Palo Alto "Failed To Fetch Device Certificate: TPM Public Key Match Failed" Walkthrough

Have you checked if your firewall can successfully ping certificates.paloaltonetworks.com?

If the auto-fetch fails, manually trigger the request and sync telemetry to force a re-evaluation of the certificate status. Run the command: request certificate fetch.

While the TPM error suggests a hardware-related issue, it's important to rule out environmental factors. If the firewall cannot reach the Palo Alto Networks Customer Support Portal (CSP) due to DNS or routing problems, the fetch process will fail. Similarly, if the system clock is out of sync, it can cause time-based certificate validations to fail.
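As an added example (not from the original article or from Palo Alto Networks), the environmental checks above run from an admin workstation rather than the firewall CLI: DNS resolution of certificates.paloaltonetworks.com, a TCP/443 reachability probe toward the CSP, and a clock-skew check against an SNTP server. The SNTP server (pool.ntp.org), the 30-second skew tolerance and the injectable resolver/connector hooks are assumptions made for this example.

```python
import socket
import struct
import time

CSP_HOST = "certificates.paloaltonetworks.com"  # host named in the walkthrough
NTP_UNIX_OFFSET = 2208988800                    # seconds from 1900-01-01 to 1970-01-01
MAX_SKEW_SECONDS = 30                           # assumed tolerance, not a PAN-OS value


def check_dns(host=CSP_HOST, resolve=socket.gethostbyname):
    """Return (ok, detail): does this host resolve the CSP name? 'resolve' is injectable for tests."""
    try:
        return True, resolve(host)
    except OSError as exc:
        return False, str(exc)


def check_tcp(host=CSP_HOST, port=443, connect=socket.create_connection):
    """Return (ok, detail): can we open TCP/443 toward the CSP (routing / path check)?"""
    try:
        connect((host, port), timeout=5).close()
        return True, "tcp/%d reachable" % port
    except OSError as exc:
        return False, str(exc)


def sntp_transmit_time(reply):
    """Decode the Transmit Timestamp (bytes 40-47) of a 48-byte SNTP reply into Unix seconds."""
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2 ** 32


def query_sntp(server="pool.ntp.org", timeout=3):
    """Send a minimal SNTPv3 client request (LI=0, VN=3, Mode=3) and return the server's Unix time."""
    request = b"\x1b" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(48)
    return sntp_transmit_time(reply)


def check_clock(local_epoch, reference_epoch, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, skew_seconds): is the local clock within tolerance of the reference clock?"""
    skew = abs(local_epoch - reference_epoch)
    return skew <= max_skew, skew


def preflight(dns=check_dns, tcp=check_tcp, clock=lambda: check_clock(time.time(), query_sntp())):
    """Run all checks; any False result is an environmental cause to fix before blaming the TPM."""
    return {"dns": dns(), "tcp": tcp(), "clock": clock()}
```

Run preflight() from a workstation on the management network; only when all three checks pass does the TPM key mismatch itself become the likely cause.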


Connectivity issues to the Customer Support Portal (CSP) can cause fetch failures. Try lowering the Management Interface MTU size (e.g., to 1374) to ensure the certificate packets are not being dropped due to fragmentation.

On a Windows endpoint (with TPM):

This error typically indicates a mismatch between the hardware-backed public key on your firewall and the certificate stored in the Palo Alto Networks backend. This can occur due to a known bug (PAN-313623), improper disk cleanup, or backend synchronization issues.

Immediate Workarounds

If you suspect the disk partition full bug, examine the temporary directory:

If numerous .pub_pem files exist, a reboot will clear them and restore functionality. For environments where reboots are problematic, engage Palo Alto TAC to assist with file cleanup while the firewall remains operational.

If the firewall clock shifts even slightly out of sync with the CSP servers, the OTP or TPM handshake will fail immediately. Ensure your management plane is synchronized to an authoritative NTP pool.

In some cases, the firewall's configuration state is out of sync. Forcing a commit can re-initialize the management plane's certificate handler: enter configure mode and run commit force.

3. Adjust Management MTU

For firewalls managed by Panorama, device certificate operations are coordinated through the management server. If Panorama has stale certificate data, or if the managed firewall's local certificate state is inconsistent, the OTP installation command may fail.

"TPM public key match failed" means that the public key of the certificate being fetched from the Palo Alto Support Portal does not match the public key derived from the private key stored inside the hardware TPM chip. Primary Causes: