Palo Alto: Failed to Fetch Device Certificate, TPM Public Key Match Failed
A factory reset or re-image of the firewall clears the old certificate references and forces the generation of a new key pair within the TPM during the initial boot process. This is the cleanest solution but results in the loss of configuration, necessitating a rebuild or a careful re-import of the configuration excluding the device certificate settings.
If none of the above steps resolve the issue, it is time to contact Palo Alto Support. When opening a ticket, provide them with the following information:
The device certificate might not be correctly installed, or there could be a mismatch with the expected TPM public key.
Resetting the certificate enrollment often resolves TPM mismatches.
The local certificate store on the firewall has become corrupted after an improper shutdown, power failure, or a failed PAN-OS upgrade/downgrade.
openssl x509 -in device_cert.pem -noout -pubkey
This error occurs on a Palo Alto firewall (or possibly Panorama) when the device attempts to retrieve its device certificate from the Trusted Platform Module (TPM). The “public key match failed” part indicates that the TPM-stored key does not match the expected public key for the certificate being requested.
Compare the public key hash with what TPM reports (if accessible).
A replacement firewall (RMA) was not properly activated or transferred in the portal.