Burp Suite User Forum


The server's certificate is not trusted

Denis | Last updated: Oct 06, 2020 06:01PM UTC

Hi Team,

I'm running Burp scans against various sites, and in every report it has a Medium SSL certificate finding that says "The server's certificate is not trusted."

For example, we have the following URL: https://terra-bard-dev.appspot.com

Burp report tells us:

The server presented the following certificates:

Server certificate
Issued to: *.appspot.com, *.an.r.appspot.com, *.app.google, *.as.r.appspot.com, *.de.r.appspot.com, *.df.r.appspot.com, *.dt.r.appspot.com, *.du.r.appspot.com, *.el.r.appspot.com, *.et.r.appspot.com, *.ew.r.appspot.com, *.ey.r.appspot.com, *.ez.r.appspot.com, *.lz.r.appspot.com, *.nn.r.appspot.com, *.nw.r.appspot.com, *.nz.r.appspot.com, *.oa.r.appspot.com, *.rj.r.appspot.com, *.thinkwithgoogle.com, *.ts.r.appspot.com, *.tz.r.appspot.com, *.uc.r.appspot.com, *.ue.r.appspot.com, *.uk.r.appspot.com, *.uw.r.appspot.com, *.withgoogle.com, *.withyoutube.com, *.wl.r.appspot.com, *.wm.r.appspot.com, *.wn.r.appspot.com, app.google, appspot.com, thinkwithgoogle.com, withgoogle.com, withyoutube.com
Issued by: GTS CA 1O1
Valid from: Thu Sep 03 06:35:41 GMT 2020
Valid to: Thu Nov 26 06:35:41 GMT 2020

Certificate chain #1
Issued to: GTS CA 1O1
Issued by: GlobalSign
Valid from: Thu Jun 15 00:00:42 GMT 2017
Valid to: Wed Dec 15 00:00:42 GMT 2021

Certificate chain #2
Issued to: GlobalSign
Issued by: GlobalSign
Valid from: Fri Dec 15 08:00:00 GMT 2006
Valid to: Wed Dec 15 08:00:00 GMT 2021

I've tried the following:
1) verified with keytool that certificate #2 is already in Java cacerts store
2) imported certificate #1 into that store

However, even after these attempts, the report still says that the certificate is untrusted. This is happening to every site that we scan, and they use different cert chains (so it's not limited to just one issuer). Is there something else we overlook here?

Thank you

Denis | Last updated: Oct 06, 2020 07:20PM UTC

What's even stranger, the validation worked only after I also imported the actual server certificate here:

Server certificate
Issued to: *.appspot.com, *.an.r.appspot.com, *.app.google, *.as.r.appspot.com, *.de.r.appspot.com, *.df.r.appspot.com, *.dt.r.appspot.com, *.du.r.appspot.com, *.el.r.appspot.com, *.et.r.appspot.com, *.ew.r.appspot.com, *.ey.r.appspot.com, *.ez.r.appspot.com, *.lz.r.appspot.com, *.nn.r.appspot.com, *.nw.r.appspot.com, *.nz.r.appspot.com, *.oa.r.appspot.com, *.rj.r.appspot.com, *.thinkwithgoogle.com, *.ts.r.appspot.com, *.tz.r.appspot.com, *.uc.r.appspot.com, *.ue.r.appspot.com, *.uk.r.appspot.com, *.uw.r.appspot.com, *.withgoogle.com, *.withyoutube.com, *.wl.r.appspot.com, *.wm.r.appspot.com, *.wn.r.appspot.com, app.google, appspot.com, thinkwithgoogle.com, withgoogle.com, withyoutube.com
Issued by: GTS CA 1O1
Valid from: Thu Sep 03 06:35:41 GMT 2020
Valid to: Thu Nov 26 06:35:41 GMT 2020

But doesn't that mean we have to import every single server certificate to Java cacerts, even though they're supposed to be trusted if their intermediate certificates are already in the store? I'd imagine there's an option setting in Burp to enable this trust?

Thanks

Hannah, PortSwigger Agent | Last updated: Oct 08, 2020 08:57AM UTC

Hi,

Does your certificate use ECC keys for encryption?

Joel | Last updated: Feb 23, 2021 04:57PM UTC

So I too was receiving the TLS "The server's certificate is not trusted" issue. So I checked "all" my Java cacerts keystores and thought I'd added my ROOT CA (running this in my homelab) to Burp's jre cacerts. Still I was having the same issue, even tried to use ECC on my certs, still same issue. So I, yes, uninstalled my JDK and/or JRE installation and removed this from the Windows path and Java_Home environment variable, and then added Burp's jre\bin to the Windows path, and tried to import my ROOT CA certificate, once again, and it worked.

Hope this helps everyone who is using and trying this software. I have 27 days on my trial version of Enterprise and I'm loving it. Keep up the good work.

JL
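
A check for the situation described in the post above, where a separate JDK/JRE sits on the path next to Burp's bundled JRE (an added example, not part of the original thread or PortSwigger's tooling). It reports which JRE the `keytool` on `PATH` belongs to and whether that is the JRE Burp runs on. Assumptions: a POSIX shell, the Java 9+ directory layout, a Burp JRE path supplied by the caller, and hypothetical function names.

```shell
#!/bin/sh
# Added example: find out which JRE owns the `keytool` on PATH and whether
# that is the JRE bundled with Burp.
# Assumption: a JRE home contains bin/keytool and lib/security/cacerts
# (Java 9+ layout); Java 8 JDKs use jre/lib/security/cacerts instead.
# Usage (after sourcing): check_burp_truststore /path/to/burp/jre

# Print the home directory of the JRE that owns the first keytool on PATH.
keytool_jre_home() {
    kt=$(command -v keytool) || return 1
    # Follow symlinks such as /usr/bin/keytool -> /etc/alternatives/keytool.
    while [ -L "$kt" ]; do
        target=$(readlink "$kt")
        case $target in
            /*) kt=$target ;;
            *)  kt=$(dirname "$kt")/$target ;;
        esac
    done
    # <home>/bin/keytool -> <home>, with symlinked directories resolved.
    (cd "$(dirname "$kt")/.." && pwd -P)
}

# $1 = Burp's bundled JRE directory (install-specific, supplied by the caller).
# Prints "match <cacerts>" when keytool on PATH belongs to Burp's JRE,
# otherwise "mismatch <cacerts of the JRE that keytool belongs to>".
check_burp_truststore() {
    burp_jre=$(cd "$1" && pwd -P) || return 2
    path_jre=$(keytool_jre_home) || { echo "no-keytool"; return 1; }
    if [ "$path_jre" = "$burp_jre" ]; then
        echo "match $burp_jre/lib/security/cacerts"
    else
        echo "mismatch $path_jre/lib/security/cacerts"
        return 1
    fi
}
```

On a mismatch, the trust store can be named explicitly instead of relying on the path: `keytool -importcert -alias <alias> -file <root-ca.pem> -keystore <burp-jre>/lib/security/cacerts`.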

Ben, PortSwigger Agent | Last updated: Feb 24, 2021 09:55AM UTC

Thanks for the tip Joel!
