...

  1. Create a terminal with a known serial number in CAS, so that CAS knows to expect that terminal to start talking to it. Generate a VPN configuration for the terminal if you expect it to use the built-in OpenVPN client (Deployment Scenario A).

  2. The terminal with serial number XYZ sends a pairing request to the gate service along with its client certificate (the Terminal Certificate Fingerprint). The gate service is reachable only if you temporarily open its TCP port 7741 to the Internet; close it again once pairing is done.

  3. The gate service checks whether a terminal with that particular fingerprint is already trusted. If it is, the gate sends the terminal its VPN configuration and the IP of the master service.

  4. If the terminal is not yet trusted, a pairing code is displayed on the terminal screen and the pairing request is added to the list of pairing requests in the server admin.

  5. The operator is expected to review the pairing request in CAS and call the location's contact person to have them read out the pairing code (or at least part of it). This step is needed to be sure that it is really the location's genuine machine connecting to your server and not an attacker's. It must also be the operator's staff who place the call to the location contact, never the other way round, to rule out the scam where an attacker calls the operator and asks to have his own machine added to CAS.

  6. Once the pairing code on the terminal screen matches the one shown in CAS, the operator can click APPROVE. Only users with 2FA enabled can perform this operation.

  7. Once pairing is approved, the Terminal Certificate Fingerprint is stored in the database and the terminal is paired, i.e. trusted.

Here are some screenshots from the pairing process:

...

How to break trust?

  1. In CAS you can unpair the terminal, causing the server to forget its Terminal Certificate Fingerprint.

  2. Or factory reset the terminal, after which it has to go through pairing again.
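The pairing flow in steps 1 to 7 above and the two ways of breaking trust in this section, simulated end to end as an added example (this is not CAS code and is not taken from the original page). The gate service, the terminal and the operator are all modelled in one Python process. The terminal's client certificate is a constructed random byte string standing in for the real DER certificate; the SHA-256 fingerprint construction, the 6-digit pairing code format, the master IP 10.0.0.1, the sample OpenVPN config and the assumption that a factory reset provisions a fresh key pair are all assumptions of this example. The impostor terminal knows the genuine serial number but not its private key, which is exactly the case the operator's phone call is meant to catch.

```python
"""CAS terminal pairing flow, simulated in-process (added illustration, not CAS code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def cert_fingerprint(cert_der):
    """SHA-256 over the DER certificate bytes, rendered as colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Terminal:
    serial: str
    cert_der: bytes   # constructed stand-in for the terminal's real client certificate
    screen: str = ""  # what the terminal currently shows on its display

    @property
    def fingerprint(self):
        return cert_fingerprint(self.cert_der)

    def factory_reset(self):
        # Assumption: a reset provisions a fresh key pair, so the fingerprint changes.
        self.cert_der, self.screen = secrets.token_bytes(64), ""


class GateService:
    def __init__(self, master_ip="10.0.0.1"):
        self.master_ip = master_ip  # assumed master service address
        self.expected = {}          # serial -> VPN config or None   (step 1)
        self.trusted = {}           # serial -> fingerprint           (step 7)
        self.pending = {}           # fingerprint -> (serial, code)   (step 4)
        self.port_open = False      # TCP 7741 stays closed until opened on purpose

    def create_terminal(self, serial, vpn_config=None):
        self.expected[serial] = vpn_config

    def handle_request(self, terminal):
        """Steps 2-4: the terminal presents its serial and client certificate."""
        if not self.port_open:
            raise ConnectionRefusedError("TCP 7741 is not open to the Internet")
        if terminal.serial not in self.expected:
            return {"status": "unknown_serial"}
        fp = terminal.fingerprint
        if self.trusted.get(terminal.serial) == fp:
            return {"status": "trusted", "master_ip": self.master_ip,
                    "vpn_config": self.expected[terminal.serial]}
        # Not trusted (also a different certificate under a known serial): show a code.
        if fp not in self.pending:
            code = "".join(secrets.choice("0123456789") for _ in range(6))
            while any(code == c for _, c in self.pending.values()):  # keep codes distinct
                code = "".join(secrets.choice("0123456789") for _ in range(6))
            self.pending[fp] = (terminal.serial, code)
        terminal.screen = f"PAIRING CODE {self.pending[fp][1]}"
        return {"status": "pairing_required"}

    def approve(self, fingerprint, code_read_by_location, operator_has_2fa):
        """Steps 5-7: the operator compares the code read back by phone with CAS."""
        if not operator_has_2fa:
            raise PermissionError("APPROVE is limited to users with 2FA")
        serial, code = self.pending.get(fingerprint, (None, ""))
        if serial is None or not hmac.compare_digest(code, code_read_by_location):
            return False
        self.trusted[serial] = fingerprint
        del self.pending[fingerprint]
        return True

    def unpair(self, serial):
        """Break trust from the CAS side: the stored fingerprint is forgotten."""
        self.trusted.pop(serial, None)


def run_demo():
    """Run a genuine terminal and an impostor through the flow; return the outcomes."""
    gate, out = GateService(), {}
    gate.create_terminal("XYZ", vpn_config="client\nremote vpn.example.test 1194\n")
    genuine = Terminal("XYZ", secrets.token_bytes(64))
    impostor = Terminal("XYZ", secrets.token_bytes(64))  # knows the serial, not the key
    gate.port_open = True  # temporarily expose 7741 for the pairing window
    out["first"] = gate.handle_request(genuine)["status"]
    gate.handle_request(impostor)
    out["pending"] = len(gate.pending)
    phoned_code = genuine.screen.split()[-1]  # the location contact reads it off the screen
    try:
        gate.approve(genuine.fingerprint, phoned_code, operator_has_2fa=False)
    except PermissionError:
        out["no_2fa"] = "denied"
    out["impostor_approved"] = gate.approve(impostor.fingerprint, phoned_code, True)
    out["genuine_approved"] = gate.approve(genuine.fingerprint, phoned_code, True)
    out["trusted"] = gate.handle_request(genuine)
    out["impostor_still"] = gate.handle_request(impostor)["status"]
    gate.unpair("XYZ")                      # break trust from the CAS side
    out["after_unpair"] = gate.handle_request(genuine)["status"]
    gate.approve(genuine.fingerprint, genuine.screen.split()[-1], True)
    genuine.factory_reset()                 # break trust from the terminal side
    out["after_reset"] = gate.handle_request(genuine)["status"]
    return out
```

Two design points worth noting. Pending requests are keyed by fingerprint rather than by serial, so an impostor presenting the genuine serial with its own certificate cannot overwrite or hijack the genuine terminal's pending request; the operator approves the one whose code matches what the location contact reads out, and the impostor's request simply stays unapproved. And the comparison of the phoned code uses a constant-time compare, which costs nothing and avoids giving a remote party a timing side channel on the code.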

...