Secure Docker Daemon with TLS

generate_certs.sh

openssl genrsa -out ca-key.pem 4096

openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj '/CN=docker-CA'

openssl genrsa -out key.pem 4096

openssl req -new -key key.pem -out cert.csr -subj '/CN=docker-client' -config openssl.cnf

openssl x509 -req -in cert.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -days 365 -extensions v3_req -extfile openssl.cnf

openssl.cnf

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = docker.local
IP.1 = 172.17.8.101
IP.2 = 127.0.0.1

systemd_docker-external.conf

# /etc/systemd/system/docker.service.d/docker-external.conf

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock