安全科普:Installing Burp’s CA Certificate

burp suite代理https的时候，会使用服务器传过来的CA证书与服务器进行数据交互，而burp会把自己的证书数据传送给客户端（浏览器），而客户端 （浏览器）需要信任burp的证书，这样进行交互burp才能捕获到明文数据，如果你用burp做代理分析移动设备上的app https数据包的时候记得需要先安装burp的证书。

下面是详细的介绍：

By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp’s CA certificate as a trusted root in your browser.

Note: If you install a trusted root certificate in your browser, then an attacker who has the private key for that certificate may be able to man-in-the-middle your SSL connections without obvious detection, even when you are not using an intercepting proxy. To protect against this, Burp generates a unique CA certificate for each installation, and the private key for this certificate is stored on your computer, in a user-specific location. If untrusted people can read local data on your computer, you may not wish to install Burp’s CA certificate.

Use the links below for help on installing Burp’s CA certificate in different browsers and devices:

• Internet Explorer
• Firefox
• Chrome
• Safari
• IPhone
• Android

Please note that browser options and processes for handling trusted certificates are subject to change over time. The instructions described here work on most recent browsers, and the process is sufficiently generic for you to adapt if your browser behaves slightly differently. If you encounter a significant error or omission, please contact us to let us know.

Internet Explorer

Note: To change trusted certificate settings on IE, you must have an account with local administrator privileges.

To install Burp’s CA certificate on IE, perform the following steps:

1. If you have previously installed a different CA certificate generated by Burp, you should first remove it (see instructions below).
2. Launch Internet Explorer. On recent versions of Windows, you must run IE as administrator. Click the “Start” button, type “internet explorer” into the search box, right-click the Internet Explorer link, and select “Run as Administrator” from the context menu.
3. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp’s Proxy listener to generate CA-signed per-host certificates (this is the default setting).
4. In your browser, visit any HTTPS URL. If you receive a warning, click “Continue to this website (not recommended)”.
5. Click on the “Certificate error” button in the address bar.
6. Click “View certificates”.
7. Go to the “Certification Path” tab.
8. Select the root certificate in the tree (PortSwigger CA).
9. Click “View Certificate”.
10. Click “Install Certificate”.
11. In the Certificate Import Wizard, select “Place all certificates in the following store”.
12. Click “Browse”.
13. Select “Trusted Root Certification Authorities”.
14. Click “OK”.
15. Complete the wizard.
16. Click “Yes” on the security warning.
17. Close all dialogs and restart IE (no need to run as administrator).

If everything has worked, you should now be able to visit any HTTPS URL via Burp without any security warnings.

To remove a Burp CA certificate which you have previously installed on IE, perform the following steps:

1. Launch Internet Explorer. On recent versions of Windows, you must run IE as local administrator. Click the “Start” button, type “internet explorer” into the search box, right-click the Internet Explorer link, and select “Run as Administrator” from the context menu.
2. Go to Tools | Internet Options.
3. Go to the Content tab.
4. Click “Certificates”.
5. Go to the Trusted Root Certification Authorities tab.
6. Select the PortSwigger CA entry in the list.
7. Click “Remove”.
8. Click “Yes” in each confirmation dialog.
9. Confirm that the PortSwigger CA entry has been removed.
10. Restart IE.

Firefox

If you have the Plug-n-hack plugin installed in Firefox, you can configure your browser to use Burp as its proxy, and install Burp’s CA certificate, by visiting the URL of your Proxy listener (for example: http://127.0.0.1:8080) and following the “Plug-n-hack” link.

If you do not have the Plug-n-hack plugin, perform the following steps:

1. If you have previously installed a different CA certificate generated by Burp, you should first remove it (see instructions below).
2. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp’s Proxy listener to generate CA-signed per-host certificates (this is the default setting).
3. Visit http://burp and click the “Cert” link to download and save your Burp CA certificate.
4. Go to Tools | Options.
5. Click “Advanced”.
6. Go to the Encryption tab.
7. Click “View Certificates”.
8. Go to the Authorities tab.
9. Click “Import” and select the certificate file that you previously saved.
10. On the “Downloading Certificate” dialog, check the box “Trust this CA to identify web sites”, and click “OK”.
11. Close all dialogs and restart Firefox.

If everything has worked, you should now be able to visit any HTTPS URL via Burp without any security warnings.

To remove a Burp CA certificate which you have previously installed on Firefox, perform the following steps:

1. In Firefox, go to Tools | Options.
2. Click “Advanced”.
3. Go to the Encryption tab.
4. Click “View Certificates”.
5. Go to the Authorities tab.
6. Select the PortSwigger CA entry in the list (this is a sub-entry under PortSwigger).
7. Click “Delete”.
8. Click “OK” in the confirmation dialog.
9. Confirm that the PortSwigger CA entry has been removed.
10. Restart Firefox.

Chrome

The Chrome browser picks up the certificate trust store from your host computer. If you are using Chrome, you can follow the instructions on this page for your computer’s built-in browser. When the Burp CA certificate has been installed in your built-in browser, restart Chrome and you should be able to visit any HTTPS URL via Burp without any security warnings.

If you aren’t sure which browser to configure, then configure Chrome to use Burp as its proxy, and visit any SSL-protected URL in Chrome. Proceed through the security warning, click on the broken padlock symbol in the URL bar, and click on Certificate Information. This will open the certificate details dialog for your built-in browser, and you can follow the relevant instructions from there.

Safari

To install Burp’s CA certificate on Safari, perform the following steps:

1. If you have not already done so, configure your browser to use Burp as its proxy, and configure Burp’s Proxy listener to generate CA-signed per-host certificates (this is the default setting).
2. In your browser, visit any HTTPS URL.
3. In the warning dialog titled “Safari can’t verify the identity …” click “Show Certificate”.
4. Select the root certificate in the tree (PortSwigger CA).
5. Check the box “Always trust PortSwigger CA”.
6. Click Continue, and enter your password if requested.

IPhone

To install Burp’s CA certificate on your iPhone or other IOS device, perform the following steps.

1. First, you need to use your desktop browser to export Burp’s CA certificate. Using your browser, visit http://burp and click the “Cert” link to download your Burp CA certificate. Save the certificate somewhere on your computer using the .crt file extension.
2. Copy the certificate onto your iPhone. The easiest way to do this is to send it as an email attachment from your desktop computer to an account that your iPhone is set up to receive emails for.
3. On your iPhone, open the email and click on the attachment.
4. In the dialog that opens, click the “Install” button, and step through the certificate installation wizard, entering your PIN number if requested.

Note that you may be able to download Burp’s CA certificate directly to your device by visiting http://burp/cert with your device configured to use Burp as its proxy.

Android

Installing a new trusted CA certificate on Android is not trivial, and requires running some scripts on a rooted phone. Various instructions and scripts can be found via Google if you would like to do this (try searching for: import burp CA into android device).

博主补充：

1.先把你的CA证书拷贝到你的SD卡里面
2.进入手机的“设置”->“位置和安全”，最下面有个“从SD卡安装”，就是安装证书的。点击后按提示操作就OK了。

转自：http://www.cnseay.com/3871/

转载请注明：jinglingshu的博客 » 安全科普:Installing Burp’s CA Certificate