diff --git a/api/server/server_unix.go b/api/server/server_unix.go
index c3d4def870..60fd23af63 100644
--- a/api/server/server_unix.go
+++ b/api/server/server_unix.go
@@ -3,6 +3,7 @@ package server
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@@ -24,7 +25,7 @@ func (s *Server) newServer(proto, addr string) ([]*HTTPServer, error) {
 	)
 	switch proto {
 	case "fd":
-		ls, err = listenFD(addr)
+		ls, err = listenFD(addr, s.cfg.TLSConfig)
 		if err != nil {
 			return nil, err
 		}
@@ -84,9 +85,17 @@ func allocateDaemonPort(addr string) error {
 
 // listenFD returns the specified socket activated files as a slice of
 // net.Listeners or all of the activated files if "*" is given.
-func listenFD(addr string) ([]net.Listener, error) {
+func listenFD(addr string, tlsConfig *tls.Config) ([]net.Listener, error) {
+	var (
+		err       error
+		listeners []net.Listener
+	)
 	// socket activation
-	listeners, err := systemdActivation.Listeners(false)
+	if tlsConfig != nil {
+		listeners, err = systemdActivation.TLSListeners(false, tlsConfig)
+	} else {
+		listeners, err = systemdActivation.Listeners(false)
+	}
 	if err != nil {
 		return nil, err
 	}
diff --git a/hack/vendor.sh b/hack/vendor.sh
index 92808ca599..efdc297cab 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -52,7 +52,7 @@ clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c # update next time
 clone git github.com/opencontainers/runc 1349b37bd56f4f5ce2690b5b2c0f53f88a261c67 # libcontainer
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
-clone git github.com/coreos/go-systemd v3
+clone git github.com/coreos/go-systemd v4
 clone git github.com/godbus/dbus v2
 clone git github.com/syndtr/gocapability 66ef2aa7a23ba682594e2b6f74cf40c0692b49fb
 clone git github.com/golang/protobuf 655cdfa588ea
diff --git a/vendor/src/github.com/coreos/go-systemd/activation/listeners.go b/vendor/src/github.com/coreos/go-systemd/activation/listeners.go
index a30cb89395..df27c29e9e 100644
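Review bot: The `listenFD` hunk passes the daemon's shared `s.cfg.TLSConfig` pointer straight into `systemdActivation.TLSListeners`, which (per the vendored hunk in this same patch) overwrites `tlsConfig.NextProtos` with `[]string{"http/1.1"}` — so opening socket-activated listeners silently mutates a config object that other listener paths may also be holding. If the same pointer is reused for the plain `tcp` proto (not visible here), that path inherits the NextProtos change; passing a copy of the config into `listenFD`, or making a copy before the `if tlsConfig != nil` branch, keeps the side effect local. A comment on that branch would also save the next reader a trip into the vendored code, since only fds whose `Addr().Network()` is `"tcp"` get wrapped: `// TLSListeners wraps only TCP fds; a socket-activated unix fd is still served in the clear`. The remainder of `listenFD` (the addr / "*" filtering) continues past the end of this hunk.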
--- a/vendor/src/github.com/coreos/go-systemd/activation/listeners.go
+++ b/vendor/src/github.com/coreos/go-systemd/activation/listeners.go
@@ -15,6 +15,7 @@ package activation
 
 import (
+	"crypto/tls"
 	"net"
 )
 
@@ -35,3 +36,27 @@ func Listeners(unsetEnv bool) ([]net.Listener, error) {
 	}
 	return listeners, nil
 }
+
+// TLSListeners returns a slice containing a net.listener for each matching TCP socket type
+// passed to this process.
+// It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
+func TLSListeners(unsetEnv bool, tlsConfig *tls.Config) ([]net.Listener, error) {
+	listeners, err := Listeners(unsetEnv)
+
+	if listeners == nil || err != nil {
+		return nil, err
+	}
+
+	if tlsConfig != nil && err == nil {
+		tlsConfig.NextProtos = []string{"http/1.1"}
+
+		for i, l := range listeners {
+			// Activate TLS only for TCP sockets
+			if l.Addr().Network() == "tcp" {
+				listeners[i] = tls.NewListener(l, tlsConfig)
+			}
+		}
+	}
+
+	return listeners, err
+}