diff --git a/certman.sh b/certman.sh
index 0798e43..291a807 100755
--- a/certman.sh
+++ b/certman.sh
@@ -125,13 +125,17 @@ download_and_verify_cert() {
     fi
 
     # Validate certificate and key match
-    local cert_fingerprint
+    local cert_fingerprint key_fingerprint
     cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
-        openssl pkey -pubin -outform DER 2>/dev/null |
-        openssl dgst -sha256)
-    local key_fingerprint
-    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
-        openssl dgst -sha256)
+        openssl pkey -pubin -outform DER |
+        openssl dgst -sha256) || true
+    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
+        openssl dgst -sha256) || true
+
+    if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
+        echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
+        return 1
+    fi
 
     if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
         echo -e "${RED}Certificate and key do not match for $domain${NC}"
@@ -141,9 +145,13 @@ download_and_verify_cert() {
     if [ "$FULLCHAIN_PEM" = "true" ]; then
         local pem_fingerprint
         pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
-            openssl pkey -pubin -outform DER 2>/dev/null |
-            openssl dgst -sha256)
-        if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256) || true
+        if [ -z "$pem_fingerprint" ]; then
+            echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
+            return 1
+        fi
+        if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
             echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
             return 1
         fi
@@ -177,33 +185,20 @@ install_certificate() {
 
     # Install new certificate and key
     if [ $needs_reload -eq 1 ]; then
-        if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
-            echo -e "${RED}Failed to install certificate files for $domain${NC}"
+        if ! install -m "$CERT_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_cert" "$final_cert"; then
+            echo -e "${RED}Failed to install certificate for $domain${NC}"
             return 1
         fi
-
-        # Set permissions and ownership for cert and key separately
-        if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" || \
-           ! chmod "$CERT_PERMISSIONS" "$final_cert"; then
-            echo -e "${RED}Failed to set permissions for $final_cert${NC}"
-            return 1
-        fi
-        if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_key" || \
-           ! chmod "$KEY_PERMISSIONS" "$final_key"; then
-            echo -e "${RED}Failed to set permissions for $final_key${NC}"
+        if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_key" "$final_key"; then
+            echo -e "${RED}Failed to install private key for $domain${NC}"
             return 1
         fi
 
         if [ "$FULLCHAIN_PEM" = "true" ]; then
-            if ! cp -f "$temp_pem" "$final_pem"; then
+            if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_pem" "$final_pem"; then
                 echo -e "${RED}Failed to install PEM file for $domain${NC}"
                 return 1
             fi
-            if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_pem" || \
-               ! chmod "$KEY_PERMISSIONS" "$final_pem"; then
-                echo -e "${RED}Failed to set permissions for $final_pem${NC}"
-                return 1
-            fi
         fi
 
         echo -e "${GREEN}Certificate updated for $domain${NC}"