Wider variety of Certificate Authorities and shorter certificate lifetimes
Note
This change is pending.
As part of Snowflake’s continued commitment to providing best-in-class Transport Layer Security (TLS), we are introducing Let’s Encrypt and Google Trust Services as additional Certificate Authority (CA) providers alongside our existing providers. You may see certificates issued by these CAs when connecting to endpoints owned by Snowflake. We are also investing in shortening our certificate lifetimes to meet and exceed upcoming CA/Browser Forum standards.
This unbundled change will not affect the endpoints most drivers use to connect to Snowflake, specifically
the SNOWFLAKE_DEPLOYMENT and SNOWFLAKE_DEPLOYMENT_REGIONLESS types returned by
SYSTEM$ALLOWLIST and
SYSTEM$ALLOWLIST_PRIVATELINK.
When the list of possible CAs for these existing endpoints is expanded, separate communications will be sent.
This unbundled change may affect any of the other domains owned by Snowflake and returned by
SYSTEM$ALLOWLIST and
SYSTEM$ALLOWLIST_PRIVATELINK,
such as SNOWSIGHT_DEPLOYMENT. You will likely see these new certificates if you access Snowflake
services through a web browser, if you access SPCS endpoints programmatically, or if you use
Snowpipe Streaming with High Performance Architecture.
A small number of Snowflake sites, including app.snowflake.com, were already using certificates
issued by some of these CAs prior to 2026.
Validation
Your operating system, browser, or application-level TLS Certificate Authority trust store must contain the root CA certificates described at https://letsencrypt.org/certificates/ and https://pki.goog/repository/. These CA certificates are present in the default trust stores of all major operating systems, browsers and client environments, so this migration will be transparent and require no changes for the majority of Snowflake customers.
You can open connections to the test websites listed below to ensure that you trust certificates issued by those CAs.
| Root CA | Test URL |
|---|---|
| ISRG Root X1 | |
| ISRG Root X2 | |
| GTS Root R1 | |
| GTS Root R2 | |
| GTS Root R3 | |
| GTS Root R4 | |
| GlobalSign R4 | |
Operating system trust stores are implemented by the OS provider, and all recently patched operating systems contain sufficient certificates in their default trust stores. Please reach out to your OS vendor for additional assistance. We recommend that clients accept certs from any CA in the Mozilla CA/Included Certificates list.
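As a complement to the connection test, the following added example (not Snowflake's code) inventories a Python client's trust store for the root CAs named in the table above. It matches by subject name only, so it shows whether a root is present rather than proving trust. The subject string used for GlobalSign R4 and the sample store are assumptions constructed for illustration.

```python
import ssl

# Root CA labels from the table above -> subject value to look for.
# Six are commonName values; the GlobalSign R4 value is an assumption
# (that root is assumed to carry its name in organizationalUnitName).
REQUIRED_ROOTS = {label: label for label in (
    "ISRG Root X1", "ISRG Root X2",
    "GTS Root R1", "GTS Root R2", "GTS Root R3", "GTS Root R4")}
REQUIRED_ROOTS["GlobalSign R4"] = "GlobalSign ECC Root CA - R4"

# Constructed sample in the shape SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),))},
    {"subject": ((("organizationName", "Google Trust Services LLC"),),
                 (("commonName", "GTS Root R1"),))},
]


def subject_values(ca_certs):
    """Collect every subject attribute value from get_ca_certs()-style dicts."""
    values = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for _key, value in rdn:
                values.add(value)
    return values


def missing_roots(ca_certs, required=REQUIRED_ROOTS):
    """Return the table labels whose root is not found in the CA list."""
    present = subject_values(ca_certs)
    return sorted(lbl for lbl, needle in required.items() if needle not in present)


def load_trust_store(cafile=None):
    """Load CA certs from a PEM bundle, or from the platform default store.

    OpenSSL reads directory-based (capath) stores lazily, so the default
    store can appear empty here; pass the PEM bundle path as cafile then.
    """
    return ssl.create_default_context(cafile=cafile).get_ca_certs()


if __name__ == "__main__":
    print("sample store is missing:", missing_roots(SAMPLE_STORE))
    store = load_trust_store()
    print(f"local store: {len(store)} CA certificates loaded")
    for label in missing_roots(store):
        print("not found by name:", label)
```

If the local store reports zero certificates, rerun with the path to your CA bundle file, for example the one your driver or `certifi` installation uses.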
Ref: 2255