diff --git a/operation/docker/ssl/README.md b/operation/docker/ssl/README.md
new file mode 100644
index 00000000..517a9acd
--- /dev/null
+++ b/operation/docker/ssl/README.md
@@ -0,0 +1,25 @@
+# CrateDB with SSL on Docker
+
+## About
+
+A service composition file (Docker or Podman) for running CrateDB
+with SSL enabled.
+
+## Usage
+```shell
+docker compose up
+```
+
+## Rationale
+
+Void of relevant ready-to-run examples.
+
+- https://cratedb.com/docs/guide/install/container/
+- https://cratedb.com/docs/guide/install/container/docker.html
+- https://cratedb.com/docs/crate/reference/en/latest/admin/ssl.html
+
+## Blueprint
+
+`crate-pdo` includes an example setup using Docker Compose.
+
+- https://github.com/crate/crate-pdo/tree/2.2.2/test/provisioning
diff --git a/operation/docker/ssl/compose.yml b/operation/docker/ssl/compose.yml
new file mode 100644
index 00000000..b7673b71
--- /dev/null
+++ b/operation/docker/ssl/compose.yml
@@ -0,0 +1,28 @@
+# Purpose:
+# Start CrateDB with custom parameters and wait for the service being available,
+# even when invoked through `docker compose up --detach`.
+
+services:
+
+ cratedb:
+ image: crate/crate:nightly
+ command: ["crate", "-Cstats.enabled=true"]
+ ports:
+ - 4200:4200
+ volumes:
+ - ./crate.yml:/crate/config/crate.yml
+ - ./keystore:/crate/config/keystore
+ - ./truststore:/crate/config/truststore
+ healthcheck:
+ test: ["CMD", "curl", "--fail", "--insecure", "https://localhost:4200"]
+ start_period: 3s
+ interval: 0.5s
+ retries: 30
+ timeout: 30s
+
+ # https://marcopeg.com/2019/docker-compose-healthcheck/
+ start_dependencies:
+ image: dadarek/wait-for-dependencies
+ depends_on:
+ cratedb:
+ condition: service_healthy
diff --git a/operation/docker/ssl/crate.yml b/operation/docker/ssl/crate.yml
new file mode 100644
index 00000000..a6a23db7
--- /dev/null
+++ b/operation/docker/ssl/crate.yml
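Review bot: The `ports` entry `- 4200:4200` in compose.yml publishes the CrateDB HTTP endpoint on every host interface, and the crate.yml added by the same commit trusts the `crate` user without a password, so the example is reachable from the network as soon as it starts; binding to loopback with `- "127.0.0.1:4200:4200"` (quoted, as is usual for Compose port mappings) keeps it local. Both images are moving targets, `crate/crate:nightly` and the untagged third-party `dadarek/wait-for-dependencies`; pinning a released tag or an image digest keeps the example reproducible and avoids silently pulling a changed upstream image. The three config mounts do not need to be writable and can take `:ro`, e.g. `- ./keystore:/crate/config/keystore:ro`. The header comment should also state that `--insecure` in the healthcheck is there presumably because curl does not trust the bundled certificate, and that clients outside the healthcheck should verify it instead.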
@@ -0,0 +1,24 @@
+auth.host_based.enabled: true
+auth:
+ host_based:
+ config:
+ 1:
+ user: crate
+ method: trust
+
+ 99:
+ method: password
+
+ssl.http.enabled: true
+ssl.psql.enabled: true
+ssl.keystore_filepath: /crate/config/keystore
+ssl.keystore_password: crate.io
+ssl.keystore_key_password: crate.io
+ssl.truststore_filepath: /crate/config/truststore
+ssl.truststore_password: crate.io
+
+path:
+ logs: /var/log/crate
+ data: /data/crate
+
+network.bind_host: 0.0.0.0
diff --git a/operation/docker/ssl/keystore b/operation/docker/ssl/keystore
new file mode 100644
index 00000000..5843e1d4
Binary files /dev/null and b/operation/docker/ssl/keystore differ
diff --git a/operation/docker/ssl/truststore b/operation/docker/ssl/truststore
new file mode 100644
index 00000000..b75fce13
Binary files /dev/null and b/operation/docker/ssl/truststore differ
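Review bot: Host-based auth entry `1` in crate.yml gives `method: trust` to the `crate` superuser with no `address` restriction, so together with `network.bind_host: 0.0.0.0` any client that can reach the published port connects as superuser without a password, and TLS only encrypts that session. Adding `address: _local_` to entry `1` keeps the in-container healthcheck working while every other connection falls through to entry `99` and must present a password. The keystore and truststore passwords are hard-coded as `crate.io` and the key material itself is committed next to them, so the file should say so at the top, for example `# Demo-only key material and passwords; generate your own keystore before any real use.` The file also mixes the flat key `auth.host_based.enabled` with a nested `auth:` mapping; using one form for the whole `auth` section would make the effective settings easier to audit.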