https://github.com/fhessel/esp32_https_server/blob/de1876cf6fe717cf236ad6603a97e88f22e38d62/examples/REST-API/REST-API.ino#L219 is exactly what we need

That seems not sufficient. The generated cert must adhere to some Apple rules also:

• https://support.apple.com/de-de/HT210176
  • Max validity 2 years
  • hostname (&ip?) in Subject Alternative Name
  • 2048 bit key length
  • ExtendedKeyUsage (EKU)- "id-kp-serverAuth OID"

So we need:

• Extend the cert creation method to add the extension attributes (seem to be well supported by mbedtls but not directly by the https server utility method). Supported via: self-signed certificates: Add CN as subjectAltName fhessel/esp32_https_server#113
• A way to trigger generation of new cert (can not create cert for 10 years)
• Way to download the cert for local install (application/octet-stream (?) obs.cer, base64), also via http access.
• Increase length to 2048 which will increase key creation time, we need a progress bar or similar
• Put some documentation on the http welcome page (specific for Mac? / Android? / Linux / iOS / Win)?