Register
Ask the Community

How to Use Third-Party Certificates With Anaplan

Gwen.pryor
Regular Contributor
Regular Contributor
‎07-24-2019 05:44 PM
‎07-24-2019 05:44 PM

Background

In June 2018, Anaplan implemented support for use of public Certificate Authority (CA)-issued certificates to authenticate against Anaplan v2.0 APIs. 

A number of Anaplan customers are not familiar with CA certificates and questions have been raised with Anaplan Support and Customer Success about where and how they can be procured.  For your convenience, Anaplan customers can use Sectigo as a vendor through which you can acquire CA certificates.  Anaplan interviewed a number of CA vendors, including GlobalSign, QuoVadis, and Digicert.  Sectigo (formerly Commodo) impressed us a flexible vendor with a well-established presence in the CA certificate market.

You are not obligated to use Sectigo as your CA certificate vendor.  Your organization may use any vendor certificates as part of Anaplan's list of supported root CA certificates. Please note that Sectigo is an intermediary CA vendor which uses AddTrust External CA Root as its root certificate. You can find AddTrust in the supported root CA Certificates page.

Click here to download the FAQ

Procure your CA Certificate from Sectigo

To procure a CA certificate from Sectigo:

  1. Log into Sectigo from this URL: https://secure.trust-provider.com/products/!PlaceOrder?ap=Anaplan&product=506
    The Sectigo interface displays: 
    certificate.png
  2. Under User Details, complete the fields for: Email Address, Forename, Surname.
  3. Under Advanced Security Options, accept the pre-populated default values.
  4. Under Login Credentials, set a Username, and Password. Re-enter your password to confirm in the Confirm Password field.
  5. Click Place Order.

Once you've paid the fee for the certificate, Sectigo sends you a certificate file.  You are now ready to extract your certificate for use in Anaplan.

Extract your Sectigo Certificate

When you obtain your certificate from Sectigo, you can either submit the certificate request and get a private key from the CA or you can submit your request with a Certificate Signing Request (CSR).  

Note:

If you are on a Windows system, you must have openssl installed to complete these steps.

Follow these instructions to extract your certificate from Sectigo:

  1. Using Firefox, export your certificate in .p12 format.  For example, in Firefox:
    1. Navigate to Tools > Options > Privacy & Security 
    2. Scroll down to Certificates and click View Certificates
    3. Click the Your Certificates tab
    4. Select your certificate
    5. Click Backup and save your certificate as a memorable name in PKCS12 Files format.
    6. Define a password for the private key.
  2. Open a terminal window and navigate to the directory where you have your p12 certificate. 
  3. Extract the certificates: 
      openssl pkcs12 -in <path to p12 cert>.p12 -nokeys -out client_certificate.pem
    The public certificate is extracted and starts with "-----BEGIN CERTIFICATE-----".
  4. The client_certificate.pem file contains three certificates: the Root certificate, the Intermediate certificate, and the Public certificate. In a text editor, edit the client_certificate.pem file. 
    1. Delete the first two certificates (the Root and Intermediate certificate) by scrolling down to the third instance of "-----BEGIN CERTIFICATE----- " and removing all text above that entry.
    2. For the remaining certificate, ensure there is no content other than whitespace before  the "-----BEGIN CERTIFICATE----- " or after "-----END CERTIFICATE-----" entry 
      NOTE: Do not remove the certificate content between the "-----BEGIN CERTIFICATE----- " or after "-----END CERTIFICATE-----" lines!
  5. Create either an encrypted or unencrypted private key for use with Anplan Connect.  An encrypted key is password protected.
    • To create an unencrypted key for use with Anaplan Connect: 
      Extract an unencrypted private key (PEM format) from the Sectigo p12 file: 
      openssl pkcs12 -in <path to Sectigo p12 file> -nocerts -out <path to unencrypted private key> -nodes
    • To create an encrypted private key for use with Anaplan Connect:
      1. Extract the encrypted private key (PEM format) from the Sectigo p12 file.  You will be prompted to create a password to encrypt the Private key: 
        openssl pkcs12 -in <path to Sectigo p12 file> -nocerts -out <path to encrypted private key>
        The Private key is encrypted.  The key should start with "-----BEGIN ENCRYPTED PRIVATE KEY-----"
      2. Convert the private key to an encrypted pkcs8 file (PEM format). 
        openssl pkcs8 -inform PEM -in <path to encrypted private key> -outform PEM -out <path to pkcs 8 private key> -passout pass:<pkcs8 file password>
  6. Have your Tenant Administrator register the extracted public certificate.  For more information, see Manage your Certificates in Anapedia.
  7. Configure your Anaplan Connect scripts to use your encrypted or unencrypted private key.  Refer to the user guide for steps. It's also possible to use these keys with other Anaplan integration clients