Creating a CA-signed certificate for the Quorum Witness server

The Certificate Authority (CA) signed certificate is used to connect to the Quorum Witness (QW) server. Perform this procedure on the server where you will install the Quorum Witness software. The OpenSSL commands used in this procedure are examples only.

Passphrases are not supported.


Access to OpenSSL 1.0 or later or another tool for securing TLS and SSL protocol.


Quorum Witness server

  1. Log in as the root user to the Quorum Witness server.
  2. Confirm that you are in the /root directory using the pwd command.
  3. Identify the FQDN of the server as the variable SYSTEM_QW.

    For example:

  4. Generate a private key for the server certificate.
    For example: openssl genrsa -out ${SYSTEM_QW}-server.key.pem 2048
    Generating RSA private key, 2048 bit long modulus
    e is 65537 (0x10001)
  5. Generate a certificate signing request (CSR) using the server key. Replace the information between the quotes with your location.

    openssl req -key ${SYSTEM_QW}-server.key.pem -new -sha256 -subj "/C=Country or region/ST=State/L=Location/O=Organization/OU=Organizational Unit/CN=${SYSTEM_QW}" -out ${SYSTEM_QW}-server-csr.pem

    For example: openssl req -key ${SYSTEM_QW}-server.key.pem -new -sha256 -subj "/C=US/ST=CA/L=Los Angeles/O=HPE/OU=DEV/CN=${SYSTEM_QW}" -out ${SYSTEM_QW}-server-csr.pem

  6. Confirm that two files are listed in the /root directory.
    ls -l *.pem
    ls -l *.pem
    -rw-r--r-- 1 root root 1021 May 23 09:17
    -rw-r--r-- 1 root root 1675 May 23 09:11

Certificate Authority Tool

  1. Access the CA tool.
  2. Request a CA-signed certificate using the .csr.pem file.
  3. When you receive the CA-signed certificate for the QW server:
    1. Make sure that the CA-signed certificates are compliant to X.509 certificate format and PEM encoding.
    2. Move the CA-signed, QW server certificate to your predefined CA-signed certificates folder.
      For example: certificate is located in C:\qw-secure\certs.