The Burp Suite User Forum was discontinued on the 1st November 2024.


PKCS #11 support for Burp CA

netflow | Last updated: Sep 05, 2021 12:37PM UTC

We are considering using Burp Suite in our environment. However, the admins (understandably) don't like having private keys lying around on disk. Also, PortSwigger mentions potential problems at the bottom of the page: https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/certificate It looks like there is some support for client certificates already which are stored in a smart card. I guess in the end storing the private key of the Burp CA in some hardware token should not be much different. Is this supported in any way? If so, could you maybe post a small How-To? We would like to store the private key in something affordable like an HSM from Yubikey or Nitrokey. Maybe even the Yubikey 5 could already be sufficient. We don't need support for thousands of handshakes per hour.

Michelle, PortSwigger Agent | Last updated: Sep 07, 2021 09:06AM UTC

Thanks for your message. The client certificates that can be set under User Options -> TLS are ones that would be used for authentication to a particular site. The certificate used by Burp's Proxy is generated per installation, and the private key for that is stored in a user-specific location for the user that has installed Burp. Burp's certificate only needs to be installed if you are using an external browser for manual testing (you would not need to install the certificate if you were using Burp's automated scan tasks). Burp's embedded browser is already pre-configured to work with the certificate, so you can choose to use that instead so your external browser does not need to trust it. Would this be a good option for you?

netflow | Last updated: Oct 02, 2021 06:54AM UTC

We need to use other browsers than Burp's embedded one. Also, we need to test other non-browser applications as well. It looks like Yubico already has some Java-related snippets: https://github.com/YubicoLabs/yubihsm-java https://developers.yubico.com/yubico-piv-tool/YKCS11/Supported_applications/Java_keytool.html so maybe it would be possible at some point to use a custom location for the private key?
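The Yubico page linked above covers keytool; the following is an added example (editor's code, not from the thread, from PortSwigger or from Yubico) of what a Java application would have to do to use a private key that lives on a PKCS#11 token instead of on disk, which is the mechanism the question is asking about. It uses only the JDK's built-in SunPKCS11 provider (Java 9 or later). The library path, the YKCS11_PIN environment variable, the alias selection and the message are assumptions for the demo; the slot alias names come from whatever the token's PKCS#11 module reports.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

/**
 * Signs a message with a private key held on a PKCS#11 token (assumed here to be
 * a YubiKey exposed through Yubico's ykcs11 module) and verifies the signature with
 * the public key from the matching certificate. The private key is never exported:
 * the JVM only holds a handle, and the signing operation runs on the token.
 *
 * Assumptions (not from the forum thread): the library path below, the PIV PIN in
 * the YKCS11_PIN environment variable, and that the token holds at least one key
 * entry with a certificate.
 */
public class Pkcs11SignDemo {

    // SunPKCS11 accepts an inline configuration when the string starts with "--".
    // Adjust the library path for your platform, e.g. /usr/lib/x86_64-linux-gnu/libykcs11.so.
    private static final String PKCS11_CONFIG =
            "--name = YKCS11\n"
          + "library = /usr/local/lib/libykcs11.so\n";

    public static void main(String[] args) throws Exception {
        String pinEnv = System.getenv("YKCS11_PIN");
        if (pinEnv == null) {
            throw new IllegalStateException("set YKCS11_PIN to the token PIN (never hard-code it)");
        }
        char[] pin = pinEnv.toCharArray();

        // Java 9+: configure the built-in SunPKCS11 provider and register it.
        Provider p = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p);

        // A PKCS#11 KeyStore has no backing file; load(null, pin) logs in to the token.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        // Use the alias given on the command line, otherwise the first key entry on the token.
        String alias = args.length > 0 ? args[0] : null;
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("token entry: " + a + (ks.isKeyEntry(a) ? " (key)" : ""));
            if (alias == null && ks.isKeyEntry(a)) {
                alias = a;
            }
        }
        if (alias == null) {
            throw new IllegalStateException("no key entries found on the token");
        }

        // The returned object is a token handle; getEncoded() on it returns null.
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pin);
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate stored for alias " + alias);
        }
        PublicKey pub = cert.getPublicKey();

        String algo = "EC".equals(priv.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] msg = "signed without the key ever leaving the token".getBytes(StandardCharsets.UTF_8);

        // Signing must go through the PKCS#11 provider so the operation runs on the token.
        Signature signer = Signature.getInstance(algo, p);
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verification needs only the public key and can use the default software provider.
        Signature verifier = Signature.getInstance(algo);
        verifier.initVerify(pub);
        verifier.update(msg);
        System.out.println("alias \"" + alias + "\": " + algo + " signature, "
                + sig.length + " bytes, verifies=" + verifier.verify(sig));

        Arrays.fill(pin, '\0');
    }
}
```

Compile with `javac Pkcs11SignDemo.java` and run with `YKCS11_PIN=... java Pkcs11SignDemo` (optionally followed by an alias) on a machine with the token plugged in and the ykcs11 module installed. Two practical caveats: a PIV slot configured with a touch policy will block in `sign()` until the key is touched, and the thread above does not establish whether Burp itself can be pointed at such a PKCS#11 keystore for its CA key, only that the Java platform can use one.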

Michelle, PortSwigger Agent | Last updated: Oct 04, 2021 01:40PM UTC