Where does Docker get certificates from on Ubuntu?

Attempting to log into Docker,

$ docker login product.artifactory.company.com
Username (russell.bateman):
Password:

I only get

Error response from daemon: Get https://product.artifactory.company.com/v2/: x509: certificate signed by unknown authority

I have dropped my certificates into /usr/local/share/ca-certificates:

+-- product-sha256.pem
`-- ca-o-matic
     `-- ca-o-matic-SHA256.crt

and run

# update-ca-certificates

which says,

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Replacing debian:ca-o-matic-SHA256.pem
done.
done.

In ~/.docker/config.json, I have:

{
  "auths":
  {
    "auth": "blahblah...blah==",
    "email": "russell.bateman@domain.com"
  }
}

Then, I verify

# openssl verify product-sha256.pem: OK
product-sha256.pem: OK

I’m pretty unfamiliar with the nitty-gritty of certificates. Why the error response? Why does docker login ask me for username and password when I’ve got ~/.docker/config.json?

The answers turn out to be that our artifactory does not support username/password log-in, but only certificate-based access. The certificate wasn’t really known (making docker login resort to asking for username and password), but I should not have been attempting to log in. It appears that after installing the new certificate (only the root certificate is needed, not the other one), the Docker daemon must be bounced. So, once Docker was bounced, the certificate worked, docker pull (not docker login) worked fine.