diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index e5453c7..4041c84 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -351,7 +351,14 @@ in
     };
 
   flake.wrappers = {
-    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }:
+      let
+        singleOutputOpenSSL = config.pkgs.symlinkJoin {
+          name = "openssl";
+          paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
+          meta.mainProgram = "openssl";
+        };
+      in {
       options = {
         bundleFile = lib.mkOption {
           description = "String path for the mTLS key bundle";
@@ -361,7 +368,8 @@ in
 
       config = {
         binName = "mtls-check";
-        package = config.pkgs.openssl;
+        package = singleOutputOpenSSL;
+        exePath = "${singleOutputOpenSSL}/bin/openssl";
         args = [
           "x509"
           "-noout"