HTTP/TLS Support

Last updated: 2025-05-28

Abstract

Bamboo Health uses modern TLSv1.2 or greater for all applications. Our TLS certificates are signed by universally accepted vendors, and our systems make use of automated PKI systems such as ACME (RFC 8555) where possible to update our certificates on a frequent basis per industry best practice (CA/B SC-063).

This page details all CAs used by our systems, and shares information on upcoming TLS-related changes.
Note: For systems that use automated PKI rotation, details on terminal/leaf certificate changes will not be shared, only information for upcoming root-related changes.

Trust Store and Certificate Pinning Recommendations

We recommend the use of an operating-system or programming language maintained trust store for all customers. Our CA vendors are universally trusted and and meet or exceed CCADB and CA/B forum baseline policies and requirements. The Mozilla CA certificate store can be used, and contains all root CAs we will use. If you must make use of custom trust stores, you must include all active use & deprecated CAs below. Inclusion of all below roots ensures maximum stability for your integration and reduces the likelihood of downtime.

We strongly discourage pinning, and refer all customers to current OWASP guidance around pinning:

While the idea of pinning is simple to talk about, it is very difficult to safely execute on. Considering the current risks in the CA and browser space and comparing them to the risk of down time, pinning is not recommended. Google, Microsoft, Apple, and Firefox control almost every trust store on every device on the planet and they wield this power with an eye on security as a competitive advantage.

If the client’s pinset and the server’s keys are not kept in sync in real-time, do not pin

If your information security standards require pinning, you must pin to all roots below. You should not depend on the certificate chain to remain the same after certificate rotations as our vendors may not reissue using the same root or intermediates.

Never pin to an intermediate CA certificate. We will not provide information about intermediate CA certificates on this page, and the intermediate CA certificate is subject to change without warning.

Never pin to the terminal/leaf certificate. This would place your system at high risk for outages and service interruptions.

Supported TLS Versions

We fully support modern TLSv1.3 and will fallback to TLSv1.2 for legacy systems. Versions of TLS less than v1.2 are not supported as these have been deprecated since 2021.

Customers should ensure their operating systems are fully updated to their latest version to ensure maximum support for TLSv1.3 and TLSv1.2. We strongly discourage any client-side restriction for TLS versions.

TLS Ciphersuite Information

The following ciphers are supported by all of our systems. Ciphers are identified by IANA names.

TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

These ciphers are defined in RFC 5289 and RFC 8446. They represent a balance between maximum backwards compatibility and modern security.

Customers should ensure their operating systems are fully updated to their latest version to ensure maximum support for TLSv1.3 and TLSv1.2. We strongly discourage customers from manually specifying ciphersuites or attempting to force negotiation of a certain cipher.

Note: Certain systems may support additional ciphersuites. The suites identified above are our supported baseline.

CA Lifecycle at Bamboo Health

All CAs in use for our managed systems will follow the below lifecycle.

Active use: these certificate authorities are actively present and used in our environment, and we will renew certificates / seek new issuances from them. Customers who pin to roots must pin all active use CA certificates.
Deprecated: deprecated certificate authorities have signed certificates which are actively present and used in our environment. However, we will not plan to renew certificates issued by these vendors or seek new issuances from them. Customers who pin to roots must pin all deprecated CA certificates.
Exited: exited certificate authorities have been used in the past to sign certificates in our environments. No active certificates are present in our environment signed by these providers. Customers do not need to include these CA certificates in their trust stores. These CAs are included for informational purposes only, and the list of exited CAs may not be comprehensive.

All lifecycle transitions (active use to deprecated, deprecated to exited) will be listed in the below root TLS changes list.

Root TLS changes

Upcoming

No upcoming root TLS changes are planned.

Past

Tuesday, April 22, 2025 - we have ceased the use of certificates issued by Entrust (43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339) and moved that CA to the exited list.
Tuesday, March 12, 2025 - we rotated the TLS certificate for pmpgateway.net and all subdomains to use a certificate in the active list below.
Wednesday, November 10, 2024 - we have moved Entrust (43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339) to the deprecated CA list. We will not issue new certificates from Entrust beyond this point.

Root CAs in active use

These CAs are in active use for our systems. If you pin to roots, all of the below certificates must be included.

Distinguished Name	SHA-256 Fingerprint	Details	Test URL
`CN=Amazon Root CA 1, O=Amazon,C=US`	`8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e`	PEM crt.sh	Valid
`CN=Amazon Root CA 2, O=Amazon,C=US`	`1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4`	PEM crt.sh	Valid
`CN=Amazon Root CA 3, O=Amazon,C=US`	`18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4`	PEM crt.sh	Valid
`CN=Amazon Root CA 4, O=Amazon,C=US`	`e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092`	PEM crt.sh	Valid
`CN=Starfield Services Root Certificate Authority - G2, O=Starfield Technologies\, Inc., L=Scottsdale, ST=Arizona, C=US`	`568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5`	PEM crt.sh	Valid
`O=Internet Security Research Group, CN=ISRG Root X1`	`96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6`	PEM crt.sh	Valid
`O=Internet Security Research Group, CN=ISRG Root X2`	`69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470`	PEM crt.sh	Valid
`C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority`	`1793927a0614549789adce2f8f34f7f0b66d0f3ae3a3b84d21ec15dbba4fadc7`	PEM crt.sh	Valid
`C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority`	`52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234`	PEM crt.sh	Valid
`C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority`	`4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a`	PEM crt.sh	Valid
`C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority`	`e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2`	PEM crt.sh	Valid
`C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46`	`7bb647a62aeeac88bf257aa522d01ffea395e0ab45c73f93f65654ec38f25a06`	PEM crt.sh	Valid
`C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root E46`	`c90f26f0fb1b4018b22227519b5ca2b53e2ca5b3be5cf18efe1bef47380c5383`	PEM crt.sh	Valid

Deprecated Root CAs

These root CAs are in active use for our systems but have been deprecated. No new issuance of certificates is expected from one of these root CAs. If you pin to roots, all of the below certificates must be included.

At this time, no deprecated root CAs are in use.

Exited Root CAs

These root CAs were formerly in use for our systems, but have been exited. Inclusion of these roots in your trust store is not required to communicate with Bamboo Health systems.

Distinguished Name	SHA-256 Fingerprint	Details	Test URL	Exit Date
`C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2`	`43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339`	PEM crt.sh	Valid	April 22, 2025

Document Changes

May 28, 2025 - added TLS ciphersuite information, updated to reflect Entrust exit
March 6, 2025 - corrected crt.sh links to Sectigo Public Server Authentication Root R46 and ISRG Root X1