OCSP Allowlist Changes for AWS Customers

Note

The changes mentioned in this BCR affect customers using Snowflake on AWS (including AWS PrivateLink).

As part of Snowflake’s continued commitment to providing best-in-class transport layer security (TLS), we are migrating all endpoints used by connectors, drivers, SQL API clients and all PrivateLink endpoints to a new load balancing stack based on the open source Envoy Proxy, as described in Snowflake’s migration to Envoy for traffic management.

While this migration will be transparent for most customers, for some customers using Snowflake in AWS regions, a configuration update will be required.

Snowflake is changing which TLS Certificate Authority (CA) signs the certificates used to terminate TLS connections to its API endpoints, from Amazon Trust Services to DigiCert (DigiCert is already used for Snowflake’s Azure and GCP deployments).

This may require:

  1. An update to operating system or application level trust stores to include the DigiCert CA root certificate and/or intermediates. If you need assistance checking or updating your operating system trust store, contact your local system administration team or operating system vendor and ask them to add the DigiCert root certificate to the trust store. For Java trust stores, Snowflake recommends contacting your application administrator or Java support provider for assistance. For more information, see the following documentation:

  2. An update to client firewalls and egress proxies to allow requests to the ocsp.digicert.com OCSP responder endpoint. To add ocsp.digicert.com, see SYSTEM$ALLOWLIST.
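The check in step 2 is easier to make repeatable than to do by eye. The script below is an added example, not Snowflake's own code: it takes the JSON array returned by `SELECT SYSTEM$ALLOWLIST();` (objects with `type`, `host` and `port` keys), confirms that an `OCSP_RESPONDER` entry for `ocsp.digicert.com` is present, and emits the `host:port` pairs an egress firewall or proxy rule set needs. The embedded allowlist output is a constructed sample that mirrors that shape; the deployment and stage hostnames in it are placeholders, and `check_reachable` is a hypothetical helper for an optional live connectivity test from the client network.

```python
import json
import socket
from typing import Dict, List, Set

# Constructed sample mirroring the shape of SYSTEM$ALLOWLIST() output.
# Only ocsp.digicert.com is taken from the BCR; the other hosts are placeholders.
SAMPLE_ALLOWLIST_JSON = json.dumps([
    {"type": "SNOWFLAKE_DEPLOYMENT", "host": "example-account.snowflakecomputing.com", "port": 443},
    {"type": "STAGE", "host": "example-stage-bucket.s3.amazonaws.com", "port": 443},
    {"type": "OCSP_RESPONDER", "host": "ocsp.digicert.com", "port": 80},
])

# Constructed sample of an allowlist captured before the CA change: no DigiCert responder.
STALE_ALLOWLIST_JSON = json.dumps([
    {"type": "SNOWFLAKE_DEPLOYMENT", "host": "example-account.snowflakecomputing.com", "port": 443},
    {"type": "STAGE", "host": "example-stage-bucket.s3.amazonaws.com", "port": 443},
])

# The OCSP responder this BCR says AWS clients must be able to reach.
REQUIRED_OCSP_RESPONDERS: Set[str] = {"ocsp.digicert.com"}


def parse_allowlist(allowlist_json: str) -> List[Dict]:
    """Parse SYSTEM$ALLOWLIST() output and reject entries missing the expected keys."""
    entries = json.loads(allowlist_json)
    if not isinstance(entries, list):
        raise ValueError("allowlist output must be a JSON array")
    for entry in entries:
        for key in ("type", "host", "port"):
            if key not in entry:
                raise ValueError(f"allowlist entry missing '{key}': {entry!r}")
    return entries


def ocsp_responders(entries: List[Dict]) -> Set[str]:
    """Hosts the account's TLS certificate chain is validated against via OCSP."""
    return {e["host"] for e in entries if e["type"] == "OCSP_RESPONDER"}


def missing_ocsp_responders(entries: List[Dict],
                            required: Set[str] = REQUIRED_OCSP_RESPONDERS) -> Set[str]:
    """Required OCSP responders that the allowlist does not list (empty set means OK)."""
    return set(required) - ocsp_responders(entries)


def egress_rules(entries: List[Dict]) -> List[str]:
    """Deduplicated, sorted host:port pairs for an egress firewall or proxy allowlist."""
    return sorted({f"{e['host']}:{e['port']}" for e in entries})


def check_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Hypothetical helper: TCP connect test from the client network (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Replace SAMPLE_ALLOWLIST_JSON with the string returned by SELECT SYSTEM$ALLOWLIST();
    entries = parse_allowlist(SAMPLE_ALLOWLIST_JSON)
    missing = missing_ocsp_responders(entries)
    print("missing OCSP responders:", missing or "none")
    for rule in egress_rules(entries):
        print("allow egress to", rule)
```

A non-empty result from `missing_ocsp_responders` means the firewall or proxy configuration is still based on the pre-migration allowlist and needs `ocsp.digicert.com` added before the regional cutover; running `check_reachable("ocsp.digicert.com", 80)` from the client host confirms the rule actually took effect.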

To validate and update this configuration, see Envoy migration updates.

This change will occur gradually across all AWS regions from September - October 2024.

Ref: 1657