Palo Alto: Failed to Fetch Device Certificate, TPM Public Key Match Failed (Guide)
This is the crux of the issue. The TPM contains a private key. The system attempted to fetch a certificate that corresponds to that private key. However, the public key inside the certificate (or the certificate’s signature) does not match the public key derived from the TPM’s private key. In simpler terms: the certificate and the TPM’s key pair are mismatched.
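The comparison behind a "public key match failed" result can be reproduced off-box with OpenSSL. This is an added example, not PAN-OS code or Palo Alto's procedure: it assumes software EC keys standing in for the TPM-resident key, and the file names and the `/CN=constructed-device` subject are constructed for the demo.

```shell
#!/bin/sh
# Added illustration. Software EC keys stand in for the TPM key; on a real
# TPM only the public half is exportable, so the check takes a public key.

# SHA-256 over the DER SubjectPublicKeyInfo embedded in a certificate.
cert_spki_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the DER SubjectPublicKeyInfo of a standalone PEM public key.
pubkey_spki_hash() {
    openssl pkey -pubin -in "$1" -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 only when the certificate was issued for this public key.
cert_matches_pubkey() {
    c=$(cert_spki_hash "$1")
    k=$(pubkey_spki_hash "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample material: two key pairs and a certificate for "device".
make_demo() {
    for n in device other; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$1/$n.key" &&
        openssl pkey -in "$1/$n.key" -pubout -out "$1/$n.pub" || return 1
    done
    openssl req -new -x509 -key "$1/device.key" -days 1 \
        -subj "/CN=constructed-device" -out "$1/device.crt" 2>/dev/null
}

d=$(mktemp -d) && make_demo "$d" || exit 1
cert_matches_pubkey "$d/device.crt" "$d/device.pub" &&
    echo "device.pub: certificate matches key"
cert_matches_pubkey "$d/device.crt" "$d/other.pub" ||
    echo "other.pub: public key match failed"
rm -rf "$d"
```

Hashing the DER-encoded SubjectPublicKeyInfo rather than diffing PEM text avoids false mismatches from whitespace or header differences.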
If the TPM mismatch persists, Palo Alto TAC must often use a challenge/response process to gain root access and manually erase the invalid certificate.

