Palo Alto Failed To Fetch Device Certificate. TPM Public Key Match Failed [updated]

The error message breaks down into two distinct failures:

TPM public key match failed: This is the specific root cause. The client did find a candidate certificate. However, that certificate is marked as having a TPM-protected private key. During the TLS handshake, the client attempted to use the TPM to sign a challenge (or decrypt a pre-master secret). The TPM returned an error indicating that the public key embedded in the certificate does not match the private key inside the TPM.
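One way to confirm the mismatch described above is to compare the public key inside the certificate with the public key exported from the TPM. This is an added example, not code from the original page or from Palo Alto. It assumes OpenSSL is available, and the helper names (`spki_pem`, `cert_matches_key`, `make_demo`) and the constructed software keys that stand in for a real TPM export are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: constructed software EC keys stand in for the TPM-resident key.

# spki_pem <cert|pub> <pem-file>: print the normalized SubjectPublicKeyInfo PEM.
spki_pem() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
            openssl pkey -pubin -pubout 2>/dev/null ;;
    pub)  openssl pkey -pubin -in "$2" -pubout 2>/dev/null ;;
    *)    return 2 ;;
  esac
}

# cert_matches_key <cert.pem> <public-key.pem>
# Returns 0 = same key, 1 = mismatch, 2 = an input could not be parsed.
cert_matches_key() {
  cert_spki=$(spki_pem cert "$1") || return 2
  key_spki=$(spki_pem pub "$2") || return 2
  [ -n "$cert_spki" ] && [ -n "$key_spki" ] || return 2
  [ "$cert_spki" = "$key_spki" ]
}

# make_demo <dir>: constructed material. Key A plays the TPM key the
# certificate was issued for; key B plays a TPM whose key has since changed.
make_demo() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1/a.key" 2>/dev/null &&
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1/b.key" 2>/dev/null &&
  openssl req -x509 -new -key "$1/a.key" -subj "/CN=constructed-device" \
    -days 1 -out "$1/device.crt" 2>/dev/null &&
  openssl pkey -in "$1/a.key" -pubout -out "$1/a.pub" &&
  openssl pkey -in "$1/b.key" -pubout -out "$1/b.pub"
}

# Stand-alone run: the certificate matches key A and not key B.
d=$(mktemp -d) && make_demo "$d" && {
  cert_matches_key "$d/device.crt" "$d/a.pub" && echo "a.pub: match"
  cert_matches_key "$d/device.crt" "$d/b.pub" || echo "b.pub: mismatch (rc=$?)"
  rm -rf "$d"
}
```

A return code of 1 against the TPM's exported public key means the certificate was issued for a different key than the one the TPM now holds, which is the condition the error reports.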

After the new certificate is installed:
