topic TPM public key match failed in General Topics

TPM public key match failed

S.Hodgson131490 — Wed, 01 Oct 2025 18:32:02 GMT

I have two PA-400 series devices that failed to renew their device certificates and now I get "TPM public key match failed" when trying to renew their certs. Any way to fix this on my own? I see some posts saying PA support had to fix it, but as of now my 3rd party support provider is being unresponsive 😒

Re: TPM public key match failed

kiwi — Fri, 03 Oct 2025 13:43:38 GMT

Hi @S.Hodgson131490 ,

You could try with a commit force. I've seen reports where it resolved this issue.

Worst case you'll have to connect with support in order for them to root into the device to erase/remove the existing invalid device certificate and then re-generate the device certificate with a new OTP.

Hope this works !

-Kim.

Re: TPM public key match failed

S.Hodgson131490 — Mon, 06 Oct 2025 13:04:11 GMT

I had already tried a commit force and it changed nothing. Ultimately, I was able to convince Palo Alto to handle my case directly since my provider is still dragging their feet.

Indeed Palo Alto support must go through a challenge/response process to gain root access to the device in order to clear out the old cert and generate a new one. I asked and this seems to be a regular problem. I'm not sure why Palo Alto wouldn't prioritize a proper fix for this issue both to alleviate support load and to enable their customers to continue working. Since the device certificate was preventing a successful CIE sync, all VPN user/group addition/removals were blocked until we could get support's attention to fix the issue. This should not be an acceptable bug to leave in the product.