To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use OpenSSL to create a CA, and how to use your CA to sign a server certificate and a client certificate. You can use other CA providers, for example .

The procedures below assume that your Harbor registry’s hostname is , and that its DNS record points to the host on which you are running Harbor.

In a production environment, you should obtain a certificate from a CA. In a test or development environment, you can generate your own CA. To generate a CA certificate, run the following commands.

  1. Generate a CA certificate private key.

  2. Generate the CA certificate.

    Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute.

    openssl req -x509 -new -nodes -sha512 -days 3650 \
      -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
      -key ca.key \
      -out ca.crt

Generate a Server Certificate

The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key.

  1. Generate a private key.

    openssl genrsa -out yourdomain.com.key 4096
  2. Generate a certificate signing request (CSR).

    Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR filenames.

    openssl req -sha512 -new \
      -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
      -key yourdomain.com.key \
      -out yourdomain.com.csr
  3. Generate an x509 v3 extension file.

    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1=yourdomain.com
    DNS.2=yourdomain
    DNS.3=hostname
    EOF
  4. Use the v3.ext file to generate a certificate for your Harbor host.

    Replace yourdomain.com in the CSR and CRT file names with the Harbor host name.

After generating the ca.crt, yourdomain.com.crt, and yourdomain.com.key files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.

  1. Copy the server certificate and key into the certificates folder on your Harbor host.

    cp yourdomain.com.crt /data/cert/
    cp yourdomain.com.key /data/cert/
  2. Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.

    cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
    cp ca.crt /etc/docker/certs.d/yourdomain.com/

    If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.

  3. Restart Docker Engine.

    systemctl restart docker

You might also need to trust the certificate at the OS level. See for more information.

The following example illustrates a configuration that uses custom certificates.

Deploy or Reconfigure Harbor

If you already deployed Harbor with HTTP and want to reconfigure it to use HTTPS, perform the following steps.

  1. Run the prepare script to enable HTTPS.

    Harbor uses an nginx instance as a reverse proxy for all services. You use the prepare script to configure nginx to use HTTPS. The prepare script is in the Harbor installer bundle, at the same level as the install.sh script.

    ./prepare
  2. If Harbor is running, stop and remove the existing instance.

    Your image data remains in the file system, so no data is lost.

    docker-compose down -v
  3. Restart Harbor:

    docker-compose up -d

After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps.

  • Open a browser and enter . It should display the Harbor interface.

    Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when using a self-signed CA that is not from a trusted third-party CA. You can import the CA to the browser to remove the warning.

  • On a machine that runs the Docker daemon, check the /etc/docker/daemon.json file to make sure that the --insecure-registry option is not set for https://yourdomain.com.

  • Log into Harbor from the Docker client.

    docker login yourdomain.com

What to Do Next