diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 1212d8f..02fe517 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -329,15 +329,16 @@ in
 home.packages = with pkgs; lib.optionals cfg.enable [
 # step-cli
 (mkMtlsGenerateScript {
+ inherit pkgs;
+ inherit (cfg) keyFile certFile bundleFile;
 inherit (cfg) subject provisioner san lifetime;
 inherit (cfg.renew) user group;
- inherit pkgs certFile keyFile bundleFile;
 })
 (mkMtlsCheckScript { inherit pkgs bundleFile; })
 # (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
 (inputs.self.wrappers.mtlsRenew.apply {
 inherit pkgs;
- inherit (cfg) certDir certFile keyFile;
+ inherit (cfg) certDir keyFile certFile bundleFile;
 }).wrapper
 ];
@@ -389,11 +390,15 @@ in
 type = lib.types.str;
 default = "${config.certDir}/cert.pem";
 };
+ bundleFile = lib.mkOption {
+ description = "String path for the mTLS key bundle";
+ type = lib.types.str;
+ default = "${config.certDir}/mtls.pem";
+ };
 };
 config = {
 binName = "mtls-renew";
- package = config.pkgs.step-cli;
 extraPackages = [
 (inputs.self.wrappers.mtlsNeedsRenewal.apply {
 inherit (config) pkgs certFile;
@@ -423,6 +428,8 @@ in
 echo "Renewing mTLS certificate"
 fi
 '';
+ package = config.pkgs.step-cli;
+ args = [ "ca" "renew" "--force" config.certFile config.keyFile ];
 };
 });
 };
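Review bot: The check script on the context line `(mkMtlsCheckScript { inherit pkgs bundleFile; })` still takes the bare `bundleFile` binding, while the generate script right above it now takes `cfg.bundleFile` and the renew wrapper below it takes `cfg.bundleFile` too; unless the let-bound `bundleFile` (defined outside this hunk) is exactly `cfg.bundleFile`, the check verifies a different file than the one that is generated and renewed, and a stale or missing bundle would go unnoticed. For consistency with the rest of the hunk, `(mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })`. The `inherit (cfg) certDir keyFile certFile bundleFile;` handed to the renew wrapper matches the option added in the next hunk, so that side is covered. The enclosing `home.packages` list starts inside this hunk but the surrounding module continues outside it.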
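Review bot: The renew wrapper now receives `bundleFile`, but the added `args = [ "ca" "renew" "--force" config.certFile config.keyFile ];` only rewrites `certFile`, so nothing visible in this hunk regenerates the bundle after a renewal. If the bundle at `config.bundleFile` is what clients actually present, it keeps holding the pre-renewal certificate until something else rebuilds it, and since `mtlsNeedsRenewal` is given `certFile` (previous hunk) rather than the bundle, a stale bundle would not trigger another renew either. Either rebuild the bundle from `keyFile` and `certFile` in a post-renew step of this wrapper, or note on the `bundleFile` option where that happens. A why-comment above the args line would also help, e.g. `# --force: renew unconditionally; expiry gating is done by mtlsNeedsRenewal (presumably, confirm)`. The wrapper's `config` attribute set begins in the previous hunk and the script body it follows is outside this one.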