diff --git a/docker/dist/hpci.sh b/docker/dist/hpci.sh
index 9930502f3..a85a165ca 100644
--- a/docker/dist/hpci.sh
+++ b/docker/dist/hpci.sh
@@ -14,10 +14,15 @@ grep "NAME_COMPATIBILITY=HYBRID" $GSICONF || { sudo mkdir -p /etc/grid-security/certificates OPWD=$PWD cd /etc/grid-security/certificates
-[ -f 61cd35bd.signing_policy ] ||
- sudo wget https://www.hpci.nii.ac.jp/ca/61cd35bd.signing_policy
-[ -f 61cd35bd.0 ] ||
- sudo wget https://www.hpci.nii.ac.jp/ca/61cd35bd.0
+HASH=61cd35bd
+for suf in signing_policy 0
+do
+ [ -f $HASH.$suf ] || {
+ [ -f $OPWD/hpci/$HASH.$suf ] &&
+ sudo cp $OPWD/hpci/$HASH.$suf . ||
+ sudo wget https://www.hpci.nii.ac.jp/ca/$HASH.$suf
+ }
+done
 cd $OPWD [ -f get_gfarm2conf.sh ] ||
@@ -27,7 +32,6 @@ get_gfarm2conf.sh [ -f ~/.gfarm2rc.hpci ] || sh ./get_gfarm2conf.sh -f ~/.gfarm2rc.hpci - echo mv ~/.globus ~/.globus.bak echo myproxy-logon -s portal.hpci.nii.ac.jp -t 168 -l HPCI-ID echo export GFARM_CONFIG_FILE=$HOME/.gfarm2rc.hpci
diff --git a/docker/dist/hpci/.gfarm2rc.hpci b/docker/dist/hpci/.gfarm2rc.hpci
new file mode 100644
index 000000000..406a3c3ed
--- /dev/null
+++ b/docker/dist/hpci/.gfarm2rc.hpci
@@ -0,0 +1,17 @@
+# HPCI shared storage
+# gfarm version: 2.7.20
+# conf version: 1
+metadb_server_host ms-0.r-ccs.riken.jp
+metadb_server_port 601
+metadb_server_list ms-0.r-ccs.riken.jp:601 ms-1.r-ccs.riken.jp:601 gfm11.hpci.itc.u-tokyo.ac.jp:601 gfm12.hpci.itc.u-tokyo.ac.jp:601
+
+auth enable gsi_auth *
+
+sockopt keepalive
+spool_server_cred_type host
+spool_server_cred_service gfsd
+network_receive_timeout 1200
+
+schedule_busy_load_thresh 4.0
+
+network_send_timeout 60
diff --git a/docker/dist/hpci/61cd35bd.0 b/docker/dist/hpci/61cd35bd.0
new file mode 100644
index 000000000..be740ff8c
--- /dev/null
+++ b/docker/dist/hpci/61cd35bd.0
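Review bot: Both branches inside the new `for suf in signing_policy 0` loop install a CA trust anchor into /etc/grid-security/certificates without checking its content; `61cd35bd` looks like the OpenSSL subject-name hash used as the lookup file name, not a digest of the file, so neither the bundled copy under `$OPWD/hpci/` nor the `wget` download is compared with a known fingerprint. I would check the certificate once it is in place, for example `openssl x509 -in $HASH.0 -noout -fingerprint -sha256` compared against a value recorded in the script (`<EXPECTED_SHA256_FINGERPRINT>`, taken from the CA's published data), and stop if it differs. The `[ -f … ] && sudo cp … || sudo wget …` chain also runs `wget` when the bundled file exists but `cp` fails, which hides the copy error; `if [ -f "$OPWD/hpci/$HASH.$suf" ]; then sudo cp "$OPWD/hpci/$HASH.$suf" .; else sudo wget …; fi` with the expansions quoted makes the fallback deliberate. The script continues before and after this hunk, so the `cd` handling around the loop is only partly visible here.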
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVjCCAj6gAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MQswCQYDVQQGEwJKUDEM
+MAoGA1UEChMDTklJMQ0wCwYDVQQLEwRIUENJMRAwDgYDVQQDEwdIUENJIENBMB4X
+DTEyMDgwOTA2MTIyNFoXDTMyMDgwNzAwMDAwMFowPDELMAkGA1UEBhMCSlAxDDAK
+BgNVBAoTA05JSTENMAsGA1UECxMESFBDSTEQMA4GA1UEAxMHSFBDSSBDQTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN264tGoH5JdgQ1qF3/8nA6CB86b
+Rhfa67qlm4RWvAl2BmZ6ws0nuI6cmVcUKfs4HftAJYYN6Ch1p6lGdUwue/5iBliA
+4TS8zi/5WZq5ciH/ffG8NF1+TdEMZ1q9LRkrYSWQHPrzo1QY/5IX7QvOakeHyMTA
+s+Irr1mRz2OwHj6Nu9fCAg1D3d1a36fEuKs3krM5yYSz9cBbinNNMe+HoV7YcjJ9
+1lJhBVD7gCHOOjS0DXb2ed/kjjW+I9w7h9XS6Xl14yXik0GRMSeaBKbEK8E9npgg
+GvZZtItLOTFcJQVz3vkS8ZEOuxPgGgiio32a5gnSKCnDOSVp1FluZwRo7fUCAwEA
+AaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgw
+FoAUoD6uD5bj/URTMLH+Tg+eZRLcTZUwHQYDVR0OBBYEFKA+rg+W4/1EUzCx/k4P
+nmUS3E2VMA0GCSqGSIb3DQEBCwUAA4IBAQB2H9BiPQ9pO+NUKmQnt12e6N0wH5kC
+WBZ0TXnuPSdCTNtaV87lLPwjsMXdc5TpiEGNCl80Q9w62M32y/JwDgNhNFp6pho/
+A21kyquiLU3+vitbCIYHmkz8Z5T1+mmVAAIBllUWgnQTyvs5kQLsHaOJQOkgkuOo
+ANVOjj1H72lpUzLIRe+yF2T4JaA5YV6uN4uyBfYQKdUav/ekBEAEupOCvaHUCJWZ
+FyqX3mIQ3Q+LuD9Lnvs0efFmeoKmUcu4qws6DeGogQ7se/WWLJbZzm12ySS/YZI3
+EoqLKab2QLw3C0J8rSiLDkS95kK3fmsYfXekPkKAVacslboj1INFL3z9
+-----END CERTIFICATE-----
diff --git a/docker/dist/hpci/61cd35bd.signing_policy b/docker/dist/hpci/61cd35bd.signing_policy
new file mode 100644
index 000000000..3f261b9cf
--- /dev/null
+++ b/docker/dist/hpci/61cd35bd.signing_policy
@@ -0,0 +1,33 @@
+# ca-signing-policy.conf, see ca-signing-policy.doc for more information
+#
+# This is the configuration file describing the policy for what CAs are
+# allowed to sign whoses certificates.
+#
+# This file is parsed from start to finish with a given CA and subject
+# name.
+# subject names may include the following wildcard characters:
+# * Matches any number of characters.
+# ? Matches any single character.
+#
+# CA names must be specified (no wildcards). Names containing whitespaces
+# must be included in single quotes, e.g. 'Certification Authority'.
+# Names must not contain new line symbols.
+# The value of condition attribute is represented as a set of regular
+# expressions. Each regular expression must be included in double quotes.
+#
+# This policy file dictates the following policy:
+# -The Globus CA can sign Globus certificates
+#
+# Format:
+#------------------------------------------------------------------------
+# token type | def.authority | value
+#--------------|---------------|-----------------------------------------
+# EACL entry #1|
+
+ access_id_CA X509 '/C=JP/O=NII/OU=HPCI/CN=HPCI CA'
+
+ pos_rights globus CA:sign
+
+ cond_subjects globus '"/C=JP/O=NII/OU=HPCI/*"'
+
+# end of EACL