diff --git a/internal/cert/storage.go b/internal/cert/storage.go
index 367aa0b..8c05f16 100644
--- a/internal/cert/storage.go
+++ b/internal/cert/storage.go
@@ -79,8 +79,9 @@ func (s *Storage) loadFromDisk() error {
 }
 
 func (s *Storage) StoreFromBase64(id, base64Content string) (string, error) {
-	if err := os.MkdirAll(s.basePath, 0700); err != nil {
-		return "", fmt.Errorf("creating cert directory: %w", err)
+	tmpDir := filepath.Join(s.basePath, "tmp")
+	if err := os.MkdirAll(tmpDir, 0700); err != nil {
+		return "", fmt.Errorf("creating tmp directory: %w", err)
 	}
 
 	der, err := base64.StdEncoding.DecodeString(base64Content)
@@ -88,7 +89,7 @@ func (s *Storage) StoreFromBase64(id, base64Content string) (string, error) {
 		return "", fmt.Errorf("invalid base64: %w", err)
 	}
 
-	storedPath := filepath.Join(s.basePath, id+".p12")
+	storedPath := filepath.Join(tmpDir, id+".p12")
 	if err := os.WriteFile(storedPath, der, 0600); err != nil {
 		return "", fmt.Errorf("writing certificate: %w", err)
 	}