I haven’t found a way to set up CA certificates for HTTPS, but you should be able to use the standard method to access a Docker registry with a private CA:
write_files:
- content: |+
-----BEGIN CERTIFICATE-----
[CA cert/chain here]
-----END CERTIFICATE-----
owner: root
path: /etc/docker/certs.d/registry.domain.name/ca.crt
permissions: "0644"
Repeat as necessary for each external repository.