Attempt to retrieve the certificate manually via the CLI to see more detailed error output:

```
request certificate fetch
request device-telemetry collect-now
```

Generate a New One-Time Password (OTP)

1. Log in to the Palo Alto Customer Support Portal > Device Certificates > Generate OTP for your serial number.
2. On the firewall, navigate to Management > Device Certificate and use the Get certificate button to input the new OTP.

Adjust Management MTU
Alex uploaded his saved configuration XML file. He imported it into the device. Because the TPM had been reset and the config was restored on the same hardware, the device accepted the restore. The firewall rebooted.
| Action | Reason |
|--------|--------|
| – run debug tpm show status and save output | Provides baseline for post-upgrade comparison |
| Backup TPM metadata | request tpm backup to tpm-backup.dat (PAN-OS 11.1+) |
| Avoid power loss during commit or certificate fetch | TPM write operations are atomic; interruption corrupts NVRAM |
| For VM-Series – use hardware TPM passthrough or avoid vTPM snapshots | vTPM state includes PCR registers; snapshots break key attestation |
| Do not manually delete device certificate unless you intend to re-fetch immediately | Deleting without resetting TPM state causes mismatch |
Forcing a configuration commit can sometimes re-trigger the synchronization logic and clear minor software hangs.

Manual OTP Re-provisioning:

1. Log into the Palo Alto Customer Support Portal.
2. Navigate to Assets > Device Certificates and generate a new One-Time Password (OTP) for your specific serial number.
3. On the firewall, go to Device > Setup > Management > Device Certificate and use the "Get Certificate" option with the new OTP.

NTP Synchronization: