You can receive your new CA certificate in a few different formats from the CA provider.

The sections below outline the required OpenSSL steps for each format.

Run the following OpenSSL Command:

×509 -inform DER -in "path to your cert.crt" -out "path to your public cert.pem"

The result will be your "pem" (Public Certificate.pem) file that will be imported into Anaplan using Anaplan's Tenant Administrator client.

Your "Public Certificate.pem" file can be paired with the previously generated Private Key/Password from the CSR process.

Note: This is the same command to use for the "cer" format. Be sure to replace "path to your cert.crt" with "path to your cert.cer" file instead.

We will now open the resulting "Public Certificate.pem" file in a text editor to edit the contents.

Once the new ".pem" file has been extracted from the CA Certificate that you received from the CA Provider, you will need to open the "Public Certificate.pem" file in a text editor.

1. Remove any content before "-----BEGIN CERTIFICATE-----section.

Note: Do not remove the certificate content between the "-----BEGIN CERTIFICATE-----" or after "-----END CERTIFICATE-----" lines.

An example of the certificate string when editing the "Public Certificate.pem" file for API use.

2. Cut each certificate string that appears after the first "-----BEGIN CERTIFICATE-----" and " -----END CERTIFICATE-----" entry.

Paste the cut certificate strings into a separate text file and save the file as "Additional Certificate Strings" in case these are needed in place of the certificate string that we left in the "Public Certificate pem" file.

3. Save the file. Your "Public Certificate.pem" file should look like this:

An example of what the "Public Certificate.pem" file should look like.

4. Save the "Public Certificate.pem" file and move on to the Implementation Process steps.

The ".pfx" or ".p12" format contains the server certificate, intermediate certificates, and the private key in one encrypted file.

Run the following OpenSSL command: 

pkcs12 -in "path to your cert.p12" -nokeys -out "path to your new cert.psm"

The result will be your ".pem" (Public Certificate.pem) file that will be imported into Anaplan using Anaplan's Tenant Adminstrator client.

Note: This is the same command to use for the ".pfx" format. Be sure to replace the "path to your cert.p12" with "path to your cert.pfx" file instead.

There's an option to either extract an Unencrypted Private Key or an Encrypted Private Key.

Use of an Unencrypted Private Key won't require you to share your Private Key Passphrase in plain text within an Anaplan Connect script. 

To extract an Unencrypted Private Key, run the following OpenSSL command: 

pkcs12 -in "path to your p12 cert.p12" -nocerts -out "path to your private key.psm" - nodes

(This will create a "Private Key.pem" file that won't require the use of a password while running your API integrations.)

You'll be prompted to enter a password for the Private Key. It will also ask to confirm that password.

Use of an Encrypted Private Key will require an additional OpenSSL command and the inclusion of your Private Key Passphrase in plain text within an Anaplan Connect script.  

To extract an Encrypted Private Key, run the following OpenSSL command: 

pkcs12 -in "path to your p12 cert.p12" -nocerts -out "path to your private key.psm"

(This will create a Private Key file that will require a password when running your API integrations.) 

This password or "passphrase" will be presented in plain text within your Anaplan Connect scripts. If you'd rather not present the Private Key passphrase in your scripts, an Unencrypted Private Key may be a better option.

For an Encrypted Private Key to be used in Anaplan Connect, the file must be converted to PKCS8 (PEM) format. The OpenSSL command below will convert that file:

pkcs8 -inform PEM -in "path to your private key.pem" -outperform PEM -out "path to pkcs8 formatted private key file.pem" -passout pass:pkcs8 file password

You'll be prompted to create a new password (passphrase) for your Encrypted Private Key. Be sure to keep track of this password as it will be needed in our API implementation steps.

You can open and edit the resulting "Public Certificate.pem" file in a text editor. 

Once the new ".pem" file has been extracted from the CA Certificate that you received from the CA Provider, you will need to open the "Public Certificate.pem" file in a text editor.

1. Remove any content before "-----BEGIN CERTIFICATE-----section.

Note: Don't remove the certificate content between the "-----BEGIN CERTIFICATE-----" or after "-----END CERTIFICATE-----" lines.

An example of the certificate string when editing the "Public Certificate.pem" file for API use.

2. Cut each certificate string that appears after the first "-----BEGIN CERTIFICATE-----" and " -----END CERTIFICATE-----" entry.

Paste the cut certificate strings into a separate text file and save the file as "Additional Certificate Strings" in case these are needed in place of the certificate string that we left in the "Public Certificate pem" file.

3. Save the file. Your "Public Certificate.pem" file should look like this:

An example of what the "Public Certificate.pem" file should look like.

4. Save the "Public Certificate.pem" file and move on to the Implementation Process steps.

To extract the Public Certificate, run the following OpenSSL command:

pkcs7 -print_certs -in "path to your cert.p7b" -out "path to your public cert.pem"

The result will be your ".pem" (Public Certificate.pem) file that will be imported into Anaplan using Anaplan's Tenant Adminstrator client.

Your "Public Certificate.pem" file can be paired with the previously generated Private Key/Password from the CSR process. 

You can open and edit the resulting "Public Certificate.pem" file in a text editor. 

Once the new ".pem" file has been extracted from the CA Certificate that you received from the CA Provider, you will need to open the "Public Certificate.pem" file in a text editor.

1. Remove any content before "-----BEGIN CERTIFICATE-----section.

Note: Do not remove the certificate content between the "-----BEGIN CERTIFICATE-----" or after "-----END CERTIFICATE-----" lines.

An example of the certificate string when editing the "Public Certificate.pem" file for API use.

2. Cut each certificate string that appears after the first "-----BEGIN CERTIFICATE-----" and " -----END CERTIFICATE-----" entry.

Paste the cut certificate strings into a separate text file and save the file as "Additional Certificate Strings" in case these are needed in place of the certificate string that we left in the "Public Certificate pem" file.

3. Save the file. Your "Public Certificate.pem" file should look like this:

An example of what the "Public Certificate.pem" file should look like.

4. Save the "Public Certificate.pem" file and move on to the Implementation Process steps.