The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Enterprise TLS Certificate untrusted

Bailey, | Last updated: Feb 04, 2020 04:27PM UTC

I have followed several other posts about importing trusted certs into a certificate store. I have "successfully" imported a certificate but the TLS Certificate untrusted finding continues to flag. How can I get this finding to go away with the correct certificate in the cert store?

Hannah, PortSwigger Agent | Last updated: Feb 05, 2020 08:15AM UTC

Hi, could you tell me the steps you have already tried?

Bailey, | Last updated: Feb 20, 2020 04:18PM UTC

1. I created a PEM file with a specific certificate - DigiCertGlobalCAG2.pem
   a. It has 644 perms by default with root:root ownership
2. I executed keytool -import -trustcacerts -keystore /opt/burpsuite_enterprise/jre/lib/security/cacerts -alias digicertglobalcag2 -file /data/keys/DigiCertGlobalCAG2.pem
3. I executed keytool -keystore /opt/burpsuite_enterprise/jre/lib/security/cacerts -v -list and verified that the cert was included. The count went from 104 to 105 certificates.
4. I restarted burp enterprise services - #systemctl restart burp….db,agent,werbserver,server.service
5. I performed a rescan of a site and the TLS certificate is still being flagged as untrusted.
6. I copied the pem file to both /usr/share/pki/ca-trust-source/anchors/ and /etc/pki/ca-trust/source/anchors/
   a. I tried just copying to one or the other individually too but stuck with both to keep me covered
7. I executed update-ca-trust. The files in the anchor folders remained and the /etc/pki/java/cacerts file was updated.
8. I used keytool -keystore /etc/pki/java/cacerts -v -list to review the file and the cert count went from 140 to 141 to include the correct digicertglobalcag2 alias.
9. I tried echo $JAVA_HOME but there is no output. Maybe that needs to be defined.
10. There are several dirs under /usr/lib/ for java and jvm.

Is there a different cacerts file that Burp Enterprise is using?

Ben, PortSwigger Agent | Last updated: Feb 21, 2020 09:28AM UTC

Hi Ben, Can you give us some more detail about what you are trying to do with this certificate? Is it a client certificate that you are wanting to present when a destination host requests one during a scan?

Daniel | Last updated: Apr 13, 2021 10:16PM UTC

Hi, I have a similar problem. I have my local SMTP server, but this one has a self-signed certificate. When I try to send the test mail, it shows me this message: "SSL error whilst trying to send email". The logs show this: "PKIX path building failed. PKIX path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target". I know there is a problem with the self-signed certificate. Is there any possibility to resolve this? Thanks.
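One way to test, outside Burp, which of several candidate trust stores actually anchors the chain a server presents, as in the keystore checks and the self-signed SMTP case described in the posts above. This is an added example, not part of the original thread and not PortSwigger's code; the function names, the file names in the demo and the `changeit` store password default are assumptions.

```shell
#!/bin/sh
# Added example: which candidate trust stores anchor a server's chain?
# Assumes openssl on PATH; keytool is only needed for JKS/PKCS12 stores.
# store_to_pem STORE OUT: write STORE's certificates to OUT in PEM form.
store_to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        cat "$1" > "$2"    # already a PEM bundle
    else
        # "changeit" is the JDK default cacerts password (assumed unchanged).
        keytool -list -rfc -keystore "$1" \
            -storepass "${STOREPASS:-changeit}" > "$2" 2>/dev/null
    fi
}

# trusting_stores CHAIN STORE...: print every STORE under which the first
# certificate in CHAIN (the leaf) builds a path to a trust anchor.
trusting_stores() {
    chain=$1; shift
    work=$(mktemp -d) || return 1
    mkdir "$work/empty"
    for store in "$@"; do
        store_to_pem "$store" "$work/anchors.pem" || continue
        # SSL_CERT_DIR points at an empty directory so the system default
        # trust directory cannot satisfy the lookup; only this store counts.
        if SSL_CERT_DIR="$work/empty" openssl verify \
               -CAfile "$work/anchors.pem" -untrusted "$chain" "$chain" \
               >/dev/null 2>&1; then
            printf '%s\n' "$store"
        fi
    done
    rm -rf "$work"
}

# Constructed demo: a throwaway self-signed "server" certificate is checked
# against one store that lacks it and one that contains it.
demo() {
    d=$(mktemp -d) || return 1
    for n in server other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.pem" >/dev/null 2>&1 || return 1
    done
    cat "$d/other.pem" > "$d/store_without.pem"
    cat "$d/other.pem" "$d/server.pem" > "$d/store_with.pem"
    trusting_stores "$d/server.pem" "$d/store_without.pem" "$d/store_with.pem" |
        sed "s|^$d/||"
    rm -rf "$d"
}
```

Against a real host, save the PEM chain the server sends to a file and pass it as CHAIN, followed by each store to compare, for example /opt/burpsuite_enterprise/jre/lib/security/cacerts and /etc/pki/java/cacerts from the steps above. A store that is not printed does not contain an anchor for that chain, whatever its certificate count says.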

Ben, PortSwigger Agent | Last updated: Apr 15, 2021 07:32AM UTC