Device certificate OTPs have a 60-minute lifetime . If the fetch fails once, the OTP often expires immediately and must be regenerated.
Large certificate packets can be dropped if the Management Interface MTU is too high. Setting the MTU to 1374 often resolves timeout-related fetch failures. Device certificate OTPs have a 60-minute lifetime
Immediately attempt to fetch the certificate via the CLI to avoid expiration: request certificate fetch otp 2. Perform a "Commit Force" Device certificate OTPs have a 60-minute lifetime
You must open a support case with Palo Alto Networks . A support engineer must gain root access (via a challenge/response process) to erase the invalid certificate and hash keys before a new one can be fetched. Known Bug Reference Device certificate OTPs have a 60-minute lifetime