topic Re: Unable to apply Device Certificate in Next-Generation Firewall Discussions

Unable to apply Device Certificate

J.Santos708860 — Wed, 04 Feb 2026 17:15:03 GMT

Hi Everyone, I am following the instructions to apply the device certificate, but I am blocked by the following error:
“Unable to execute OTP install operations command to some firewalls. Please identify the firewalls that failed the process from Panorama and retry OTP.”

I followed the instructions provided in this link:
https://live.paloaltonetworks.com/t5/customer-advisories/update-to-additional-pan-os-certificate-expirations-and-new/ta-p/572158

My setup is as follows:

Panorama: Software version 11.1.6-h3
NGFW: Model PA-850, Software version 11.1.6-h3

The command below shows the following output:

show device-certificate status

Device Certificate Information:

Current device certificate status: Valid
Not valid before: 2025/12/26 05:26:50 CST
Not valid after: 2026/03/26 06:26:49 CDT
Last fetched timestamp: 2026/02/04 10:42:39 CST
Last fetched status: Failure
Last fetched info: Failed to fetch device certificate. OTP is not valid

Has anyone encountered the same issue?

Thank you

Re: Unable to apply Device Certificate

BPry — Fri, 06 Feb 2026 22:20:26 GMT

@J.Santos708860,

At least in the example that you posted, you have an active certificate as of 2025/12/26 and you do not need another one. If you're trying to go through this workflow again with a valid certificate it's going to error, so from what you're showing this is what I would expect and you don't need to take any further action here.

Re: Unable to apply Device Certificate

J.Santos708860 — Mon, 09 Feb 2026 17:55:54 GMT

Hi @BPry
I see. I'm a bit confused about whether I need to do something before the device certificate is enforced, which is why I followed the guide in the link. Is there a way for me to confirm that the certificate will be automatically renewed moving forward?

Re: Unable to apply Device Certificate

DanielS.Romero — Mon, 09 Feb 2026 19:39:42 GMT

Hello @J.Santos708860

Could you try sending the commit force command on both the PA 850's and then retrying the certificate request?

Do you have any DNS proxy or service route configured on the MGT interface?

Best regards,

Re: Unable to apply Device Certificate

J.Santos708860 — Wed, 11 Feb 2026 11:24:35 GMT

Hi @DanielS.Romero ,

I don’t have any pending commits from Panorama, if that’s what you’re referring to. Also, I don’t have a DNS proxy or service route configured on my management interface—it’s directly connected to my ISP with a public IP.

Please let me know if my response doesn’t align with your suggestion. Thank you!

Re: Unable to apply Device Certificate

CosminM — Wed, 11 Feb 2026 11:53:50 GMT

Hello @J.Santos708860

In order to update the device certificate for a manage firewall, you need to follow the steps mentioned here: https://docs.paloaltonetworks.com/panorama/11-1/panorama-admin/manage-firewalls/install-the-device-certificate-for-managed-firewalls/install-the-device-certificate-for-a-managed-firewall

Even the process for OTP generation is between Panorama and Palo Alto Networks CSP, the managed firewall must have an outbound internet connection to successfully install the device certificate. After you upload the OTP from Panorama, the managed firewall connects to the Palo Alto Networks CSP to install the device certificate.

When the manage firewall connects to the Palo Alto Networks, it using the source interface configured under "Palo Alto Networks Services" on Service Route Configuration. By default, is configured to use the MGMT interface of the firewall.

Re: Unable to apply Device Certificate

DanielS.Romero — Wed, 11 Feb 2026 18:28:56 GMT

Hello @J.Santos708860

Can you go to the NGFW's CLI and send the following command?

> commit force

And verify with a ping if every FW's MGT has Internet access for example to a public website as follows:

> ping host paloaltonetworks.com

If the ping is successful, confirm that traffic is allowed from the MGT IP address; if not, check from any security device along the path to the Internet, including the NGFW itself, in its security logs under Monitor > Logs > Traffic, URL Filtering, Threat, Decryption, that the SSL and web browsing traffic is not blocked by any security rules, profiles, or decryption rules. This issue could affect the device certification renewal process.

Also try to restart the MGT server process and make the import device certificate again from Panorama

> debug software restart process management-server
> request certificate fetch

Best Regards,