Device certificate fetch fails with error "Failed to fetch device certificate. Failed to send request to CSP server."

10105
Created On 02/01/24 18:30 PM - Last Modified 05/20/24 20:45 PM


Symptom


Failed to fetch device certificate. Failed to send request to CSP server. Error: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to certificate.paloaltonetworks.com:443


Environment


  • Any Palo Alto Networks Firewall or Panorama
  • PAN-OS version 10.0 and above
  • Traffic from the management interface (dynamic updates, certificate fetch, etc.) is routed through a firewall's data plane for inspection.


Cause


  • The certificate fetch error can occur when the 'paloalto-shared-services' application is absent from the security policy rule that is supposed to allow this traffic.
  • Without including this specific application in the policy rules, the firewall may not properly handle management traffic such as dynamic updates and device certificate updates.


Resolution


  1. Review and update your security policy to include the following applications:
    • web-browsing
    • ssl
    • paloalto-updates
    • paloalto-shared-services
  2. After making the necessary policy changes, commit the configuration.
  3. Proceed to 'Device' > 'Setup' > 'Management' > 'Device Certificate' and select 'Get certificate.'
  4. Paste the OTP obtained from the CSP (Customer Support Portal) and click 'Get certificate.'
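As an added example (not part of the original article), the rule change from step 1 expressed in PAN-OS configure-mode CLI, followed by an operational-mode policy-match check; the rule name, zone names, management IP and CSP IP are assumed placeholder values.

```text
# Added example, not from the article. Rule name (allow-mgmt-egress), zones
# (mgmt-zone, untrust) and IPs (documentation ranges) are assumed values.
configure

# Before (produces the symptom): the rule that carries management-plane
# egress through the data plane lacks paloalto-shared-services.
set rulebase security rules allow-mgmt-egress from mgmt-zone to untrust source 192.0.2.10 destination any application [ web-browsing ssl paloalto-updates ] service application-default action allow

# After (resolution): 'set' on a member list appends, so this adds the
# missing application alongside the three already present.
set rulebase security rules allow-mgmt-egress application paloalto-shared-services

commit
exit

# Check which rule a certificate fetch would match. 203.0.113.5 stands in
# for the resolved address of certificate.paloaltonetworks.com; the output
# should name allow-mgmt-egress with action allow.
test security-policy-match from mgmt-zone to untrust source 192.0.2.10 destination 203.0.113.5 protocol 6 destination-port 443 application paloalto-shared-services
```

If the match check returns a different rule or no match, a rule earlier in the rulebase is shadowing this one, and the traffic log (filtered on the management IP and port 443) will show the denied session with the application it was identified as.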

