Documentation
Toggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Docs
  2. /
  3. Reference
  4. /
  5. Private Broker Setup
  6. /
  7. Private Broker SSL Certificate
Add-on

Private Broker SSL Certificate

Importance of Using an SSL Certificate Issued by a Well-Known Certificate Authority (CA)

When securing traffic between Snowflake SQL clients / drivers and the Sundeck Private Broker, selecting an appropriate SSL certificate is critical for ensuring seamless operation and maintaining client trust. Below are the key reasons why using an SSL certificate issued by a well-known Certificate Authority (CA) is highly recommended.

Simplified Client Configuration

Snowflake clients and drivers have pre-set SSL trust store locations, and these trust stores include certificates from well-known CAs by default. While some Snowflake clients/drivers will allow the trust store location to be overridden via command line arguments, environment variables, or registry settings, some do not and can only use the pre-configured trust stores. Using a certificate from a well-known CA, rather than a self-signed certificate, ensures that client SSL “just works”.

Certificates obtained from a well-known provide:

  • Ease of Use: Clients can validate the server’s certificate without requiring manual intervention to add or update trust stores.
  • Reduced Complexity: Configuring alternate SSL trust stores is either not supported by some clients or requires significant effort to implement, often necessitating technical expertise and additional resources.
  • Out-of-the-box Compatibility: By using a certificate from a widely trusted CA, the risk of compatibility problems with different Snowflake clients is minimized.

Why Self-Signed Certificates Fail in This Context

While many organizations often create self-signed certificates for internal services to save costs and simplify initial setup, this approach is ill-suited for Snowflake clients. Snowflake clients rely heavily on pre-configured trust stores that only recognize certificates issued by well-known CAs. Using a self-signed certificate in this context will result in:

  • Connection Failures: Clients will reject the server’s certificate as untrusted, leading to failed connections.
  • Endless Troubleshooting: Administrators will face significant challenges trying to distribute and configure custom trust stores for every client, and the methods for configuring each client type to use a custom trust store vary (and some Snowflake clients do not support this at all).
  • Operational Frustration: The ongoing maintenance and inevitable misconfigurations will lead to a cycle of disruptions and wasted effort.

For these reasons, relying on self-signed certificates for the Sundeck Private Broker will result in many wasted hours of configuration, with some clients (such as ODBC) never being made to work. Avoiding these pitfalls by using a well-known CA-issued certificate is the appropriate solution.

Enhanced Security and Trust

SSL certificates issued by well-known CAs undergo rigorous validation processes, ensuring that the entity requesting the certificate is legitimate. This provides:

  • Strong Authentication: Ensures clients can trust the proxy as an authenticated intermediary for their Snowflake SQL operations.
  • End-to-End Encryption: Protects sensitive data from interception or tampering during transit.

Avoidance of Operational Disruptions

Using a certificate issued by a lesser-known or self-signed CA can lead to the following challenges:

  • Certificate Trust Issues: Clients may reject the connection if the server certificate is not recognized as trusted.
  • Increased Maintenance Overhead: Administrators need to distribute and maintain custom trust stores for each client, which can be time-consuming and error-prone.
  • Potential Downtime: Configuration errors or delays in propagating trust store updates can result in client connection failures and disrupted service.

Streamlined Updates and Renewals

Certificates from well-known CAs are easy to renew and update without requiring additional client-side configuration. This ensures:

  • Minimal Downtime: The seamless replacement of expiring certificates.
  • Consistency Across Clients: Ensures that all clients remain operational without needing individual updates.

Conclusion

To ensure optimal performance and reliability for an internally-hosted HTTP Snowflake SQL proxy like the Sundeck Private Broker, it is essential to use an SSL certificate issued by a well-known CA. This eliminates the complexities associated with custom trust store configurations, enhances security, and minimizes operational risks. By choosing a trusted CA-issued certificate, organizations can ensure seamless client connectivity, maintain client trust, and avoid the pitfalls of self-signed certificates.