The set up is this: 2 Amazon EC2 instances, lets call them .101 and .102. I followed Protect the Docker daemon socket | Docker Docs to create certificates on each of them. So each one has the following:
ca.pem
ca-key.pem
server-cert.pem
server-key.pem
cert.pem
key.pem

they are all in the /certs directory

after starting docker service like this:
/usr/bin/docker daemon --tlsverify --tlscacert=/certs/ca.pem --tlscert=/certs/server-cert.pem --tlskey=/certs/server-key.pem -H=0.0.0.0:2376

Once I copied {cert,ca,key}.pem from .101 to .102, I can communicate from .102 to .101, no problem with a command like this

sudo docker --host=tcp://10.0.0.101:2376 --tlsverify --tlscacert=/tmp/ca.pem --tlscert=/tmp/cert.pem --tlskey=/tmp/key.pem images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
registry 2 5dfdbfb4ed57 8 days ago 224.5 MB

the problem now is that if I start a container for the registry on .101 as in Registry | Docker Docs I’m not exactly sure what certs are equivalent to domain.crt and domain.key as in this command from that page:

sudo docker --host=tcp://10.0.0.101:2376 --tlsverify --tlscacert=/tmp/ca.pem --tlscert=/tmp/cert.pem --tlskey=/tmp/key.pem
run -d -p 5000:5000 --restart=always --name registry
-v /certs:/certs
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key
registry:2

Is domain.crt → server-cert.pem (for .101) and domain.key → server-key.pem (for .101)?
or is domain.crt → cert.pem (for .101) and domain.key → key.pem (for .101)?

I’ve been trying to think this through but its getting cloudy now, and I have no one to bounce the ideas off of. Can anyone help me get this registry working with TLS?