This section describes how to procure Certificate Authority (CA) certificates.
Certificate Authority (CA) certificates must:
Note: Anaplan does not support SSL or Server certificates.
When you obtain an S/MIME certificate from a CA, you can either:
Note: Contact your certificate vendor to confirm what the vendor requires.
Contact your IT or Security Operations organization to determine if your company already has an existing relationship with a CA or intermediary CA.
Note: A CA offers many categories of certificates (for example: SAN certificates, wildcard certificates, code-signing certificates, and others). You should request a client certificate only. Procuring the certificate may take a few weeks because of the validation the CA must perform. We recommend you allow time for the procurement process. Once the CA issues the certificate file, follow their documented steps for making this file available in your environment.
If you have your own private key and public key, use them to generate a Certificate Signing Request (CSR) in which you will include the public key.
Note: The procedure below describes how to manage and create the CSR to register with a Certificate Authority using the OpenSSL
Prepare the openssl.cnf file.
[ req ]
default_md = sha256
default_bits = 2048
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
#attributes = req_attributes
#x509_extensions = v3_ca_req
req_extensions = v3_user_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
localityName = Locality Name (eg, city)
localityName_default = San Francisco
0.organizationName = Organization Name (eg, company)
0.organizationName_default = CompanyNameGoesHere, Inc.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = YourOrganizationalUnitGoesHere
commonName = Common Name (eg, YOUR name)
commonName_default = EmployeeNameGoesHere
commonName_max = 64
emailAddress = Email Address
emailAddress_default = EmployeeEmailAddressGoesHere
emailAddress_max = 40
[ v3_user_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature
nsCertType = client
extendedKeyUsage = clientAuth
Element | Value |
countryName_default | The country name. |
stateOrProvinceName_default | The name of the state or province. |
0.organizationName_default | The organization name. |
organizationalUnitName_default | The organizational unit name. |
commonName_default | The name of the user associated with the certificate. |
emailAddress_default | The user's email address associated with the Anaplan login. |
We further recommend setting default_md = sha512.
$ openssl req -nodes -config openssl.cnf -new -out cert-request.csr -keyout <key name>
Note: Do not run the command multiple times in the same folder, as that will overwrite the private.key and the cert-request.csr files. If you need to issue certificates for multiple users, we recommend creating a separate folder for each employee to contain the relevant files.
$ openssl req -in cert-request.csr -noout -text
This outputs the content of the certificate signing request. Double-check that the data in the certificate signing request is for the correct organization and user.
Note: If you need to distribute the private key we recommend using an encrypted method, such as GPG, using a keysize of 4096 bits to exchange the files. GPGtools can be downloaded from https://gpgtools.org/
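A scripted version of the double-check above, added here as an example and not taken from Anaplan's documentation: `check_csr` confirms that the CSR's self-signature verifies, that it was generated from the private key on disk, that it requests client-certificate extensions, and that the unencrypted key is readable only by its owner. The function names and the sample subject values in `make_sample_csr` are constructed for illustration.

```shell
# Added example: checks to run on a CSR before sending it to the CA.
# check_csr CSR KEY: returns 0 only if every check passes.
check_csr() {
  csr=$1 key=$2
  # 1. Self-signature: the CSR was signed by the key whose public half it carries.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
    || { echo "FAIL: CSR self-signature does not verify" >&2; return 1; }
  # 2. The CSR's public key is the public half of the private key on disk
  #    (assumes an unencrypted key, which is what -nodes writes).
  csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
  [ -n "$key_pub" ] && [ "$csr_pub" = "$key_pub" ] \
    || { echo "FAIL: CSR was not generated from $key" >&2; return 1; }
  # 3. Requested extensions describe a client certificate, not a CA or server one.
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
  for want in "CA:FALSE" "Digital Signature" "TLS Web Client Authentication"; do
    echo "$text" | grep -q "$want" \
      || { echo "FAIL: CSR lacks '$want'" >&2; return 1; }
  done
  # 4. -nodes leaves the key unencrypted, so only the owner may read it.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
    || { echo "FAIL: $key is accessible to group or others" >&2; return 1; }
  echo "OK: $(openssl req -in "$csr" -noout -subject)"
}

# make_sample_csr DIR: constructed CSR and key for a dry run. The config is a
# trimmed copy of the page's, with made-up subject values and no prompting.
make_sample_csr() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_md = sha256
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_user_req
[ req_distinguished_name ]
countryName = US
organizationName = Example Org
commonName = Example User
[ v3_user_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -nodes -config "$1/openssl.cnf" -new \
    -out "$1/cert-request.csr" -keyout "$1/private.key" 2>/dev/null
  chmod 600 "$1/private.key"
}
# Usage: sh check_csr.sh cert-request.csr private.key
if [ "$#" -eq 2 ]; then check_csr "$1" "$2"; fi
```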
Note: The following procedure describes the process to manage and create the CSR to register with a Certificate Authority using the OpenSSL
openssl pkcs12 -in <name of your p12 cert>.p12 -nokeys -out client_certificate.pem
Where <name of your p12 cert> is the name of the certificate saved in p12 format.
openssl pkcs12 -in <name of your p12 cert>.p12 -nocerts -out private.key -nodes
Where <name of your p12 cert> is the name of the certificate saved in p12 format.
Note: Do not remove the certificate content between the "-----BEGIN CERTIFICATE-----" or after "-----END CERTIFICATE-----" lines!