By default, Docker / Notary generates new self-signed certificates whenever it pushes to a repo / GUN for the first time. Is there any way to change this behavior, in particular to make the certificates be issued by a user-specified CA?
Trust-pinning allows pulling clients to validate any certificates used to sign digests read from Notary against a specified CA. This would be incredibly useful in ensuring the integrity of pulls from Notary, but only if there is some way for the pushing clients to sign the certificates in the first place
Thanks for any insight.