Palo Alto: Failed To Fetch Device Certificate, TPM Public Key Match Failed (Updated)

If using AD CS with TPM templates:

Then, force re-enrollment:

certreq -resubmit -machine -q <OldRequestID>

Below are ordered diagnostics from least to most intrusive. Always back up your TPM owner password and certificate chains before proceeding.

| Action | Reason |
|--------|--------|
| Before a PAN-OS upgrade, run `debug tpm show status` and save the output | Provides a baseline for post-upgrade comparison |
| Back up TPM metadata | `request tpm backup to tpm-backup.dat` (PAN-OS 11.1+) |
| Avoid power loss during a commit or certificate fetch | TPM write operations are atomic; an interruption corrupts NVRAM |
| For VM-Series, use hardware TPM passthrough or avoid vTPM snapshots | vTPM state includes the PCR registers; snapshots break key attestation |
| Do not manually delete the device certificate unless you intend to re-fetch it immediately | Deleting without resetting TPM state causes a mismatch |

Elias froze. A "public key mismatch" usually meant one of two things, both disastrous:

He thought back to the maintenance window three hours prior. The team had performed a content update. The process had hung, and a junior admin had force-rebooted the device. That’s it, Elias realized. A dirty shutdown during a write process.

When the firewall writes to its secure storage, it updates the device certificate. If the power cuts or the process is killed mid-write, the certificate file is left incomplete or zeroed out. The TPM, being hardware-hardened, still held the correct key, but the software-side certificate file now pointed at a different (corrupted) key.

The firewall was essentially looking at its own ID card, seeing a smudged photo, and refusing to believe it was itself.

When the firewall came back online, the error logs were gone. The device reached out to the Palo Alto licensing servers. This time, the handshake was perfect:

The "Updated" message finally meant what it was supposed to: Success.