To work with container images in the embedded Harbor Registry using Docker, you must add the registry certificate to your Docker client. The certificate is used to authenticate to Docker during login.

Configure your Docker client to interact with the embedded Harbor Registry. This task is required in preparation for using the Docker Credential Helper that vSphere provides to connect and interact with the embedded Harbor Registry.


This task assumes that the embedded Harbor Registry is enabled and that you can log in:

In addition, the instructions assume that you are using a Linux host (Ubuntu) on which the Docker daemon is installed. To verify that Docker is installed and that you can pull images from the Docker hub, run the following command:
docker run hello-world
Expected result:
Hello from Docker!
This message shows that your installation appears to be working correctly.
Note: These instructions are verified using Ubuntu 20.04 and Docker 19.03.


  1. Download the embedded Harbor Registry certificate root-certificate.txt. See Download and Install the Embedded Harbor Registry Certificate.
  2. Change the name of the certificate to ca.crt.
  3. Securely copy the ca.crt file to your Docker host.
  4. On the Docker host, create a directory path for the private registry using the Harbor IP address.
    For example:
    mkdir /etc/docker/certs.d/
  5. Move the ca.crt to this directory.
    For example:
     mv ca.crt /etc/docker/certs.d/
  6. Restart the Docker daemon.
    sudo systemctl restart docker.service
  7. Log in to the embedded Harbor Registry using your Docker client.
    docker login
    You should see the following message:
    WARNING! Your password will be stored unencrypted in /home/ubuntu/.docker/config.json.
    Configure a credential helper to remove this warning. See
    Login Succeeded

What to do next

As indicated by the message, for security purposes, download and install the vSphere Docker Credential Helper. See Install the vSphere Docker Credential Helper and Connect to the Registry.