Yes, so as I said earlier, the onboarding was quite simple, and a new onboarding process has been introduced to make it more secure.
The new process involves an authentication key used by the managed device to authenticate itself to Panorama. With this authkey, mutual authentication is in place: the Panorama needs to know the device serial number, and the device needs to know the authkey.
The second change is about the certificate used to secure the communication between the Panorama and the managed device. Instead of using the default certificate on the system, the Panorama derives a new CA certificate, and it will use this CA certificate to issue a certificate for each managed device.
So the big change here is that if a device associated with company A’s Panorama needs to be managed by another company B’s Panorama, it will require a new certificate from company B’s Panorama.
There is really no common certificate between company A and company B.
Finally, you onboard your device to the Active Panorama: you only work on the Active Panorama and the device to onboard. If you have a High Availability Panorama setup, there is nothing to do on the Passive Panorama.
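
The certificate separation described above (each Panorama issuing device certificates from its own CA, with no certificate shared between company A and company B) can be reproduced with plain `openssl`. This is an added illustration, not PAN-OS commands or Panorama's own code; the two CAs stand in for the two Panoramas, and the CA names, file names and device serial are constructed.

```shell
# Added illustration: two independent CAs stand in for company A's and
# company B's Panorama. All names and the serial are constructed.
WORK=$(mktemp -d)

# make_ca <label>: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=panorama-$1-ca" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_device_cert <ca-label> <serial>: device key and CSR, signed by that CA.
issue_device_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2-$1.key" -out "$WORK/$2-$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2-$1.csr" -days 30 \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2-$1.pem" 2>/dev/null
}

# trusted_by <ca-label> <device-cert>: status 0 only if the cert chains to that CA.
trusted_by() {
    openssl verify -CAfile "$WORK/$1-ca.pem" "$2" >/dev/null 2>&1
}

make_ca A
make_ca B
SERIAL=000000000001   # constructed device serial
issue_device_cert A "$SERIAL"

trusted_by A "$WORK/$SERIAL-A.pem" && echo "A accepts the cert issued by A"
trusted_by B "$WORK/$SERIAL-A.pem" || echo "B rejects the cert issued by A"

# Moving the device to company B means B's CA has to issue a fresh certificate.
issue_device_cert B "$SERIAL"
trusted_by B "$WORK/$SERIAL-B.pem" && echo "B accepts the cert issued by B"
```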