Hostnames and certificates
The SSL certificate for the witness service is set up during installation of the RPM. The generated certificate uses the configured hostname and the primary IPv4 and IPv6 (if configured) addresses as valid names. For the hostname, it is recommended to use an FQDN (Fully Qualified Domain Name) so that the FQDN is included as a valid name in the certificate. For registration and use of a Metro Volume witness service in PowerStore, it is important that the correct name or IP address is present in the certificate Subject Alternative Name (SAN). After installing the metro witness service, the openssl tool can be used to verify the SAN of the certificate in use.
The example below shows the output for a metro witness service running on the host “metro-witness.lab”. The valid addresses to register the witness in PowerStore manager are the IPv4 address 192.168.8.220, the IPv6 address FE80::FE81:758F, and the DNS name of the server, metro-witness.lab.

On a shared OS installation, or when multiple IPs or network cards are used, the certificate may not contain a valid IP or DNS name for registering the witness service in PowerStore manager successfully. The Dell witness service RPM contains the script /opt/dell-witness-service/scripts/replace_certificate.sh, which allows changing the SAN entries of the witness service certificate. The following example shows the command to create SSL certificates for the witness service containing multiple IP and DNS names, which could be required when running the witness service in different DNS zones or in a NAT environment.
With that example, PowerStore manager can register the witness service by using one of the entries listed as Subject Alternative Name (SAN) in the output:
metro-witness.lab
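As an added example (not part of the original Dell page), the following script checks whether the address you plan to enter in PowerStore manager is actually covered by a certificate's SAN, using the `-checkhost` and `-checkip` options of `openssl x509`. The function names `san_allows` and `make_demo_cert` are hypothetical, and the certificate is a constructed self-signed stand-in carrying the three names from the example above; point `san_allows` at a PEM copy of the real witness certificate instead.

```shell
#!/bin/sh
# Added example: test whether an address is covered by a certificate's SAN.

# san_allows CERT_PEM ADDRESS -> exit status 0 if ADDRESS matches the certificate.
# openssl's own matcher is used instead of grepping the text dump, because the
# dump may print an IPv6 address in a different textual form than the one typed.
san_allows() {
    case $2 in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # contains letters: DNS name
        *)         flag=-checkip ;;    # dotted-quad IPv4
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
}

# make_demo_cert OUT_PEM -> constructed self-signed certificate carrying the
# three names from the page's example (stand-in for the real witness cert).
make_demo_cert() {
    cnf=$(mktemp); key=$(mktemp)
    cat >"$cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = metro-witness.lab
[v3]
subjectAltName = DNS:metro-witness.lab, IP:192.168.8.220, IP:FE80::FE81:758F
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$key" -out "$1" 2>/dev/null
    rm -f "$cnf" "$key"
}

# Demo: 10.0.0.5 and witness.example are constructed addresses not in the SAN.
demo=$(mktemp)
make_demo_cert "$demo"
for addr in metro-witness.lab 192.168.8.220 fe80::fe81:758f 10.0.0.5 witness.example; do
    if san_allows "$demo" "$addr"; then
        echo "usable for registration: $addr"
    else
        echo "NOT in certificate SAN:  $addr"
    fi
done
rm -f "$demo"
```

Running the same check after regenerating the certificate confirms that every address used across DNS zones or behind NAT made it into the SAN.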
For additional reading, full coverage of Metro Volume witness requirements and installation is provided in the document Dell PowerStore: Protecting Your Data.