diff --git a/api/v1beta1/moduleimagesconfig_types.go b/api/v1beta1/moduleimagesconfig_types.go
index 51d0a1dcf..d43ebde07 100644
--- a/api/v1beta1/moduleimagesconfig_types.go
+++ b/api/v1beta1/moduleimagesconfig_types.go
@@ -49,6 +49,10 @@ type ModuleImageSpec struct {
 	// Sign contains sign instructions, in case image needs signing
 	// +optional
 	Sign *Sign `json:"sign,omitempty"`
+
+	// +optional
+	// RegistryTLS set the TLS configs for accessing the registry of the image.
+	RegistryTLS *TLSOptions `json:"registryTLS,omitempty"`
 }
 
 // ModuleImagesConfigSpec describes the images of the Module whose status needs to be verified
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index eacc99e86..00e218e53 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -470,6 +470,11 @@ func (in *ModuleImageSpec) DeepCopyInto(out *ModuleImageSpec) {
 		*out = new(Sign)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.RegistryTLS != nil {
+		in, out := &in.RegistryTLS, &out.RegistryTLS
+		*out = new(TLSOptions)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModuleImageSpec.
diff --git a/config/crd/bases/kmm.sigs.x-k8s.io_modulebuildsignconfigs.yaml b/config/crd/bases/kmm.sigs.x-k8s.io_modulebuildsignconfigs.yaml
index 4528347ef..a026e63c2 100644
--- a/config/crd/bases/kmm.sigs.x-k8s.io_modulebuildsignconfigs.yaml
+++ b/config/crd/bases/kmm.sigs.x-k8s.io_modulebuildsignconfigs.yaml
@@ -164,6 +164,19 @@ spec:
                     kernelVersion:
                       description: kernel version for which this image is targeted
                       type: string
+                    registryTLS:
+                      description: RegistryTLS set the TLS configs for accessing the
+                        registry of the image.
+                      properties:
+                        insecure:
+                          description: If Insecure is true, the operator will be able
+                            to access a registry in an insecure (plain HTTP) protocol.
+                          type: boolean
+                        insecureSkipTLSVerify:
+                          description: If InsecureSkipTLSVerify, the operator will
+                            accept any certificate provided by the registry.
+                          type: boolean
+                      type: object
                     sign:
                       description: Sign contains sign instructions, in case image
                         needs signing
diff --git a/config/crd/bases/kmm.sigs.x-k8s.io_moduleimagesconfigs.yaml b/config/crd/bases/kmm.sigs.x-k8s.io_moduleimagesconfigs.yaml
index afe820453..a48c738df 100644
--- a/config/crd/bases/kmm.sigs.x-k8s.io_moduleimagesconfigs.yaml
+++ b/config/crd/bases/kmm.sigs.x-k8s.io_moduleimagesconfigs.yaml
@@ -159,6 +159,19 @@ spec:
                     kernelVersion:
                       description: kernel version for which this image is targeted
                       type: string
+                    registryTLS:
+                      description: RegistryTLS set the TLS configs for accessing the
+                        registry of the image.
+                      properties:
+                        insecure:
+                          description: If Insecure is true, the operator will be able
+                            to access a registry in an insecure (plain HTTP) protocol.
+                          type: boolean
+                        insecureSkipTLSVerify:
+                          description: If InsecureSkipTLSVerify, the operator will
+                            accept any certificate provided by the registry.
+                          type: boolean
+                      type: object
                     sign:
                       description: Sign contains sign instructions, in case image
                         needs signing
diff --git a/internal/controllers/module_reconciler.go b/internal/controllers/module_reconciler.go
index 18465382f..ebad64d9c 100644
--- a/internal/controllers/module_reconciler.go
+++ b/internal/controllers/module_reconciler.go
@@ -353,6 +353,7 @@ func (mrh *moduleReconcilerHelper) handleMIC(ctx context.Context, mod *kmmv1beta
 			KernelVersion: mld.KernelVersion,
 			Build:         mld.Build,
 			Sign:          mld.Sign,
+			RegistryTLS:   mld.RegistryTLS,
 		}
 		images = append(images, mis)
 	}
diff --git a/internal/controllers/module_reconciler_test.go b/internal/controllers/module_reconciler_test.go
index d4d3efdc2..59bc4c9f6 100644
--- a/internal/controllers/module_reconciler_test.go
+++ b/internal/controllers/module_reconciler_test.go
@@ -475,12 +475,14 @@ var _ = Describe("handleMIC", func() {
 			Build:          &kmmv1beta1.Build{},
 			Sign:           &kmmv1beta1.Sign{},
 			KernelVersion:  "some version",
+			RegistryTLS:    &kmmv1beta1.TLSOptions{},
 		}
 		expectedSpec := kmmv1beta1.ModuleImageSpec{
 			Image:         img,
 			KernelVersion: "some version",
 			Build:         mld.Build,
 			Sign:          mld.Sign,
+			RegistryTLS:   mld.RegistryTLS,
 		}
 		mockKernelMapper.EXPECT().GetModuleLoaderDataForKernel(mod, gomock.Any()).Return(mld, nil)
 		mockMICAPI.EXPECT().CreateOrPatch(ctx, mod.Name, mod.Namespace, []kmmv1beta1.ModuleImageSpec{expectedSpec}, mod.Spec.ImageRepoSecret, mod).Return(nil)