(Optional) Configuring SSL Certificates for a Secure Proxy Service

This guide explains how to create and configure an SSL certificate for use with a proxy service. This setup ensures secure communications and compliance with best practices when routing traffic to Snowflake or other endpoints. By following these steps, you will configure an SSL certificate, integrate it with AWS ACM, and adjust the proxy load balancer.

Steps to Configure an SSL Certificate

1. Generate a Private Key

A private key is used to create and sign SSL certificates. Run the following commands to generate the key:

# Generate a private key
openssl genpkey -algorithm RSA -out private.key

# Convert the key to PEM format for AWS compatibility
openssl rsa -in private.key -outform PEM -out private.pem

2. Create a Certificate Signing Request (CSR)

A CSR is a formal request to generate an SSL certificate. This includes information about the server's domain name.

# Create a CSR
openssl req -new -key private.key -out request.csr

When prompted for the Common Name, specify your Snowflake account domain in the format:

<org>-<account>.snowflakecomputing.com

For example: orgname-accountname.snowflakecomputing.com.

3. Generate a Self-Signed Certificate

Self-signed certificates can be used for internal testing and development. To generate one, run:

4. Import the PEM Certificate to AWS ACM

AWS Certificate Manager (ACM) manages SSL certificates and integrates them with AWS resources like load balancers.

1. Log in to your AWS Management Console.

2. Navigate to Certificate Manager.

3. Select Import a Certificate.

4. Upload the following files:

   • Certificate Body: certificate.pem

   • Certificate Private Key: private.pem

Once imported, AWS ACM will manage the certificate for use with your load balancer.

5. Update the Proxy Load Balancer

The load balancer will use the new SSL certificate to secure client connections.

1. Navigate to EC2 Dashboard > Load Balancers in AWS.

2. Select your load balancer and go to the Listeners tab.

3. For the HTTPS listener:

   • Click Edit or Add Certificates.

   • Select the newly imported certificate from AWS ACM.

6. Deploy the Certificate to Pods

Ensure the pods can find the self-signed SSL certificate.

1. Upload the Certificate: Place the certificate.crt file on the pods sending requests to Snowflake.

2. Update the Trusted Certificate Store:

   • For Debian/Ubuntu-based images:

     response should be:

   • For Python services using the Snowflake connector, set an environment variable named REQUESTS_CA_BUNDLE to point:

3. Verify DNS Resolution: Ensure that DNS resolution for requests to *.snowflakecomputing.com resolves to the proxy load balancer's IP. This can be configured globally at the DNS level or locally in the /etc/hosts file:

Testing the Setup

Verify the SSL Certificate with OpenSSL

Run the following command to verify the certificate and handshake:

• Look for Verification: OK to confirm that the certificate is trusted.

Test the Proxy Configuration

Use a tool like curl to send a request through the proxy:

Validate Application Behavior

Ensure that requests from your applications (e.g., SnowSQL, Python scripts) are routed through the proxy and SSL verification succeeds.

Conclusion

By following these steps, you have successfully configured an SSL certificate for use with your proxy service, enabling secure communication between clients and Snowflake. This approach ensures compliance with best practices for SSL/TLS security and maintains the integrity of your data traffic.