github.com/snowflakedb/gosnowflake@v1.9.0/doc/runbook-update-ca-certs.md

### Updating CA cert store (currently manual process)
1. As with other Snowflake drivers, this driver uses `cacert.pem`, which is curated by Mozilla and available at https://curl.se/docs/caextract.html
2. The driver reads the certs from `caRootPEM`, which is found in [cacert.go](https://github.com/snowflakedb/gosnowflake/blob/master/cacert.go)
3. To update the cert store, update it in `cacert.go`. Download the latest `cacert.pem` from https://curl.se/ca/cacert.pem.
4. Edit `cacert.go`, and locate the `caRootPEM` const:
```go
const caRootPEM = `
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Wed Jul 22 03:12:14 2020 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.28.
## SHA256: cc6408bd4be7fbfb8699bdb40ccb7f6de5780d681d87785ea362646e4dad5e8e
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
..here's the first CA cert, followed by tons of other CA certs
..last CA cert in the bundle ends here
-----END CERTIFICATE-----
`
```
5. Replace the whole bundle of CA certs, which is enclosed by
```go
const caRootPEM = `
..certs
`
```

Replace the part represented by `..certs` above with the whole content of the `cacert.pem` which you downloaded.

6. Save the edited file and create a PR.

#### Things to watch out for:
* Make sure you retain the enclosing opening and closing backticks around the actual CA cert bundle
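
The edit described above can be scripted so that the backtick and bundle-integrity problems are caught before the PR. This is an added example, not code from the gosnowflake repository: `spliceBundle` and `sampleBundle` are hypothetical names, the certificate is a throwaway generated at run time, and the source string in `main` is a constructed stand-in for `cacert.go`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// spliceBundle validates bundle, then swaps it into the caRootPEM raw string of src.
func spliceBundle(src, bundle string) (string, int, error) {
	if strings.Contains(bundle, "`") {
		return "", 0, fmt.Errorf("bundle contains a backtick, which would end the raw string early")
	}
	n := 0 // pem.Decode silently skips blocks it cannot decode; the marker count below catches that
	for block, rest := pem.Decode([]byte(bundle)); block != nil; block, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return "", 0, fmt.Errorf("PEM block %d: %w", n+1, err)
		}
		n++
	}
	if n == 0 || n != strings.Count(bundle, "-----BEGIN CERTIFICATE-----") {
		return "", 0, fmt.Errorf("bundle is empty or has an undecodable PEM block")
	}
	head, tail, found := strings.Cut(src, "const caRootPEM = `")
	_, tail, closed := strings.Cut(tail, "`")
	if !found || !closed {
		return "", 0, fmt.Errorf("caRootPEM backticks not found in source")
	}
	return head + "const caRootPEM = `\n" + bundle + "`" + tail, n, nil
}

// sampleBundle returns constructed input: one throwaway self-signed certificate.
func sampleBundle() string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return "Test Root\n=========\n" + string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	out, n, err := spliceBundle("const caRootPEM = `\nold certs\n`\n", sampleBundle())
	fmt.Printf("certs=%d err=%v\n%s", n, err, out)
}
```

The certificate count it returns can go in the PR description, so a reviewer can compare it with the number of `-----BEGIN CERTIFICATE-----` markers in the downloaded file.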