Change of Certificate Authority and OCSP Allowlist for AWS Customers

Note

The changes mentioned in this BCR affect only customers using Snowflake on AWS (including AWS PrivateLink).

Changes

As part of Snowflake’s continued commitment to providing best-in-class transport-layer-security (TLS) we are migrating all endpoints used by connectors, drivers, SQL API clients and all PrivateLink Endpoints to a new load balancing stack. A final step in this migration moves TLS session termination from Amazon Elastic Load Balancers to Snowflake-managed Envoy proxies.

As a result, Snowflake is changing which TLS Certificate Authority (CA) signs the certificates used to terminate TLS connections to its API endpoints from Amazon Trust Services to Digicert.

Note

Digicert is already used for Snowflake’s Azure & GCP regions.

Since Digicert CA certificates are present in the default trust stores of all major operating systems, browsers and client environments, and allowlisting egress to OCSP responders is a rare configuration, this migration will be transparent and require no changes for the majority of Snowflake customers.

For the small fraction of customers who allowlist network egress or customize their CA trust stores to exclude Digicert, configuration updates may be required:

  1. An update to operating system or application level trust stores to include the Digicert CA root certificate, or intermediates (applies to PrivateLink and non-PrivateLink connectivity).

  2. An update to client firewalls and egress proxies to allow requests to the ocsp.digicert.com OCSP responder endpoint (applies only to non-PrivateLink connectivity).

Validation

CA Trust Store

Your Operating System, Browser or Application level TLS Certificate Authority trust store must contain the certificate for Digicert Global Root G2, serial 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5.

Operating system trust stores are implemented by the OS provider, and all recently patched operating systems contain the Digicert Global Root G2 certification in their default trust stores. Please reach out to your OS vendor for additional assistance.

For more information see the following:

  • Windows (https://learn.microsoft.com/en-us/windows-hardware/drivers/install/certificate-stores?source=recommendations)

  • macOS (https://support.apple.com/en-us/HT209143)

  • RedHat Linux (https://www.redhat.com/sysadmin/configure-ca-trust-list)

  • Ubuntu (https://ubuntu.com/server/docs/security-trust-store)

If you access Snowflake from a Java application with a custom trust store, you can validate that Digicert Global Root G2 appears in the output of:

keytool -list -keystore <path_to_keystore_file>
Copy

OCSP Allowlist

Note

This BCR does not require any OCSP allowlist changes for customers using Snowflake drivers to access AWS PrivateLink endpoints.

Non-privatelink customers should validate that their clients have outbound network connectivity to ocsp.digicert.com on port 80, e.g. using curl:

curl -I 'http://ocsp.digicert.com'
HTTP/1.1 200 OK
...
Copy

For general instructions on Firewall allowlist requirements and validation using the SnowCD tool, see SYSTEM$ALLOWLIST.

Timeline

Important

This BCR is an Unbundled Change. This infrastructure update will be executed by Snowflake on the timeline below, and is not coupled to the Snowflake release cycle or Behavior Change Management tooling. There is no self-service mechanism to opt in or opt out of this change. For validation and testing, please reach out to the support team to opt in individual accounts for non non-PrivateLink connectivity testing. For PrivateLink validation, Snowflake will provide support for account level early adopter opt-in by February 2025.

This change will occur gradually across all AWS regions from January 5 - January 31, 2025 (postponed from the previously announced dates of September - October 2024) for all non-PrivateLink traffic. For PrivateLink traffic, the change will be rolled out across all AWS regions from April 2 - April 30, 2025.

Ref: 1657

Language: English