Registry TLS Config usually no key file, only have crt file #3521

@1032120121

What is the problem you're trying to solve
In the current master code, config.Registry.TLSConfig includes the fields ca_file, key_file and cert_file, but the client usually has cert_file, like /etc/docker/cert.d/xxx.domain/xxx.crt in docker. It is not safe for key_file, as a private key, to remain on the client, and the client does not need it yet.

Describe the solution you'd like
Like /etc/docker/cert.d/xxx.domain/xxx.crt in docker, add a new option CertsDir; if it's not given, use the default cert file path /etc/containerd/cert.d/

```go
// Registry is registry settings configured
type Registry struct {
	// Mirrors are namespace to mirror mapping for all namespaces.
	Mirrors map[string]Mirror `toml:"mirrors" json:"mirrors"`
	// Auths are registry endpoint to auth config mapping. The registry endpoint must
	// be a valid url with host specified.
	Auths map[string]AuthConfig `toml:"auths" json:"auths"`
	// Directory of certification files for registry
	CertsDir string `toml:"certs_dir" json:"certs_dir"`
}
```

Additional context
Also, add a new option --crt-dir to the ctr command 'image pull', following the same logic as above.
