Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Certificate Invalid in burp's chromium browser while accessing any website

Rishabh | Last updated: Mar 03, 2021 07:55AM UTC

I just started with Burp's chromium browser a week or so, initially I thought that this 'not secure' written in the url while accessing the website is fine, but as I progressed my way, I saw that I cannot access certain websites due to this, so I clicked on this Not Secure so as to check more, then I saw Certificate(Invalid) written there. I also checked some YouTube videos, so as to confirm if this is only happening with me, and sadly I was right, because every user had a Lock icon in the url bar before the website name. Please help with this. Thanks

Ben, PortSwigger Agent | Last updated: Mar 03, 2021 11:46AM UTC

Hi, You would need to install and authorize the Burp CA Certificate into, depending upon the operating system you are using, the Chromium browser itself or via the default browser for your operating system. There are details on how to do this for Mac, Windows and Linux based systems on the following page: https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/certificate/chrome

Rishabh | Last updated: Mar 03, 2021 06:24PM UTC

Hi Ben, actually the problem is not that I am not able to access HTTPS websites, the problem is that websites are getting accessed but with a Not Secure written in the url bar instead of that lock icon, and I am talking about the problem in the context of Burp's own embedded browser and now talking about importing the certificate there in the browser it is already imported in the chromium browser. When I am trying to access for ex. https://www.google.com It is getting accessed in this way https{with a dash line on https}://www.google.com And due to this, some specific websites are though reachable but not loading content on the browser after completion of request. I hope now you understand the problem.

Ben, PortSwigger Agent | Last updated: Mar 04, 2021 08:34AM UTC

HI, Yes i understand the issue and, as noted, the Burp CA Certificate is not installed and authorized in the embedded browser by default. You would need to do this as you would with any other browser (hence my initial instructions). So, to confirm, you have already followed the instructions to install the Burp CA Certificate, in Chrome, for the operating system that you are using and sites are still not loading as secure (you would need to launch a new embedded browser for the certificate to be recognized)? If that is the case then would you be able to email us with some screenshots of this and also some screenshots/details of how you have installed the certificate, as we would be interested to investigate this (we can also share screenshots of us getting this to work from our side to, hopefully, illustrate this better for you)?

Ben, PortSwigger Agent | Last updated: Mar 04, 2021 08:42AM UTC

Just to follow up on the above. It is also probably worth pointing out that if you have installed the certificate for Chrome on Windows or Mac then the nature of the installation (installing it in the keystore of each system) will mean that the embedded browser should pick this up. If you are using Linux then you need to specifically install the certificate in the embedded browser (as you would with a normal Chrome browser) using the instructions i previously linked to.

Rishabh | Last updated: Mar 04, 2021 09:17AM UTC

That's so nice of you for assisting me But please tell me the mail id so that I can mail. And answering your last comment at 08:42am UTC Mar 04,2021, I am working on linux and I have installed the certificate explicitly on the Chromium browser from this link: `https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/certificate/chrome` ,even before posting this query here. Thanks and please tell me the mail.

Ben, PortSwigger Agent | Last updated: Mar 04, 2021 09:50AM UTC

Hi, You can email us at support@portswigger.net. For Linux, you have installed the certificate specifically in the embedded browser that is launched from Burp (not just the regular Chrome browser that you might already have installed on your Linux machine)?

Rishabh | Last updated: Mar 04, 2021 03:24PM UTC

Yes, I have installed specifically in that browser And I'll soon mail at support@portswigger.net

Rishabh | Last updated: Mar 04, 2021 04:30PM UTC

Hey, I have dropped the mail, please check.

Rishabh | Last updated: Mar 04, 2021 04:31PM UTC

I am sorry, I by mistakenly hit the submit button 4 times. :-)

Ben, PortSwigger Agent | Last updated: Mar 05, 2021 09:15AM UTC

No problem and thank you for following this up. We have received your email so will take a look and continue the conversation via email.

Brandon | Last updated: Aug 02, 2021 05:11PM UTC

I'm not quite sure this statement is accurate as this is the point of using the built in browser (already configured). "Yes i understand the issue and, as noted, the Burp CA Certificate is not installed and authorized in the embedded browser by default. You would need to do this as you would with any other browser (hence my initial instructions)." I've installed the latest stable release on 2 new windows boxes and the built in browser works perfectly fine. I even double checked the built in browser and the portswigger cert is already installed out of the box. I just updated to the latest stable release on a machine that had an older version and I'm getting the same issue as OP. I did verify that the certificate is already installed out of the box, but still receive an error saying the site is not secure for any website I go to.

Ben, PortSwigger Agent | Last updated: Aug 03, 2021 11:10AM UTC

Hi Brandon, You should be able to use the embedded browser on HTTP/S sites out of the box - the site connection, however, should be highlighted as being insecure because, as noted in previous posts in this thread, the Burp CA certificate has not been installed (this should not prevent the proxying of traffic, however). To clarify, in your scenario you are saying that a fresh install of Burp on a new machine also installs the Burp CA certificate so that the connection to HTTP/S sites is deemed secure but an upgrade to a later version of Burp on another machines does not do this? Do you have any details of the versions of Burp and Windows involved? Running a quick test and installing a new copy of the latest stable version of Burp on a Windows 10 machine works as expected for me - the embedded browser is able to proxy HTTP/S traffic but the Burp CA certificate is not installed and the connection is listed as unsecure. Is it possible that you had already installed the Burp CA certificate on these machines as a result of a separate action (perhaps by installing it in order to use Burp with an external browser before then trying to use the embedded browser)?

Dr | Last updated: Sep 09, 2021 04:59PM UTC

Greetings, I am having the same issue on MacOS. No HTTPS connection works, neither in built-in browser, nor in Firefox, nor in Chrome. What I tried: • Removed old cert from MacOS (10.14.6) certificate store • Export the cert from http://burp • Install in MacOS certificate store, and set as fully trusted => Not working in Chrome, Chromium, built-in Chromium, Safari • Install in Firefox certificate manager, set as fully trusted => Not working • Rebooted computer, By not working I mean the padlock in Firefox says "Not secure". Sites visited protected with Cloudflare are unusable because they detect the discrepancy somehow. What may be interesting is that I just updated Burp Suite for the first time in a year or so. Reading the thread above it appears that that's what happened to at least one other user - it worked before the update, and stopped working after. So maybe some configuration file got mangled in the update? It appears that the cert was correctly installed everywhere and the error is somehow in Burp Suite not processing the data flow correctly. Please advise.

Dr | Last updated: Sep 09, 2021 06:09PM UTC

Ok so a fresh install on a Mac with the same OS, that never had Burp Suite installed before, worked as expected. Sites appear secure and can be handily intercepted. No CloudFlare detection. So there seems to be a serious problem in your upgrade path. Is there a guide to completely uninstall Burp Suite and remove all prior traces, including configs? I wanted this to work on my main computer... Thanks, and thanks for an otherwise great software tool!!

Dr | Last updated: Sep 09, 2021 06:09PM UTC

Ok so a fresh install on a Mac with the same OS, that never had Burp Suite installed before, worked as expected. Sites appear secure and can be handily intercepted. No CloudFlare detection. So there seems to be a serious problem in your upgrade path. Is there a guide to completely uninstall Burp Suite and remove all prior traces, including configs? I wanted this to work on my main computer... Thanks, and thanks for an otherwise great software tool!!

Dr | Last updated: Sep 09, 2021 06:43PM UTC

Holy hell, going back to the problematic computer, after throwing into the trash both the Burp Suite application, and the .BurpSuite folder from ~ (user home directory), and reinstalling both the application, and installing the fresh certificate it generated in the process (both to Mac OS KeyChain and FireFox's certificate manager), it worked. I know it's free software, so thanks again, but this cost me hours of my life to figure out. There's something wrong in your update path. It can't seem to convert the old config files correctly. FWIW, the old version I updated from was version 2020.9.1.

Ben, PortSwigger Agent | Last updated: Sep 10, 2021 10:37AM UTC

Hi, Just to clarify (so that we have the exact scenario noted down with a view to testing this to see if we can replicate the issue): - You are running a MacOS 10.14.6 machine that had Burp Community 2020.9.1 already running on it, which was working without issue. - You updated this Burp version (via the automatic update and replaced the 2020.9.1 version entirely, I presume?) to the latest stable version of 2021.8.2. - At this point you removed the certificate you had working correctly and replaced it with a new certificate (in various locations) using the web interface at http://burpsuite - The freshly installed certificate would not allow you to proxy any HTTP/S traffic via any of the browsers that you were using - Performing a fresh install of the latest version of Burp on a clean machine allowed Burp to work as expected. - Removing Burp in its entirety and then installing the latest version directly on the problematic machine also allowed Burp to work as expected. Is that a fair summary of the scenario or have I missed or misunderstood any aspect of this?

james | Last updated: Oct 18, 2021 09:35PM UTC

Having the same problem with Burp professional as above on windows 10 and Linux ubuntu latest. I am going to try and uninstall every bit of burpsuite then reinstall from fresh but this is going to erase all of my prior burp files that I have for clients. This is a problem and I hope you guys fix it in the future.

james | Last updated: Oct 18, 2021 11:07PM UTC

Okay here is my issue. I have a windows 10 64 bit OS I have completely uninstalled and reinstalled burpsuite 4 times......the embedded browser has the lock at the top of the screen but does not show the google page...it will show yahoo no problem but google.com will not come up a few of my clients sites are the same. they wont come up no matter what. it was also happening yesterday when I was doing the portswigger academy. How do I fix this issue??>

Ben, PortSwigger Agent | Last updated: Oct 19, 2021 07:21AM UTC