Docker TLS with self-signed cert and local CA on RHEL/CentOS

Here are some simple instructions for configuring a local Docker engine to use TLS, with server and client certificates issued by a CA that you create locally (only the CA certificate itself is self-signed; the daemon is set to --tlsverify, so every client must present a certificate from that CA). Next steps will be to create a Linux based CA, FreeIPA, and integrate it all with Docker.

Step 1: Generate the certificates that you need. Replace <username> with your local, NON-ROOT, user that you have granted access to the docker group. Items 3 and 4 prompt for a passphrase for the CA key; keep ca-key.pem off the Docker host once signing is done, because whoever holds it can mint client certificates the daemon will accept. Item 7 uses hostname -i for the server's IP SAN; check that it prints the address clients will connect to (on RHEL it can resolve to 127.0.0.1 through /etc/hosts, or print several addresses) and substitute the real address if it does not. Item 13 prints the finished server certificate so you can confirm the CN and the Subject Alternative Name entries.

  1. mkdir -m 700 ~<username>/TLS
  2. cd ~<username>/TLS
  3. openssl genrsa -aes256 -out ca-key.pem 2048
  4. openssl req -new -x509 -days 900 -key ca-key.pem -sha256 -out ca.pem
  5. openssl genrsa -out server-key.pem 2048
  6. openssl req -subj "/CN=$(hostname)" -new -key server-key.pem -out server.csr
  7. echo "subjectAltName = IP:127.0.0.1,IP:$(hostname -i)" > extfile.cnf
  8. openssl x509 -req -days 900 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
  9. openssl genrsa -out client-key.pem 2048
  10. openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
  11. echo "extendedKeyUsage = clientAuth" > extfile2.cnf
  12. openssl x509 -req -days 900 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile2.cnf
  13. openssl x509 -text -in server-cert.pem
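The same certificate set as a non-interactive script with a check of the result, added here as an example and not part of the original post's commands. Assumptions for the example: the output directory and the CA name "docker-local-ca", the CA passphrase arriving in the CA_PASS environment variable (so it never appears on a command line), and the DNS name and IP being passed in explicitly rather than taken from hostname / hostname -i. It goes a little beyond the steps above: the server certificate also gets a DNS SAN and extendedKeyUsage = serverAuth, the CA certificate gets explicit CA:TRUE / keyCertSign extensions from a private openssl config, and a throw-away certificate from another issuer is checked to be rejected, which is what --tlsverify enforces.

```shell
#!/bin/sh
# Added example, not the original post's commands: Step 1 as a non-interactive
# script plus a check of what it produced. Assumptions for the example: the
# output directory and CA name "docker-local-ca", the CA passphrase arriving in
# the CA_PASS environment variable, and the DNS name and IP being passed in
# rather than taken from $(hostname) / $(hostname -i).
set -eu

# gen_docker_tls DIR HOSTNAME IP
#   DIR       directory (created mode 700) that receives the PEM files
#   HOSTNAME  DNS name used for the server cert CN and SAN
#   IP        address clients will dial; added to the SAN next to 127.0.0.1
gen_docker_tls() {
    dir=$1 host=$2 ip=$3
    : "${CA_PASS:?set CA_PASS to the passphrase for ca-key.pem}"
    mkdir -p -m 700 "$dir"
    (
    cd "$dir"
    # Private config: the CA cert gets CA:TRUE and keyCertSign whatever the
    # system openssl.cnf says; -subj overrides the dn section for the leaf CSRs.
    cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = docker-local-ca
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # CA: AES-256 encrypted key (passphrase from the environment, not argv)
    openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem 2048
    openssl req -config openssl.cnf -new -x509 -days 900 -sha256 \
        -key ca-key.pem -passin env:CA_PASS -out ca.pem
    # Server: SAN carries the DNS name and both IPs; EKU restricted to serverAuth
    openssl genrsa -out server-key.pem 2048
    openssl req -config openssl.cnf -new -subj "/CN=$host" -key server-key.pem -out server.csr
    printf 'subjectAltName = DNS:%s,IP:127.0.0.1,IP:%s\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ip" > server-ext.cnf
    openssl x509 -req -days 900 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -extfile server-ext.cnf -out server-cert.pem
    # Client: clientAuth only, so a leaked client cert cannot impersonate the daemon
    openssl genrsa -out client-key.pem 2048
    openssl req -config openssl.cnf -new -subj '/CN=client' -key client-key.pem -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 900 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -extfile client-ext.cnf -out client-cert.pem
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf
    chmod 400 ca-key.pem server-key.pem client-key.pem
    )
}

# verify_docker_tls DIR HOSTNAME IP
# Returns 0 only if both leaf certs chain to ca.pem, the server key matches the
# server cert, the SAN contains HOSTNAME and IP (what a --tlsverify client checks
# against the address it dialled), and the EKUs are as intended.
verify_docker_tls() {
    dir=$1 host=$2 ip=$3
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/client-cert.pem" >/dev/null || return 1
    [ "$(openssl x509 -noout -modulus -in "$dir/server-cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$dir/server-key.pem")" ] || return 1
    srv=$(openssl x509 -noout -text -in "$dir/server-cert.pem")
    printf '%s\n' "$srv" | grep -qF "DNS:$host" || return 1
    printf '%s\n' "$srv" | grep -qF "IP Address:$ip" || return 1
    printf '%s\n' "$srv" | grep -qF 'TLS Web Server Authentication' || return 1
    cli=$(openssl x509 -noout -text -in "$dir/client-cert.pem")
    printf '%s\n' "$cli" | grep -qF 'TLS Web Client Authentication' || return 1
    printf '%s\n' "$cli" | grep -qF 'TLS Web Server Authentication' && return 1
    return 0
}

# reject_untrusted_cert DIR
# What --tlsverify buys: a cert from any other issuer (here a throw-away
# self-signed one) must NOT verify against ca.pem. Returns 0 when it is rejected.
reject_untrusted_cert() {
    dir=$1
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=rogue-ca' -keyout "$dir/rogue-key.pem" -out "$dir/rogue-cert.pem"
    if openssl verify -CAfile "$dir/ca.pem" "$dir/rogue-cert.pem" >/dev/null 2>&1; then
        return 1
    fi
    rm -f "$dir/rogue-key.pem" "$dir/rogue-cert.pem"
    return 0
}

# Usage: CA_PASS=... sh docker-tls.sh generate ~/TLS "$(hostname)" 192.0.2.10
if [ "${1:-}" = generate ]; then
    gen_docker_tls "$2" "$3" "$4"
    verify_docker_tls "$2" "$3" "$4" && echo "certificates in $2 verified"
fi
```

The files it leaves behind map onto the rest of this post: ca.pem, server-cert.pem and server-key.pem go to the daemon, ca.pem plus client-cert.pem / client-key.pem go to ~/.docker as ca.pem, cert.pem and key.pem. If you later move the daemon to another address, the server certificate has to be reissued with that address in its SAN; the CA and client certificates stay valid.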

Step 2: start the docker service, and verify that it runs okay with these certificates.

  1. sudo su -
  2. systemctl stop docker
  3. cd ~<username>/TLS
  4. dockerd -H=tcp://127.0.0.1:2376 --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem  (the -H is required: without it dockerd listens only on the unix socket and the TCP test in Step 3 cannot connect; the daemon stays in the foreground, which is what we want for this test)

Step 3: Open another terminal window for testing and log in to the same server as <username> (not root).

  1. mkdir ~/.docker
  2. cd ~/TLS
  3. cp ca.pem ~/.docker  (copy rather than move: Step 4 still needs ca.pem in ~/TLS to install it for the daemon)
  4. mv client-cert.pem ~/.docker/cert.pem
  5. mv client-key.pem ~/.docker/key.pem
  6. docker -H tcp://127.0.0.1:2376 --tlsverify info  (the CLI reads ca.pem, cert.pem and key.pem from ~/.docker by default, so this should now print the daemon's information; a handshake error here means the client certificate is not signed by the CA the daemon was started with, or the SAN does not cover 127.0.0.1)

Step 4: Go back to the previous terminal window and press Ctrl-C to terminate the foreground dockerd. Now modify the daemon's service file so the service starts with these certificates.

  1. systemctl stop docker.service
  2. cd ~<username>/TLS
  3. mkdir -p /etc/docker  (it may already exist)
  4. cp ca.pem server-cert.pem server-key.pem /etc/docker/.  (only the files the daemon needs; the CA key and the client key do not belong in /etc/docker)
  5. cd /etc/docker
  6. chmod 400 *
  7. cd /usr/lib/systemd/system
  8. vim docker.service. Change the ExecStart line to this (note the double dashes; a package update of docker-ce will overwrite this file, so either re-check it after updates or put the override in a systemd drop-in under /etc/systemd/system/docker.service.d/ instead). Binding 0.0.0.0 exposes port 2376 on every interface; client certificates are still required, but use 127.0.0.1 if only local clients need it, or restrict 2376 in firewalld:
    1. ExecStart=/usr/bin/dockerd -H=tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem --containerd=/run/containerd/containerd.sock
  9. systemctl daemon-reload
  10. systemctl start docker.service
  11. You have just set up the docker service to start in TLS-only mode. Verify that it works by switching to the <username> user and typing docker info. It should fail with "Cannot connect to the Docker daemon at unix:///var/run/docker.sock", because the daemon no longer listens on the unix socket and the CLI has not yet been told about the TCP port. Don't worry, this is expected. We will solve this in the next step.
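The same ExecStart line applied as a systemd drop-in, added here as an example and not from the original post. A drop-in survives package updates, unlike an edited /usr/lib/systemd/system/docker.service; the directory and file name below are assumptions. The first, empty ExecStart= line clears the packaged command (required, because ExecStart accumulates for simple services), and the second is the TLS-only command line used above.

```ini
# /etc/systemd/system/docker.service.d/tls.conf  (added example; path is an assumption)
# Overrides only ExecStart of the packaged docker.service. The empty
# ExecStart= resets the packaged command line before the new one is set.
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H=tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem --containerd=/run/containerd/containerd.sock
```

After writing it, run systemctl daemon-reload and systemctl restart docker.service; systemctl cat docker.service shows the packaged unit followed by the drop-in, and ss -ltnp should list dockerd on port 2376 and nothing on /var/run/docker.sock. Do not also set "hosts" in /etc/docker/daemon.json, since dockerd refuses to start when the same option is given both on the command line and in the file.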

Now, you have to add the environment variables for all users to point to the right TCP port, and use TLS.

  1. As root, cd /etc/profile.d && vim docker.sh
  2. Add the following lines to the file and write/quit. The variables must be exported; otherwise they stay local to the login shell and the docker CLI never sees them.
    1. export DOCKER_HOST=tcp://127.0.0.1:2376
    2. export DOCKER_TLS_VERIFY=1
  3. Log out and back in (or run source /etc/profile.d/docker.sh); a reboot is not needed. As the non-root user, docker info should now print the daemon's information. The CLI reads ca.pem, cert.pem and key.pem from ~/.docker, so every user who needs access must have a copy of the CA certificate plus their own client certificate and key there (DOCKER_CERT_PATH can point to a different directory).
