Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

SSL certificate issue

Scott | Last updated: Jan 15, 2016 11:38AM UTC

How can I prevent my scans from reporting an SSL certificate issue Severity: Medium Confidence: Certain Host: https://localhost:44300 Path: / "The server's certificate is not trusted" Issued to: localhost Issued by: CN=localhost I'm using IIS express and have added the certificate to the windows store, so I can navigate in the browser without being prompted to continue.

PortSwigger Agent | Last updated: Jan 15, 2016 01:42PM UTC

Burp uses the Java truststore to validate whether SSL certificates are trusted. You could try adding the certificate to the Java truststore. Otherwise you could just ignore this issue by marking it as false positive.

Burp User | Last updated: Jan 18, 2016 09:01AM UTC

Thanks Dafydd though adding the certificate to the truststore didn't seem to work. Are self signed certificates inherently less trusted than CA signed certificates? I'm wondering if that's the issue here. I'm using carbonator to automate this process, so I can't mark it as a false positive. I'm happy to just continue having it reported but if you have any other ideas I'd be grateful.

PortSwigger Agent | Last updated: Jan 18, 2016 04:03PM UTC

Any certificate added to the trust store should be trusted, but if you can't easily get things working I would suggest just ignoring the issue if you know it is a false positive.

Liam, PortSwigger Agent | Last updated: Feb 19, 2016 09:17AM UTC

Hi Oliver Thanks for your message. Have you tried updating to the the latest version of Oracle Java?

Burp User | Last updated: Mar 04, 2016 12:42PM UTC