Copy the package installer unit file to /etc where changes will not be overwritten on an upgrade:
cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service
Update /etc/systemd/system/docker.service with your options on ExecStart:
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 \ --tlsverify --tlscacert=/etc/docker/certs/ca.pem \ --tlskey=/etc/docker/certs/key.pem \ --tlscert=/etc/docker/certs/cert.pem
dockerd is the 1.12 daemon name, prior it was
docker daemon. Also note that 2376 is dockers standard TLS port, 2375 is the standard unencrypted port. See this page for steps to create your own TLS self signed CA, cert, and key.
After making changes to the systemd unit files, run the following to reload the systemd config:
And then run the following to restart docker:
systemctl restart docker
It's a bad idea to skip TLS encryption when exposing the Docker port since anyone with network access to this port effectively has full root access on the host.