- #. Upload the VSP to the VF (see steps 3 to 5 in (TBD)Update a VF [optional]).
- #. Update the VF version in services that include the VF (see step 4 in (TBD) Update a service [optional]).
+
+ #. Upload the VSP to the Vf/PNF
+ (see steps 3 to 5 in :ref:`doc_guide_user_des_vf-cre`).
+ #. Update the VF/PNF version in services that include the VF/PNF (see step 4
+ in :ref:`doc_guide_user_des_ser-des`).
+
+.. _doc_guide_user_des_res-onb_pre-install_root_certificate:
+
+Pre-Install Root Certificate in SDC [only needed for secure package]
+--------------------------------------------------------------------
+SDC supports the onboarding of packages that are secured according to security option 2 in ETSI NFV-SOL 004v2.6.1.
+
+During onboarding, SDC will validate the authenticity and integrity of a secure package. To enable this validation,
+the root certificate corresponding to the certificate included in the package needs to be available to SDC.
+This is currently done by uploading the root certificate to the following default directory location::
+
+ /dockerdata-nfs/{{ .Release.Name }}/sdc/onbaording/cert
+
+.. note::
+ The directory listed above is mapped to the following directory in the onboarding pod (sdc-onboarding-be)
+ ::
+
+ /var/lib/jetty/cert
+
+ so it is also possible to copy the root certificate directly to this directory in the pod.
+
+The location where the root certificate is uploaded is configurable. The relevant parameters are described in
+the *cert* block in the following values file::
+
+ <path_to_oom_kubernetes>/sdc/charts/sdc-onboarding-be/values.yaml
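Review bot: The default directory in the first literal block of the new section is spelled `sdc/onbaording/cert`; please confirm this matches the path in the *cert* block of the values.yaml referenced at the end of the section. If the chart really uses that spelling, say so in the text. Otherwise correct it here, because a certificate copied to the wrong directory will not be available to SDC when it validates a secure package. Two smaller points in the same hunk: the first added list item writes `Vf/PNF` where the next item writes `VF/PNF`, and the section never states that this directory holds the trust anchor for package authenticity checks. One sentence recommending that write access to the NFS path and to `/var/lib/jetty/cert` in the sdc-onboarding-be pod be limited to operators would help, along with the certificate file format SDC expects.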