Burp Suite User Forum


PKCS #11 support for Burp CA

netflow | Last updated: Sep 05, 2021 12:37PM UTC

We are considering using Burp Suite in our environment. However, the admins (understandably) don't like having private keys lying around on disk. Also, PortSwigger mentions potential problems at the bottom of this page: https://portswigger.net/burp/documentation/desktop/getting-started/proxy-setup/certificate It looks like there is already some support for client certificates that are stored on a smart card. I guess in the end storing the private key of the Burp CA in some hardware token should not be much different. Is this supported in any way? If so, could you maybe post a small how-to? We would like to store the private key in something affordable like an HSM from Yubico or Nitrokey. Maybe even the YubiKey 5 could already be sufficient. We don't need support for thousands of handshakes per hour.

Michelle, PortSwigger Agent | Last updated: Sep 07, 2021 09:06AM UTC

Thanks for your message. The client certificates that can be set under User Options -> TLS are ones that would be used for authentication to a particular site. The certificate used by Burp's Proxy is generated per installation, and the private key for that is stored in a user-specific location for the user that has installed Burp. Burp's certificate only needs to be installed if you are using an external browser for manual testing (you would not need to install the certificate if you were using Burp's automated scan tasks). Burp's embedded browser is already pre-configured to work with the certificate, so you can choose to use that instead so that your external browser does not need to trust it. Would this be a good option for you?

netflow | Last updated: Oct 02, 2021 06:54AM UTC

We need to use browsers other than the Burp embedded one. We also need to test other, non-browser applications. It looks like Yubico already has some Java-related snippets: https://github.com/YubicoLabs/yubihsm-java and https://developers.yubico.com/yubico-piv-tool/YKCS11/Supported_applications/Java_keytool.html so maybe it would be possible at some point to use a custom location for the private key?

Michelle, PortSwigger Agent | Last updated: Oct 04, 2021 01:40PM UTC

If you use Burp's default options, Burp creates a unique, self-signed Certificate Authority (CA) certificate, and stores this on your computer to use each time Burp is run. When your browser makes a TLS connection to a given host, Burp generates a TLS certificate for that host, signed by the CA certificate. You can install Burp's CA certificate as a trusted root in your browser so that the per-host certificates are accepted without any alerts. As the certificates are unique to the installation, if you regenerate the certificate or use a different installation of Burp, you will have to reinstall the new CA certificate into your browser as the one your browser has will no longer match. To help us understand more of the background to your request, are you wanting to create your own certificate and store it on a key to use across multiple installations of Burp? Or are you concerned about someone gaining unauthorized access to your machine and then also having access to the private key used by that installation of Burp?
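To make the mechanism discussed in this thread concrete (the per-host certificate signing Michelle describes, with the CA private key kept on a PKCS#11 token as netflow asks), here is an added example; it is not Burp's code and Burp does not expose such an option. It assumes Java 9+ with the SunPKCS11 provider, the BouncyCastle `bcpkix` library on the classpath, and a hypothetical provider config path, token library path and key alias.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class TokenBackedCa {
    // Assumed SunPKCS11 config file (hypothetical path). Its contents would be, e.g.:
    //   name = YubiKeyPIV
    //   library = /usr/lib/libykcs11.so
    static final String PKCS11_CONF = "/etc/burp/pkcs11.cfg";
    // Hypothetical alias under which the token exposes the CA key and certificate.
    static final String CA_ALIAS = "X.509 Certificate for Digital Signature";

    // Attach the PKCS#11 token as a JCA provider (Java 9+ Provider.configure API).
    static Provider loadTokenProvider() {
        Provider p = Security.getProvider("SunPKCS11").configure(PKCS11_CONF);
        Security.addProvider(p);
        return p;
    }

    // Issue a per-host leaf certificate signed by the CA key. The PrivateKey object
    // obtained from a PKCS11 KeyStore is only a handle: the RSA signature is computed
    // on the token, so the CA key material never touches disk or JVM memory.
    static X509Certificate issueHostCert(Provider p, char[] pin, String host, PublicKey leafPub)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        PrivateKey caKey = (PrivateKey) ks.getKey(CA_ALIAS, pin);
        X509Certificate caCert = (X509Certificate) ks.getCertificate(CA_ALIAS);
        Date now = new Date();
        Date expiry = new Date(now.getTime() + 365L * 24 * 3600 * 1000);
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                caCert, BigInteger.valueOf(now.getTime()), now, expiry,
                new X500Name("CN=" + host), leafPub);
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, host)));
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider(p).build(caKey);
        X509CertificateHolder holder = b.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadTokenProvider();
        KeyPair leaf = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // per-host key, in memory
        char[] pin = System.console().readPassword("Token PIN: ");
        X509Certificate cert = issueHostCert(p, pin, "example.com", leaf.getPublic());
        System.out.println(cert.getSubjectX500Principal() + " issued by " + cert.getIssuerX500Principal());
    }
}
```

The leaf key pair can stay in memory because compromising it exposes only one host's interception, while the CA key that would let an attacker mint certificates for any host stays on the token.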
