login

Burp Suite, the leading toolkit for web application security testing

Installing Burp's CA Certificate

By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.

Note: If you install a trusted root certificate in your browser, then an attacker who has the private key for that certificate may be able to man-in-the-middle your SSL connections without obvious detection, even when you are not using an intercepting proxy. To protect against this, Burp generates a unique CA certificate for each installation, and the private key for this certificate is stored on your computer, in a user-specific location. If untrusted people can read local data on your computer, you may not wish to install Burp's CA certificate.

Use the links below for help on installing Burp's CA certificate in different browsers and devices:

Please note that browser options and processes for handling trusted certificates are subject to change over time. The instructions described here work on most recent browsers, and the process is sufficiently generic for you to adapt if your browser behaves slightly differently. If you encounter a significant error or omission, please contact us to let us know.

Internet Explorer

Note: To change trusted certificate settings on IE, you must have an account with local administrator privileges.

To install Burp's CA certificate on IE, perform the following steps:

  1. If you have previously installed a different CA certificate generated by Burp, you should first remove it (see instructions below).
  2. Launch Internet Explorer. On recent versions of Windows, you must run IE as administrator. Click the "Start" button, type "internet explorer" into the search box, right-click the Internet Explorer link, and select "Run as Administrator" from the context menu.
  3. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting).
  4. In your browser, visit any HTTPS URL. If you receive a warning, click "Continue to this website (not recommended)".
  5. Click on the "Certificate error" button in the address bar.
  6. Click "View certificates".
  7. Go to the "Certification Path" tab.
  8. Select the root certificate in the tree (PortSwigger CA).
  9. Click "View Certificate".
  10. Click "Install Certificate".
  11. In the Certificate Import Wizard, select "Place all certificates in the following store".
  12. Click "Browse".
  13. Select "Trusted Root Certification Authorities".
  14. Click "OK".
  15. Complete the wizard.
  16. Click "Yes" on the security warning.
  17. Close all dialogs and restart IE (no need to run as administrator).

If everything has worked, you should now be able to visit any HTTPS URL via Burp without any security warnings. 

To remove a Burp CA certificate which you have previously installed on IE, perform the following steps:

  1. Launch Internet Explorer. On recent versions of Windows, you must run IE as local administrator. Click the "Start" button, type "internet explorer" into the search box, right-click the Internet Explorer link, and select "Run as Administrator" from the context menu.
  2. Go to Tools | Internet Options.
  3. Go to the Content tab.
  4. Click "Certificates".
  5. Go to the Trusted Root Certification Authorities tab.
  6. Select the PortSwigger CA entry in the list.
  7. Click "Remove".
  8. Click "Yes" in each confirmation dialog.
  9. Confirm that the PortSwigger CA entry has been removed.
  10. Restart IE.

Firefox

To install Burp's CA certificate on Firefox, perform the following steps:

  1. If you have previously installed a different CA certificate generated by Burp, you should first remove it (see instructions below).
  2. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting).
  3. In your browser, visit any HTTPS URL.
  4. On the "Secure Connection Failed" screen, click on "Or you can add an exception", and then click "Add Exception".
  5. Click "Get Certificate", then click "View".
  6. Select the root certificate in the tree (PortSwigger CA).
  7. Click "Export" and save the certificate somewhere.
  8. Click "Close" on the Certificate Viewer dialog, and "Cancel" on the "Add Security Exception" dialog.
  9. Go to Tools | Options.
  10. Click "Advanced".
  11. Go to the Encryption tab.
  12. Click "View Certificates".
  13. Go to the Authorities tab.
  14. Click "Import" and select the certificate file that you previously saved.
  15. On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".
  16. Close all dialogs and restart Firefox.

If everything has worked, you should now be able to visit any HTTPS URL via Burp without any security warnings. 

To remove a Burp CA certificate which you have previously installed on Firefox, perform the following steps:

  1. In Firefox, go to Tools | Options.
  2. Click "Advanced".
  3. Go to the Encryption tab.
  4. Click "View Certificates".
  5. Go to the Authorities tab.
  6. Select the PortSwigger CA entry in the list (this is a sub-entry under PortSwigger).
  7. Click "Delete".
  8. Click "OK" in the confirmation dialog.
  9. Confirm that the PortSwigger CA entry has been removed.
  10. Restart Firefox.

Chrome

The Chrome browser picks up the certificate trust store from your host computer. If you are using Chrome, you can follow the instructions on this page for your computer's built-in browser. When the Burp CA certificate has been installed in your built-in browser, restart Chrome and you should be able to visit any HTTPS URL via Burp without any security warnings.

If you aren't sure which browser to configure, then configure Chrome to use Burp as its proxy, and visit any SSL-protected URL in Chrome. Proceed through the security warning, click on the broken padlock symbol in the URL bar, and click on Certificate Information. This will open the certificate details dialog for your built-in browser, and you can follow the relevant instructions from there.

Safari

To install Burp's CA certificate on Safari, perform the following steps:

  1. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting).
  2. In your browser, visit any HTTPS URL.
  3. In the warning dialog titled "Safari can't verify the identity ..." click "Show Certificate".
  4. Select the root certificate in the tree (PortSwigger CA).
  5. Check the box "Always trust PortSwigger CA".
  6. Click Continue, and enter your password if requested.

IPhone

To install Burp's CA certificate on Firefox, perform the following steps.

  1. First, you need to use your desktop browser to export Burp's CA certificate. This is easy with both Internet Explorer and Firefox. Follow the steps to install the CA certificate in your desktop browser, and then visit any HTTPS URL. Click on the padlock / SSL icon to view the details of the SSL certificate. Then select the root certificate in the tree (PortSwigger CA), and in the details for that certificate click the "Export" button. Save the certificate somewhere on your computer using the .crt file extension.
  2. Copy the certificate onto your iPhone. The easiest way to do this is to send it as an email attachment from your desktop computer to an account that your iPhone is set up to receive emails for.
  3. On your iPhone, open the email and click on the attachment.
  4. In the dialog that opens, click the "Install" button, and step through the certificate installation wizard, entering your PIN number if requested.

Android

Installing a new trusted CA certificate on Android is not trivial, and requires running some scripts on a rooted phone. Various instructions and scripts can be found via Google if you would like to do this (try searching for: import burp CA into android device).

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Monday, October 8, 2012

v1.5rc3

This release fixes a bug which was introduced in the v1.5rc2 release, and which caused the active scan checks for XSS to fail to execute in some situations

See all release notes ›

Copyright © 2012 PortSwigger Ltd. All rights reserved.