In June 2018, Anaplan implemented support for use of public Certificate Authority (CA)-issued certificates to authenticate against Anaplan v2.0 APIs.
A number of Anaplan customers are not familiar with CA certificates and questions have been raised with Anaplan Support and Customer Success about where and how they can be procured. For your convenience, Anaplan customers can use Sectigo as a vendor through which you can acquire CA certificates. Anaplan interviewed a number of CA vendors, including GlobalSign, QuoVadis, and Digicert. Sectigo (formerly Commodo) impressed us a flexible vendor with a well-established presence in the CA certificate market.
You are not obligated to use Sectigo as your CA certificate vendor. Your organization may use any vendor certificates as part of Anaplan's list of supported root CA certificates. Please note that Sectigo is an intermediary CA vendor which uses AddTrust External CA Root as its root certificate. You can find AddTrust in the supported root CA Certificates page.
Under User Details, complete the fields for: Email Address, Forename, Surname.
Under Advanced Security Options, accept the pre-populated default values.
Under Login Credentials, set a Username, and Password. Re-enter your password to confirm in the Confirm Password field.
Click Place Order.
Once you've paid the fee for the certificate, Sectigo sends you a certificate file. You are now ready to extract your certificate for use in Anaplan.
Extract your Sectigo Certificate
When you obtain your certificate from Sectigo, you can either submit the certificate request and get a private key from the CA or you can submit your request with a Certificate Signing Request (CSR).
If you are on a Windows system, you must have opensslinstalled to complete these steps.
Follow these instructions to extract your certificate from Sectigo:
Using Firefox, export your certificate in .p12 format. For example, in Firefox:
Navigate to Tools > Options > Privacy & Security
Scroll down to Certificates and click View Certificates
Click the Your Certificates tab
Select your certificate
Click Backup and save your certificate as a memorable name in PKCS12 Files format.
Define a password for the private key.
Open a terminal window and navigate to the directory where you have your p12 certificate.
Extract the certificates:
openssl pkcs12 -in <path to p12 cert>.p12 -nokeys -out client_certificate.pem
The public certificate is extracted and starts with "-----BEGIN CERTIFICATE-----".
The client_certificate.pem file contains three certificates: the Root certificate, the Intermediate certificate, and the Public certificate. In a text editor, edit the client_certificate.pem file.
Delete the first two certificates (the Root and Intermediate certificate) by scrolling down to the third instance of "-----BEGIN CERTIFICATE----- " and removing all text above that entry.
For the remaining certificate, ensure there is no content other than whitespace before the "-----BEGIN CERTIFICATE----- " or after "-----END CERTIFICATE-----" entry NOTE: Do not remove the certificate contentbetweenthe "-----BEGIN CERTIFICATE----- " or after "-----END CERTIFICATE-----" lines!
Create either an encrypted or unencrypted private key for use with Anplan Connect. An encrypted key is password protected.
To create an unencrypted key for use with Anaplan Connect: Extract an unencrypted private key (PEM format) from the Sectigo p12 file:
openssl pkcs12 -in <path to Sectigo p12 file> -nocerts -out <path to unencrypted private key> -nodes
To create an encrypted private key for use with Anaplan Connect:
Extract the encrypted private key (PEM format) from the Sectigo p12 file. You will be prompted to create a password to encrypt the Private key:
openssl pkcs12 -in <path to Sectigo p12 file> -nocerts -out <path to encrypted private key>
The Private key is encrypted. The key should start with "-----BEGIN ENCRYPTED PRIVATE KEY-----"
Convert the private key to an encrypted pkcs8 file (PEM format).