diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index d43a621a..029e2d7c 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "1.2.1"
+  ".": "1.2.2"
 }
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e9087646..55749b5c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 1.2.2 (2025-11-05)
+
+Full Changelog: [v1.2.1...v1.2.2](https://github.com/OneBusAway/ruby-sdk/compare/v1.2.1...v1.2.2)
+
+### Bug Fixes
+
+* better thread safety via early initializing SSL store during HTTP client creation ([ca9ceed](https://github.com/OneBusAway/ruby-sdk/commit/ca9ceed410e516f1487afb30f84d80eb897cf66f))
+
 ## 1.2.1 (2025-11-04)
 
 Full Changelog: [v1.2.0...v1.2.1](https://github.com/OneBusAway/ruby-sdk/compare/v1.2.0...v1.2.1)
diff --git a/Gemfile.lock b/Gemfile.lock
index 72b147fd..b30051f0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -11,7 +11,7 @@ GIT
 PATH
   remote: .
   specs:
-    onebusaway-sdk (1.2.1)
+    onebusaway-sdk (1.2.2)
       connection_pool
 
 GEM
diff --git a/README.md b/README.md
index d6bc6687..750fb360 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ To use this gem, install via Bundler by adding the following to your application
 <!-- x-release-please-start-version -->
 
 ```ruby
-gem "onebusaway-sdk", "~> 1.2.1"
+gem "onebusaway-sdk", "~> 1.2.2"
 ```
 
 <!-- x-release-please-end -->
diff --git a/lib/onebusaway_sdk.rb b/lib/onebusaway_sdk.rb
index d6708701..0fedbe76 100644
--- a/lib/onebusaway_sdk.rb
+++ b/lib/onebusaway_sdk.rb
@@ -9,6 +9,7 @@
 require "etc"
 require "json"
 require "net/http"
+require "openssl"
 require "pathname"
 require "rbconfig"
 require "securerandom"
diff --git a/lib/onebusaway_sdk/internal/transport/pooled_net_requester.rb b/lib/onebusaway_sdk/internal/transport/pooled_net_requester.rb
index ffacb6f3..b2c7a487 100644
--- a/lib/onebusaway_sdk/internal/transport/pooled_net_requester.rb
+++ b/lib/onebusaway_sdk/internal/transport/pooled_net_requester.rb
@@ -16,10 +16,11 @@ class PooledNetRequester
         class << self
           # @api private
           #
+          # @param cert_store [OpenSSL::X509::Store]
           # @param url [URI::Generic]
           #
           # @return [Net::HTTP]
-          def connect(url)
+          def connect(cert_store:, url:)
             port =
               case [url.port, url.scheme]
               in [Integer, _]
@@ -33,6 +34,8 @@ def connect(url)
             Net::HTTP.new(url.host, port).tap do
               _1.use_ssl = %w[https wss].include?(url.scheme)
               _1.max_retries = 0
+
+              (_1.cert_store = cert_store) if _1.use_ssl?
             end
           end
 
@@ -102,7 +105,7 @@ def build_request(request, &blk)
           pool =
             @mutex.synchronize do
               @pools[origin] ||= ConnectionPool.new(size: @size) do
-                self.class.connect(url)
+                self.class.connect(cert_store: @cert_store, url: url)
               end
             end
 
@@ -192,6 +195,7 @@ def execute(request)
         def initialize(size: self.class::DEFAULT_MAX_CONNECTIONS)
           @mutex = Mutex.new
           @size = size
+          @cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
           @pools = {}
         end
 
diff --git a/lib/onebusaway_sdk/version.rb b/lib/onebusaway_sdk/version.rb
index ded34430..10a13bf9 100644
--- a/lib/onebusaway_sdk/version.rb
+++ b/lib/onebusaway_sdk/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OnebusawaySDK
-  VERSION = "1.2.1"
+  VERSION = "1.2.2"
 end
diff --git a/manifest.yaml b/manifest.yaml
index 556686f5..7853f4ab 100644
--- a/manifest.yaml
+++ b/manifest.yaml
@@ -6,6 +6,7 @@ dependencies:
   - etc
   - json
   - net/http
+  - openssl
   - pathname
   - rbconfig
   - securerandom
diff --git a/rbi/onebusaway_sdk/internal/transport/pooled_net_requester.rbi b/rbi/onebusaway_sdk/internal/transport/pooled_net_requester.rbi
index d9ac0831..d80bcc4e 100644
--- a/rbi/onebusaway_sdk/internal/transport/pooled_net_requester.rbi
+++ b/rbi/onebusaway_sdk/internal/transport/pooled_net_requester.rbi
@@ -26,8 +26,12 @@ module OnebusawaySDK
 
         class << self
           # @api private
-          sig { params(url: URI::Generic).returns(Net::HTTP) }
-          def connect(url)
+          sig do
+            params(cert_store: OpenSSL::X509::Store, url: URI::Generic).returns(
+              Net::HTTP
+            )
+          end
+          def connect(cert_store:, url:)
           end
 
           # @api private
diff --git a/sig/onebusaway_sdk/internal/transport/pooled_net_requester.rbs b/sig/onebusaway_sdk/internal/transport/pooled_net_requester.rbs
index 9bb73715..39afc275 100644
--- a/sig/onebusaway_sdk/internal/transport/pooled_net_requester.rbs
+++ b/sig/onebusaway_sdk/internal/transport/pooled_net_requester.rbs
@@ -17,7 +17,10 @@ module OnebusawaySDK
 
         DEFAULT_MAX_CONNECTIONS: Integer
 
-        def self.connect: (URI::Generic url) -> top
+        def self.connect: (
+          cert_store: OpenSSL::X509::Store,
+          url: URI::Generic
+        ) -> top
 
         def self.calibrate_socket_timeout: (top conn, Float deadline) -> void