diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index e57aa89..063352e 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -1,4 +1,4 @@
-{ inputs, lib, ... }:
+{ self, inputs, lib, ... }:
 let
 # Options that will be in common between
 opts = {
@@ -74,6 +74,31 @@ let
 };
 };
+ mtlsGenerate = {
+ pkgs,
+ subject,
+ provisioner,
+ san,
+ tlsCert,
+ tlsKey,
+ mtlsBundle,
+ lifetime,
+ }:
+ let
+ stepCmd = lib.getExe pkgs.step-cli;
+ sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
+ in
+ (pkgs.writeShellScriptBin "mtls-generate" ''
+ set -euo pipefail
+ ${stepCmd} ca certificate \
+ ${subject} ${tlsCert} ${tlsKey} \
+ --not-before=-5m --not-after=${lifetime} \
+ --provisioner ${provisioner} \
+ ${sanArgs} \
+ "$@"
+ cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
+ '');
+
 mkMtlsRenewScript = {
 pkgs,
 tlsCert,
@@ -84,6 +109,7 @@ let
 systemctlArgs ? [ ],
 }:
 let
+ echoCmd = lib.getExe' pkgs.coreutils "echo";
 systemctl = lib.getExe' pkgs.systemd "systemctl";
 escapedArgs = lib.escapeShellArgs systemctlArgs;
 systemctlCommand = "${systemctl} ${escapedArgs}";
@@ -98,9 +124,9 @@ let
 set -euo pipefail
 if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
- echo "Renewing mTLS certificate"
+ ${echoCmd} "Renewing mTLS certificate"
 else
- echo "Skipping renew"
+ ${echoCmd} "Skipping renew"
 exit "$?"
 fi
@@ -109,10 +135,10 @@ let
 umask 077
 ${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"
- echo "Reloading units:"
+ ${echoCmd} "Reloading units:"
 ${renewReloadScript}
- echo "Post commands:"
+ ${echoCmd} "Post commands:"
 ${renewPostCommands}
 '';
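Review bot: In the new `mtlsGenerate` script (hunk @@ -74,6 +74,31 @@), `cat ${tlsCert} ${tlsKey} > ${mtlsBundle}` writes the private key into the bundle without the `umask 077` that the renew script in the same file sets before its equivalent `cat` (hunk @@ -109,10 +135,10 @@), so the bundle's mode depends on the invoking shell's umask and can end up group- or world-readable. Adding `umask 077` right after `set -euo pipefail` and quoting the paths the way the renew script does, `cat "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"`, closes that gap, and since the refactor replaces both former copies it fixes both call sites at once. `sanArgs` also interpolates each SAN inside double quotes, whereas `mkMtlsRenewScript` goes through `lib.escapeShellArgs`; `lib.concatMapStringsSep " " (s: "--san ${lib.escapeShellArg s}") san` would be consistent and safe for any SAN value. The `self` added to the module signature is not referenced in any visible hunk; if nothing outside these hunks uses it, it can be dropped.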
@@ -222,16 +248,10 @@ in
 options.mtls = opts;
 config = lib.mkIf cfg.enable {
 environment.systemPackages = with pkgs; lib.optionals cfg.enable [
- (writeShellScriptBin "mtls-generate" ''
- set -euo pipefail
- ${lib.getExe pkgs.step-cli} ca certificate \
- ${cfg.subject} ${tlsCert} ${tlsKey} \
- --provisioner ${cfg.provisioner} \
- --not-before=-5m --not-after=${cfg.lifetime} \
- ${sanArgs} \
- "$@"
- cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
- '')
+ (mtlsGenerate {
+ inherit (cfg) subject provisioner san lifetime;
+ inherit pkgs tlsCert tlsKey mtlsBundle;
+ })
 (writeShellScriptBin "mtls-check" ''
 ${lib.getExe pkgs.openssl} x509 \
 -noout -subject -issuer \
@@ -271,16 +291,10 @@ in
 config = {
 home.packages = with pkgs; lib.optionals cfg.enable [
 step-cli
- (writeShellScriptBin "mtls-generate" ''
- set -euo pipefail
- ${lib.getExe pkgs.step-cli} ca certificate \
- ${cfg.subject} ${tlsCert} ${tlsKey} \
- --not-before=-5m --not-after=${cfg.lifetime} \
- --provisioner ${cfg.provisioner} \
- ${sanArgs} \
- "$@"
- cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
- '')
+ (mtlsGenerate {
+ inherit (cfg) subject provisioner san lifetime;
+ inherit pkgs tlsCert tlsKey mtlsBundle;
+ })
 (writeShellScriptBin "mtls-check" ''
 ${lib.getExe pkgs.openssl} x509 \
 -noout -subject -issuer \
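Review bot: Both replaced call sites (hunks @@ -222,16 +248,10 @@ and @@ -271,16 +291,10 @@) now hand `san` to `mtlsGenerate`, which derives its own `--san` arguments, so the module-scope `sanArgs` that the removed lines referenced is probably dead in each module unless something outside these hunks still reads it; if it is unused, remove it so SAN formatting lives in one place. The enclosing module bodies start and end outside the hunks, so whether `sanArgs` has other readers cannot be confirmed from here.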