JDBC

jdbc:snowflake://chukei.internal.example.com:8443/?account=abc12345.eu-west-2.aws&ocspFailOpen=true

Two things to know:

  1. The account stays in the URL parameters; only the host/port change.
  2. The JDBC driver enforces OCSP revocation checks on the certificate presented by the host it connects to. Your internal-CA proxy cert has no public OCSP responder, so set ocspFailOpen=true for the pilot. (The Python connector and snowsql soft-fail by default and need no flag.)

For BI tools that wrap JDBC (e.g. anything with a "host" field and an "additional JDBC parameters" box), set the host to chukei and add ocspFailOpen=true to the parameters.

Two gotchas validated the hard way

  1. Truststore: extend, never replace. If you pass -Djavax.net.ssl.trustStore with only your internal CA, small queries work but large results fail — chunk downloads go directly from the driver to Snowflake's presigned cloud-storage URLs, which need the public CAs. Build your truststore as a copy of the JDK's cacerts plus your CA.
  2. Modern JDKs (17+) need Arrow flags: the driver's Arrow reader wants --add-opens=java.base/java.nio=ALL-UNNAMED (and on JDK 24+, --sun-misc-unsafe-memory-access=allow). Alternatively set the session parameter JDBC_QUERY_RESULT_FORMAT=JSON.
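
One way to build the "cacerts plus your CA" truststore from gotcha 1, as an added example rather than part of the original guide. The alias chukei-internal-ca, the TRUSTSTORE_PASS and CA_ALIAS variables, and the file names are hypothetical; the password defaults to the stock JDK cacerts password "changeit", which is an assumption about your JDK.

```shell
#!/bin/sh
# Usage: build_truststore CA_PEM OUT_STORE [JAVA_HOME]
# Copies the JDK's cacerts (public CAs) and appends the internal CA to the copy,
# so proxy connections and direct cloud-storage chunk downloads both validate.
build_truststore() {
    ts_ca=$1; ts_out=$2; ts_home=${3:-$JAVA_HOME}
    ts_pass=${TRUSTSTORE_PASS:-changeit}        # assumption: stock cacerts password
    ts_alias=${CA_ALIAS:-chukei-internal-ca}    # hypothetical alias

    if [ ! -r "$ts_ca" ]; then
        echo "CA certificate not readable: $ts_ca" >&2; return 1
    fi
    # JDK 9+ keeps cacerts in lib/security; JDK 8 keeps it in jre/lib/security.
    ts_src=
    for ts_p in "$ts_home/lib/security/cacerts" "$ts_home/jre/lib/security/cacerts"; do
        if [ -f "$ts_p" ]; then ts_src=$ts_p; break; fi
    done
    if [ -z "$ts_src" ]; then
        echo "cacerts not found under: $ts_home" >&2; return 1
    fi
    # Never write over an existing store (and never touch the JDK's own file).
    if [ -e "$ts_out" ]; then
        echo "refusing to overwrite: $ts_out" >&2; return 1
    fi

    # Extend: start from the public CAs, then add the internal CA on top.
    cp "$ts_src" "$ts_out" || return 1
    chmod u+w "$ts_out" || return 1
    keytool -importcert -noprompt -trustcacerts -alias "$ts_alias" \
        -file "$ts_ca" -keystore "$ts_out" -storepass "$ts_pass" >&2 || return 1
    # Confirm the internal CA is present before anyone points a JVM at the store.
    keytool -list -alias "$ts_alias" -keystore "$ts_out" \
        -storepass "$ts_pass" >/dev/null || return 1

    # JVM options to pass to the driver's process.
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$ts_out" \
        "-Djavax.net.ssl.trustStorePassword=$ts_pass"
}

# Run directly: sh build_truststore.sh internal-ca.pem chukei-truststore.jks
[ "$#" -eq 0 ] || build_truststore "$@"
```

The function prints the two -D options on stdout; keytool's own messages go to stderr so the output can be captured into a launcher script.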

Validated live: login, cached repeat reads, and 100k-row chunked results through chukei with ocspFailOpen=true (the driver logs the OCSP validation event and soft-fails as designed).