
Configuring SSL Certificates for a Secure Proxy Service

This guide walks through creating and configuring SSL certificates for a proxy service routing to Snowflake.

1. Generate a Private Key

# Generate a private key
openssl genpkey -algorithm RSA -out private.key

# Write the key out as private.pem for AWS compatibility (genpkey output is already PEM, so this only re-encodes it)
openssl rsa -in private.key -outform PEM -out private.pem

2. Create a Certificate Signing Request (CSR)

# Create a CSR
openssl req -new -key private.key -out request.csr

When prompted for Common Name, use:

<org>-<account>.snowflakecomputing.com

3. Generate a Self-Signed Certificate

# Generate a self-signed certificate (valid for 1 year)
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt

# Write the certificate out as certificate.pem for broader compatibility (the .crt from the previous command is already PEM-encoded)
openssl x509 -in certificate.crt -outform PEM -out certificate.pem

4. Import into AWS Certificate Manager (ACM)

Upload certificate.pem and private.pem through the AWS Certificate Manager console.

5. Configure the Load Balancer

Update the HTTPS listener in EC2 Load Balancers to use the newly imported certificate.

6. Deploy the Certificate to Pods

sudo cp certificate.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Expected output:

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Set the environment variable for Python requests:

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Configure DNS resolution so the Snowflake hostname resolves to the proxy load balancer (add this entry to /etc/hosts, or configure it globally):

<proxy-load-balancer-ip> <org>-<account>.snowflakecomputing.com

Testing

Verify the SSL connection:

openssl s_client -connect <your-domain>:443

Test the proxy with cURL:

curl -v https://<org>-<account>.snowflakecomputing.com
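
The files from steps 1 to 3 can also be checked offline before the ACM import in step 4: that the private key belongs to the certificate, that the certificate covers the Snowflake hostname, and that it has not expired. This script is an added example, not part of the original guide; the function names, the script name in the usage comment, and the `-subj` shortcut in `make_demo_pair` are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: offline checks on the files from steps 1-3 before ACM import.

# pair_matches CERT KEY: 0 when the certificate's public key belongs to KEY.
pair_matches() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# covers_host CERT HOST: 0 when the certificate is valid for HOST.
# -checkhost reports its result as text, so match on that text.
covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# not_expired CERT: 0 when the certificate is still inside its validity period.
not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# preflight CERT KEY HOST: run every check and report the first failure.
preflight() {
  pair_matches "$1" "$2" || { echo "FAIL: key does not match certificate" >&2; return 1; }
  covers_host "$1" "$3" || { echo "FAIL: certificate does not cover $3" >&2; return 1; }
  not_expired "$1" || { echo "FAIL: certificate has expired" >&2; return 1; }
  echo "OK: $1 and $2 are consistent for $3"
}

# make_demo_pair DIR HOST: constructed throwaway pair, built with the same
# commands as steps 1-3 (-subj replaces the interactive Common Name prompt).
make_demo_pair() {
  openssl genpkey -algorithm RSA -out "$1/private.key" 2>/dev/null &&
  openssl req -new -key "$1/private.key" -subj "/CN=$2" -out "$1/request.csr" &&
  openssl x509 -req -days 365 -in "$1/request.csr" -signkey "$1/private.key" \
    -out "$1/certificate.crt" 2>/dev/null
}

# Usage: ./preflight.sh certificate.pem private.pem <org>-<account>.snowflakecomputing.com
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A failed `pair_matches` usually means the wrong key file was picked up, which would otherwise surface only as a rejected import.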