diff --git a/.github/workflows/e2e_openssl.yml b/.github/workflows/e2e_openssl.yml
index 4fe27b67f2..09ab963896 100644
--- a/.github/workflows/e2e_openssl.yml
+++ b/.github/workflows/e2e_openssl.yml
@@ -55,7 +55,7 @@ jobs:
       - name: Build, deploy, contrast generate, contrast set, contrast verify
         run: |
           just coordinator initializer openssl
-          just generate openssl contrast.cli
+          just populate openssl
       - name: Setup Summary
         run: |
           cat ./workspace/just.namespace | tee -a "${GITHUB_STEP_SUMMARY}"
diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go
index 53e7c40fae..c471e3d3e8 100644
--- a/e2e/openssl/openssl_test.go
+++ b/e2e/openssl/openssl_test.go
@@ -41,6 +41,25 @@ func TestOpenSSL(t *testing.T) {
 	resources, err := filepath.Glob("./workspace/deployment/*.yml")
 	require.NoError(t, err)
 
+	require.True(t, t.Run("generate", func(t *testing.T) {
+		require := require.New(t)
+
+		args := []string{
+			"--workspace-dir", "./workspace",
+		}
+		args = append(args, resources...)
+
+		generate := cmd.NewGenerateCmd()
+		generate.Flags().String("workspace-dir", "", "") // Make set aware of root flags
+		generate.SetArgs(args)
+		generate.SetOut(io.Discard)
+		errBuf := &bytes.Buffer{}
+		generate.SetErr(errBuf)
+
+		require.NoError(generate.Execute(), "could not generate manifest: %s", errBuf)
+
+	}))
+
 	// TODO(burgerdev): policy hash should come from contrast generate output.
 	coordinatorPolicyHashBytes, err := os.ReadFile("workspace/coordinator-policy.sha256")
 	require.NoError(t, err)
diff --git a/justfile b/justfile
index f9f9ad2ce2..69b3996d13 100644
--- a/justfile
+++ b/justfile
@@ -25,10 +25,10 @@ default_deploy_target := "simple"
 workspace_dir := "workspace"
 
 # Generate policies, apply Kubernetes manifests.
-deploy target=default_deploy_target cli=default_cli: (generate target cli) (apply target)
+deploy target=default_deploy_target cli=default_cli: (populate target) (generate cli) (apply target)
 
-# Generate policies, update manifest.
-generate target=default_deploy_target cli=default_cli:
+# Populate the workspace with a Kubernetes deployment
+populate target=default_deploy_target:
     #!/usr/bin/env bash
     set -euo pipefail
     mkdir -p ./{{ workspace_dir }}
@@ -47,6 +47,10 @@ generate target=default_deploy_target cli=default_cli:
         --replace ghcr.io/edgelesssys ${container_registry}
     nix run .#kypatch namespace -- ./{{ workspace_dir }}/deployment \
         --replace edg-default {{ target }}${namespace_suffix-}
+
+# Generate policies, update manifest.
+generate cli=default_cli:
+    #!/usr/bin/env bash
     t=$(date +%s)
     nix run .#{{ cli }} -- generate \
         --workspace-dir ./{{ workspace_dir }} \