diff --git a/ansible/roles/common/tasks/FreeBSD_pki.yml b/ansible/roles/common/tasks/FreeBSD_pki.yml
index 6842810..aa1d599 100644
--- a/ansible/roles/common/tasks/FreeBSD_pki.yml
+++ b/ansible/roles/common/tasks/FreeBSD_pki.yml
@@ -85,6 +85,7 @@
 VAULT_ADDR: https://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
+ VAULT_CACERT: /etc/ssl/certs/MaskedName_Root_CA.crt
 register: cert_data
 when: exp.rc != 0
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
index 91a7171..f391c12 100644
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@@ -31,4 +31,15 @@
 - docker-ce
 - docker-ce-cli
 - containerd.io
+
+- name: ensure docker certs directory exists
+ file:
+ path: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082
+ state: directory
+
+- name: symlink ca cert
+ file:
+ src: /etc/pki/certs/{{ vault_ca_cert_name }}
+ dest: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082/ca.crt
+ state: link
 ...
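Review bot: In ansible/roles/common/tasks/FreeBSD_pki.yml the new `VAULT_CACERT` is a hard-coded literal path, while the docker role in this same commit builds its CA path from `vault_ca_cert_name`; if both point at the same root CA, a rename or rotation now has to be made in two places. If the file name matches that variable, prefer `VAULT_CACERT: "/etc/ssl/certs/{{ vault_ca_cert_name }}"`. A short comment such as `# CA bundle path on the host that runs the vault command` would also help, because the `VAULT_TOKEN` lookup on the line above reads from the control node and the task's target is not visible here. The task starts above the hunk, so whether it sets `no_log: true` cannot be checked from these lines; with a token in the environment and the output registered as `cert_data`, it should.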
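Review bot: Both new `file` tasks in ansible/roles/docker/tasks/main.yml leave ownership and mode to the defaults, although the directory holds the CA that Docker will trust for the registry at `docker.service.{{ consul_domain }}:8082`. Pin them on the directory task with `owner: root`, `group: root`, `mode: "0755"` so that a permissive umask or a pre-existing directory cannot leave the trust anchor writable by non-root users. The link is only as trustworthy as its target, so the same applies to `/etc/pki/certs/{{ vault_ca_cert_name }}`, which is managed outside this hunk. The registry host and port are also repeated in `path` and `dest`; a single variable would keep the two from drifting apart.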