Burp Suite User Forum


SSL certificate issue

Scott | Last updated: Jan 15, 2016 11:38AM UTC

How can I prevent my scans from reporting an SSL certificate issue?

Severity: Medium
Confidence: Certain
Host: https://localhost:44300
Path: /
"The server's certificate is not trusted"
Issued to: localhost
Issued by: CN=localhost

I'm using IIS Express and have added the certificate to the Windows store, so I can navigate in the browser without being prompted to continue.

PortSwigger Agent | Last updated: Jan 15, 2016 01:42PM UTC

Burp uses the Java truststore to validate whether SSL certificates are trusted. You could try adding the certificate to the Java truststore. Otherwise you could just ignore this issue by marking it as false positive.

Burp User | Last updated: Jan 18, 2016 09:01AM UTC

Thanks Dafydd, though adding the certificate to the truststore didn't seem to work. Are self-signed certificates inherently less trusted than CA-signed certificates? I'm wondering if that's the issue here. I'm using Carbonator to automate this process, so I can't mark it as a false positive. I'm happy to just continue having it reported, but if you have any other ideas I'd be grateful.

PortSwigger Agent | Last updated: Jan 18, 2016 04:03PM UTC

Any certificate added to the trust store should be trusted, but if you can't easily get things working I would suggest just ignoring the issue if you know it is a false positive.

Liam, PortSwigger Agent | Last updated: Feb 19, 2016 09:17AM UTC

Hi Oliver, thanks for your message. Have you tried updating to the latest version of Oracle Java?

Burp User | Last updated: Mar 04, 2016 12:42PM UTC

Hi, I'm getting the same problem as Scott. I'm using a normal domain wildcard certificate, not a self-signed one (not that it should make any difference in this scenario, as you said). I've added the cert and even the intermediate and CA certs to the Java keystore, but Burp is still reporting a false positive saying the SSL certificate is not trusted. I've hunted around to see if there's a way to check if Burp is using the right keystore, but I can't seem to find a way to check which keystore it's using or force it to use a specific keystore. I'm not a Java expert and I'm running Burp on Windows, so any help would be gratefully received! Thanks, Oliver
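A worked version of the advice in this thread (import the certificate into the Java truststore, confirm it really is in the store, and point Burp at a specific store rather than guessing which one it picked up), added here as an example and not code from PortSwigger or from anyone in the thread. It assumes `keytool` from a JDK/JRE is on PATH, uses a constructed self-signed CN=localhost certificate to stand in for the IIS Express one, and assumes the Burp JVM honours the standard `javax.net.ssl.trustStore` property; `<burp.jar>` is a placeholder for your Burp jar.

```shell
#!/bin/sh
# Added example (not PortSwigger's code): import a server certificate into a
# Java truststore, confirm it is there, and launch Burp against that store.
# Assumes: keytool (JDK/JRE) on PATH; the Burp JVM honours javax.net.ssl.trustStore.
set -eu

# Import CERT_FILE (DER or PEM) into TRUSTSTORE under CERT_ALIAS; the store is
# created if it does not exist. Default password is keytool's "changeit".
import_cert() {
  truststore="$1"; cert_alias="$2"; cert_file="$3"; storepass="${4:-changeit}"
  keytool -importcert -noprompt -trustcacerts -keystore "$truststore" \
    -storepass "$storepass" -alias "$cert_alias" -file "$cert_file" >/dev/null
}

# Exit 0 if CERT_ALIAS is present in TRUSTSTORE, non-zero otherwise (the check
# Oliver asked for: is the cert really in the store Burp will read?).
cert_present() {
  keytool -list -keystore "$1" -storepass "${3:-changeit}" -alias "$2" >/dev/null 2>&1
}

# Build a constructed stand-in for the IIS Express certificate (self-signed,
# CN=localhost), import it into a private truststore and print the store path.
demo() {
  work="$(mktemp -d)"
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 30 -dname "CN=localhost" \
    -alias localhost -keystore "$work/server.jks" -storepass changeit \
    -keypass changeit >/dev/null 2>&1
  keytool -exportcert -alias localhost -keystore "$work/server.jks" \
    -storepass changeit -file "$work/localhost.cer" >/dev/null 2>&1
  import_cert "$work/burp-trust.jks" localhost-dev "$work/localhost.cer"
  cert_present "$work/burp-trust.jks" localhost-dev
  echo "$work/burp-trust.jks"
}

# To use the JVM-wide store instead, import into "$JAVA_HOME/lib/security/cacerts"
# (Java 8: "$JAVA_HOME/jre/lib/security/cacerts"), password "changeit", as a user
# with write access to it. To make Burp read one specific store rather than
# whichever JVM default it found, pass the store explicitly when launching
# (<burp.jar> is a placeholder for the real jar name):
#   java -Djavax.net.ssl.trustStore=/path/burp-trust.jks \
#        -Djavax.net.ssl.trustStorePassword=changeit -jar <burp.jar>
# Adding -Djavax.net.debug=ssl makes JSSE print the truststore path it loads,
# which answers "which keystore is Burp actually using?".
```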
