Home » CA

Tag: CA

Citrix NetScaler Certificates – Install your CA Response Cert

We will now take the Certificate response file (CRT file) from our 3rd party Certificate Authority (CA) and install it onto the NetScaler device, then using both the CRT and Private key to combine and finally create a fully functional NetScaler certificate.

Step Description Screenshot
 1 Expand Traffic Management > SSL > SSL Files

Click Upload

2 Browse for your Certificate file (provided by your 3rd Party CA)

Click Open

Note: The file is uploaded to the NetScaler but not yet usable!

3 Browse to Traffic Management > SSL > Server Certificates

Click Install

4 Give the new ‘Server Certificate’ a unique easily identifiable name

Certificate File: Choose the Certificate you just uploaded in step 2

Key File Name: select your private key file that is on the NetScaler

Provide the private key password

Click Install

5 Your certificate is now installed and ready to be used on NetScaler services, VIPs, NetScaler gateway etc.

Windows 2008 Certificate Authority Error – 0x80094009

Problem: When adding or revoking certificates we were getting the following error

0×80094009 – The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.

Even though I was a domain AND enterprise admin!!!???? Panic!

Also our CA had been migrated and updated from Windows 2003 so there was some concern about the upgrade and its process and of course the testing done after.


After the CA was migrated we HAD tested the CA process, so we confirmed this was working previously.

Somewhere,  somehow the CA now has corrupted ACL’s or something (or something like that)

1) Right click the CA Name > Properties

2) Certificate Managers tab

3) Tick ‘do not restrict certificate managers’

4) try your addition or deletion (just to check it works)

5) go back and undo step 3 – (i.e. tick to re-Restrict Certificate Managers)

6) You should now be able to add and delete certificate requests etc as expected as a Domain or enterprise admin

Good Luck!