diff --git a/cmd/flux/bootstrap_bitbucket_server.go b/cmd/flux/bootstrap_bitbucket_server.go
index 20a6b3f3..07fb04c7 100644
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -141,12 +141,22 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 user = bServerArgs.owner
 }
+ var caBundle []byte
+ if bootstrapArgs.caFile != "" {
+ var err error
+ caBundle, err = os.ReadFile(bootstrapArgs.caFile)
+ if err != nil {
+ return fmt.Errorf("unable to read TLS CA file: %w", err)
+ }
+ }
+
 // Build Bitbucket Server provider
 providerCfg := provider.Config{
 Provider: provider.GitProviderStash,
 Hostname: bServerArgs.hostname,
 Username: user,
 Token: bitbucketToken,
+ CaBundle: caBundle,
 }
 providerClient, err := provider.BuildGitProvider(providerCfg)
@@ -243,6 +253,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
 bootstrap.WithKubeconfig(rootArgs.kubeconfig, rootArgs.kubecontext),
 bootstrap.WithLogger(logger),
+ bootstrap.WithCABundle(caBundle),
 }
 if bootstrapArgs.sshHostname != "" {
 bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
diff --git a/internal/bootstrap/provider/factory.go b/internal/bootstrap/provider/factory.go
index b120361e..575cb551 100644
--- a/internal/bootstrap/provider/factory.go
+++ b/internal/bootstrap/provider/factory.go
@@ -63,6 +63,9 @@ func BuildGitProvider(config Config) (gitprovider.Client, error) {
 if config.Hostname != "" {
 opts = append(opts, gitprovider.WithDomain(config.Hostname))
 }
+ if config.CaBundle != nil {
+ opts = append(opts, gitprovider.WithCustomCAPostChainTransportHook(config.CaBundle))
+ }
 if client, err = stash.NewStashClient(config.Username, config.Token, opts...); err != nil {
 return nil, err
 }
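Review bot: In the first hunk of cmd/flux/bootstrap_bitbucket_server.go, the bytes read from `bootstrapArgs.caFile` are passed on without checking that they hold at least one PEM certificate, so an empty or wrong file is only noticed later, presumably as a TLS verification failure far from its cause. This bundle decides which server certificates the provider client and, through `bootstrap.WithCABundle(caBundle)` in the second hunk, the bootstrap run will accept, so it is worth failing at read time: `if !x509.NewCertPool().AppendCertsFromPEM(caBundle) { return fmt.Errorf("no PEM certificates found in TLS CA file %q", bootstrapArgs.caFile) }` inside the `caFile != ""` branch (needs `crypto/x509`). bootstrapBServerCmdRun starts and ends outside the hunk, so a check elsewhere in the function cannot be ruled out.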
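Review bot: In internal/bootstrap/provider/factory.go, `config.CaBundle != nil` is also true for a non-nil zero-length slice, which is what `os.ReadFile` in the caller returns for an empty file, so an empty bundle still reaches `gitprovider.WithCustomCAPostChainTransportHook`. How that option treats empty input is not visible here; testing the length keeps the decision local: `if len(config.CaBundle) > 0 {`. BuildGitProvider continues outside the hunk, so whether the other provider branches honour `CaBundle` cannot be judged from this diff.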