Installing the Burp SSL certificate in your browser

One of the functions of SSL is to authenticate the identity of webservers. To intercept traffic between your browser and webservers, Burp needs to break the SSL connection. This causes a security warning in your browser because it detects that it is not communicating directly with the authentic web server. Burp generates an SSL certificate for that host which is signed by the CA certificate. Burp’s CA certificate can be installed as a trusted root in your browser so that the per-host certificates are accepted without any alerts.

Installing Burps SSL certificate is detailed in the following procedures.

Browser making an SSL connection.

Browser_Making_SSL Connection

Burp is to break the SSL connection.

Break_SSL Connection

This causes a security warning in your browser because it identifies that it’s not directly communicating with the authentic web service.

Burp_Security_Warning

This how the SSL warning looks like in different browsers:

IE

Burp_IE

Mozilla Firefox

Burp_Mozilla_Firefox

Chrome

Burp_Chrome

Safari

Burp_Safari

To allow HTTPS websites to load properly they use their own certificate authority.

Burp_Certificate_Authority

Then creates an SSL certificate for each host you visit and signs this using the CA certificates.

Burp_SSL_Certificate

To prevent security warnings you should install a Burp CA certificate as a trusted root in your browser. This will cause your browser to trust the SSL connections that it makes to Burp.

Install_Burp CA_Certificates

Installing SSL certification is simple but the details depend on your browser.

IE – should first launch IE as Administrator.

Install_SSL_Certification_IE_1

Then using Burp as your proxy visit any HTTPS URL and click “Continue to this website (not recommended)”.

Install_SSL_Certification_IE_2

Click on ‘Certificates Error’ and ‘View Certificates’.

Install_SSL_Certification_IE_3

Go to ‘Certification Path’ and select ‘PortSwingger CA’ and ‘View Certificate’.

Install_SSL_Certification_IE_4

This displays the Certificate screen.

Install_SSL_Certification_IE_5

Click on ‘Install Certificate’ and in the wizard click ‘Next’.

Install_SSL_Certification_IE_6

Select “Place all certificates in the following store”, browse and select “Trusted Root Certification Authorities”. Click ‘Next’ and then ‘Finish’.

Install_SSL_Certification_IE_7

Confirm the action and restart IE. Now you will be able to visit any HTTPS URL without any warnings.

Install_SSL_Certification_IE_8

Mozilla Firefox – Using Burp as your proxy visit any HTTPS URL.

Install_SSL_Certification_Mozilla_1

Click ‘I Understand the Risks’ and ‘Add Exception’.

Install_SSL_Certification_Mozilla_2

View the certificate and from the ‘Details’ tab select ‘PortSwingger CA’, ‘Export’ the certificate, save it somewhere and close all pop-ups.

Install_SSL_Certification_Mozilla_3

Go to ‘Options’.

Install_SSL_Certification_Mozilla_4

From the pop-up select ‘Advanced’ –> ‘Encryption’ –> ‘View Certificate’.

Install_SSL_Certification_Mozilla_5

Click ‘Import’.

Install_SSL_Certification_Mozilla_6

Select the certificate that you have saved and select the check box ‘Trust this CA to identify websites.’ Click ‘Ok’ on all pop-ups to close. Now you should be able to visit any HTTPS URL without warning messages.

Chrome – It uses the certificate from the trust store of your host computer. Normally, if you install Burp using the default browser of your computer, chrome will use this.

Using Burp as your proxy visit any HTTPS URL and click on ‘Proceed anyway’ and click on the broken lock and view the certificate information. This will link you to the relevant settings on your host computer.

Install_SSL_Certification_Chrome_1

Click on ”PortSwingger CA” certificate.

Install_SSL_Certification_Chrome_2

Safari – Visit any HTTPS URL using Burp as your proxy. Click ‘show certificate’ and select ‘Portswingger CA’ certificate.

Install_SSL_Certification_Safari_1

Click on ‘Trust’ and select the option ‘Always Trust’.

Install_SSL_Certification_Safari_2

Click ‘Continue’ and enter the password, if you need to update the settings.

Install_SSL_Certification_Safari_3

Now you will be able to visit any HTTPS URL without warning messages.

Have questions? Contact the technology experts at InApp to learn more.