Burp Suite User Forum

Adding certificates to the trust store in order to get Burp updates

Seth | Last updated: Sep 21, 2018 03:07PM UTC

Would it be possible to add something in the user options in Burp to add a certificate to the trust store? In some environments, in order to reach the internet you must go through a proxy, and sometimes that proxy is configured to do SSL interception, which means you need to install the proxy's certificate into the JVM's trust store before you can download Burp updates from the UI.

PortSwigger Agent | Last updated: Sep 24, 2018 07:56AM UTC

I think this is a good idea. A few users have encountered issues since we strengthened certificate validation. We will implement some mechanism like this. In the meantime, you can ask the proxy administrator to disable SSL breaking for portswigger.net, or manually install the certificate in the Java store: https://stackoverflow.com/questions/4325263/how-to-import-a-cer-certificate-into-a-java-keystore

floyd | Last updated: Oct 26, 2020 12:21PM UTC

Hi there,

This would be a really cool feature. Here's why: on a Windows computer where no administrative privileges are available, but Burp Pro was installed, Burp Pro is nearly fully usable. The new built-in browser allows you to do tests even if the proxy settings of the already installed browser can only be changed by an administrator. However, in many corporate networks there is a proxy. This is also not a problem, because Burp Pro has upstream proxy settings that can be configured. But then there is this one last problem: the corporate proxy often does TLS interception by installing a CA certificate on all the clients. Now this would be easily solved by installing the corporate CA into Burp; however, that's not possible, as the file "C:\Program Files\BurpSuitePro\jre\lib\security\cacerts" is only writeable by the administrator. Of course, in Burp you could simply install the CA into your trust store if you provided a GUI option to install a CA.

Liam, PortSwigger Agent | Last updated: Oct 27, 2020 08:58AM UTC

Thanks, Floyd. We'll discuss your request internally and get back to you.

floyd | Last updated: Oct 27, 2020 10:21AM UTC

Hey Liam, thanks! What would also be interesting is whether changing the cacerts actually works at all, or whether Burp Pro has any kind of certificate pinning (e.g. the TLS update channel is pinned to a particular CA or such). Because this didn't work for me on Windows:

& 'C:\Program Files\BurpSuitePro\jre\bin\keytool.exe' -importcert -file "C:\Users\foo\Documents\root_ca_DER.cer" -keystore "C:\Users\foo\Documents\cacerts" -alias "customer"

Then start Burp:

& "C:\Program Files\BurpSuitePro\jre\bin\java.exe" -jar "C:\Program Files\BurpSuitePro\burpsuite_pro.jar" -Djavax.net.ssl.trustStore="C:\Users\foo\Documents\cacerts" -XX:MaxRAMPercentage=50

Afterwards I still can't reach the update server (btw. what is the URL it tries to reach?), and I can't access BApps or similar. I can't tell why without reversing Burp Pro.
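An added example, not part of the thread and not PortSwigger's code: a non-administrator way to build a user-writable trust store from the bundled cacerts, confirm the corporate CA's fingerprint before trusting it, and pass the store to the JVM. The paths and the alias are the ones quoted in the post above; `$ExpectedSha256` is a placeholder, the CA file is assumed to be a single DER-encoded certificate, and whether Burp's update channel honours the JVM trust store is not established in this thread.

```powershell
# Added example. Paths and alias are those quoted in the thread.
$JreHome   = 'C:\Program Files\BurpSuitePro\jre'
$BurpJar   = 'C:\Program Files\BurpSuitePro\burpsuite_pro.jar'
$CaFile    = 'C:\Users\foo\Documents\root_ca_DER.cer'
$UserStore = 'C:\Users\foo\Documents\cacerts'
$Alias     = 'customer'
$StorePass = 'changeit'   # default password of the JRE's bundled cacerts
# Placeholder: fingerprint obtained out of band from the proxy administrator.
$ExpectedSha256 = '<SHA-256 fingerprint of the corporate root CA>'

# 1. Do not trust a CA whose fingerprint has not been confirmed out of band.
#    For a DER-encoded file the file hash equals the certificate fingerprint.
$actual = (Get-FileHash -Path $CaFile -Algorithm SHA256 -ErrorAction Stop).Hash
if ($actual -ne ($ExpectedSha256 -replace '[:\s]', '')) {
    throw "CA fingerprint mismatch, refusing to import: $actual"
}

# 2. Start from a copy of the bundled store so the public roots stay trusted;
#    the original under Program Files is left untouched.
if (-not (Test-Path $UserStore)) {
    Copy-Item "$JreHome\lib\security\cacerts" $UserStore -ErrorAction Stop
}

# 3. Import only if the alias is not already present (keytool fails on duplicates).
$keytool = "$JreHome\bin\keytool.exe"
& $keytool -list -alias $Alias -keystore $UserStore -storepass $StorePass | Out-Null
if ($LASTEXITCODE -ne 0) {
    & $keytool -importcert -noprompt -trustcacerts -alias $Alias `
        -file $CaFile -keystore $UserStore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed' }
}

# 4. Launch. JVM options must come before -jar: anything after the jar path is
#    passed to the application as arguments, not to the JVM. Quote each -D
#    option as a whole, because PowerShell can split an unquoted
#    -Dname.with.dots argument at the first dot.
& "$JreHome\bin\java.exe" `
    "-Djavax.net.ssl.trustStore=$UserStore" `
    "-Djavax.net.ssl.trustStorePassword=$StorePass" `
    '-XX:MaxRAMPercentage=50' `
    -jar $BurpJar
```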

Liam, PortSwigger Agent | Last updated: Nov 02, 2020 12:49PM UTC

Thanks, Floyd, we think this sounds like a good idea. We'll add it to our development backlog.
