Kaseya VSA | Issue with Certificate Export

Issue with Certificate Re-Keying and Export, Kaseya VSA, Certificate Export

Updated over a month ago

Overview 💥

Some customers attempting to import an existing SSL/TLS certificate into Kaseya VSA encounter failures when exporting the certificate with its private key (a .PFX / PKCS#12 file). This typically happens because the private key is not exportable, is missing, or the certificate chain is incomplete. Kaseya requires a PFX that contains the server cert and the private key.


Why does this happen? 🤔

| Root cause | Explanation |
| --- | --- |
| Certificate created as non-exportable | The private key was generated with “not exportable” setting — Windows will not let you export the key. |
| Private key lost | CSR was created on a different machine or the key was deleted. |
| Incorrect export method | Exported cert omitted private key or used the wrong tool/format. |
| Missing intermediate/root | PFX exported but chain incomplete — import fails in VSA. |
| CA policy | Some CAs restrict export of private keys for security reasons. |


Quick resolution summary 🤩

  1. Confirm the private key exists and is exportable on the server where the cert was installed.

  2. If exportable → export as a .pfx (include private key + chain).

  3. If not exportable / private key missing → re-key (re-issue) the certificate from your CA with an exportable private key, then export the .pfx and import to Kaseya VSA.

  4. Import into Kaseya VSA following Kaseya’s KB.


Steps to Resolve 👨‍💻

1️⃣ — Verify the private key exists

  1. Open MMC → Certificates or IIS Manager → Server Certificates and locate the certificate.

  2. If you see “You have a private key that corresponds to this certificate” (or a key icon) — the private key exists.

  3. If not, the private key is missing and you must re-key / re-issue the certificate.

2️⃣ — Export certificate with private key (GUI methods)

IIS Manager (most common)

  1. Open IIS Manager → Server Certificates.

  2. Select the certificate → click Export....

  3. Choose file path (e.g., C:\temp\kaseya_cert.pfx) and set a strong password.

  4. Click OK. Result: .pfx containing cert + private key.

MMC (Certificates snap-in)

  1. Run mmc.exe → File → Add/Remove Snap-in → Certificates → Computer account → Local computer.

  2. Navigate to Personal → Certificates.

  3. Right-click certificate → All Tasks → Export....

  4. Choose Yes, export the private key → select .PFX (include all certificates in chain) → set password → export.

3️⃣ — Export certificate with private key (PowerShell / CLI)

PowerShell (Windows Server 2012+):

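```powershell
$thumb = "<THUMBPRINT>"
# Prompt for the PFX password so it is not stored in the script or shell history.
# ($pwd is avoided as a name: it is PowerShell's automatic current-directory variable.)
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" -FilePath "C:\temp\kaseya_cert.pfx" -Password $pfxPassword
```

certutil:

```
certutil -exportPFX My <THUMBPRINT> C:\temp\kaseya_cert.pfx
```

You will be prompted to set a password.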

If these commands fail with messages about missing private key or “export not allowed”, the key is non-exportable or absent — go to Step 4 (re-key).

4️⃣ — If the private key is not exportable / missing → Re-key & re-issue

  1. On the machine that will host Kaseya (recommended), create a new CSR and generate the private key with the exportable option.

    • Use IIS → Server Certificates → Create Certificate Request, or your CA’s CSR process.

  2. Submit CSR to your CA and request the certificate.

  3. When CA issues the cert, install it on the same machine (so the private key pairs correctly).

  4. Export as PFX (see steps 2 and 3), including the full chain and a secure password.

  5. Import the exported .pfx into Kaseya VSA per Kaseya KB.

Note: If your CA will not issue an exportable private key for policy reasons, ask CA support, or generate a private key/CSR locally and have the CA sign it.
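As an alternative to the IIS wizard, the CSR in step 1 can be generated with the built-in certreq.exe, which makes the exportable setting explicit. This is an added example, not part of the original article; certreq.exe is not mentioned there, and the hostname vsa.example.com and the C:\temp paths are placeholders.

```powershell
# Added example: create a CSR whose private key is exportable and machine-scoped.
# Assumptions: vsa.example.com and the C:\temp paths are placeholders; run elevated.
$fqdn = "vsa.example.com"
$inf  = "C:\temp\vsa_request.inf"
$csr  = "C:\temp\vsa_request.csr"

# Single-quoted here-string so "$Windows NT$" is not expanded as a variable.
$template = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
Exportable = TRUE        ; allows a later .pfx export of the private key
MachineKeySet = TRUE     ; key lives in the LocalMachine store, not a user profile
KeyLength = 2048
KeySpec = 1              ; key exchange
KeyUsage = 0xA0          ; digital signature + key encipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1  ; server authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"
'@
$template.Replace("__FQDN__", $fqdn) | Set-Content -Path $inf -Encoding ASCII

# Generates the key pair on this machine and writes the CSR to submit to the CA.
certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# After the CA issues the certificate, install it on this same machine so it
# pairs with the pending private key:
#   certreq.exe -accept C:\temp\vsa_issued.cer
```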

5️⃣ — Ensure full certificate chain is included

When exporting, choose the option to include all certificates in the certification path (intermediate(s) + root) so Kaseya receives a complete chain.

Missing intermediates cause import or verification failures.
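The checks from the steps above (private key present, key exportable, chain complete) can be scripted before and after the export. This is an added example, not part of the original article; it assumes an RSA certificate in Cert:\LocalMachine\My, and `<THUMBPRINT>` and the output path are placeholders.

```powershell
# Added example: pre-flight checks, export, then verification of the resulting PFX.
$thumb   = "<THUMBPRINT>"
$pfxPath = "C:\temp\kaseya_cert.pfx"
$cert    = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

# Step 1: a private key must be associated with the certificate on this host.
if (-not $cert.HasPrivateKey) {
    throw "Private key missing on this host: re-key / re-issue (Step 4)."
}

# Exportability is exposed differently for CNG keys and legacy CSP keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $exportable = $rsa.Key.ExportPolicy.HasFlag(
        [System.Security.Cryptography.CngExportPolicies]::AllowExport)
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $rsa.CspKeyContainerInfo.Exportable
} else {
    $exportable = $false   # non-RSA key or unknown provider: check it by hand
}
if (-not $exportable) {
    throw "Private key is not exportable: re-key / re-issue (Step 4)."
}

# Build the chain locally so a missing intermediate shows up before the export.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # test path building only
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw "Chain does not build on this host; install the missing intermediates."
}

# Export with the chain, prompting for the password instead of hardcoding it.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null

# Re-open the file to confirm what it actually contains.
$pfx = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
[pscustomobject]@{
    Subject        = $pfx.EndEntityCertificates[0].Subject
    EndEntityCerts = $pfx.EndEntityCertificates.Count
    ChainCerts     = $pfx.OtherCertificates.Count   # 0 = no intermediates/root in the file
}
```

A `ChainCerts` value of 0 means the PFX carries only the server certificate, which matches the "Missing intermediate chain" symptom.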


Common error symptoms & fixes

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| “Cannot export private key” | Key flagged non-exportable | Re-key / re-issue certificate on host with exportable key |
| Import fails in VSA / certificate invalid | Missing intermediate chain | Export PFX including chain or add intermediates to system store |
| .PFX import asks for password but fails | Wrong password or corrupted PFX | Re-export, choose a strong password and test locally first |
| Browser works but VSA rejects | Chain/trust differences on VSA host | Ensure root/intermediates present on VSA host or include chain in PFX |


Best practices 🧑‍🏫

| Practice | Rationale |
| --- | --- |
| Generate CSR on target server | Ensures private key never leaves host unless you choose to export it |
| Mark private key exportable if you need to migrate | Allows PFX export for import into Kaseya |
| Use a strong PFX password and store securely | Protects private key at rest |
| Back up .PFX to secure vault | Recovery & rotation |
| Include full certificate chain in PFX | Avoids trust/validation issues during import |
| Rotate & reissue certs before expiry | Prevents downtime |


How to import the PFX into Kaseya VSA 😉

Follow the Kaseya KB steps exactly (link below). In short: use Kaseya admin UI → import SSL / provide the .pfx and password. If Kaseya asks for specific format/port info, follow Kaseya’s guidance.


When to contact Support (Kaseya / Liongard) 🦁

Contact support if:

  • You cannot export the private key and re-key is not possible.

  • PFX imports into Kaseya still fail after re-export.

  • You see errors that suggest chain/format problems despite following steps.

What to collect before opening a ticket:

| Item | Why |
| --- | --- |
| Screenshot of MMC / IIS certificate details (showing private key presence) | Prove private key exists |
| The cert thumbprint & export command output | Repro steps & logs |
| The exported PFX filename (do NOT send the PFX in an initial ticket unless requested and secure) | Identifies artifact |
| Error messages from Kaseya when the import fails | Triage root cause |
| CA issuance details (was CSR generated elsewhere?) | Determines if key mismatch |

Important: Never share the .pfx or its password in an unsecure channel. Only provide them via a secure support process if explicitly requested.


Useful commands / references 📚


Security / policy note 🌟

If the original private key is non-exportable by design (CA policy or HSM usage), you must re-key and generate a new CSR on the host that will run Kaseya or use an HSM-aware import process. Never disable SSL verification or otherwise weaken TLS to force acceptance.


Third-party links disclaimer ‼️

We may reference external third-party resources solely as additional guidance.

Liongard does not own, control, or guarantee the accuracy, security, or reliability of third-party sites. Please use them at your own discretion and risk.
