Burp Suite User Forum

Login to post

PKCS11 Authentication with intermediate CA

Ben | Last updated: Apr 24, 2020 11:11AM UTC

When using client authentication with a smart card, Burp Suite currently only sends the client certificate to the server. So a server, which needs the whole certificate chain, cannot verify the certificate. This is the case if a certificate chain consists of a root CA, an intermediate CA and the client certificate. The server configuration only contains the root CA certificate and expects the client to send at least the intermediate CA certificate and its client certificate (for verification). The behavior can be reproduced using nginx and the following configuration parameters: server { [...] ssl_client_certificate /path/to/root/ca; ssl_verify_client on; ssl_verify_depth 2; [...] } Note: All certificates from the chain are contained in the Java keystore on the client (except the private key of the used smart card). The verification succeeds without using Burp Suite. When I test this with Chrome (without Burp proxy), the browser sends all 3 certificates, when tested with Burp only one is sent (also verified with Wireshark).

Uthman, PortSwigger Agent | Last updated: Apr 27, 2020 07:45AM UTC

Hi, Thanks for reporting this. I have reported this to our development team who will be looking into the issue. In the meantime, can you please share the Wireshark PCAP via email?

Ben | Last updated: Apr 27, 2020 02:06PM UTC

Unfortunately, I cannot send you the Wireshark dump, since this concerns a client. I can however send you a few redacted screenshots from the affected packages within Wireshark.

Uthman, PortSwigger Agent | Last updated: Apr 27, 2020 02:48PM UTC

Yes, please. As much information as possible would be helpful.

Ben | Last updated: Apr 27, 2020 03:05PM UTC

Email sent :)

Ryan | Last updated: Jan 12, 2022 09:08AM UTC

We are also having issues with the certificate chain not being sent. When comparing a successful handshake with a burp proxied handshake in wireshark only the smart card client certificate is sent whereas the succesful attempt sends the whole chain of 3 certificates.

Uthman, PortSwigger Agent | Last updated: Jan 12, 2022 11:40AM UTC

Rad, can you please email support@portswigger.net with the information below?

  • A screen recording of the issue replicated, including the URL of a site/application you can replicate it on
  • Diagnostics (Help > Diagnostics)
  • PCAP from Wireshark capturing the handshake when Burp is and is not configured

Steve | Last updated: Jul 25, 2022 08:58PM UTC

I am currently working on a similar issue. I have the benefit of multiple tokens, some of which have the complete certificate chain stored on the token itself and one of which does not. The tokens with the complete chain on them work correctly and all root, intermediate, and user certificates are sent. The one without the complete chain, only the user token is sent. Hopefully this helps the next person who finds this issue. Where would I need to add root and intermediary certificates to the truststore and/or keystore for Burp to be able to access them properly if this is possible? The certificates are in the Windows certificate store, but haven't been added to the Java configuration explicitly.

Hannah, PortSwigger Agent | Last updated: Jul 27, 2022 04:43PM UTC

Hi The trust store that Burp will use comes from your version of Java. Are you using the Installer version of Burp, or the standalone JAR file?

You need to Log in to post a reply. Or register here, for free.