CA Certificate Quick Start Guide using Sectigo

edited October 2023 in Best Practices

Creating an Anaplan CA Certificate using the Sectigo Personal Email Security (S/MIME) certificate involves several steps. Here's a quick start guide to help you through the process:

Step #1: Purchase the Sectigo Personal Email Security (S/MIME) certificate from Sectigo's website. You can find it here. The cost is $15 for a 1-year certificate and $24 for a 2-year certificate.

Step #2: Create your Certificate Signing Request (CSR). You can use the following example CSR configuration and update the fields as needed. Save it with your first & last name in this format: firstname_lastname_openssl.cnf

[ req ]
default_md = sha512
default_bits = 2048
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_user_req

[ req_distinguished_name ]
countryName = US
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = California
stateOrProvinceName_default = California
localityName = San Francisco
localityName_default = San Francisco
0.organizationName = Anaplan, Inc
0.organizationName_default = Anaplan, Inc
organizationalUnitName = Anaplan OEG
organizationalUnitName_default = Anaplan OEG
commonName = John Doe
commonName_default = John Doe
commonName_max = 64
emailAddress = [email protected]
emailAddress_default = [email protected]
emailAddress_max = 40

[ v3_user_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth

Step #3: Save the CSR configuration as firstname_lastname_openssl.cnf.

Step #4: Use OpenSSL to create your CSR and Private Key in PEM format. Run the following command and note that you will be asked for a passphrase. Please remember this passphrase because it is needed when the private key is used in an Anaplan Connect script or a REST API request.

openssl req -config firstname_lastname_openssl.cnf -new -out firstname_lastname_csr.pem -keyout firstname_lastname_private-key.pem

If you prefer to issue a private key without a passphrase, add the -nodes parameter:

openssl req -nodes -config firstname_lastname_openssl.cnf -new -out firstname_lastname_csr.pem -keyout firstname_lastname_private-key.pem

As a review, the output of this step will be two files:

  • A Certificate Signing Request (CSR) that will be used in the next step to get a signed public key from Sectigo. The file will begin and end as follows:
  • The private key that is used directly with Anaplan Connect or REST API calls. The file will begin and end as follows:

Step #5: Log in to Sectigo and navigate to "Setup". When the following dialogue appears, enter the following information:

  1. An email address that is a valid working account in Anaplan with access to the email's inbox. Typically this will be your designated Anaplan service account.
  2. In the larger second box, copy and paste the CSR from the previous step.

When complete, submit the certificate request.

Step #6: Within a few minutes, you should receive an email requesting validation and confirmation of the Sectigo Subscriber Agreement. Follow the provided instructions to validate your certificate request.

Step #7: Once validated, your email certificates should be active and ready for download. You'll receive an email confirmation.

Step #8: Download the certificate files from Sectigo. You will have two files: the public key and the S/MIME certificate.

The Public Key contains a single certificate, and the filename should not contain the string "ca_bundle." You can ignore the file that has "ca_bundle" contained in the name.

For Anaplan Certificate Authentication, you will need both the Private Key (created earlier in Step #4) and the Public Certificate.

Note: Sectigo provides a .crt file that is already .pem formatted and can be directly uploaded to Anaplan. Not all certificate providers deliver .pem formatted certificates. You may want to change the file extension to .pem for clarity. For non-Sectigo certificates, please follow this Interactive Certificate Guide.

Now that you have both the public certificate and private key, you are ready to use them with the Anaplan REST API or Anaplan Connect for authentication. See the following articles to learn more:

Please also make sure to track your certificate expiration. Sectigo offers to add a reminder in your calendar.

Author: Quin Eddy, @QuinE - Director of Data Integration, Operational Excellence Group (OEG)


  • This series of tutorials touching on the topic of leveraging the Anaplan API and scripting is pure gold.
    I think they should be bulked up in one summary article for better visibility.

    Thanks for making those!

  • Thank you @kpasko. This is a great idea! We will do that.

  • This one is perfect as creating CSR can be really confusing for non technical user!

  • +1 to this - as it's something that for us was done 3 years ago, having the guide ready to go for renewal has been a big plus

  • +1 to excellence!