Use install for certificate and key file installation

Replace separate cp and chmod operations with single install commands
for certificate, key, and PEM file installation to ensure proper
permissions and ownership are set in one operation

certman.sh

@@ -125,13 +125,17 @@ download_and_verify_cert() {
     fi
 
     # Validate certificate and key match
-    local cert_fingerprint
+    local cert_fingerprint key_fingerprint
     cert_fingerprint=$(openssl x509 -in "$temp_cert" -noout -pubkey |
-        openssl pkey -pubin -outform DER 2>/dev/null |
-        openssl dgst -sha256)
-    local key_fingerprint
-    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER 2>/dev/null |
-        openssl dgst -sha256)
+        openssl pkey -pubin -outform DER |
+        openssl dgst -sha256) || true
+    key_fingerprint=$(openssl pkey -in "$temp_key" -pubout -outform DER |
+        openssl dgst -sha256) || true
+
+    if [ -z "$cert_fingerprint" ] || [ -z "$key_fingerprint" ]; then
+        echo -e "${RED}Failed to extract fingerprints for $domain${NC}"
+        return 1
+    fi
 
     if [ "$cert_fingerprint" != "$key_fingerprint" ]; then
         echo -e "${RED}Certificate and key do not match for $domain${NC}"
@@ -141,9 +145,13 @@ download_and_verify_cert() {
     if [ "$FULLCHAIN_PEM" = "true" ]; then
         local pem_fingerprint
         pem_fingerprint=$(openssl x509 -in "$temp_pem" -noout -pubkey |
-            openssl pkey -pubin -outform DER 2>/dev/null |
-            openssl dgst -sha256)
-        if [[ "$cert_fingerprint" != "$pem_fingerprint" ]]; then
+            openssl pkey -pubin -outform DER |
+            openssl dgst -sha256) || true
+        if [ -z "$pem_fingerprint" ]; then
+            echo -e "${RED}Failed to extract PEM fingerprint for $domain${NC}"
+            return 1
+        fi
+        if [ "$cert_fingerprint" != "$pem_fingerprint" ]; then
             echo -e "${RED}Certificate and PEM file do not match for $domain${NC}"
             return 1
         fi
@@ -177,33 +185,20 @@ install_certificate() {
 
     # Install new certificate and key
     if [ $needs_reload -eq 1 ]; then
-        if ! cp -f "$temp_cert" "$final_cert" || ! cp -f "$temp_key" "$final_key"; then
-            echo -e "${RED}Failed to install certificate files for $domain${NC}"
+        if ! install -m "$CERT_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_cert" "$final_cert"; then
+            echo -e "${RED}Failed to install certificate for $domain${NC}"
             return 1
         fi
-
-        # Set permissions and ownership for cert and key separately
-        if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_cert" || \
-           ! chmod "$CERT_PERMISSIONS" "$final_cert"; then
-            echo -e "${RED}Failed to set permissions for $final_cert${NC}"
-            return 1
-        fi
-        if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_key" || \
-           ! chmod "$KEY_PERMISSIONS" "$final_key"; then
-            echo -e "${RED}Failed to set permissions for $final_key${NC}"
+        if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_key" "$final_key"; then
+            echo -e "${RED}Failed to install private key for $domain${NC}"
             return 1
         fi
 
         if [ "$FULLCHAIN_PEM" = "true" ]; then
-            if ! cp -f "$temp_pem" "$final_pem"; then
+            if ! install -m "$KEY_PERMISSIONS" -o "$CERT_OWNER" -g "$CERT_GROUP" "$temp_pem" "$final_pem"; then
                 echo -e "${RED}Failed to install PEM file for $domain${NC}"
                 return 1
             fi
-            if ! chown "$CERT_OWNER:$CERT_GROUP" "$final_pem" || \
-               ! chmod "$KEY_PERMISSIONS" "$final_pem"; then
-                echo -e "${RED}Failed to set permissions for $final_pem${NC}"
-                return 1
-            fi
         fi
 
         echo -e "${GREEN}Certificate updated for $domain${NC}"