famedly
diff --git a/Diff for: ‎.config/starte2e.sh
+4-1 b/Diff for: ‎.config/starte2e.sh
+4-1
diff --git a/Diff for: ‎.gitignore
+3 b/Diff for: ‎.gitignore
+3
diff --git a/Diff for: ‎tests/environment/certs/ca.crt
-20 b/Diff for: ‎tests/environment/certs/ca.crt
-20
diff --git a/Diff for: ‎tests/environment/certs/client.crt
-19 b/Diff for: ‎tests/environment/certs/client.crt
-19
diff --git a/Diff for: ‎tests/environment/certs/client.key
-28 b/Diff for: ‎tests/environment/certs/client.key
-28
diff --git a/Diff for: ‎tests/environment/certs/generate-certs.sh
+7-1 b/Diff for: ‎tests/environment/certs/generate-certs.sh
+7-1
diff --git a/Diff for: ‎tests/environment/certs/server.crt
-20 b/Diff for: ‎tests/environment/certs/server.crt
-20
diff --git a/Diff for: ‎tests/environment/certs/server.key
-28 b/Diff for: ‎tests/environment/certs/server.key
-28
@@ -10,6 +10,9 @@ export PATH="${PATH}:/usr/bin"
 touch tests/environment/zitadel/service-user.json
 chmod a+rw tests/environment/zitadel/service-user.json
 
+# Generate certificates
+tests/environment/certs/generate-certs.sh
+
 # Shut down any still running test-setup first
-docker compose --project-directory ./tests/environment down -v test-setup || true
+docker compose --project-directory ./tests/environment down -v || true
 docker compose --project-directory ./tests/environment up --wait
@@ -2,3 +2,6 @@
 /target
 /tests/environment/zitadel/service-user.json
 /tests/environment/config.yaml
+/tests/environment/certs/*.crt
+/tests/environment/certs/*.key
+.DS_Store
@@ -1,11 +1,16 @@
 #!/bin/sh
 set -eux
 
+pushd $(dirname $0)
+
+# We need to set EKUs (extendedKeyUsage) otherwise MacOS won't trust
+# the certificate
 openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 \
 		-keyout server.key \
 		-out server.crt \
 		-subj "/C=DE/CN=example.org" \
-		-addext "subjectAltName = DNS:zitadel, DNS:localhost"
+		-addext "subjectAltName = DNS:zitadel, DNS:localhost" \
+		-addext "extendedKeyUsage = serverAuth, clientAuth"
 
 # These keys are not actually secret, and when passed into the docker
 # container the server key needs to be readable by the container user
@@ -18,3 +23,4 @@ openssl req -x509 -nodes -days 3650 -sha256 -newkey rsa:2048 \
 		-keyout client.key \
 		-out client.crt \
 		-subj "/CN=admin.example.org"
+popd