oc-mirror in a disconnected environment fails with error "x509: certificate signed by unknown authority"

Solution Verified


  • "oc-mirror" relies on the host's system certificate keyring. Requiring a system-wide certificate installation is inconvenient, because users typically do not have the privileges for such operations.
  • Using "oc-mirror" against a private registry with a custom CA certificate returns "x509: certificate signed by unknown authority".
  • I am running as a rootless user in my environment and can't run update-ca-trust commands as shown in "How to install a CA certificate on Red Hat Enterprise Linux 7 and later?"


  • Red Hat OpenShift Container Platform (RHOCP)
    • >= 4.9
