Install this plugin:

apt-get install ruby ruby-sinatra
mkdir -p /etc/docker/plugins

addgroup --system docker-ca
adduser --system --no-create-home --ingroup docker-ca docker-auth-crl

cp docker-auth-crl.spec /etc/docker/plugins/
cp docker-auth-crl.service /etc/systemd/system/
systemctl enable docker-auth-crl.service

Install easy-rsa:

mkdir /etc/docker-ca
cd /etc/docker-ca
git clone https://github.com/OpenVPN/easy-rsa.git
cd /etc/docker-ca/easy-rsa/easyrsa3
bash ./easyrsa init-pki
chmod 750 pki
chgrp docker-ca pki
bash ./easyrsa build-ca nopass
bash ./easyrsa build-server-full YOUR-HOSTNAME nopass
bash ./easyrsa build-client-full client1 nopass
bash ./easyrsa build-client-full client2 nopass
bash ./easyrsa gen-crl
chmod 644 pki/crl.pem

Configure docker:

systemctl edit docker.service

Set ExecStart:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --authorization-plugin=docker-auth-crl --host tcp://0.0.0.0:2367 --tlsverify --tlscacert /etc/docker-ca/easy-rsa/easyrsa3/pki/ca.crt --tlscert /etc/docker-ca/easy-rsa/easyrsa3/pki/issued/YOUR-HOSTNAME.crt --tlskey /etc/docker-ca/easy-rsa/easyrsa3/pki/private/YOUR-HOSTNAME.key

Restart docker:

systemctl restart docker.service

Deny access for client1:

cd /etc/docker-ca/easy-rsa/easyrsa3
bash ./easyrsa revoke client1
bash ./easyrsa gen-crl
chmod 644 pki/crl.pem
systemctl restart docker-auth-crl