diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 4041c84..3fa7b26 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -351,14 +351,7 @@ in
     };
 
   flake.wrappers = {
-    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }:
-      let
-        singleOutputOpenSSL = config.pkgs.symlinkJoin {
-          name = "openssl";
-          paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
-          meta.mainProgram = "openssl";
-        };
-      in {
+    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
       options = {
         bundleFile = lib.mkOption {
           description = "String path for the mTLS key bundle";
@@ -368,8 +361,12 @@ in
 
       config = {
         binName = "mtls-check";
-        package = singleOutputOpenSSL;
-        exePath = "${singleOutputOpenSSL}/bin/openssl";
+        # This pattern is necessary to wrap packages like openssl that provide more than one binary
+        package = config.pkgs.symlinkJoin {
+          name = "openssl";
+          paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
+          meta.mainProgram = "openssl";
+        };
         args = [
           "x509"
           "-noout"