Comment 2 for bug 1887392

Greg Waines (greg-waines) wrote :

Debugged this with Bart.

'docker pull registry.central:9001/busybox:latest' WORKS.
'crictl pull registry.central:9001/busybox:latest' does NOT work.

Docker client checks here for registry certs that should be TRUSTED.
/etc/docker/<hostname>[:<port>]/<name>.crt
There could be several.
E.g. on subcloud,
/etc/docker/certs.d/registry.local\:9001/registry-cert.crt
/etc/docker/certs.d/registry.central\:9001/registry-cert.crt

crictl uses the entries in the config.toml file for specifying certs that should be TRUSTED:
e.g.
[plugins.cri.registry.configs."registry.local:9001".tls]
      ca_file = "/etc/docker/certs.d/registry.local:9001/registry-cert.crt"

However on subcloud there is ONLY an entry for registry.local ...
i.e. there is NO ENTRY for registry.central ... where there SHOULD be
e.g.
[plugins.cri.registry.configs."registry.central:9001".tls]
      ca_file = "/etc/docker/certs.d/registry.central:9001/registry-cert.crt"
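The mismatch described in this comment can be checked mechanically. The following is an added example, not part of the original comment or the project's code: it lists registries that have a trusted cert directory under `/etc/docker/certs.d` but no matching `tls` `ca_file` table in containerd's `config.toml`. The function names and sample data are illustrative, and the parser only recognises the `[plugins.cri.registry.configs."<host>".tls]` header form shown above.

```python
import re
from pathlib import Path

# Helper names are illustrative. The header pattern matches only the form
# quoted in the comment: [plugins.cri.registry.configs."host:port".tls]
TLS_HEADER = re.compile(r'^\s*\[plugins\.cri\.registry\.configs\."([^"]+)"\.tls\]\s*$')
CA_FILE = re.compile(r'^\s*ca_file\s*=\s*"([^"]*)"')

def containerd_ca_files(config_text):
    """Map registry host[:port] -> ca_file from the TLS tables in config.toml text."""
    result, current = {}, None
    for line in config_text.splitlines():
        header = TLS_HEADER.match(line)
        if header:
            current = header.group(1)
        elif line.lstrip().startswith("["):
            current = None  # another table starts; stop attributing keys
        elif current:
            ca = CA_FILE.match(line)
            if ca:
                result[current] = ca.group(1)
    return result

def docker_trusted_registries(certs_d):
    """Registries Docker trusts: one directory per host[:port] holding *.crt files."""
    root = Path(certs_d)
    if not root.is_dir():
        return []
    return sorted(d.name for d in root.iterdir() if d.is_dir() and any(d.glob("*.crt")))

def missing_in_containerd(registries, config_text):
    """Registries trusted by Docker that have no tls ca_file entry for crictl."""
    configured = containerd_ca_files(config_text)
    return [r for r in registries if r not in configured]

# Constructed sample mirroring the subcloud state described in the comment.
SAMPLE_CONFIG = '''
[plugins.cri.registry.configs."registry.local:9001".tls]
      ca_file = "/etc/docker/certs.d/registry.local:9001/registry-cert.crt"
'''
SAMPLE_REGISTRIES = ["registry.central:9001", "registry.local:9001"]

if __name__ == "__main__":
    for name in missing_in_containerd(SAMPLE_REGISTRIES, SAMPLE_CONFIG):
        print(f"no containerd TLS entry for {name}")
```

On a real host, pass `docker_trusted_registries("/etc/docker/certs.d")` and the contents of the containerd `config.toml` instead of the constructed samples.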