The resulting configuration looks like this:
In Figure 11, QM1's key repository contains QM1's certificate and QM2's CA certificate. QM2's key repository contains QM2's certificate and QM1's CA certificate.