diff --git a/server/auth.go b/server/auth.go
index dcef5bf9c..726070674 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -50,7 +50,7 @@ func (r registryChallenge) URL() (*url.URL, error) {
 return redirectURL, nil
 }
-func getAuthorizationToken(ctx context.Context, challenge registryChallenge) (string, error) {
+func getAuthorizationToken(ctx context.Context, challenge registryChallenge, regOpts *registryOptions) (string, error) {
 redirectURL, err := challenge.URL()
 if err != nil {
 return "", err
@@ -67,7 +67,7 @@ func getAuthorizationToken(ctx context.Context, challenge registryChallenge) (st
 headers.Add("Authorization", signature)
- response, err := makeRequest(ctx, http.MethodGet, redirectURL, headers, nil, ®istryOptions{})
+ response, err := makeRequest(ctx, http.MethodGet, redirectURL, headers, nil, regOpts)
 if err != nil {
 return "", err
 }
diff --git a/server/download.go b/server/download.go
index 42d713c09..e143e51c8 100644
--- a/server/download.go
+++ b/server/download.go
@@ -2,6 +2,7 @@ package server
 import (
 "context"
+ "crypto/tls"
 "encoding/json"
 "errors"
 "fmt"
@@ -282,7 +283,7 @@ func (b *blobDownload) run(ctx context.Context, requestURL *url.URL, opts *regis
 var err error
 for try := 0; try < maxRetries; try++ {
 w := io.NewOffsetWriter(file, part.StartsAt())
- err = b.downloadChunk(inner, directURL, w, part)
+ err = b.downloadChunk(inner, directURL, w, part, opts)
 switch {
 case errors.Is(err, context.Canceled), errors.Is(err, syscall.ENOSPC):
 // return immediately if the context is canceled or the device is out of space
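Review bot: getAuthorizationToken now forwards regOpts to makeRequest in the @@ -67 hunk, so the signed-nonce exchange with the auth realm runs with certificate verification disabled whenever Insecure is set, and nothing at the signature says so; the removed call used a zero-value registryOptions and therefore always verified the realm's certificate. regOpts may now also be nil (makeRequestWithRetry and uploadPart pass through whatever they were given), which the visible part of the new makeRequest guards against, but the rest of its body is outside the diff, so the contract should be stated rather than assumed. Suggest a doc comment above the signature in the @@ -50 hunk: `// getAuthorizationToken obtains a bearer token from the realm named in challenge. regOpts may be nil; when regOpts.Insecure is set, the token request itself is made without TLS certificate verification.` getAuthorizationToken's body continues outside both hunks.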
@@ -326,7 +327,7 @@ func (b *blobDownload) run(ctx context.Context, requestURL *url.URL, opts *regis
 return nil
 }
-func (b *blobDownload) downloadChunk(ctx context.Context, requestURL *url.URL, w io.Writer, part *blobDownloadPart) error {
+func (b *blobDownload) downloadChunk(ctx context.Context, requestURL *url.URL, w io.Writer, part *blobDownloadPart, opts *registryOptions) error {
 g, ctx := errgroup.WithContext(ctx)
 g.Go(func() error {
 req, err := http.NewRequestWithContext(ctx, http.MethodGet, requestURL.String(), nil)
@@ -334,7 +335,20 @@ func (b *blobDownload) downloadChunk(ctx context.Context, requestURL *url.URL, w
 return err
 }
 req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", part.StartsAt(), part.StopsAt()-1))
- resp, err := http.DefaultClient.Do(req)
+
+ // Use custom HTTP client with insecure TLS if needed
+ httpClient := http.DefaultClient
+ if opts != nil && opts.Insecure {
+ tr := http.DefaultTransport.(*http.Transport).Clone()
+ tr.TLSClientConfig = &tls.Config{
+ InsecureSkipVerify: true,
+ }
+ httpClient = &http.Client{
+ Transport: tr,
+ }
+ }
+
+ resp, err := httpClient.Do(req)
 if err != nil {
 return err
 }
diff --git a/server/images.go b/server/images.go
index 951f7ac6e..16501648d 100644
--- a/server/images.go
+++ b/server/images.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "context"
 "crypto/sha256"
+ "crypto/tls"
 "encoding/hex"
 "encoding/json"
 "errors"
@@ -739,7 +740,7 @@ func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.UR
 // Handle authentication error with one retry
 challenge := parseRegistryChallenge(resp.Header.Get("www-authenticate"))
- token, err := getAuthorizationToken(ctx, challenge)
+ token, err := getAuthorizationToken(ctx, challenge, regOpts)
 if err != nil {
 return nil, err
 }
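Review bot: The Insecure branch in the @@ -334 hunk clones http.DefaultTransport and builds a fresh http.Client inside the g.Go closure, so every chunk — and every retry of it from the loop in run — gets its own transport and connection pool: no keep-alive reuse between chunks, and the idle connections held by each abandoned clone are not released until the transport's idle timeout expires. The insecure client only needs to exist once; build it lazily with sync.Once in a small helper and replace the block with `resp, err := httpClientFor(opts).Do(req)` (download.go would need to import sync). The same clone-per-call construction is repeated in makeRequest in server/images.go (@@ -816) and could call the same helper. Because InsecureSkipVerify applies to whatever host requestURL resolves to, not only the registry itself, the helper's doc comment should say that it disables verification for every request sent through the returned client. downloadChunk's body continues outside the hunk.
```go
// insecureClient is created at most once so that all chunks (and retries)
// share one transport and connection pool instead of cloning a new one
// per request. It disables TLS certificate verification for every request
// sent through it; httpClientFor only returns it when opts.Insecure is set.
var (
	insecureClientOnce sync.Once
	insecureClient     *http.Client
)

// httpClientFor returns http.DefaultClient unless opts requests insecure
// TLS, in which case the shared insecure client is returned. opts may be nil.
func httpClientFor(opts *registryOptions) *http.Client {
	if opts == nil || !opts.Insecure {
		return http.DefaultClient
	}
	insecureClientOnce.Do(func() {
		tr := http.DefaultTransport.(*http.Transport).Clone()
		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
		insecureClient = &http.Client{Transport: tr}
	})
	return insecureClient
}

// … unchanged: downloadChunk up to the Range header …
		resp, err := httpClientFor(opts).Do(req)
// … unchanged: error check and body handling …
```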
@@ -816,10 +817,20 @@ func makeRequest(ctx context.Context, method string, requestURL *url.URL, header
 req.ContentLength = contentLength
 }
- c := &http.Client{
- CheckRedirect: regOpts.CheckRedirect,
+ c := &http.Client{}
+
+ if regOpts != nil && regOpts.CheckRedirect != nil {
+ c.CheckRedirect = regOpts.CheckRedirect
 }
- if testMakeRequestDialContext != nil {
+
+ // Configure TLS to skip certificate verification if insecure mode is enabled
+ if regOpts != nil && regOpts.Insecure {
+ tr := http.DefaultTransport.(*http.Transport).Clone()
+ tr.TLSClientConfig = &tls.Config{
+ InsecureSkipVerify: true,
+ }
+ c.Transport = tr
+ } else if testMakeRequestDialContext != nil {
 tr := http.DefaultTransport.(*http.Transport).Clone()
 tr.DialContext = testMakeRequestDialContext
 c.Transport = tr
diff --git a/server/upload.go b/server/upload.go
index 312545eec..966a6ca6e 100644
--- a/server/upload.go
+++ b/server/upload.go
@@ -279,7 +279,7 @@ func (b *blobUpload) uploadPart(ctx context.Context, method string, requestURL *
 case resp.StatusCode == http.StatusUnauthorized:
 w.Rollback()
 challenge := parseRegistryChallenge(resp.Header.Get("www-authenticate"))
- token, err := getAuthorizationToken(ctx, challenge)
+ token, err := getAuthorizationToken(ctx, challenge, opts)
 if err != nil {
 return err
 }
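Review bot: In makeRequest the new `} else if testMakeRequestDialContext != nil {` makes the Insecure branch take precedence over the test dial hook, so a test that installs testMakeRequestDialContext and passes Insecure silently falls back to the real dialer; the two settings touch different Transport fields (TLSClientConfig and DialContext) and should both be applied to a single cloned transport. The rewrite below clones the transport at most once and sets whichever fields apply. The added `regOpts.CheckRedirect != nil` guard is harmless but redundant, since assigning a nil CheckRedirect is the same as leaving it unset, so `if regOpts != nil {` states the intent more directly. makeRequest's body continues outside the hunk.
```go
	c := &http.Client{}
	if regOpts != nil {
		c.CheckRedirect = regOpts.CheckRedirect
	}

	// Clone the default transport at most once: insecure TLS and the test
	// dial hook set different fields, so both can apply to the same clone.
	var tr *http.Transport
	if regOpts != nil && regOpts.Insecure {
		tr = http.DefaultTransport.(*http.Transport).Clone()
		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
	}
	if testMakeRequestDialContext != nil {
		if tr == nil {
			tr = http.DefaultTransport.(*http.Transport).Clone()
		}
		tr.DialContext = testMakeRequestDialContext
	}
	if tr != nil {
		c.Transport = tr
	}
	// … unchanged: rest of makeRequest …
```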