login

Burp Suite, the leading toolkit for web application security testing

Installing Burp's CA Certificate

By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.

Note: If you install a trusted root certificate in your browser, then an attacker who has the private key for that certificate may be able to man-in-the-middle your SSL connections without obvious detection, even when you are not using an intercepting proxy. To protect against this, Burp generates a unique CA certificate for each installation, and the private key for this certificate is stored on your computer, in a user-specific location. If untrusted people can read local data on your computer, you may not wish to install Burp's CA certificate.

Use the links below for help on installing Burp's CA certificate in different browsers and devices:

Please note that browser options and processes for handling trusted certificates are subject to change over time. The instructions described here work on most recent browsers, and the process is sufficiently generic for you to adapt if your browser behaves slightly differently. If you encounter a significant error or omission, please contact us to let us know.

Internet Explorer

Note: To change trusted certificate settings on IE, you must have an account with local administrator privileges.

To install Burp's CA certificate on IE, perform the following steps:

  1. If you have previously installed a different CA certificate generated by Burp, you should first remove it (see instructions below).
  2. Launch Internet Explorer. On recent versions of Windows, you must run IE as administrator. Click the "Start" button, type "internet explorer" into the search box, right-click the Internet Explorer link, and select "Run as Administrator" from the context menu.
  3. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting).
  4. In your browser, visit any HTTPS URL. If you receive a warning, click "Continue to this website (not recommended)".
  5. Click on the "Certificate error" button in the address bar.
  6. Click "View certificates".
  7. Go to the "Certification Path" tab.
  8. Select the root certificate in the tree (PortSwigger CA).
  9. Click "View Certificate".
  10. Click "Install Certificate".
  11. In the Certificate Import Wizard, select "Place all certificates in the following store".
  12. Click "Browse".
  13. Select "Trusted Root Certification Authorities".
  14. Click "OK".
  15. Complete the wizard.
  16. Click "Yes" on the security warning.
  17. Close all dialogs and restart IE (no need to run as administrator).

If everything has worked, you should now be able to visit any HTTPS URL via Burp without any security warnings. 

To remove a Burp CA certificate which you have previously installed on IE, perform the following steps:

  1. Launch Internet Explorer. On recent versions of Windows, you must run IE as local administrator. Click the "Start" button, type "internet explorer" into the search box, right-click the Internet Explorer link, and select "Run as Administrator" from the context menu.
  2. Go to Tools | Internet Options.
  3. Go to the Content tab.
  4. Click "Certificates".
  5. Go to the Trusted Root Certification Authorities tab.
  6. Select the PortSwigger CA entry in the list.
  7. Click "Remove".
  8. Click "Yes" in each confirmation dialog.
  9. Confirm that the PortSwigger CA entry has been removed.
  10. Restart IE.

Firefox

If you have the Plug-n-hack plugin installed in Firefox, you can configure your browser to use Burp as its proxy, and install Burp's CA certificate, by visiting the URL of your Proxy listener (for example: http://127.0.0.1:8080) and following the "Plug-n-hack" link.

If you do not have the Plug-n-hack plugin, perform the following steps:

  1. If you have previously installed a different CA certificate generated by Burp, you should first remove it (see instructions below).
  2. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting).
  3. Visit http://burp and click the "Cert" link to download and save your Burp CA certificate.
  4. Go to Tools | Options.
  5. Click "Advanced".
  6. Go to the Encryption tab.
  7. Click "View Certificates".
  8. Go to the Authorities tab.
  9. Click "Import" and select the certificate file that you previously saved.
  10. On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".
  11. Close all dialogs and restart Firefox.

If everything has worked, you should now be able to visit any HTTPS URL via Burp without any security warnings. 

To remove a Burp CA certificate which you have previously installed on Firefox, perform the following steps:

  1. In Firefox, go to Tools | Options.
  2. Click "Advanced".
  3. Go to the Encryption tab.
  4. Click "View Certificates".
  5. Go to the Authorities tab.
  6. Select the PortSwigger CA entry in the list (this is a sub-entry under PortSwigger).
  7. Click "Delete".
  8. Click "OK" in the confirmation dialog.
  9. Confirm that the PortSwigger CA entry has been removed.
  10. Restart Firefox.

Chrome

The Chrome browser picks up the certificate trust store from your host computer. If you are using Chrome, you can follow the instructions on this page for your computer's built-in browser. When the Burp CA certificate has been installed in your built-in browser, restart Chrome and you should be able to visit any HTTPS URL via Burp without any security warnings.

If you aren't sure which browser to configure, then configure Chrome to use Burp as its proxy, and visit any SSL-protected URL in Chrome. Proceed through the security warning, click on the broken padlock symbol in the URL bar, and click on Certificate Information. This will open the certificate details dialog for your built-in browser, and you can follow the relevant instructions from there.

Safari

To install Burp's CA certificate on Safari, perform the following steps:

  1. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp's Proxy listener to generate CA-signed per-host certificates (this is the default setting).
  2. In your browser, visit any HTTPS URL.
  3. In the warning dialog titled "Safari can't verify the identity ..." click "Show Certificate".
  4. Select the root certificate in the tree (PortSwigger CA).
  5. Check the box "Always trust PortSwigger CA".
  6. Click Continue, and enter your password if requested.

IPhone

To install Burp's CA certificate on your iPhone or other IOS device, perform the following steps.

  1. First, you need to use your desktop browser to export Burp's CA certificate. Using your browser, visit http://burp and click the "Cert" link to download your Burp CA certificate. Save the certificate somewhere on your computer using the .crt file extension.
  2. Copy the certificate onto your iPhone. The easiest way to do this is to send it as an email attachment from your desktop computer to an account that your iPhone is set up to receive emails for.
  3. On your iPhone, open the email and click on the attachment.
  4. In the dialog that opens, click the "Install" button, and step through the certificate installation wizard, entering your PIN number if requested.

Note that you may be able to download Burp's CA certificate directly to your device by visiting http://burp/cert with your device configured to use Burp as its proxy.

Android

Installing a new trusted CA certificate on Android is not trivial, and requires running some scripts on a rooted phone. Various instructions and scripts can be found via Google if you would like to do this (try searching for: import burp CA into android device).

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Tuesday, August 19, 2014

1.6.05

This release fixes a UI bug affecting a small number of users who are running Burp on Java 1.6.

See all release notes ›

Copyright © 2014 PortSwigger Ltd. All rights reserved.