"Failed to fetch device certificate: TPM public key match failed"
Then manually install a locally signed device certificate (e.g., from your CA). ⚠️ This reduces security – private key stored in flash, not TPM.
If a network transit path clips large certificate validation strings, lowering the Maximum Transmission Unit (MTU) on your firewall's management interface will prevent packet fragmentation: Fetch Device Certificate failure "Failed to fetch device certificate: TPM public key
Check the Web UI under to see if the device certificate successfully triggers a background refresh. 2. Address Network MTU Limitations
: Some environments require lowering the management interface MTU (e.g., to 1374 ) to allow the certificate payload to pass through without fragmentation. Select the failed certificate and delete it
: In the Firewall GUI, go to Device > Certificate Management > Device Certificate . Select the failed certificate and delete it.
This is a well-documented bug affecting firewalls with TPM support. The issue occurs when temporary .pub_pem files accumulate in the /opt/pancfg/mgmt/ssl/private/ directory. These files are generated when the show device-certificate status command is executed, but due to a bug, they are never deleted. Over time, this accumulation can fill the disk partition to 100%, completely preventing the firewall from fetching new device certificates. On certain PAN-OS 12.1.x versions, this remains a known issue. but due to a bug
files to accumulate in the management directory until the disk partition is full, preventing successful certificate operations. Provisioning Glitches:
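The two conditions described above (leftover .pub_pem files in the private directory, and the partition that holds them running full) are easy to check for once you have the raw listings in hand. The script below is an added example written for this page, not Palo Alto Networks code and not part of the original article. It runs over a constructed ls-style directory listing and a constructed df-style partition table; the assumption that show system disk-space output has a df-like layout with a Use% column and a mount point is mine, and the 90% alert threshold is arbitrary. Adapt the parsers if the real output on your release differs.

```python
"""
Added example: flag the two symptoms behind the TPM public key match failure.

  1. leftover *.pub_pem files in /opt/pancfg/mgmt/ssl/private/
  2. the partition holding that directory at or above a fill threshold

Both sample inputs are constructed for this example and are not real
PAN-OS output; the df-style layout is an assumption.
"""
import re
from typing import Dict, List

PRIVATE_DIR = "/opt/pancfg/mgmt/ssl/private/"
FULL_THRESHOLD = 90  # percent; arbitrary threshold chosen for this example

# Constructed ls -l style listing of the private directory (not real output).
SAMPLE_LISTING = """\
-rw------- 1 root root 1704 Mar 01 09:12 device.key
-rw-r--r-- 1 root root  451 Mar 01 09:12 tmp_a1b2.pub_pem
-rw-r--r-- 1 root root  451 Mar 02 10:30 tmp_c3d4.pub_pem
-rw-r--r-- 1 root root  451 Mar 03 11:45 tmp_e5f6.pub_pem
"""

# Constructed df-style partition table (assumed shape of disk-space output).
SAMPLE_DISK = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.8G  2.1G  1.5G  58% /
/dev/sda5       7.6G  7.6G     0 100% /opt/pancfg
/dev/sda6       7.6G  4.0G  3.2G  56% /opt/panrepo
"""


def leftover_pub_pem(listing: str) -> List[str]:
    """Return the names of *.pub_pem files found in an ls-style listing."""
    names = []
    for line in listing.splitlines():
        parts = line.split()
        if parts and parts[-1].endswith(".pub_pem"):
            names.append(parts[-1])
    return names


def parse_disk_usage(df_output: str) -> Dict[str, int]:
    """Map mount point -> Use% (as int) from df-style output, skipping the header."""
    usage: Dict[str, int] = {}
    for line in df_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        match = re.fullmatch(r"(\d+)%", parts[4])
        if match:
            usage[parts[5]] = int(match.group(1))
    return usage


def mount_for(path: str, usage: Dict[str, int]) -> str:
    """Longest mount point that is a prefix of path; '/' is the fallback."""
    best = "/"
    for mount in usage:
        if path.startswith(mount.rstrip("/") + "/") and len(mount) > len(best):
            best = mount
    return best


def diagnose(listing: str, df_output: str, threshold: int = FULL_THRESHOLD) -> List[str]:
    """Return human-readable findings; an empty list means neither symptom is present."""
    findings = []
    leftovers = leftover_pub_pem(listing)
    if leftovers:
        findings.append(f"{len(leftovers)} leftover .pub_pem file(s) in {PRIVATE_DIR}")
    usage = parse_disk_usage(df_output)
    mount = mount_for(PRIVATE_DIR, usage)
    pct = usage.get(mount)
    if pct is not None and pct >= threshold:
        findings.append(f"partition {mount} holding {PRIVATE_DIR} is {pct}% full")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LISTING, SAMPLE_DISK):
        print("FINDING:", finding)
```

Run it against the sample data and it reports both symptoms; feed it a listing with no .pub_pem files and a partition table below the threshold and it returns nothing. The mount lookup uses longest-prefix matching so that a directory under /opt/pancfg is attributed to that partition rather than to /.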