If the "TPM public key match failed" error persists, it usually indicates a "stuck" certificate state that cannot be cleared through the standard GUI or CLI.
Large certificate packets can be dropped if the Management Interface MTU is too high. Setting the MTU to 1374 often resolves timeout-related fetch failures. If the "TPM public key match failed" error
Immediately attempt to fetch the certificate via the CLI to avoid expiration: request certificate fetch otp 2. Perform a "Commit Force" Immediately attempt to fetch the certificate via the
In some cases, the firewall's configuration state is out of sync. Forcing a commit can re-initialize the management plane's certificate handler. configure -> commit force . 3. Adjust Management MTU configure -> commit force
The firewall's hardware TPM generates a public key that must match the record in the Support Portal. If the device was previously registered or had a certificate that wasn't cleared properly, the portal may reject new fetch requests.
The existing invalid certificate must be manually removed from the device's root directory, which is inaccessible to standard administrators.