10-01-2025 11:20 AM - edited 10-01-2025 11:32 AM
I have two PA-400 series devices that failed to renew their device certificates and now I get "TPM public key match failed" when trying to renew their certs. Any way to fix this on my own? I see some posts saying PA support had to fix it, but as of now my 3rd party support provider is being unresponsive 😒
10-03-2025 06:43 AM
Hi @S.Hodgson131490 ,
You could try with a commit force. I've seen reports where it resolved this issue.
Worst case you'll have to connect with support in order for them to root into the device to erase/remove the existing invalid device certificate and then re-generate the device certificate with a new OTP.
Hope this works!
-Kim.
10-06-2025 06:04 AM
I had already tried a commit force and it changed nothing. Ultimately, I was able to convince Palo Alto to handle my case directly since my provider is still dragging their feet.
Indeed Palo Alto support must go through a challenge/response process to gain root access to the device in order to clear out the old cert and generate a new one. I asked and this seems to be a regular problem. I'm not sure why Palo Alto wouldn't prioritize a proper fix for this issue both to alleviate support load and to enable their customers to continue working. Since the device certificate was preventing a successful CIE sync, all VPN user/group addition/removals were blocked until we could get support's attention to fix the issue. This should not be an acceptable bug to leave in the product.