Burp SSL Configuration

TL;DR

This guide shows you how to configure Burp Suite to handle HTTPS (SSL) connections correctly so you can intercept and analyse traffic from websites using encryption. It covers importing your browser’s certificate authority (CA) into Burp, ensuring Burp trusts the sites you want to test.

Configuring Burp for SSL

  1. Find Your Browser’s Certificate Authority (CA)
    • Chrome/Edge: Type chrome://settings/certificates into your address bar and press Enter. Go to the ‘Authorities’ tab.
    • Firefox: Type about:preferences#privacy into your address bar and press Enter. Scroll down to ‘Certificates’. Click ‘View Certificates’, then the ‘Authorities’ tab.
  2. Export the CA Certificate
    • Locate the certificate authority that issued the certificate for the website you are testing (e.g., Let’s Encrypt Authority X3).
    • Select the certificate and export it in a format Burp understands – usually DER encoded binary (.cer or .crt) is best. The exact steps vary by browser, but look for an ‘Export…’ option.
  3. Import the CA Certificate into Burp
    • Open Burp Suite and go to the ‘Proxy’ tab.
    • Select ‘Options’.
    • Go to the ‘HTTPS’ section.
    • Under ‘Certificate Authority’, click ‘Add…’.
    • Browse to the location where you saved your exported CA certificate (.cer or .crt) and select it.
    • Click ‘OK’ to import the certificate.
  4. Restart Burp Suite
    • Completely close and restart Burp Suite for the changes to take effect.
  5. Configure Your Browser to Use Burp as a Proxy
    • In your browser’s proxy settings, set the HTTP proxy to 127.0.0.1 and port to 8080 (or whatever port you configured Burp to use).
    • Ensure that SSL/TLS traffic is also routed through this proxy. The exact wording varies by browser.
  6. Install the Burp CA Certificate in Your Browser
    • With Burp running, visit http://burpsuite in your browser.
    • Click ‘CA Certificate’.
    • Save the certificate to a file (e.g., cacert.der).
    • Import this certificate into your browser’s trusted root CA store, similar to steps 1 and 2 but importing *into* the browser instead of exporting from it. This is crucial for Burp to intercept HTTPS traffic.
  7. Verify SSL Interception
    • Browse to a website that uses HTTPS (e.g., https://www.google.com).
    • In Burp’s ‘Proxy’ tab, you should now see the intercepted traffic in the ‘HTTP history’ table. If not, double-check all previous steps and ensure your browser is correctly configured to use Burp as a proxy.
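
A scripted check for steps 6 and 7, added here as an example and not part of the original guide or of Burp: it prints the SHA-256 fingerprint of the saved CA file so it can be compared with the entry imported into the browser, then confirms that a site fetched through the proxy presents a certificate chaining to that CA. The function names are hypothetical; the proxy address and the cacert.der file name are taken from steps 5 and 6, and PEM exports are accepted as well as DER.

```python
import hashlib
import socket
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file saved as either PEM or DER."""
    if data.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("file is neither a PEM nor a DER certificate")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form certificate viewers show."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def served_by_proxy_ca(host: str, ca: bytes, proxy=("127.0.0.1", 8080)) -> bool:
    """True if the certificate served for host via the proxy chains to ca only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies; no system roots loaded
    ctx.load_verify_locations(cadata=to_der(ca))   # bytes are read as DER
    sock = socket.create_connection(proxy, timeout=10)
    try:
        request = f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        status = sock.recv(4096).split(b"\r\n", 1)[0]
        if b" 200" not in status:
            raise ConnectionError(f"proxy refused CONNECT: {status!r}")
        try:
            ctx.wrap_socket(sock, server_hostname=host).close()
            return True   # chain ends at the supplied CA: the proxy is intercepting
        except ssl.SSLCertVerificationError:
            return False  # served certificate does not chain to the supplied CA
    finally:
        sock.close()

if __name__ == "__main__":
    # Usage: python check_burp_ca.py cacert.der example.com
    ca_bytes = open(sys.argv[1], "rb").read()
    print("CA fingerprint:", fingerprint(ca_bytes))
    print("Intercepted:", served_by_proxy_ca(sys.argv[2], ca_bytes))
```

A False result with the proxy running usually means the connection did not go through Burp or the CA file is not the one Burp is currently using.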