --dtr-ca '$(cat [ca.pem])' --dtr-cert '$(cat [dtr_cert.pem])' --dtr-key '$(cat [dtr_private_key.pem])'

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.