Burp CA Certificate Issues

TL;DR

Burp Suite’s CA certificate is essential for intercepting HTTPS traffic. Problems with it (not trusted, expired, incorrect installation) mean Burp can’t see your web app’s data securely. This guide fixes common issues.

1. Understanding the Problem

When you use Burp Suite to test a website that uses HTTPS, Burp acts as a ‘man-in-the-middle’. Your browser needs to trust Burp’s certificate authority (CA) so it can safely send encrypted data through Burp. If this trust isn’t set up correctly, you’ll get warnings in your browser and Burp won’t be able to intercept the traffic.

2. Checking if Your Browser Trusts the Burp CA

1. Open your browser’s certificate settings: The exact steps vary by browser (see below).
2. Look for the Burp Suite CA: Search for a certificate named something like “Burp Suite Proxy CA”.
3. Verify trust: Make sure it’s listed as trusted for identifying websites.

Browser-specific instructions:

• Chrome/Edge: Settings > Privacy and security > Security > Manage certificates.
• Firefox: Options > Privacy & Security > Certificates > View Certificates.

3. Installing the Burp CA Certificate (If Missing)

1. Download from Burp: In Burp Suite, go to Proxy > Options > Import / Export CA certificate. Save the certificate as a .der file.
2. Install in your browser: Use the instructions above (Step 2) but choose ‘Import’ instead of checking existing certificates. You’ll likely need to restart your browser after installing.

4. Dealing with Expired Certificates

Burp CA certificates expire periodically. You need to renew them.

1. Generate a new certificate: In Burp Suite, go to Proxy > Options > Import / Export CA certificate and save the new .der file.
2. Replace the old certificate in your browser: Follow the instructions in Step 2 to remove the old certificate and install the new one. Again, restart your browser.

5. Issues with Multiple Certificates

Sometimes having multiple Burp CA certificates installed can cause problems.

1. Remove duplicates: In your browser’s certificate manager (Step 2), delete any older or unnecessary Burp Suite CA certificates.
2. Restart your browser: This ensures the changes take effect.

6. Problems with Specific Websites

Some websites might have strict certificate pinning, preventing interception even with a trusted CA.

• Certificate Pinning Detection: Use Burp Suite’s scanner to identify if the website uses certificate pinning.
• Bypass (advanced): Bypassing certificate pinning is complex and often requires modifying your browser or using specialized tools. This is beyond the scope of this guide, as it can compromise security.

7. Proxy Settings

Ensure your browser is correctly configured to use Burp Suite as a proxy.

1. Check Browser settings: Verify that your browser’s proxy settings point to 127.0.0.1 and port 8080 (the default Burp port).
2. Verify Burp is running: Make sure Burp Suite is actually running and listening on port 8080.

8. Operating System Trust Stores

In rare cases, the operating system itself might not trust the Burp CA.

1. Import into OS Trust Store: The process varies by operating system (Windows, macOS, Linux). Search online for instructions specific to your OS.