Wednesday, September 9, 2009

BToD / Client SSL Certificate & CAC

Today's Burp Suite tip is a bit different and is based on some personal headaches I've had and what I've learned this week.

Burp comes with the ability to load PKCS12 Client SSL Certificate. This is a great feature. It is located under Burp > Options (recent versions of Professional) or Burp > Comms (Free version/outdated) and looks like this:

This relates to my situation. I must test a web application using a Common Access Card. I want Burp to establish this SSL relationship with the web application in the same way my browser would. So some things I learned about PKCS12 this week and how to work with Burp.

1) If you can export the certificate then go ahead and passphrase protect it. Burp will ask for your passhphrase accordingly.

2) If and ONLY if the certificate AND private key are marked as exportable will your middleware allow this to happen.

3) Your middleware (my case ActivClient) does not allow the software that exports the cert + private key such as IE, Outlook, etc. to do so when the "not exportable" flag is set. If this flag is set you will notice an attempt to export in IE will look like so:

BTW, to get to this point in IE you would go ahead and navigate to tools > internet options > content > certificates > and choose your certificate and export.

4) If this "Yes, export private key" option is greyed out you will only be able to export in the DER encoded binary x.509, Base-64 encoded x.509 and PKCS#7 format.

5) Again, we need PKCS#12. If your "yes, export private key" is NOT greyed out you are luckier than I. Enjoy and continue on.

6) If not, then you need to ask the Issuing Authority for a copy of your cert + private key with the "not exportable" flag turned off. This can be in either .p12 or .pfx since .pfx (windows version of .p12) can be renamed and work fine or so at least I am told.

Okay, hopefully anyone who has to test sites with CAC/PKI enabled will find some use.

Happy Hacking!

No comments: