Initial Master-Key configuration from CLI corrupts the Firewall keys

Created On 12/07/22 11:55 AM - Last Modified 09/04/25 02:41 AM


Symptom


  • After updating the master key, the firewall is no longer able to communicate with the update server.
  • SSH to the firewall fails as well.
  • A factory reset of the firewall resolves the issue.
  • Errors related to the master key are seen in cryptod.log (less mp-log cryptod.log):
    -0700 Error:  pan_cryptod_re_encrypt_keys(pan_cryptod_crypt.c:1464): Decryption failed for id:client-ssl-cert, abort
    -0700 Error:  pan_crypto_process_event(pan_crypto_thread.c:1360): Error re-encrypting keystore with new master key
    -0700 Error:  pan_cryptod_sysd_key_get(pan_cryptod_crypt.c:1922): Id:curl_api_key not found in keystore
    -0700 Error:  pan_cryptod_sysd_key_get(pan_cryptod_crypt.c:1994): Error decrypting key data forid:support_user_key
    -0700 Error:  pan_cryptod_sysd_key_get(pan_cryptod_crypt.c:1922): Id:curl_api_key not found in keystore
    -0700 Error:  pan_cryptod_sysd_key_get(pan_cryptod_crypt.c:1994): 
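The cryptod.log lines above are the signature of this defect. The following triage script is an added example, not code from this article and not PAN-OS code; it matches the exact error strings quoted above (including the run-together "forid:" spelling in the excerpt) and reports which keystore ids failed, so the symptom can be confirmed from a log export before a factory reset is scheduled. The sample input is the article's own excerpt, which carries only the "-0700" timezone remnant of each timestamp.

```python
"""Triage cryptod.log for the master-key re-encryption failure described above.

Added example; this is not code from the Palo Alto Networks article and not
PAN-OS code. It matches the error strings the article quotes and reports which
keystore ids failed, so the master-key symptom can be confirmed from the log
before a factory reset is scheduled.
"""
import re
from dataclasses import dataclass, field

# Patterns derived from the log lines quoted in the article. The last one accepts
# both "for id:" and the run-together "forid:" seen in the excerpt.
RE_ENCRYPT_FAIL = re.compile(
    r"pan_cryptod_re_encrypt_keys\([^)]*\): Decryption failed for id:(?P<id>[\w-]+)")
KEYSTORE_REENCRYPT = re.compile(r"Error re-encrypting keystore with new master key")
KEY_NOT_FOUND = re.compile(
    r"pan_cryptod_sysd_key_get\([^)]*\): Id:(?P<id>[\w-]+) not found in keystore")
KEY_DECRYPT_FAIL = re.compile(
    r"pan_cryptod_sysd_key_get\([^)]*\): Error decrypting key data for\s?id:(?P<id>[\w-]+)")


@dataclass
class MasterKeyTriage:
    reencrypt_failed_ids: list = field(default_factory=list)  # ids the re-encrypt pass could not decrypt
    keystore_reencrypt_error: bool = False                     # the re-encryption abort from pan_crypto_thread
    missing_ids: list = field(default_factory=list)            # ids sysd looked up and did not find
    undecryptable_ids: list = field(default_factory=list)      # ids found but no longer decryptable

    @property
    def matches_article_signature(self) -> bool:
        # The article's signature: re-encryption aborted AND keys later unusable.
        return self.keystore_reencrypt_error and bool(
            self.reencrypt_failed_ids or self.undecryptable_ids or self.missing_ids)


def _add_unique(bucket: list, value: str) -> None:
    if value not in bucket:
        bucket.append(value)


def triage_cryptod_log(lines) -> MasterKeyTriage:
    """Scan an iterable of cryptod.log lines and collect master-key failures."""
    result = MasterKeyTriage()
    for line in lines:
        if m := RE_ENCRYPT_FAIL.search(line):
            _add_unique(result.reencrypt_failed_ids, m["id"])
        elif KEYSTORE_REENCRYPT.search(line):
            result.keystore_reencrypt_error = True
        elif m := KEY_NOT_FOUND.search(line):
            _add_unique(result.missing_ids, m["id"])
        elif m := KEY_DECRYPT_FAIL.search(line):
            _add_unique(result.undecryptable_ids, m["id"])
    return result


# Excerpt reproduced from the article; only the "-0700" timezone remnant of each
# timestamp survives there, so that is all the sample carries too.
ARTICLE_EXCERPT = """\
-0700 Error:  pan_cryptod_re_encrypt_keys(pan_cryptod_crypt.c:1464): Decryption failed for id:client-ssl-cert, abort
-0700 Error:  pan_crypto_process_event(pan_crypto_thread.c:1360): Error re-encrypting keystore with new master key
-0700 Error:  pan_cryptod_sysd_key_get(pan_cryptod_crypt.c:1922): Id:curl_api_key not found in keystore
-0700 Error:  pan_cryptod_sysd_key_get(pan_cryptod_crypt.c:1994): Error decrypting key data forid:support_user_key
-0700 Error:  pan_cryptod_sysd_key_get(pan_cryptod_crypt.c:1922): Id:curl_api_key not found in keystore
"""

if __name__ == "__main__":
    t = triage_cryptod_log(ARTICLE_EXCERPT.splitlines())
    print("re-encrypt failed:", t.reencrypt_failed_ids)
    print("keystore re-encrypt aborted:", t.keystore_reencrypt_error)
    print("missing:", t.missing_ids, "undecryptable:", t.undecryptable_ids)
    print("matches article signature:", t.matches_article_signature)
```

Run it against a full `less mp-log cryptod.log` export (for example `python3 triage.py < cryptod.log` after replacing `ARTICLE_EXCERPT.splitlines()` with `sys.stdin`). A lone "not found in keystore" line is not enough on its own; the re-encryption abort together with later decrypt failures is what distinguishes this defect from an unrelated keystore lookup.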


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1, 10.0, and 10.1
  • Master key


Cause


  • An incorrect CLI command was used to enter the master key.
  • The current master key was not validated while the master key was being changed.
  • Because of a software defect, the firewall accepted the wrong command, which caused the further issues above.


Resolution


  1. The issue is fixed under PAN-168635 in PAN-OS 9.1.15, 10.0.12 and 10.1.5 and later.
  2. To recover an affected firewall, perform a factory reset.
  3. After the factory reset, upgrade to a fixed release; from then on the wrong command is rejected with an error instead of being accepted.


Additional Information


  • Wrong command: request master-key new-master-key <new_key_value> lifetime <lifetime_value> current-masterkey <new-key-value>
    (a current-key argument on an initial configuration, carrying the new key value rather than an existing key; affected releases accepted it without validating the current master key)
  • Correct command for the initial configuration: request master-key new-master-key <new_key_value> lifetime <lifetime_value>
  • Reference: How to perform factory reset
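Since the fix only lands in the releases listed above, a firewall still on an affected build has nothing stopping the wrong form from being accepted. The following pre-flight check is an added example, not PAN-OS code and not part of this article: it builds exactly the initial-configuration form the article gives as correct, and parses a candidate command line before it is pasted into the CLI, rejecting the broken form above (a current-key argument on an initial configuration, especially one that repeats the new key). Two things are assumptions rather than article content: PAN-OS documents the master key as exactly 16 characters and the lifetime as a number of hours, and the key value and lifetime used below are constructed placeholders.

```python
"""Pre-flight check for the PAN-OS 'request master-key' command forms above.

Added example; not PAN-OS code and not from the article.
  build_initial_master_key_command() emits the form the article gives as
  correct for initial configuration.
  check_master_key_command() parses a command line before it is pasted into
  the CLI and rejects the broken form from the article: a current-key
  argument on an initial configuration, especially one repeating the new key.
Assumptions not taken from the article: PAN-OS documents the master key as
exactly 16 characters and the lifetime as a number of hours; the key values
and lifetime below are constructed placeholders.
"""
import shlex

MASTER_KEY_LEN = 16  # documented PAN-OS master-key length (assumption, from PAN-OS docs)


def build_initial_master_key_command(new_key: str, lifetime_hours: int) -> str:
    """Build the correct initial-configuration command from the article."""
    if len(new_key) != MASTER_KEY_LEN or any(c.isspace() for c in new_key):
        raise ValueError(f"master key must be {MASTER_KEY_LEN} non-whitespace characters")
    if lifetime_hours <= 0:
        raise ValueError("lifetime must be a positive number of hours")
    return f"request master-key new-master-key {new_key} lifetime {lifetime_hours}"


def parse_master_key_command(cmd: str) -> dict:
    """Split 'request master-key <kw> <value> ...' into a keyword -> value map."""
    tokens = shlex.split(cmd)
    if tokens[:2] != ["request", "master-key"]:
        raise ValueError("not a 'request master-key' command")
    rest = tokens[2:]
    if len(rest) % 2:
        raise ValueError("keyword without a value")
    opts = {}
    for kw, val in zip(rest[::2], rest[1::2]):
        if kw in opts:
            raise ValueError(f"keyword '{kw}' given twice")
        opts[kw] = val
    return opts


def check_master_key_command(cmd: str, initial: bool = True) -> list:
    """Return problems found in cmd; an empty list means it is safe to run.

    initial=True means no master key has been set yet (the article's case), so
    any current-key argument is a mistake that affected releases did not catch.
    """
    try:
        opts = parse_master_key_command(cmd)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    new_key = opts.get("new-master-key")
    if new_key is None:
        problems.append("missing new-master-key")
    elif len(new_key) != MASTER_KEY_LEN:
        problems.append(f"new-master-key must be {MASTER_KEY_LEN} characters, got {len(new_key)}")
    lifetime = opts.get("lifetime")
    if lifetime is None:
        problems.append("missing lifetime")
    elif not lifetime.isdigit() or int(lifetime) <= 0:
        problems.append("lifetime must be a positive number of hours")
    # Any keyword naming a current key, including the article's 'current-masterkey' spelling.
    for kw, val in opts.items():
        if not kw.startswith("current-master"):
            continue
        if initial:
            problems.append(f"'{kw}' given on initial configuration; use the form without a current key")
        if val == new_key:
            problems.append(f"'{kw}' repeats the new key; current and new keys must differ")
        elif len(val) != MASTER_KEY_LEN:
            problems.append(f"'{kw}' must be {MASTER_KEY_LEN} characters, got {len(val)}")
    return problems


# Constructed placeholder values (not real keys).
NEW_KEY = "ABCDEFGHIJKLMNOP"
LIFETIME_HOURS = 8760
# The broken form quoted in the article, with the placeholders filled in.
WRONG_COMMAND = (f"request master-key new-master-key {NEW_KEY} lifetime {LIFETIME_HOURS} "
                 f"current-masterkey {NEW_KEY}")

if __name__ == "__main__":
    good = build_initial_master_key_command(NEW_KEY, LIFETIME_HOURS)
    print(good, "->", check_master_key_command(good) or "OK")
    print(WRONG_COMMAND, "->", check_master_key_command(WRONG_COMMAND))
```

The parser is deliberately order-agnostic, so the check catches the stray current-key argument wherever it appears on the line. Call with `initial=False` only when a master key is genuinely being rotated on a firewall that already has one; in that case the current and new keys must still differ.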


      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFWUCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail