Back to Cookbook

Burp CA First Aid

Install trust correctly and fix "can't download CA certificate"

Field-tested checklist for getting HTTPS interception working in Burp. Covers Firefox's separate trust store, the http://burpsuite download page not loading, quick verification, and safe post-engagement rollback.

House RecipeWork5 min

INGREDIENTS

🌐Browser

PROMPT

Create a skill called "Burp CA First Aid". Inputs I will provide: - Burp proxy listener config (host/port) - Browser type (Firefox/Chrome/Edge) and OS - The exact error (can't reach http://burpsuite, TLS warning details) Task: 1) Diagnose whether the browser is actually proxying through Burp. 2) Provide the minimal steps to download and install Burp's CA certificate for that browser and OS. 3) Provide verification steps and safe rollback/removal steps.

What this fixes

Common symptoms:

  • Browser shows TLS warnings when Burp is intercepting
  • `http://burpsuite` does not load (can't download the CA certificate)
  • Firefox still shows certificate errors after importing into the OS trust store

Prerequisites

  • Burp running with a proxy listener bound to the right interface/port
  • Browser configured to proxy through Burp (or system proxy set)
  • Understanding of the local risk of trusting an interception CA (remove afterward)

Steps and commands

  1. Verify proxy is actually in use:
  • With Burp running, visit:

`http://burpsuite`

  • If it doesn't load, fix your browser proxy settings first.
  1. Download Burp's CA certificate:
  • Click "CA Certificate" (top-right) and save the file.
  1. Install the CA certificate in Firefox (Firefox maintains its own store):
  • Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import
  • Trust it for identifying websites.
  1. Install the CA certificate in Chrome/Edge (uses OS store):
  • Import into the OS trust store (Keychain on macOS, certmgr on Windows, ca-certificates on Linux).
  1. Confirm HTTPS works:
  • Browse to any HTTPS site and confirm:
  • no browser warning
  • traffic appears in Burp Proxy → HTTP history
  1. Rollback (post-engagement hygiene):
  • Remove the Burp CA certificate from all trust stores when done.

Expected outputs

  • Browsing HTTPS through Burp with no TLS warnings
  • Requests appear in Burp Proxy → HTTP history
  • `http://burpsuite` loads when proxying is correctly configured

Common errors and troubleshooting

  • Can't load `http://burpsuite`
  • Browser is not proxying through Burp, or Burp isn't running/listening.
  • Re-check proxy host/port match the Burp listener.
  • Firefox still warns after importing into OS store
  • Firefox uses its own certificate store. Import into Firefox Authorities separately.
  • Corporate/enterprise roots interaction
  • Firefox can optionally trust OS enterprise roots via `security.enterprise_roots.enabled`.
  • Confirm whether enterprise roots are in play before troubleshooting further.

References

  • https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate
  • https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate/ca-cert-firefox
  • https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate/proxy-troubleshooting
  • https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

Example inputs

  • Burp listener: 0.0.0.0:8080
  • Browser proxy: 127.0.0.1:8080
Tags:#pentesting#web#burp#tls#proxy#troubleshooting