Get involved in the Burp challenge for opportunities to test your skills and win swag  –   Challenge me


Managing CA certificates

  • Last updated: November 25, 2022

  • Read time: 2 Minutes

Each installation of Burp generates its own CA certificate that Proxy listeners use to negotiate TLS connections. This section explains how to export, import, and create CA certificates.


You only need to manage CA certificates in the following cases:

  • You want to use an external browser, instead of Burp's browser. For the vast majority of users, this isn't necessary.
  • You want to test certain types of network devices or applications.

Exporting and importing the CA certificate

You can export your installation-specific CA certificate for use in other tools or other instances of Burp, and import a certificate to use in the current instance of Burp:

  1. From the Proxy tab, select Options.
  2. Click the Import / export CA certificate button.
  3. Configure the Export or Import options. Click Next.
  4. Enter the file details, and keystore password if necessary. Click Next.
  5. At the prompt, click Close.


You should not disclose the private key for your certificate to any untrusted party. A malicious attacker in possession of your certificate and key may be able to intercept your browser's HTTPS traffic even when you are not using Burp.

To regenerate a CA certificate:

  1. From the Proxy tab, select Options.
  2. Click the Regenerate CA certificate button.
  3. At the prompt, click Yes.
  4. Restart Burp for the change to take effect.
  5. Install the new certificate in your browser.

Creating a custom CA certificate

You can use OpenSSL to create a CA certificate with your own details:

  1. Enter the following OpenSSL command to create a self-signed certificate with an unencrypted 2048-bit RSA key, which is valid for 730 days:

    openssl req -x509 -days 730 -nodes -key rsa:2048 -outform der -keyout server.key -out ca.der
  2. Enter the following OpenSSL command to convert the key from PEM to DER:

    openssl rsa -in server.key -inform pem -out server.key.der -outform der
  3. Enter the following OpenSSL command to convert the key to a PKCS8 that contains the key:

    openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt
  4. Click the Import / export CA certificate button in Burp, and select Cert and key in DER format.
  5. Select ca.der as the certificate file, and server.key.pkcs8.der as the key file.

Burp loads the custom CA certificate and uses it to generate per-host certificates.

Was this article helpful?