Problem: Provisioning to Palo Alto devices works, but the certificates don't "Commit"

Applies to:

At least TPP version 17.1 and forward.


There is no noticeable error in Venafi, in fact, the logs will actually show the certificate committing. However, if you check the Palo Alto device, the certificate is still pending and has to be manually committed.


This is a known issue in the Venafi Products.


This is fixed in 19.1

Work Around

In 18.3 and forward, there is ALSO a work-around available using the new Bulk Provisioning Adaptable feature. The attached PS script is a generic script that can be downloaded and used with a Bulk Provisioning job for Palo Alto.  Below are configuration details for the job:

NOTE: This has only been tested on some versions of Palo Alto and is not "fully" supported. Some customizations may be necessary.

  1. Create a new Bulk Provisioning job per the documentation: Creating a new Bulk Provisioning job
    1. Ensure the attached script is in the appropriate folder so you can select it.
    2. For testing purposes, set this to run Manually.
  2. Once the job has your device(s) and certificate folder(s), save.
  3. Run. It's pretty quick, so refresh Aperture after a few seconds to view the results.

Troubleshooting Notes:

  • Verify each device has an appropriate credential configured, just as you would if pushing a cert to them.
  • The settings you are prompted with in the default script are not necessary to modify. They are provided for your use IF you need them.
  • Logging for this job is in WebAdmin. The source folder is where the Bulk Provisioning object will be created, so you can browse to that in WebAdmin and look at the logs there.
Was this article helpful?
0 out of 0 found this helpful