Installing Burp's CA Certificate
By default, when you browse an HTTPS website via Burp, the Proxy
generates an SSL certificate for each host, signed by its own Certificate Authority
(CA) certificate. This CA certificate is generated the
first time Burp is run, and stored locally. To use Burp Proxy most
effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root
in your browser.
Note: If you install
a trusted root certificate in your browser, then an attacker who has the private
key for that certificate may be able to man-in-the-middle your SSL connections
without obvious detection, even when you are not using an intercepting proxy.
To protect against this, Burp generates a unique CA certificate for each installation,
and the private key for this certificate is stored on your computer, in a
user-specific location. If untrusted people can read local data on your computer, you may
not wish to install Burp's CA certificate.
Use the sections below for help on installing Burp's CA certificate in
different browsers and devices:
Please note that browser options and processes for handling trusted
certificates are subject to change over time. The instructions described
here work on most recent browsers, and the process is sufficiently generic
for you to adapt if your browser behaves slightly differently. If you
encounter a significant error or omission, please
contact us to let us know.
Internet Explorer
Note: To change trusted certificate settings on IE, you
must have an account with local administrator privileges.
To install Burp's CA certificate on IE, perform the following steps:
- If you have previously installed a different CA certificate generated
by Burp, you should first remove it (see instructions below).
- Launch Internet Explorer. On recent versions of Windows, you must run IE as
administrator. Click the "Start" button, type "internet explorer" into the
search box, right-click the Internet Explorer link, and select "Run as
Administrator" from the context menu.
- If you have not already done so,
configure your browser to
use Burp as its proxy, and configure Burp's
Proxy listener to generate
CA-signed per-host certificates (this is the default setting).
- In your browser, visit any HTTPS URL. If you receive a warning, click "Continue
to this website (not recommended)".
- Click on the "Certificate error" button in the address bar.
- Click "View certificates".
- Go to the "Certification Path" tab.
- Select the root certificate in the tree (PortSwigger CA).
- Click "View Certificate".
- Click "Install Certificate".
- In the Certificate Import Wizard, select "Place all certificates in
the following store".
- Click "Browse".
- Select "Trusted Root Certification Authorities".
- Click "OK".
- Complete the wizard.
- Click "Yes" on the security warning.
- Close all dialogs and restart IE (no need to run as administrator).
If everything has worked, you should now be able to visit any HTTPS URL via
Burp without any security warnings.
To remove a Burp CA certificate which you have previously installed on IE,
perform the following steps:
- Launch Internet Explorer. On recent versions of Windows, you must run IE as
local administrator. Click the "Start" button, type "internet explorer" into the
search box, right-click the Internet Explorer link, and select "Run as
Administrator" from the context menu.
- Go to Tools | Internet Options.
- Go to the Content tab.
- Click "Certificates".
- Go to the Trusted Root Certification Authorities tab.
- Select the PortSwigger CA entry in the list.
- Click "Remove".
- Click "Yes" in each confirmation dialog.
- Confirm that the PortSwigger CA entry has been removed.
- Restart IE.
Firefox
To install Burp's CA certificate on Firefox, perform the following
steps:
- If you have previously installed a different CA certificate generated
by Burp, you should first remove it (see instructions below).
- If you have not already done so,
configure your browser to use Burp as its proxy, and configure Burp's
Proxy listener to generate CA-signed
per-host certificates (this is the default setting).
- In your browser, visit any HTTPS URL.
- On the "Secure Connection Failed" screen, click on "Or you can add an
exception", and then click "Add Exception".
- Click "Get Certificate", then click "View".
- Select the root certificate in the tree (PortSwigger CA).
- Click "Export" and save the certificate somewhere.
- Click "Close" on the Certificate Viewer dialog, and "Cancel" on the
"Add Security Exception" dialog.
- Go to Tools | Options.
- Click "Advanced".
- Go to the Encryption tab.
- Click "View Certificates".
- Go to the Authorities tab.
- Click "Import" and select the certificate file that you previously saved.
- On the "Downloading Certificate" dialog, check the box "Trust this CA
to identify web sites", and click "OK".
- Close all dialogs and restart Firefox.
If everything has worked, you should now be able to visit any HTTPS URL via
Burp without any security warnings.
To remove a Burp CA certificate which you have previously installed on Firefox,
perform the following steps:
- In Firefox, go to Tools | Options.
- Click "Advanced".
- Go to the Encryption tab.
- Click "View Certificates".
- Go to the Authorities tab.
- Select the PortSwigger CA entry in the list (this is a sub-entry under
PortSwigger).
- Click "Delete".
- Click "OK" in the confirmation dialog.
- Confirm that the PortSwigger CA entry has been removed.
- Restart Firefox.
Chrome
The Chrome browser picks up the certificate trust store from your host
computer. If you are using Chrome, you can follow the instructions on this
page for your computer's built-in browser. When the Burp CA certificate has
been installed in your built-in browser, restart Chrome and you should be
able to visit any HTTPS URL via Burp without any security warnings.
If you aren't sure which browser to configure, then
configure Chrome to use Burp
as its proxy, and visit any SSL-protected URL in Chrome. Proceed through the
security warning, click on the broken padlock symbol in the URL bar, and
click on Certificate Information. This will open the certificate details
dialog for your built-in browser, and you can follow the relevant
instructions from there.
Safari
To install Burp's CA certificate on Safari, perform the following
steps:
- If you have not already done so,
configure your browser to
use Burp as its proxy, and configure Burp's
Proxy listener to generate
CA-signed per-host certificates (this is the default setting).
- In your browser, visit any HTTPS URL.
- In the warning dialog titled "Safari can't verify the identity ..."
click "Show Certificate".
- Select the root certificate in the tree (PortSwigger CA).
- Check the box "Always trust PortSwigger CA".
- Click Continue, and enter your password if requested.
iPhone
To install Burp's CA certificate on your iPhone, perform the following steps:
- First, you need to use your desktop browser to export Burp's CA
certificate. This is easy with both Internet Explorer and Firefox.
Follow the steps to install the CA certificate in your desktop browser, and then
visit any HTTPS URL. Click on the padlock / SSL icon to view the details
of the SSL certificate. Then select the root certificate in the tree
(PortSwigger CA), and in the details for that certificate click the
"Export" button. Save the certificate somewhere on your computer using
the .crt file extension.
- Copy the certificate onto your iPhone. The easiest way to do this is
to send it as an email attachment from your desktop computer to an
account that your iPhone is set up to receive emails for.
- On your iPhone, open the email and click on the attachment.
- In the dialog that opens, click the "Install" button, and step
through the certificate installation wizard, entering your PIN if
requested.
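Before trusting an exported .crt on a phone or a desktop browser, it is worth confirming that the file really is the CA your own Burp instance generated (see the note at the top of this page) rather than one that was swapped in along the way. The following is an added Python example, not PortSwigger's code, that reads a .crt export in either PEM or DER form, validates the outer DER structure, computes each certificate's SHA-256 fingerprint so you can compare it with the fingerprint shown in your browser's certificate viewer for the PortSwigger CA root, and flags which entry carries the "PortSwigger CA" name. It assumes the viewer displays a SHA-256 fingerprint, and the two sample "certificates" are constructed stand-ins (minimal DER SEQUENCEs), not real certificates.

```python
import base64
import hashlib
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _der_total_length(data: bytes) -> int:
    """Size of the outer DER SEQUENCE (tag + length + content), or -1 if malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    if data[1] < 0x80:                       # short-form length byte
        return 2 + data[1]
    n = data[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def load_der_certs(data: bytes) -> list:
    """DER bytes of every certificate in a .crt file (PEM armour, or one raw DER blob)."""
    blocks = _PEM_RE.findall(data.decode("ascii", errors="ignore"))
    certs = [base64.b64decode("".join(b.split())) for b in blocks] if blocks else [data]
    for der in certs:
        if _der_total_length(der) != len(der):
            raise ValueError("not a PEM or DER certificate")
    return certs

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as browser certificate viewers display it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def check_export(data: bytes, expected_fp: str = "") -> list:
    """One report per certificate: fingerprint, whether its encoded names contain
    'PortSwigger CA', and whether it matches the fingerprint read off your own Burp."""
    want = re.sub(r"[^0-9A-F]", "", expected_fp.upper())   # tolerate colons/spaces/case
    report = []
    for der in load_der_certs(data):
        fp = sha256_fingerprint(der)
        report.append({
            "fingerprint": fp,
            "names_portswigger_ca": b"PortSwigger CA" in der,  # ASN.1 strings carry raw ASCII
            "matches_expected": bool(want) and want == fp.replace(":", ""),
        })
    return report

# Constructed sample (not real certificates): two minimal DER SEQUENCEs, PEM-armoured
FAKE_ROOT_DER = b"\x30\x10\x13\x0ePortSwigger CA"   # PrintableString "PortSwigger CA"
FAKE_LEAF_DER = b"\x30\x03\x02\x01\x05"             # INTEGER 5
SAMPLE_PEM = b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(d) +
                      b"\n-----END CERTIFICATE-----\n" for d in (FAKE_ROOT_DER, FAKE_LEAF_DER))
```

Run `check_export(open("burp.crt", "rb").read(), expected_fp="<fingerprint from your browser>")` on a real export; any entry that names PortSwigger CA but does not match the fingerprint your own Burp shows should not be installed.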
Android
Installing a new trusted CA certificate on Android is not trivial, and
requires running some scripts on a rooted phone. Various instructions and
scripts can be found via Google if you would like to do this (try searching
for: import burp CA into android device).