02 December 2015

Adding BurpSuite CA To The Java Keystore

Just a quick tech note for my own reference in the future.
While testing a Java based thick client, I discovered the developers had left an option to set a proxy right inside the app (handy!). That meant I could throw all the app traffic through BurpSuite, and manipulate it as I wished.

The problem I ran into was that Java didn't trust the Burp CA. To get around that, I needed to add the CA to the default Java keystore. That turned out to be simple enough; the main things to know were where the Java keystore is stored:

    $JAVA_HOME/jre/lib/security/cacerts

and what the default password is:

    changeit

Once I had those, importing was painless:

$ keytool -import -trustcacerts -file ~/burp.cer -alias BURPSUITE -keystore $JAVA_HOME/jre/lib/security/cacerts

Enter keystore password: changeit

Owner: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger 
Issuer: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger 
Serial number: 563a4f3e 
Valid from: Wed Nov 04 13:32:30 EST 2015 until: Tue Oct 30 14:32:30 EDT 2035 
Certificate fingerprints: 
        MD5:  AF:5E:1C:E9:D5:18:4B:EC:7D:E3:6C:C7:91:BE:11:F0 
        SHA1: D5:5E:D4:2B:BC:4D:D0:0F:A2:04:97:AC:B8:1E:EB:DA:95:94:60:DB 
        SHA256: 73:F6:FF:6B:63:9C:E6:80:86:A3:63:C6:C5:08:77:F1:69:DA:71:34:4A:E5:7E:1B:33:5A:4B:F4:FD:1F:E1:6B
        Signature algorithm name: SHA256withRSA 
        Version: 3 

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
 CA:true 
 PathLen:0 
] 

#2: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 20 1C 1C 67 C2 21 B5 73   21 88 E2 77 6C 1D 2E 80   ..g.!.s!..wl... 
0010: 97 8E B2 D7                                        .... 
] 
] 

Trust this certificate? [no]:  yes 
Certificate was added to keystore
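The import above goes into the JDK-wide cacerts file, so every Java program on that machine trusts the Burp CA until it is removed again. The script below is an added example (not from the original post) that does the same job a little more carefully: it locates cacerts for both the older jre/lib/security layout and the lib/security layout used since Java 9, imports the Burp certificate into a private copy of the trust store rather than the system one, and checks the alias actually landed. It assumes keytool is on PATH, that JAVA_HOME points at a JDK, and that the certificate path and output path are placeholders you substitute.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes keytool is on PATH;
# the certificate path and destination are placeholders supplied by the caller.

# Locate the JDK's cacerts. Pre-Java-9 JDKs keep it under jre/lib/security,
# Java 9 and later under lib/security. Prints the first path that exists,
# returns non-zero if neither is present.
find_cacerts() {
    home="${1:-$JAVA_HOME}"
    for candidate in "$home/jre/lib/security/cacerts" "$home/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Build a private trust store: copy cacerts, import the proxy CA into the copy,
# then verify the alias is present. The system-wide cacerts is left untouched,
# so only a JVM started with -Djavax.net.ssl.trustStore pointing at the copy
# trusts the proxy CA.
make_test_truststore() {
    src="$1"      # e.g. "$(find_cacerts)"
    dst="$2"      # e.g. /tmp/burp-cacerts (placeholder)
    cert="$3"     # e.g. ~/burp.cer, exported from Burp (placeholder)
    alias="${4:-BURPSUITE}"
    cp "$src" "$dst"
    keytool -importcert -noprompt -trustcacerts \
        -file "$cert" -alias "$alias" \
        -keystore "$dst" -storepass changeit
    # -list with -alias exits non-zero if the alias is missing
    keytool -list -keystore "$dst" -storepass changeit -alias "$alias" >/dev/null
}
```

Run the client against the copy with `java -Djavax.net.ssl.trustStore=/tmp/burp-cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar app.jar` (paths are placeholders). When the test is over, deleting the copy removes the trust; if you did import into the real cacerts instead, `keytool -delete -alias BURPSUITE -keystore "$(find_cacerts)" -storepass changeit` takes it back out.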