Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

SmartCard Authentication - Error: Cannot produce CertificateVerify signature

Will | Last updated: Apr 08, 2020 07:13PM UTC

Greetings, I have a web application that is configured to use pkcs11 Smart Card authentication. When I browse to the application and authenticate via the standard mechanisms, I gain access to the application without issue. When I attempt to browse to the application through burp, I get the following error: 'Error Cannot produce CertificateVerify signature'. I have configured the client TLS Certificates under User Options > TLS > Client TLS Certificates and have verified the certificates work when not using burp. Any thoughts on resolving this issue would be greatly appreciated. Thanks much, Will

Hannah, PortSwigger Agent | Last updated: Apr 09, 2020 08:19AM UTC

Hi Will Could you try using a different Java version with your Burp installation, like Java 13 or 14? You can check the version of Java that Burp is using by going to "Help > Diagnostics > java.version". If that doesn't work, could you try disabling TLSv1.3 by going to "Project options > TLS > TLS negotiation > Use custom protocols and cyphers > Uncheck TLSv1.3"? Please let us know how you get on.

Will | Last updated: Apr 09, 2020 04:01PM UTC

After upgrading to Java 14, the error changes to "Error No supported CertificatVerify signature algorithm for RSA key". The error is the same with TLSv1.3 enabled and disabled. Downgrading to Java 13.0.2 seems to have resolved the Burpsuite error, though it still wont properly authenticate to to application. I suspect this is due to issues outside of Burpsuite itself. Thanks again for the help!

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.