diff --git a/roles/docker-distribution-proxy/defaults/main.yml b/roles/docker-distribution-proxy/defaults/main.yml
index d983dc1bde..47001f6f26 100644
--- a/roles/docker-distribution-proxy/defaults/main.yml
+++ b/roles/docker-distribution-proxy/defaults/main.yml
@@ -3,7 +3,7 @@
 #
 servername: "registry.example.com"
 ssl:
-  destdir: "/etc/pki/docker-registry/"
+  destdir: "/etc/pki/docker-registry"
   certfile_src: "ssl.cert"
   certfile_dest: "ssl.cert"
   keyfile_src: "ssl.key"
@@ -12,8 +12,12 @@ ssl:
 auth:
   type: basic
   basic:
-    dest_dir:
-    userfile_src: /etc/httpd/users.htpasswd
-    userfile_dest: /etc/httpd/users.htpasswd
+    dest_dir: "/etc/httpd"
+    userfile_src: users.htpasswd
+    userfile_dest: users.htpasswd
+  ssl:
+    dest_dir: "/etc/pki/docker-registry"
+    authca_dest: "/etc/pki/docker-registry/authca.cert"
+
 
 
diff --git a/roles/docker-distribution-proxy/tasks/main.yml b/roles/docker-distribution-proxy/tasks/main.yml
index 6c9a2a19bb..989573dc44 100644
--- a/roles/docker-distribution-proxy/tasks/main.yml
+++ b/roles/docker-distribution-proxy/tasks/main.yml
@@ -37,6 +37,18 @@
     dest: "{{ auth.basic.destdir }}/{{ auth.basic.userfile_dest }}"
   when: auth.type == "basic"
 
+- name: ensure ssl auth dest dir exists
+  file:
+    path: "{{ auth.ssl.destdir }}"
+    state: directory
+  when: auth.type == "ssl"
+
+- name: place authca file
+  copy:
+    src: "{{ auth.ssl.authca_src }}"
+    dest: "{{ auth.ssl.destdir }}/{{ auth.ssl.authca_dest }}"
+  when: auth.type == "ssl"
+
 - name: Configure the vhost
   template:
     src: "docker-registry-vhost.conf.j2"
diff --git a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2 b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2
index 0814b67d44..90814fa006 100644
--- a/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2
+++ b/roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2
@@ -39,6 +39,10 @@
     Allow from all
   </Location>
 
+{% if auth.type == "ssl" %}
+    SSLVerifyClient none
+    SSLCACertificateFile {{ auth.ssl.authca_dest }}
+{% endif %}
   <Location /v2>
     Order deny,allow
     Allow from all
@@ -47,6 +51,10 @@
     AuthType basic
     AuthUserFile {{ auth.basic.userfile_dest }}
 {% endif %}
+{% if auth.type == "ssl" %}
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+{% endif %}
 
     ## Read access to authentified users
     #<Limit GET HEAD>