The public key match failure error indicates that the device is unable to retrieve the public key associated with the device certificate from the TPM. This can happen due to various reasons, including:

- The certificate on the portal has been updated, but the TPM chip is still holding keys from an older, invalid, or replaced certificate.
- The firewall was re-imaged or reset, generating a new TPM key, but the old one remains in the CSP.

Open the CLI and run the following command with the new OTP:

    request certificate fetch otp <OTP>

Verify the status:

    show device-certificate status

This forces the firewall to re-generate the device identity and request a new cert from Palo Alto's internal CA (or Panorama). This reuses the existing TPM owner and storage hierarchy but regenerates only the device-cert key.

If the auto-fetch fails, manually trigger the request and sync telemetry to force a re-evaluation of the certificate status. Run the command:

    request certificate fetch

Additional Troubleshooting Steps (Updated 2026)

Commit Force: In some cases, a commit force can resolve internal key mismatches.

Lower Management MTU: If the fetch command simply times out without a clear "match failed" error, MTU is a likely culprit.

    set deviceconfig system mtu 1374

Follow this with a commit and retry the fetch.

4. Clear Existing Certificate State (Requires TAC)