Palo Alto Failed To Fetch Device Certificate Tpm Public Key Match Failed Updated May 2026

The paloalto-shared-services application must be allowed in security policies to reach the certificate servers. Step-by-Step Resolution Guide 1. Regenerate a Fresh OTP

The firewall's hardware TPM generates a public key that must match the record in the Support Portal. If the device was previously registered or had a certificate that wasn't cleared properly, the portal may reject new fetch requests. If the device was previously registered or had

Before attempting advanced fixes, ensure you are using a valid, unexpired OTP. Select Generate OTP for your specific serial number

Log into the Customer Support Portal and navigate to . Select Generate OTP for your specific serial number. ensure you are using a valid

Device certificate OTPs have a 60-minute lifetime . If the fetch fails once, the OTP often expires immediately and must be regenerated.

The existing invalid certificate must be manually removed from the device's root directory, which is inaccessible to standard administrators.

If the "TPM public key match failed" error persists, it usually indicates a "stuck" certificate state that cannot be cleared through the standard GUI or CLI.