# Enable Docker Remote API with TLS client verification
Docker's Remote API can be secured via TLS and client certificate verification.
First of all you need a few certificates and keys:
+ CA certificate
+ Server certificate
+ Server key
+ Client certificate
+ Client key
## Create certificate files
You can create these files as described in the official docs in [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).
You can also use my [create-certs.sh](https://github.com/kekru/linux-utils/blob/master/cert-generate/create-certs.sh) script to create them.
Download the script and run it like this:
1. Create a CA with the password `yourSecretPassword` and `900` days until it will expire. The cert files will be in the directory `./certs`.
```bash
./create-certs.sh -m ca -pw yourSecretPassword -t certs -e 900
```
2. Create a server certificate and key with the password from step 1 (`yourSecretPassword`), the server name `myserver.example.com` and `365` days until it will expire. The cert files will be in the directory `./certs`.
```bash
./create-certs.sh -m server -h myserver.example.com -pw yourSecretPassword -t certs -e 365
```
3. Create a client certificate and key with the password from step 1 (`yourSecretPassword`), the client name `testClient` (the name matters if you want to use authorization plugins later) and `365` days until it will expire. The cert files will be in the directory `./certs`.
```bash
./create-certs.sh -m client -h testClient -pw yourSecretPassword -t certs -e 365
```
Now you have a directory `./certs` with certificates and keys for CA, server and client.
# Enable Remote API with TLS
Make sure you have a CA certificate and a server certificate with a server key.
Open or create the file `/etc/docker/daemon.json`. This is the main configuration file for Docker.
Take the content of the `2-daemon.json` file of this gist and write it to `/etc/docker/daemon.json`. Edit the paths to your CA and server certificate files.
Restart your Docker engine with `sudo service docker restart`.
The Docker Remote API is ready to use. You can run Docker commands from a remote device by using the ca.pem and the client certificate and key. Read [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for more information.
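
Before restarting the daemon, it helps to confirm that the configuration really enforces client verification: `tls` alone only encrypts the connection, while `tlsverify` makes the daemon reject clients whose certificate is not signed by your CA. The following check is an added example, not part of this gist or its `2-daemon.json`; the two sample configs are constructed, and the file names `server-cert.pem` and `server-key.pem` and the `/path/to/certs` directory are assumed placeholders.

```python
import json

# Constructed sample: encrypts traffic but does not verify client certificates.
WEAK = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/path/to/certs/server-cert.pem",
  "tlskey": "/path/to/certs/server-key.pem"
}
""")

# Constructed sample: clients must present a certificate signed by ca.pem.
HARDENED = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/path/to/certs/ca.pem",
  "tlscert": "/path/to/certs/server-cert.pem",
  "tlskey": "/path/to/certs/server-key.pem"
}
""")


def audit_daemon_config(cfg):
    """Return a list of findings; an empty list means client verification is enforced."""
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Remote API is not exposed over TCP, nothing to check
    if cfg.get("tlsverify") is not True:
        if cfg.get("tls") is True:
            findings.append("tls without tlsverify: traffic is encrypted but any client is accepted")
        else:
            findings.append("tcp host without tlsverify: API is reachable unauthenticated")
    for key in ("tlscacert", "tlscert", "tlskey"):
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or "OK")
```

To audit a real host, load `/etc/docker/daemon.json` with `json.load` and pass the result to `audit_daemon_config`.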