diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 01cefaf..56ae750 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -274,6 +274,10 @@ in
         (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
       ];
 
+      systemd.tmpfiles.rules = [
+        "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
+      ];
+
       systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
         inherit pkgs tlsCert tlsKey mtlsBundle;
         inherit (cfg.renew) reloadUnits postCommands user group;
@@ -313,6 +317,10 @@ in
         (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
       ];
 
+      systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
+        "d ${cfg.certDir} 0700 - - -"
+      ];
+
       systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
         inherit pkgs tlsCert tlsKey mtlsBundle;
         inherit (cfg.renew) reloadUnits postCommands;
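Review bot: The `d` line added to `systemd.tmpfiles.rules` does not only create `${cfg.certDir}` — tmpfiles `d` also re-applies the given mode and owner to a directory that already exists, so if `certDir` is pointed at a pre-existing shared location, that directory and its ownership are silently handed to `cfg.renew.user` on every boot and activation. The same applies to the `systemd.user.tmpfiles.rules` line in the second hunk (mode 0700 there). Unless `certDir` is documented as dedicated to this module, consider an assertion that it is not a well-known system path, or at least a comment next to the rule such as `# tmpfiles 'd' also chmod/chowns an existing directory; certDir must be dedicated to this module`. The `-` age field correctly disables time-based cleanup, which matters since the private key and bundle are meant to persist here. The enclosing attribute set starts before this hunk (the header shows only `in`), so whether the whole block is already guarded by `cfg.enable` is not visible.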
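Review bot: The Home Manager rule is guarded with `lib.mkIf cfg.enable` while the NixOS rule in the first hunk is emitted unconditionally, so the two backends diverge in when the directory is created and, in the NixOS case, it is created owned by `cfg.renew.user` even when renewal is disabled and that user may be irrelevant to the deployment. If the NixOS block is not already wrapped in `mkIf cfg.enable` outside the hunk, aligning it with the second hunk — `systemd.tmpfiles.rules = lib.mkIf cfg.enable [ … ];` — or tying it to `cfg.renew.enable` like the adjacent `systemd.services.mtls-renew` would make the ownership intent explicit. A one-line comment stating why 0700 is used here versus 0750 on the NixOS side (single-user session, no group consumers) would also help the next reader. The enclosing attribute set starts before this hunk, so the surrounding guard cannot be confirmed from the diff.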