If this is the cause, a reboot of the firewall will clear the temporary directory, allowing a fresh fetch attempt. The permanent fix is to upgrade to a PAN-OS version where PAN-313623 is resolved.
Cause: The firewall is running an older PAN-OS version that lacks the updated root and intermediate certificates required to validate the cloud server's identity.

Step-by-Step Resolution Protocol

to gain root access, which allows them to manually erase the invalid certificate from the local filesystem and reset the TPM association so a new certificate can be generated.
Run "request certificate device-certificate generate" and monitor the output. If the error persists, engage TAC with the "debug tpm" outputs.
To understand the gravity of a "public key match failure," one must first understand the role of the TPM. The TPM is a microcontroller that stores RSA cryptographic keys specific to the host hardware. In a Palo Alto firewall, the TPM is utilized to anchor the device's identity. When the device is booted or when it attempts to establish a secure channel (such as SSL decryption or management plane communication), it relies on a device certificate.
If this error happens on a newly installed RMA replacement firewall, the cloud backend still associates your license with the old hardware TPM chip. Log into the CSP.
The error "Failed to fetch device certificate. TPM public key match failed"