CA Certificate Quick Start Guide using Sectigo

Creating an Anaplan CA Certificate using the Sectigo Personal Email Security (S/MIME) certificate involves several steps. Here's a quick start guide to help you through the process:

Step #1: Purchase the Sectigo Personal Email Security (S/MIME) certificate from Sectigo's website. You can find it here. The cost is $15 for a 1-year certificate and $24 for a 2-year certificate.

Step #2: Create your Certificate Signing Request (CSR). You can use the following example CSR configuration and update the fields as needed. Save it with your first & last name in this format: firstname_lastname_openssl.cnf

[ req ]
default_md = sha512
default_bits = 2048
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_user_req

[ req_distinguished_name ]
countryName = US
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = California
stateOrProvinceName_default = California
localityName = San Francisco
localityName_default = San Francisco
0.organizationName = Anaplan, Inc
0.organizationName_default = Anaplan, Inc
organizationalUnitName = Anaplan OEG
organizationalUnitName_default = Anaplan OEG
commonName = John Doe
commonName_default = John Doe
commonName_max = 64
emailAddress = [email protected]
emailAddress_default = [email protected]
emailAddress_max = 40

[ v3_user_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth

Step #3: Save the CSR configuration as firstname_lastname_openssl.cnf.

Step #4: Use OpenSSL to create your CSR and Private Key in PEM format. Run the following command, and if you prefer to issue a private key without a passphrase, add the -nodes parameter:

openssl req -config firstname_lastname_openssl.cnf -new -out firstname_lastname_csr.pem -keyout firstname_lastname_private-key.pem

Step #5: Log in to Sectigo and navigate to "Setup". Add the CSR to create the public certificate by entering your name and pasting the CSR in PEM format. Submit your certificate request.

Step #6: Within a few minutes, you should receive an email requesting validation and confirmation of the Sectigo Subscriber Agreement. Follow the provided instructions to validate your certificate request.

Step #7: Once validated, your email certificates should be active and ready for download. You'll receive an email confirmation.

Step #8: Download the certificate files from Sectigo. You will have two files: the public key and the S/MIME certificate. The Public Key contains a single certificate, and the filename should not contain the string "ca_bundle." For Anaplan Certificate Authentication, you will need both the Private Key (created earlier in Step #4) and the Public Certificate.

Now that you have both the public certificate and private key, you are ready to use them with the Anaplan REST API or Anaplan Connect for authentication. See the following articles to learn more:

Please also make sure to track your certificate expiration. Sectigo offers to add a reminder in your calendar.

Author: Quin Eddy, @QuinE - Director of Data Integration, Operational Excellence Group (OEG)


  • This series of tutorials touching on the topic of leveraging the Anaplan API and scripting is pure gold.
    I think they should be bulked up in one summary article for better visibility.

    Thanks for making those!

  • Thank you @kpasko. This is a great idea! We will do that.

  • This one is perfect as creating CSR can be really confusing for non technical user!