diff --git a/modules/hosts/john-pc-ubuntu.nix b/modules/hosts/john-pc-ubuntu.nix
index 6d2c9aa..49a9581 100644
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -8,11 +8,9 @@ in
 flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
 let
 flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
- certDir = "${config.home.homeDirectory}/.step/certs";
+ certDir = "${config.mtls.certDir}";
 CACert = "${certDir}/root_ca.crt";
- tlsKey = "${certDir}/key.pem";
- tlsCert = "${certDir}/cert.pem";
- mtlsCert = "${certDir}/mtls.pem";
+ mtlsBundle = "${certDir}/${config.mtls.bundleFilename}";
 in {
 imports = with inputs.self.modules.homeManager; [
@@ -41,9 +39,9 @@ in
 mtls = {
 enable = true;
- subject = hostname;
 caURL = "https://janus.john-stream.com/";
 provisioner = "admin";
+ subject = hostname;
 san = [
 "${hostname}"
 "192.168.1.85"
@@ -87,7 +85,7 @@ in
 "inherit" = "base";
 repository = "rest:https://soteria.john-stream.com/john-ubuntu";
 cacert = "${CACert}";
- tls-client-cert = "${mtlsCert}";
+ tls-client-cert = "${mtlsBundle}";
 backup = {
 source = [
 "${config.xdg.userDirs.documents}"
diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index 5fa0c91..4c05d2f 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -51,7 +51,7 @@ in
 home.file.".step/config/defaults.json".text = builtins.toJSON {
 "ca-url" = cfg.caURL;
 fingerprint = cfg.fingerprint;
- root = "${cfg.rootCertFile.path}";
+ root = "${config.home.homeDirectory}/${cfg.rootCertFile.path}";
 };
 sops.secrets."janus/admin_jwk".mode = "0400";
 home.packages = with pkgs; [
diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index b6c5ca0..bd4585b 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
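Review bot: `CACert = "${certDir}/root_ca.crt"` and `mtlsBundle = "${certDir}/${config.mtls.bundleFilename}"` rebuild paths that the mtls module now computes for itself (`rootCA` and `mtlsBundle` in the let block of modules/services/step-ca/mtls.nix in this same commit), so the host file and the module can drift apart if the module ever changes its layout. Exposing those two paths from the module as read-only options (for example a `bundlePath` declared with `lib.mkOption { readOnly = true; ... }`) and consuming them here would leave a single source of truth for where the private-key-bearing bundle lives. Separately, `certDir = "${config.mtls.certDir}";` wraps a plain string in an interpolation for no effect; `certDir = config.mtls.certDir;` reads the same. The enclosing let/in block continues past `in {` outside this hunk.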
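Review bot: The new `root` value prepends `config.home.homeDirectory` to `cfg.rootCertFile.path` unconditionally, so if that path is ever absolute the result is a malformed path with a doubled slash and step will fail to load the CA root; `rootCertFile` is declared outside this hunk, so whether it is guaranteed home-relative cannot be confirmed here. A comment stating the contract would stop the mismatch from being reintroduced, e.g. `# rootCertFile.path is home-relative; defaults.json needs the absolute path`. If the option may carry absolute paths, guard it instead: `root = if lib.hasPrefix "/" cfg.rootCertFile.path then cfg.rootCertFile.path else "${config.home.homeDirectory}/${cfg.rootCertFile.path}";` (assuming `lib` is among the module arguments, which is not visible in the hunk). The surrounding module body continues outside the hunk.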
@@ -10,11 +10,6 @@ let
 description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
 type = lib.types.str;
 };
- certDir = lib.mkOption {
- description = "String path to where the mtls certs will be stored.";
- type = lib.types.str;
- default = "/etc/step";
- };
 keyFilename = lib.mkOption {
 description = "String filename for the private key";
 type = lib.types.str;
@@ -170,19 +165,27 @@ in
 tlsKey = "${certDir}/${cfg.keyFilename}";
 tlsCert = "${certDir}/${cfg.certFilename}";
 mtlsBundle = "${certDir}/${cfg.bundleFilename}";
+ rootCA = "${certDir}/root_ca.crt";
+ sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
 in {
- options.mtls = opts;
+ options.mtls = opts // {
+ certDir = lib.mkOption {
+ description = "String path to where the mtls certs will be stored.";
+ type = lib.types.str;
+ default ="${config.home.homeDirectory}/.step/certs";
+ };
+ };
 config = {
 home.packages = with pkgs; [
 step-cli
 (writeShellScriptBin "mtls-generate" ''
+ set -euo pipefail
 ${lib.getExe pkgs.step-cli} ca certificate \
 john-pc-ubuntu ${tlsCert} ${tlsKey} \
- --provisioner admin \
- --san 192.168.1.85 \
- --san spiffe://john-stream.com/ubuntu
+ --provisioner ${cfg.provisioner} \
+ ${sanArgs}
 cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
 '')
 (writeShellScriptBin "mtls-check" ''
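Review bot: The mtls-generate script still hard-codes `john-pc-ubuntu` as the certificate subject on the line after `ca certificate \`, so the `subject` option this module declares (and which john-pc-ubuntu.nix now sets to `hostname`) is never applied; that line should read `${lib.escapeShellArg cfg.subject} ${tlsCert} ${tlsKey} \`. The new `sanArgs` binding only wraps each SAN in double quotes, which a value containing `"` or `$` can break out of once it is spliced into the shell script, whereas `sanArgs = lib.concatMapStringsSep " " (san: "--san ${lib.escapeShellArg san}") cfg.san;` quotes every SAN correctly. The `cat ${tlsCert} ${tlsKey} > ${mtlsBundle}` line copies the private key into the bundle under whatever umask the invoking shell has, so the bundle can end up readable by other local users; adding `umask 077` directly after the new `set -euo pipefail` line keeps it owner-only. `rootCA` is introduced here but not referenced within this hunk; if mtls-check below the hunk does not use it, it is dead.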