diff --git a/configuration.nix b/configuration.nix
index 0e645a2..77c128f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -141,6 +141,11 @@
   # Trust the WNTRMUTE issuing CA for all Metacircular services.
   security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ];
 
+  # Trust the WNTRMUTE CA for podman/skopeo registry connections (MCR).
+  # Podman uses /etc/containers/certs.d/<registry:port>/ca.crt, not the
+  # system CA bundle.
+  environment.etc."containers/certs.d/mcr.svc.mcp.metacircular.net:8443/ca.crt".source = ./certs/wntrmute-ca.pem;
+
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
   nix.settings.trusted-users = ["kyle"];