In the web.config of a given ASP.NET app, the a connection string is often hardcoded. How can this be parameterized such that we can maintain a single image, but pass DB server name, DB name, and credentials to the container at docker run time?

I was thinking of adding a PS script to the image which gets invoked via CMD or ENTRYPOINT, and have that script accept parameters from docker run, which would update web.config.

Just curious as to what best practice is here. I have similar concerns for the registry, SSL certificates, etc.

Environment variables is a solution. You pass those values at start up time, so nothing being hardcoded into your image and in fact you can host your image in public domain with no security risk. SSL certificates is different story since those can not be passed in environment variables. I imagine solution will be to have them in volume and just import them using DSC at runtime. Again this provides secure solution since those volumes exists only on your host.