diff --git a/bin/gen-tls-cert b/bin/gen-tls-cert
index 9a2e9cb..1858e37 100755
--- a/bin/gen-tls-cert
+++ b/bin/gen-tls-cert
@@ -1,6 +1,6 @@
 #!/bin/sh
 tmp=$(mktemp -d)
-trap 'rm -rf -- "$keyfile"' EXIT
+trap 'rm -rf -- "$tmp"' EXIT
 
 # ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
 openssl req -x509 -nodes \
@@ -8,7 +8,7 @@ openssl req -x509 -nodes \
   -keyout "$tmp/ca.key" \
   -days 365 \
   -out "$tmp/ca.cert" \
-  -subj '/CN=hd_root' \
+  -subj '/CN=hd_root'
 
 rm secrets/tlskey.age
 openssl req -nodes \
@@ -27,4 +27,4 @@ openssl x509 -req \
   -CAcreateserial \
   -extfile <(printf "subjectAltName=DNS:roam.lan,DNS:*.roam.lan\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth")
 
-mv "$tmp/ca.cert" pki/ca.cert
\ No newline at end of file
+mv "$tmp/ca.cert" pki/ca.cert