Your IT or security administrator can acquire a CA certificate for your Anaplan integrations by following one of the choices below.
Choose the option that best aligns with your procurement process:
- Generate a CSR and Private Key yourself
- Purchase a CA certificate direct from a vendor
How to generate a Private Key and Certificate Signing Request (CSR)
IT or security can use the OpenSSL Command Line tool to self-generate a Private Key and Certificate Signing Request (CSR). This CSR will be submitted to a supported Certificate Authority (CA).
The CA generates and provides a CA certificate that, once formatted, can be used with Anaplan API v2.0.
Create a new text file and add this content:
[ req ]
default_md = sha512
default_bits = 2048
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_user_req
[ req_distinguished_name ]
countryName = US
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = California
stateOrProvinceName_default = California
localityName = San Francisco
localityName_default = San Francisco
0.organizationName = Anaplan, Inc
0.organizationName_default = Anaplan, Inc
organizationalUnitName = Anaplan OEG
organizationalUnitName_default = Anaplan OEG
commonName = John Doe
commonName_default = John Doe
commonName_max = 64
emailAddress = john.doe@anaplan.com
emailAddress_default = john.doe@anaplan.com
emailAddress_max = 40
[ v3_user_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth
Configuration file explanation
| Element | Description |
| countryName_default | The country's name |
| stateOrProvinceName_default | The name of the state or province |
| localityName_default | The name of the city |
| O.organizationName_default | The organization name |
| organizationalUnitName_default | The organizational unit name |
| commonName_default | The name of the user associated with the certificate or the company's domain |
| emailAddress_default | The user's email address associated with the Anaplan login |
Generate the CSR and Private Key
Run this command in your OpenSSL Command Prompt instance to generate a CSR and Private Key file:
req-new -newkey rsa:2048 -keyout private_key.key -config openssl.cnf-out cert-request.csr
This command outputs your private_key.key and a cert-request.cr file, which is your CSR.
Keep track of your Private Key file and the Password that was used to generate this key for later use in this guide.
Verify that the content of your CSR is correct before submitting to a Certificate Authority:
req -text -in cert-request.csr -noout -verify
Submit the CSR to one of our supported CA providers to receive your S/MIME certificate and continue to the certificate conversion process.
Purchase a CA certificate direct from a vendor
First, contact your IT or security team to determine if your company already has an existing relationship with a CA or intermediate CA.
If not, then check Anapedia for the latest list of supported CA certificates: Supported root CA certificates with Anaplan.
Choose a supported provider and visit their website directly to purchase an "S/MIME" (secure email) certificate. Each provider will then have you complete the necessary form so you can purchase your new certificate.
The certificate you purchase must be of the "S/MIME" type, otherwise your API requests to Anaplan won't contain the required "Email address" attribute. You may also see "S/MIME" called "Client authentication" or "Personal email" certificates.
Once you've purchased and downloaded your certificate from a supported CA provider, you can proceed to converting that certificate for use within the Anaplan API.