SHA1 certificate signatures

Greg Dec 06, 2018 11:01AM UTC

It looks like up to about v1.6 SHA1 was used exclusively for certificates, then the switch to SHA256 happened. Is there a way to restore the old SHA1 behavior? This would be quite helpful for a current project.

I looked around and don't see an option for it.

Disabling SHA256 in doesn't have an effect on generated certificate signatures (regardless of the Enable algorithms blocked by Java security policy option). This only has the effect of breaking access to sites using SHA256.

I tried using v1.6. It does use SHA1 for certificates, but I also need to be able to replace Burp's CA cert and that doesn't work (NullPointerException on import attempts, and no luck with a registry import of JavaSoft > Prefs > burp > ca/Cert from a newer version that imports replacement CA certs correctly).

Any help would be appreciated.

Thank you.

Paul Johnston Dec 06, 2018 11:42AM UTC Support Center agent

There isn’t an option to automatically generate SHA1 certificates. However, you can generate a suitable certificate using the openssl command line, and configure Burp to use that. In Proxy > Options > Proxy Listeners > Edit > Certificate select “Use a custom certificate”.
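One way to produce such a certificate with openssl, as an added example that is not part of Paul's reply or of PortSwigger's own tooling: it builds a private CA and a single host certificate, both signed with SHA1, bundles the host certificate and key as the PKCS#12 file the listener's custom-certificate option loads, and checks the signature algorithm before the file is handed to Burp. The file prefixes, CN values, hostname and password are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not PortSwigger code): SHA1-signed certificate material for
# a Burp proxy listener's "Use a custom certificate (PKCS#12)" option.
# Prefixes, CN values, hostname and password are assumed for illustration.
set -eu

# Make a private CA whose own signature uses SHA1.
make_sha1_ca() {            # $1 = output prefix, writes $1.key and $1.pem
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 3650 \
        -subj "/CN=Example Test CA" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a leaf certificate for one host, signed by that CA with SHA1.
# Burp presents this one certificate to every client, so the SAN must name
# the host the client actually connects to.
make_sha1_host_cert() {     # $1 = CA prefix, $2 = host prefix, $3 = hostname
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$3" > "$2.ext"
    openssl x509 -req -sha1 -days 365 -in "$2.csr" \
        -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -extfile "$2.ext" -out "$2.pem" 2>/dev/null
    # The listener option loads a PKCS#12 bundle holding cert, key and chain.
    openssl pkcs12 -export -inkey "$2.key" -in "$2.pem" -certfile "$1.pem" \
        -name "$3" -passout pass:changeit -out "$2.p12"
}

# Print the algorithm a certificate was signed with, so the SHA1 requirement
# can be confirmed before the file is configured in Burp.
signature_algorithm() {     # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Confirm the leaf chains to the CA (catches a mismatched -CA/-CAkey pair).
verify_chain() {            # $1 = CA PEM, $2 = leaf PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Import the resulting `.p12` under Proxy > Options > Proxy Listeners > Edit > Certificate with the password given to `-passout`, and install the CA PEM in the client's trust store.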

Greg Dec 06, 2018 04:10PM UTC

Thank you very much. I already had a suitable certificate from openssl, so when I have time to work on this again the testing should go more quickly.

For reference, I learned in an old support post that the NullPointerException problem in v1.6 was because imported CA certificates had to have a "caCert" alias at that time. Adding a "caCert" alias did indeed allow the CA certificate to be imported, but v1.6 was still unable to function properly after that (cipher errors in the Alerts tab and all connections failing). So, that leaves auto-generation of SHA1 certs off the table for now apparently.

Thanks again for your help.

Greg Jan 07, 2019 09:51AM UTC

I had time to revisit this and am pleased to say that using a custom certificate worked perfectly. Thank you very much.

Of course, it didn't take long for challenges to crop up with the limits of only having one certificate to send to clients. If you can consider allowing multiple custom certificates depending on the host in the future (much like how different client certificates are already allowed for different hosts) and default to auto-gen for other hosts that would be very helpful. I fully understand that if this were added it wouldn't be soon what with v2.0 and everything, so until then I can get by with chaining Burp instances.

Thanks once again.

Paul Johnston Jan 07, 2019 10:53AM UTC Support Center agent

Pleased to hear you got it working. I’m not sure if we’ll implement multiple custom certificates; it’s a rare requirement and would need a non-trivial UI.

As a workaround you can run multiple proxy listeners, each with different certificates, and use a proxy switcher to direct requests to the right one.

What we may do is make the certificate generation be customizable by an extension.

Greg Jan 07, 2019 01:02PM UTC

Thanks for the response, Paul. Allowing certificates to be defined by an extension sounds very promising. Thanks to you and the team for all that you do.