SZTP process

  1. Ensure the device has a Nokia CA-signed IDevID certificate in the TPM on each control card.
  2. Ensure the Nokia OV trust anchor is available on the CPM so the device can validate the Ownership Voucher.
  3. Obtain an Ownership Voucher (OV) by submitting a request to Nokia Support. The request must include the Pinned Domain Certificate (PDC), a trusted digital certificate issued by the customer and provided to Nokia during the OV request, along with the order details containing the router serial numbers.
  4. Ensure that the DHCP server and the SZTP (RESTCONF) bootstrap server are configured in the network.
  1. The CPM initializes the secure bootstrapping process, as defined in the SZTP process (RFC 8572).
  2. The CPM verifies the digital signature of the acquired bootstrapping data. The CPM starts by validating the signature of the CMS structure of the Ownership Voucher against the Nokia trust anchor stored on the CPM. If the signature is valid, the contents of the OV can be trusted.
  3. The CPM extracts the PDC from the validated OV. It then verifies that the Ownership Certificate's chain of trust leads to that PDC. After transferring trust to the customer, the CPM uses the Ownership Certificate to validate the onboarding information within the conveyed-information structure.
  4. Note: The CPM must only use the onboarding information when digital signatures are verified.
    After the trust is established, the CPM uses the onboarding data to upgrade or download the software, apply the base configuration, and execute any scripts referenced in the onboarding information.