@dmohs
Last active August 23, 2016 19:57
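#!/bin/bash
# Generate a private CA plus a server and a client certificate for a
# TLS-protected Docker daemon socket (see the usage notes at the bottom).
#
# Must run as root: everything is written under DOCKER_TLS_DIR (default
# /etc/ssl/certs/docker). The script deliberately fails if that directory
# already exists, so an existing CA is never overwritten.
#
# Tunables (environment variables, all optional):
#   DOCKER_TLS_DIR  target directory              (default /etc/ssl/certs/docker)
#   DAYS            certificate lifetime in days  (default 365)
#   SERVER_SAN      server subjectAltName value   (default IP:0.0.0.0)
#                   Set this to the address clients actually dial, e.g.
#                   "IP:203.0.113.5" or "DNS:docker.example.com,IP:203.0.113.5".
#                   The default 0.0.0.0 is a bind address, not a host identity,
#                   so a --tlsverify client has nothing to match the server
#                   certificate against.
IFS=$'\n\t'
set -euxo pipefail

readonly tls_dir="${DOCKER_TLS_DIR:-/etc/ssl/certs/docker}"
readonly days="${DAYS:-365}"
readonly server_san="${SERVER_SAN:-IP:0.0.0.0}"

# No -p: abort rather than reuse (and re-sign into) an existing directory.
mkdir "$tls_dir"
mkdir "$tls_dir/server"
mkdir "$tls_dir/client"
cd "$tls_dir"

# Private keys and the CA passphrase must never be world-readable, even
# briefly. openssl writes its output files with the process umask, so set it
# before the first secret is created instead of relying on a later chmod.
umask 077

# CA key passphrase. It lives next to the key in plaintext, so the key
# encryption only guards against an accidental copy of ca-key.pem alone;
# treat the whole directory as sensitive.
openssl rand -hex 32 > keypass
chmod 600 keypass

# The passphrase is handed to openssl via file: rather than pass:"$(<keypass)"
# so it never appears in argv (readable through ps) or in the set -x trace.
openssl genrsa -aes256 -passout file:keypass -out ca-key.pem 4096
openssl req -new -x509 -days "$days" -key ca-key.pem -passin file:keypass -sha256 -out ca.pem \
  -subj '/CN=*'
chmod 600 ca-key.pem

# Server certificate, signed by the CA.
openssl genrsa -out server/key.pem 4096
chmod 600 server/key.pem
openssl req -subj '/CN=*' -sha256 -new -key server/key.pem -out server/server.csr
printf 'subjectAltName = %s\n' "$server_san" > server/extfile.cnf
openssl x509 -req -days "$days" -sha256 -in server/server.csr -CA ca.pem \
  -CAkey ca-key.pem -passin file:keypass \
  -CAcreateserial -extfile server/extfile.cnf -out server/cert.pem

# Client certificate, restricted to client authentication so a leaked client
# cert cannot be presented as a server.
openssl genrsa -out client/key.pem 4096
chmod 600 client/key.pem
openssl req -subj '/CN=client' -new -key client/key.pem -out client/client.csr
echo 'extendedKeyUsage = clientAuth' > client/extfile.cnf
openssl x509 -req -days "$days" -sha256 -in client/client.csr \
  -CA ca.pem \
  -CAkey ca-key.pem -passin file:keypass \
  -CAcreateserial -out client/cert.pem -extfile client/extfile.cnf

# Public material stays world-readable as before; the umask above would
# otherwise leave the certificates at 0600.
chmod 644 ca.pem server/cert.pem client/cert.pem

# Make the whole client bundle fetchable from one directory.
cd client
ln -s ../ca.pem

# Run this script. Fetch and read it first; piping a URL straight into
# `sudo bash` executes whatever the server happens to return at that moment:
#   curl -fsSL <gist-url> -o docker-tls.sh && less docker-tls.sh
#   sudo bash docker-tls.sh
# Grab certs (key.pem is a secret: keep it 0600 on the client too):
# ssh $IP sudo tar -C /etc/ssl/certs/docker/client -ch ca.pem cert.pem key.pem | tar -x
# Add self to docker group (membership is equivalent to root on the host):
# sudo usermod -aG docker "$USER"
# Run docker service with these options:
# --tlsverify --tlscacert=/etc/ssl/certs/docker/ca.pem --tlscert=/etc/ssl/certs/docker/server/cert.pem --tlskey=/etc/ssl/certs/docker/server/key.pem --host=tcp://0.0.0.0:2376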