Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Using SSL to protect connections to Red Hat Quay

This document assumes you have deployed Red Hat Quay in a single-node or highly available deployment.

To configure Quay with a self-signed certificate, you need to create a Certificate Authority (CA), then generate the required key and certificate files. You then enter those files using the Red Hat Quay config UI or command line.

1.1. Create a CA and sign a certificate
Copy link

  1. Create a root CA. 

    $ openssl genrsa -out rootCA.key 2048
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    Copy to Clipboard Toggle word wrap

  2. Create an openssl.cnf file. Replacing DNS.1 and IP.1 with the hostname and IP of the Quay server:

    openssl.cnf 

    [req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = reg.example.com
IP.1 = 12.345.678.9
    Copy to Clipboard Toggle word wrap

  3. Create key and certificates. The following set of shell commands invoke the openssl utility to create a key for Quay, generate a request for an Authority to sign a new certificate, and finally generate a certificate for Quay signed by the CA created earlier.

    Make sure the CA certificate file rootCA.pem and the openssl.cnf config file are both available. 

    $ openssl genrsa -out ssl.key 2048
$ openssl req -new -key ssl.key -out ssl.csr -subj "/CN=quay-enterprise" -config openssl.cnf
$ openssl x509 -req -in ssl.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ssl.cert -days 356 -extensions v3_req -extfile openssl.cnf
    Copy to Clipboard Toggle word wrap

1.2. Configure Quay to use the new certificate
Copy link

The next step can be accomplished either in the Red Hat Quay superuser panel, or from the terminal.

1.2.1. Configure with the superuser GUI in Quay
Copy link

  1. Set the Server Hostname to the appropriate value and check the Enable SSL then upload the ssl.key and ssl.cert files: Enable SSL
  2. Save the configuration. Red Hat Quay will automatically validate the SSL certificate: validating SSL
  3. Restart the container restart the container

1.2.2. Configure with the command line
Copy link

By not using the web interface the configuration checking mechanism built into Red Hat Quay is unavailable. It is suggested to use the web interface if possible.

  1. Copy the ssl.key and ssl.cert into the specified config directory. In this example, the config directory for Quay is on a host named reg.example.com in a directory named /mnt/quay/config.

    Note

    The certificate/key files must be named ssl.key and ssl.cert 

    $ ls
ssl.cert  ssl.key
$ scp ssl.* root@reg.example.com:/mnt/quay/config/
[root@reg.example.com ~]$ ls /mnt/quay/config/
config.yaml  ssl.cert  ssl.key
    Copy to Clipboard Toggle word wrap

  2. Modify the PREFERRED_URL_SCHEME: parameter in config.yaml from http to https 

    PREFERRED_URL_SCHEME: https
    Copy to Clipboard Toggle word wrap

  3. Restart the Red Hat Quay container: 

    $ docker ps
CONTAINER ID  IMAGE               COMMAND                CREATED       STATUS      PORTS                   NAMES
eaf45a4aa12d  quay.io/quay/redis  "/usr/bin/redis-serve" 22 hours ago  Up 22 hours 0.0.0.0:6379->6379/tcp  dreamy...
cbe7b0fa39d8  quay.io/coreos/quay "/sbin/my_init"        22 hours ago  Up one hour 80/tcp,443/tcp,8443/tcp ferv...
705fe7311940  mysql:5.7          "/entrypoint.sh mysql"  23 hours ago  Up 22 hours 0.0.0.0:3306->3306/tcp  mysql

$ docker restart cbe7b0fa39d8
    Copy to Clipboard Toggle word wrap

1.2.3. Test the secure connection
Copy link

Confirm the configuration by visiting the URL from a browser https://reg.example.com/ restart the container "Your Connection is not secure" means the CA is untrusted but confirms that SSL is functioning properly. Check Google for how to configure your operating system and web browser to trust your new CA.

Docker requires that custom certs be installed to /etc/docker/certs.d/ under a directory with the same name as the hostname private registry. It is also required for the cert to be called ca.crt. Here is how to do that:

  1. Copy the rootCA file. 

    $ cp tmp/rootCA.pem /etc/docker/certs.d/reg.example.com/ca.crt
    Copy to Clipboard Toggle word wrap

  2. After you have copied the rootCA.pem file, docker login should authenticate successfully and pushing to the repository should succeed. 

    $ sudo docker push reg.example.com/kbrwn/hello
The push refers to a repository [reg.example.com/kbrwn/hello]
5f70bf18a086: Layer already exists
e493e9cb9dac: Pushed
1770dbc4af14: Pushed
a7bb4eb71da7: Pushed
9fad7adcbd46: Pushed
2cec07a74a9f: Pushed
f342e0a3e445: Pushed
b12f995330bb: Pushed
2016366cdd69: Pushed
a930437ab3a5: Pushed
15eb0f73cd14: Pushed
latest: digest: sha256:c24be6d92b0a4e2bb8a8cc7c9bd044278d6abdf31534729b1660a485b1cd315c size: 7864
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat