Burp Suite User Forum

TLS for burp Enterprise server

Chaitanya | Last updated: Jan 29, 2019 03:55AM UTC

Team, can you please help us with how/where we can configure Burp Enterprise server to use TLS? We would want the self-signed certificate to be used for encryption. Regards, Chaitanya

PortSwigger Agent | Last updated: Jan 29, 2019 09:51AM UTC

Hi Chaitanya, Burp Enterprise can be configured to use TLS with a self-signed P12 certificate in settings. Log in to Burp Enterprise and navigate to settings > network. Click on the "Web server port" editable area, and toggle "Use TLS" to on. A dialog will be displayed for you to upload your P12 certificate; upload it and confirm the change. Your server will restart and be accessible through https://... Hope that helps, please let me know if you have any more problems.

Burp User | Last updated: Jan 30, 2019 09:33PM UTC

Hi Nick, Thanks for getting back to me. Could you please let me know how I can do those changes in the code? We have our infrastructure in the code and currently complete burp setup and usage is in the code. Your response is appreciated. Regards, Chaitanya

PortSwigger Agent | Last updated: Jan 31, 2019 09:24AM UTC

Hi Chaitanya, This is not something we currently support. A workaround might be to use a proxy server in front of your web server (e.g. NGINX) configured to use your certificate.

Burp User | Last updated: Feb 05, 2019 03:33AM UTC

Team, as advised, we have configured an nginx proxy server with self-generated certificates in front of the Burp web server and configured it to use SSL, and everything works fine using the browser. I could access it using the IP of the ALB and also the IP of the nginx proxy. However, when we invoke the scan using the CI driver in the CLI, I receive the below error (I am hitting the IP of the load balancer):

```
echo "BURP_SCAN_URL = https://shelde.com" | java -jar burp-ci-driver-v1.0.5beta.jar --scan-definition=myscan.json https://dev.burp.shelde.com/api/<api-key>
ERROR: net.portswigger.bH: Expected 101 status when negotiating websocket, but got 404 with message body: {"error":"Not found"}
```

If this is a problem with the web socket, can you help us with how to configure the Burp web socket? When I try to hit the IP of the nginx server, I receive a different error:

```
echo "BURP_SCAN_URL = https://shelde.com" | java -jar burp-ci-driver-v1.0.5beta.jar --scan-definition=myscan.json https://10.10.211.182:8443/api/<api-key>
ERROR: No trusted certificate found
```

Your support is very much appreciated.

PortSwigger Agent | Last updated: Feb 06, 2019 09:04AM UTC

Hi Chaitanya, It sounds like there may be multiple problems with your setup. To best help you, perhaps you could let us know what it is that you are trying to achieve with your TLS configuration? Depending on your end goal, there may be a better solution. Do you need TLS all the way to the Enterprise Server or is terminating TLS at the load balancer a viable option?

Liam, PortSwigger Agent | Last updated: Feb 06, 2019 02:20PM UTC

Hi Chaitanya, It might be possible for you to do this by creating a trust store file containing the self-signed certificate (you should upload the certificate manually, check everything works, then take a copy of the trust store that Enterprise Server has created). Whenever you create the AMI, copy the trust store back into the image and manipulate the web-server.config file to use it. Use the same trust store (or import their self-signed certificate into the trust store) for the instance of Java that launches the CI driver, otherwise the CI driver won't trust the certificate. This applies regardless of what solution is used at the server end. Please let us know if you need any further assistance.

Burp User | Last updated: Feb 07, 2019 12:39AM UTC

As per our security policy, we cannot allow unencrypted network traffic and hence we need TLS all the way to the Enterprise Server. Though our Burp server is completely locked down, we still cannot let it run over HTTP. Also, we cannot manually generate and upload the certificate every time, as we may not have access to the underlying EC2 instance and we have our complete infrastructure in the CODE. Since you advised having an nginx proxy to configure the TLS configuration in the code, we have implemented the same setup. Our main goal is to invoke the scan from the build server by hitting the load balancer:

```
echo "BURP_SCAN_URL = https://shelde.com" | java -jar burp-ci-driver-v1.0.5beta.jar --scan-definition=myscan.json https://dev.burp.shelde.com/api/<api-key>
```

Mike, PortSwigger Agent | Last updated: Feb 07, 2019 03:40PM UTC

Hi Cristian, this can be done using OpenSSL https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

Burp User | Last updated: Sep 17, 2019 08:35PM UTC

We can't use a self signed certificate so I created a p12 cert from the CA issued certificate and its private key. When I attempted to upload the certificate in the GUI I get this error: "Failed to update Web Server settings Invalid REST argument" Can you provide a method of creating the p12 certificate from PEM / KEY files?

Burp User | Last updated: Dec 09, 2019 06:18AM UTC

I used the command in the preceding URL https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ and still found an error message: "Failed to update Web Server settings Invalid REST argument". I used this command: `openssl pkcs12 -export -out www.redacted.pfx -inkey www.redacted.key -in www.redacted.crt` Any suggestions?

Michelle, PortSwigger Agent | Last updated: Dec 09, 2019 09:36AM UTC

Hi, if you change the file extension on the certificate to .p12, do you see the same error?
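Added example (not part of the thread and not PortSwigger's code): a shell sketch of the two certificate steps discussed above. It builds the P12 with the `openssl pkcs12 -export` command quoted in the thread, confirms before upload that the bundle opens and that its private key belongs to its certificate, and imports the certificate into a Java trust store for the JVM that launches the CI driver. The host name, file names, the `burp-enterprise` alias and the `changeit` password are assumptions.

```shell
#!/bin/sh
# Added example. Host name, file names, alias and passwords are constructed placeholders.

# make_selfsigned DIR CN: throwaway key.pem and cert.pem, valid for one day.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# make_p12 KEY CERT OUT PASS: the export command quoted in the thread, with a
# .p12 output name and a non-interactive password. openssl exits non-zero
# when KEY does not belong to CERT.
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}

# check_p12 FILE PASS: succeeds only if FILE opens with PASS and the public key
# in its certificate equals the public key derived from its private key.
check_p12() {
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -pubkey -noout 2>/dev/null) || return 1
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# trust_cert CERT STORE PASS: import CERT into a Java trust store (needs keytool
# from a JDK). Start the CI driver's JVM with
#   -Djavax.net.ssl.trustStore=STORE -Djavax.net.ssl.trustStorePassword=PASS
trust_cert() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
  keytool -importcert -noprompt -alias burp-enterprise -file "$1" \
    -keystore "$2" -storepass "$3"
}

# Demo on a constructed certificate; nothing here touches a real server.
demo() {
  d=$(mktemp -d) || return 1
  make_selfsigned "$d" burp.example.test &&
    make_p12 "$d/key.pem" "$d/cert.pem" "$d/server.p12" changeit &&
    check_p12 "$d/server.p12" changeit &&
    echo "server.p12 opens and its key matches its certificate"
  rc=$?; rm -rf "$d"; return $rc
}
demo
```

For a CA-issued certificate, pass the issued certificate and its key to `make_p12` in place of the throwaway pair; `check_p12` then reports whether the resulting file is a readable bundle with a matching key.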
