Replying to my own post since no one else is. :-)
I had copied the new certificate over the old one expecting the gitlab-ctl reconfigure would pick it up. I was wrong. Even renaming the cert failed.
The solution was to change the name of the file in gitlab.rb to a file that didn't exist and run reconfigure. Of course, the restart failed. Then I fixed the file name in gitlab.rb and ran reconfigure. Boom! New cert! Now docker login works and I can use the registry.
I hope this helps someone else.