1. Administration and security
  2. Administration
  3. Administration: Security - Certificates
  4. Procure CA Certificates

This section describes the way in which to procure Certificate Authority (CA) certificates.

Certificate Requirements

Certificate Authority (CA) certificates must:

  • be an S/MIME certificate (also known as a Client certificate or Personal Authentication certificate).
  • contain a certificate chain starting from the user's certificate to the root CA and end in a supported Public Root CA.
  • conform to the X.509 format of public key certificates.
  • be generated using the RSA-2048 or stronger algorithm.
  • be in .PEM format.
  • contain the user's email address. The email address must be present in either:
    • The X509v3 Subject Alternative Name field (preferred)
      or
    • The EMAILADDRESS field in the Subject. Set the email address using the EMAILADDRESS attribute, NOT the CommonName (CN) attribute.
  • contain a X509v3 Key Usage Digital Signature bit. Other bits can be present, but are ignored by Anaplan.
  • provide a way to check for revocation using the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).
Note: Anaplan does not support SSL or Server certificates.

Obtain a Certificate and Private Key

When you obtain an S/MIME certificate from a CA, you can either:

  • submit the certificate request and get a certificate from the CA,
    or
  • you can submit your request with a Certificate Signing Request (CSR) containing your private key.
Note: Contact your certificate vendor to confirm what the vendor requires.

Obtain a Certificate from a CA

Contact your IT or Security Operations organization to determine if your company already has an existing relationship with a CA or intermediary CA.

  • If your organization has an existing relationship with a CA or Intermediate CA you can request a client certificate be issued for your integration user.
  • If your organization does not have an existing CA relationship, you should contact a valid CA to procure a client certificate.
Note: There are many categories of certificates that a CA offers (for example: SAN certificates, wildcard certificates, code-signing certificates, and others). You should request a client certificate only. The process for procuring the certificate may take a few weeks for some validation that the CA must perform. We recommend you allow time for the procurement process. Once the CA issues the certificate file, follow their documented steps for making this file available in your environment.

Generate a Private Key and Certificate Signing Request (CSR)

If you have your own private key and public key, use them to generate a Certificate Signing Request (CSR) in which you will include the public key.

Note: The following procedure describes the process to manage and create the CSR to register with a Certificate Authority using the OpenSSL tool in a Windows environment. You can use alternate tools to manage and create these files to register with a Certificate Authority, but note other tools have not been tested nor are they supported by Anaplan.

Prepare the openssl.cnf file.

  1. Create a text file and add the following content in it:
    [ req ]
default_md = sha256
default_bits = 2048
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
#attributes = req_attributes
#x509_extensions = v3_ca_req
req_extensions = v3_user_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
localityName = Locality Name (eg, city)
localityName_default = San Francisco
0.organizationName = Organization Name (eg, company)
0.organizationName_default = CompanyNameGoesHere, Inc.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = YourOrganizationalUnitGoesHere
commonName = Common Name (eg, YOUR name)
commonName_default = EmployeeNameGoesHere
commonName_max = 64
emailAddress = Email Address
emailAddress_default = EmployeeEmailAddressGoesHere
emailAddress_max = 40
[ v3_user_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth
  2. Edit the values of these elements for your organization:
    Element Value
    countryName_default The country name
    stateOrProvinceName_default The name of the state or province
    0.organizationName_default The organization name
    organizationalUnitName_default The organizational unit name
    commonName_default The name of the user associated with the certificate.
    emailAddress_default The user's email address associated with the Anaplan login

    We further recommend setting default_md = sha512.

  3. Save the file as openssl.cnf.
  4. Generate the private key and the certificate signing request (CSR) based on the openssl.cnf file:
    $openssl req -nodes -config openssl.cnf -new -out cert-request.csr -keyout <key name>

    In the above command, replace <key name> with the name of your private key (e.g. private.key). The command outputs your private key and a cert-request.csr file, which is your CSR.

    Note: Do not run the command multiple times in the same folder, as that will overwrite the private.key and the cert-request.csr files. If you need to issue certificates for multiple users, we recommend creating separate folders for each employee to contain the relevant file.
  5. Validate the CSR (certificate signing request) using the following openssl command:
    $openssl req -in cert-request.csr -noout -text

    This outputs the content of the certificate signing request. Double-check that the data in the certificate signing request is for the correct organization and user.

  6. Store the private key file securely.
Note: If you need to distribute the private key we recommend using an encrypted method, such as GPG, using a keysize of 4096 bits to exchange the files. GPGtools can be downloaded from https://gpgtools.org/.

Extract the Certificate Key and Public Key

Note: The following procedure describes the process to manage and create the CSR to register with a Certificate Authority using the OpenSSL tool in a Windows environment. You can use alternate tools to manage and create these files to register with a Certificate Authority, but note other tools have not tested nor are supported by Anaplan.
  1. Open a terminal window and navigate to the directory where you have your p12 certificate.
  2. Extract the certificate by running this openssl command in the terminal window:
    openssl pkcs12 -in <name of your p12 cert>.p12 -nokeys -out client_certificate.pem

    Where <name of your p12 cert> is the name of the certificate saved in p12 format.

  3. Extract the private key by running this openssl command in the terminal window.
    openssl pkcs12 -in <name of your p12 cert>.p12 -nocerts -out private.key -nodes

    Where <name of your p12 cert> is the name of the certificate saved in p12 format.

  4. In a text editor, edit the client_certificate.pem file to remove any content before "-----BEGIN CERTIFICATE----- " or after "-----END CERTIFICATE-----".
    Do not remove the certificate content between the "-----BEGIN CERTIFICATE----- " or after "-----END CERTIFICATE-----" lines!

Register your Certificate with a Certificate Authority

  1. Log into your CA account. If necessary, perform any validation steps required by the CA.
  2. Order a client certificate. Certificates must meet the certificate requirements.
  3. When prompted, upload the cert-request.csr file generated previously.
  4. At the Recipient CSR prompt, upload the cert-request.csr file generated previously.
  5. Submit your request to the CA.
  6. The user is then responsible to perform any steps to confirm the email address associated with the certificate. Upon receiving the certificate, extract it and register it with Anaplan.  For more information, see Managing Certificates.