Sometimes you want to take the certificate that Burp Suite generates and place it somewhere else (e.g., into a mobile app, to bypass certificate pinning).

Here is how to extract the certificate using Kali 2016 Rolling.

proxytunnel -p LOCAL_IP_BURP_LISTENING_ON:LOCAL_PORT_BURP_LISTENING_ON -d DOMAIN_YOU_WANT:443 -a 7000 & openssl s_client -connect localhost:7000 -showcerts </dev/null 2>/dev/null | openssl x509 -outform der > mycert.der

The options are:

  • LOCAL_IP_BURP_LISTENING_ON is the IP address that Burp Suite Proxy is set to listen on.
  • LOCAL_PORT_BURP_LISTENING_ON is the port that Burp Suite Proxy is set to listen on.
  • DOMAIN_YOU_WANT is the domain you want to spoof. This can also include subdomains and a wildcard (e.g., test.myuni.ac.uk or *.myuni.ac.uk)
  • mycert.der is the DER file generated. Don't forget to rename it to what the application is expecting. 

For example:
proxytunnel -p 127.0.0.1:8080 -d '*.myUni.ac.uk:443' -a 7000 & openssl s_client -connect localhost:7000 -showcerts </dev/null 2>/dev/null | openssl x509 -outform der > mycert.der

Here my Burp Suite proxy is listening on 127.0.0.1, port 8080; *.myUni.ac.uk is the example domain I want on my cert, and the output file is named mycert.der. The wildcard is quoted so that the shell does not try to expand it.

P.S.: Don't forget that if you are working with teammates, you can easily query their Burp Suite proxy.

-- 

If you want to check your results, you will need to convert from one format to the other. So convert DER to PEM:

openssl x509 -inform der -in mycert.der -out mycert.pem

And then check your results. 

openssl x509 -in mycert.pem -text -noout
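
The two check commands above can be wrapped into one function that also catches an empty mycert.der (which is what the pipeline leaves behind when the s_client step fails) and confirms that the certificate covers the host name you asked for. This is an added example, not part of the original post; the function name check_der_cert and its arguments are assumptions made for illustration.

```shell
# Added example: sanity-check a DER certificate produced by the pipeline above.
# check_der_cert is a hypothetical helper; file and host names are placeholders.
check_der_cert() {
    der_file=$1                           # e.g. mycert.der
    expect_host=$2                        # concrete host the cert must cover
    pem_file=${3:-${der_file%.der}.pem}   # where to write the PEM copy

    # The shell redirect creates the output file even when the upstream
    # openssl commands fail, so an empty file means no cert was captured.
    if [ ! -s "$der_file" ]; then
        echo "FAIL: $der_file is missing or empty" >&2
        return 1
    fi

    # DER -> PEM; this also proves the file parses as an X.509 certificate.
    if ! openssl x509 -inform der -in "$der_file" -out "$pem_file" 2>/dev/null; then
        echo "FAIL: $der_file is not a DER-encoded certificate" >&2
        return 1
    fi

    # Subject and issuer show whether this is the proxy-generated
    # certificate or the real server's; the fingerprint identifies it.
    openssl x509 -in "$pem_file" -noout -subject -issuer -enddate \
        -fingerprint -sha256

    # -checkhost prints "does match" or "does NOT match"; it understands
    # wildcard names, so pass a concrete host such as test.myuni.ac.uk.
    if ! openssl x509 -in "$pem_file" -noout -checkhost "$expect_host" |
        grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover $expect_host" >&2
        return 2
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$pem_file" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        return 3
    fi

    echo "OK: $der_file covers $expect_host and is within its validity period"
}
```

Call it as check_der_cert mycert.der test.myuni.ac.uk; a non-zero return code tells you which check failed.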