diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml
index 3b50c7c..4173a17 100644
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@@ -55,23 +55,23 @@
 state: link
 follow: false

-- name: create combined certificate/private key file
- ansible.builtin.shell:
- cmd: >-
- umask 077 &&
- /bin/cat \
- {{ tls_certs }}/{{ inventory_hostname }}.crt \
- {{ tls_private }}/{{ inventory_hostname }}.key > \
- {{ tls_private }}/mongodb.pem
- creates: "{{ tls_private }}/mongodb.pem"
- notify: restart mongod
+- name: generate combined certificate/private key file contents
+ ansible.builtin.command:
+ argv:
+ - /bin/cat
+ - "{{ tls_certs }}/{{ inventory_hostname }}.crt"
+ - "{{ tls_private }}/{{ inventory_hostname }}.key"
+ failed_when: false
+ register: mongodb_cert_key

-- name: fix certificate/key file permissions
- ansible.builtin.file:
- path: "{{ tls_private }}/mongodb.pem"
+- name: create combined certificate/private key file
+ ansible.builtin.copy:
+ dest: "{{ tls_private }}/mongodb.pem"
+ content: "{{ mongodb_cert_key.stdout }}"
 mode: 0640
 owner: root
 group: mongod
+ notify: restart mongod

 - name: configure logrotate
 ansible.builtin.copy:
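Review bot: The private key now passes through the registered variable `mongodb_cert_key` and the `content:` argument of the copy task, and neither new task sets `no_log: true`, so the key material can end up in verbose output, callback or log plugins and `--diff` runs; add `no_log: true` to both tasks. `failed_when: false` on the `/bin/cat` task also hides a missing or unreadable `.crt` or `.key`: stdout is then empty or holds only the certificate, yet the copy task still writes it over `mongodb.pem` and notifies `restart mongod`. I would replace `failed_when: false` with `changed_when: false`, so a read error stops the play before the PEM is overwritten and the read-only command no longer reports a change on every run.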