diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index b7da51e..9fd8087 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -91,7 +91,7 @@ let
 '') reloadUnits;
 renewPostCommands = lib.concatStringsSep "\n" postCommands;
 in
- pkgs.writeShellScript "mtls-renew" ''
+ pkgs.writeShellScriptBin "mtls-renew" ''
 set -euo pipefail

 if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
@@ -104,7 +104,7 @@ let
 ${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}"

 umask 077
- cat "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"
+ ${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"

 ${renewReloadScript}
 ${renewPostCommands}
@@ -131,13 +131,12 @@ let
 wantedBy = [ ];
 after = [ "network-online.target" ];
 wants = [ "network-online.target" ];
- path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];
 serviceConfig = {
 Type = "oneshot";
 User = user;
 Group = serviceGroup;
+ ExecStart = lib.getExe renewScript;
 };
- script = builtins.readFile renewScript;
 };

 mkNixosMtlsRenewTimer = {
@@ -178,7 +177,7 @@ let
 };
 Service = {
 Type = "oneshot";
- ExecStart = "${renewScript}";
+ ExecStart = lib.getExe renewScript;
 };
 };

@@ -283,6 +282,7 @@ in
 -ext subjectAltName,extendedKeyUsage \
 -enddate -in ${mtlsBundle}
 '')
+ (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
 ];

 systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
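Review bot: The new `cat` line still rebuilds the bundle by truncating `${mtlsBundle}` in place, so the preceding `umask 077` only protects a bundle that does not exist yet — an existing file keeps whatever mode it already has — and any consumer that opens the file between the truncate and the end of the write sees an empty or partial cert+key. Writing to a fresh sibling file and renaming over the old one fixes both: the new file is created under the 077 umask and the swap is atomic on the same filesystem. Replace the line with `${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}.tmp"` followed by `${lib.getExe' pkgs.coreutils "mv"} -f "${mtlsBundle}.tmp" "${mtlsBundle}"` (both inside the same `umask 077` scope). The `if` block this hunk sits in is opened in the previous hunk and closed after this one.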
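Review bot: Dropping `path = [ pkgs.coreutils pkgs.step-cli pkgs.systemd ];` is covered for the script's own `step` and `cat` calls, which are now absolute, but not for the `${renewReloadScript}` and `${renewPostCommands}` the script interpolates: if the reload script invokes `systemctl` by bare name it now relies on the NixOS default service PATH (which I believe includes systemd, but confirm), and user-supplied post-commands that relied on `step` being on PATH lose it silently under `set -e`. Either keep a reduced `path = [ pkgs.step-cli pkgs.systemd ];` next to the new `ExecStart`, or document on the post-commands option that commands must use absolute paths. The service attribute set edited here begins before this hunk.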
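Review bot: Adding `mkMtlsRenewScript { … }` to this package list (which begins before the hunk) puts `mtls-renew` on the user's PATH next to the timer-driven unit, so two instances can now run `step ca renew --force` and rewrite `${mtlsBundle}` at the same time, and nothing visible in the script serialises them. A manual run racing the timer can bundle a key the other instance is about to replace or leave the bundle half-written. Consider having the manual path start the unit instead (`systemctl --user start mtls-renew.service`), or take a `flock` on the bundle directory at the top of the script; at minimum add a comment on this line, `# also exposed as a CLI; racing the timer is unsafe without a lock`.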