02-04-2026 09:15 AM
Hi Everyone, I am following the instructions to apply the device certificate, but I am blocked by the following error:
“Unable to execute OTP install operations command to some firewalls. Please identify the firewalls that failed the process from Panorama and retry OTP.”
I followed the instructions provided in this link:
https://live.paloaltonetworks.com/t5/customer-advisories/update-to-additional-pan-os-certificate-exp...
My setup is as follows:
Panorama: Software version 11.1.6-h3
NGFW: Model PA-850, Software version 11.1.6-h3
The command below shows the following output:
show device-certificate status
Device Certificate Information:
Current device certificate status: Valid
Not valid before: 2025/12/26 05:26:50 CST
Not valid after: 2026/03/26 06:26:49 CDT
Last fetched timestamp: 2026/02/04 10:42:39 CST
Last fetched status: Failure
Last fetched info: Failed to fetch device certificate. OTP is not valid
Has anyone encountered the same issue?
Thank you
02-06-2026 02:20 PM
At least in the example that you posted, you have an active certificate as of 2025/12/26 and you do not need another one. If you're trying to go through this workflow again with a valid certificate it's going to error, so from what you're showing this is what I would expect and you don't need to take any further action here.
02-09-2026 09:55 AM
Hi @BPry
I see. I'm a bit confused about whether I need to do something before the device certificate is enforced, which is why I followed the guide in the link. Is there a way for me to confirm that the certificate will be automatically renewed moving forward?
02-09-2026 11:39 AM
Hello @J.Santos708860
Could you try sending the commit force command on both the PA 850's and then retrying the certificate request?
Do you have any DNS proxy or service route configured on the MGT interface?
Best regards,
02-11-2026 03:24 AM
Hi @DanielS.Romero ,
I don’t have any pending commits from Panorama, if that’s what you’re referring to. Also, I don’t have a DNS proxy or service route configured on my management interface—it’s directly connected to my ISP with a public IP.
Please let me know if my response doesn’t align with your suggestion. Thank you!
02-11-2026 03:53 AM
Hello @J.Santos708860
In order to update the device certificate for a manage firewall, you need to follow the steps mentioned here: https://docs.paloaltonetworks.com/panorama/11-1/panorama-admin/manage-firewalls/install-the-device-c...
Even the process for OTP generation is between Panorama and Palo Alto Networks CSP, the managed firewall must have an outbound internet connection to successfully install the device certificate. After you upload the OTP from Panorama, the managed firewall connects to the Palo Alto Networks CSP to install the device certificate.
When the manage firewall connects to the Palo Alto Networks, it using the source interface configured under "Palo Alto Networks Services" on Service Route Configuration. By default, is configured to use the MGMT interface of the firewall.
02-11-2026 10:28 AM
Hello @J.Santos708860
Can you go to the NGFW's CLI and send the following command?
> commit force
And verify with a ping if every FW's MGT has Internet access for example to a public website as follows:
> ping host paloaltonetworks.com
If the ping is successful, confirm that traffic is allowed from the MGT IP address; if not, check from any security device along the path to the Internet, including the NGFW itself, in its security logs under Monitor > Logs > Traffic, URL Filtering, Threat, Decryption, that the SSL and web browsing traffic is not blocked by any security rules, profiles, or decryption rules. This issue could affect the device certification renewal process.
Also try to restart the MGT server process and make the import device certificate again from Panorama
> debug software restart process management-server
> request certificate fetch
Best Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
