diff --git a/certman.sh b/certman.sh
index 291a807..0798e43 100755
--- a/certman.sh
+++ b/certman.sh
@@ -125,17 +125,13 @@ download_and_verify_cert() {
 fi
 # Validate certificate and key match
- local cert_fingerprint key_fingerprint
+ local cert_fingerprint
 cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
- openssl pkey -pubin -outform DER |
- openssl dgst -sha256) || true
- key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
- openssl dgst -sha256) || true
-
- if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
- echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
- return 1
- fi
+ openssl pkey -pubin -outform DER 2>/dev/null |
+ openssl dgst -sha256)
+ local key_fingerprint
+ key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
+ openssl dgst -sha256)
 if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
 echo -e "${RED}Certificate and key do not match for $domain${NC}"
@@ -145,13 +141,9 @@ download_and_verify_cert() {
 if [ "$FULLCHAIN_PEM" = "true" ]; then
 local pem_fingerprint
 pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
- openssl pkey -pubin -outform DER |
- openssl dgst -sha256) || true
- if [ -z "$pem_fingerprint" ]; then
- echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
- return 1
- fi
- if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
+ openssl pkey -pubin -outform DER 2>/dev/null |
+ openssl dgst -sha256)
+ if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
 echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
 return 1
 fi
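Review bot: Removing the `-z` guard after the two fingerprint pipelines lets a parse failure pass as a match. With stderr discarded and no `pipefail` visible in this hunk, an unreadable `$temp_cert` or `$temp_key` just feeds an empty stream to `openssl dgst -sha256`, which still prints a digest — so if both files are unreadable the two digests are identical, the `!=` test is false and the bad pair is accepted; and if the script runs under `set -e`, the dropped `|| true` now aborts the whole run instead of returning 1 with the domain in the message. Restore the guard and make a failing openssl stage empty the variable, as sketched below; `set -o pipefail` could equally live at the top of the script instead of in the function. download_and_verify_cert begins before this hunk and its mismatch branch continues after it.
```shell
    set -o pipefail   # a failing openssl stage must fail the whole substitution
    local cert_fingerprint key_fingerprint
    cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256) || cert_fingerprint=
    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256) || key_fingerprint=
    if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
        echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
        return 1
    fi
    # … unchanged: cert/key mismatch check …
```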
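Review bot: The PEM comparison has the same gap: `pem_fingerprint` is no longer checked for emptiness, so when `openssl x509` cannot read `$temp_pem` the digest of an empty stream is compared against `cert_fingerprint`, and the mismatch is only caught because that variable presumably still holds a real digest at this point. Restore `if [ -z "$pem_fingerprint" ]; then echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"; return 1; fi` before the comparison, and have a failing pipeline clear the variable (`… | openssl dgst -sha256) || pem_fingerprint=`) so an openssl error cannot produce a digest at all. Separately, the new `[[ "$cert_fingerprint" != "$pem_fingerprint" ]]` switches to bash `[[` while the neighbouring comparisons in the same function keep `[ ]`; pick one form for the function. download_and_verify_cert continues outside this hunk.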
@@ -185,20 +177,33 @@ install_certificate() {
 # Install new certificate and key
 if [ $needs_reload -eq 1 ]; then
- if ! install -m "$CERT_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_cert" "$final_cert"; then
- echo -e "${RED}Failed to install certificate for $domain${NC}"
+ if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
+ echo -e "${RED}Failed to install certificate files for $domain${NC}"
 return 1
 fi
- if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_key" "$final_key"; then
- echo -e "${RED}Failed to install private key for $domain${NC}"
+
+ # Set permissions and ownership for cert and key separately
+ if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" || \
+ ! chmod "$CERT_PERMISSIONS" "$final_cert"; then
+ echo -e "${RED}Failed to set permissions for $final_cert${NC}"
+ return 1
+ fi
+ if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_key" || \
+ ! chmod "$KEY_PERMISSIONS" "$final_key"; then
+ echo -e "${RED}Failed to set permissions for $final_key${NC}"
 return 1
 fi
 if [ "$FULLCHAIN_PEM" = "true" ]; then
- if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_pem" "$final_pem"; then
+ if ! cp -f "$temp_pem" "$final_pem"; then
 echo -e "${RED}Failed to install PEM file for $domain${NC}"
 return 1
 fi
+ if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_pem" || \
+ ! chmod "$KEY_PERMISSIONS" "$final_pem"; then
+ echo -e "${RED}Failed to set permissions for $final_pem${NC}"
+ return 1
+ fi
 fi
 echo -e "${GREEN}Certificate updated for $domain${NC}"
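Review bot: Replacing `install -m … -o … -g …` with `cp -f` followed by `chown`/`chmod` writes the private key to disk before its mode is set: when `$final_key` does not exist yet, `cp` creates it with the caller's umask (commonly 0644), so the key is readable by other local users until the `chmod "$KEY_PERMISSIONS"` several lines later, whereas `install` applied owner and mode as part of creating the file. The combined `cp … || cp …` also means a failed key copy leaves `$final_cert` already replaced with no matching key in place, and `cp -f` writes through an existing destination path (including, as far as I can tell, a symlink planted there) instead of replacing it. If the motivation was per-step error messages, keep `install` and just split the messages; otherwise at least run `umask 077` in this function before the copies, and consider copying each file to a sibling temp name and `mv`-ing it into place so a reloading service never sees a partially written cert or key. install_certificate begins before this hunk and continues after it.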