If the above steps fail, the issue is likely a "dirty" state in the device's root filesystem that users cannot access. Palo Alto Support must perform a to gain root access and manually erase the invalid certificate data from the internal TPM storage before a new fetch can succeed.

A company that provides cybersecurity solutions, including firewalls, to protect networks from cyber threats.

If the firewall reports Public key mismatch , the issue is not the client but the firewall’s stored CA chain.

When the error persists, analyze these logs: