diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml
index 2f6ee5fda5..c667d07c3c 100644
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@@ -250,6 +250,13 @@
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
 when: env == "staging"
 }
+ - {
+ role: "manage-container-images",
+ cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
+ cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
+ key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
+ when: env == "staging"
+ }
 - {
 role: push-docker,
 docker_cert_name: "containerbuild",
diff --git a/roles/manage-container-images/tasks/main.yml b/roles/manage-container-images/tasks/main.yml
new file mode 100644
index 0000000000..0dca948270
--- /dev/null
+++ b/roles/manage-container-images/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# tasks file for push-docker
+#
+- name: install necessary packages
+ package:
+ name: "{{item}}"
+ state: present
+ with_items:
+ - skopeo
+
+- name: ensure cert dir exists
+ file:
+ path: "{{container_dest_dir}}"
+ state: directory
+
+- name: install docker client cert for registry
+ copy:
+ src: "{{cert_src}}"
+ dest: "{{container_dest_dir}}/client.cert"
+ owner: root
+ mode: 0600
+
+- name: install docker client key for registry
+ copy:
+ src: "{{key_src}}"
+ dest: "{{container_dest_dir}}/client.key"
+ owner: root
+ mode: 0600
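Review bot: `cert_dest_dir` in the new role entry does not match the variable the role reads: the tasks added in roles/manage-container-images/tasks/main.yml template `{{container_dest_dir}}` for the directory, `client.cert` and `client.key` paths. Unless `container_dest_dir` is defined somewhere not shown here, those three tasks would presumably fail on an undefined variable and the certificate and key would never be installed. Use one name on both sides, e.g. `container_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",` in this entry. The roles list starts and continues outside the hunk.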
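Review bot: The `install docker client key for registry` task copies a private key without `no_log: true` (or `diff: false`), so a run in diff mode can print the key contents into the console or job log; adding `no_log: true` to that task avoids it. The `ensure cert dir exists` task sets no `owner` or `mode`, so the directory holding the key gets whatever the defaults give, and an explicit `owner: root` plus a quoted `mode` would pin that down. The `mode: 0600` values are better written as `mode: "0600"` so the result does not depend on YAML octal parsing. The header comment still reads `# tasks file for push-docker` although this file belongs to the manage-container-images role.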