diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index a289941e4..c205a2aaa 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -70,7 +70,6 @@ from ipapython.dn import DN import ipaclient.ntpconf -pw_name = None uninstalling = False installation_cleanup = True @@ -567,7 +566,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base): def main(): global ds - global pw_name global uninstalling global installation_cleanup ds = None @@ -697,6 +695,18 @@ def main(): sys.exit(1) cert = certdict[certissuer] + if options.http_pkcs12: + http_pin_file = ipautil.write_tmp_file(options.http_pin) + http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name) + + if options.dirsrv_pkcs12: + dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) + dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) + + if options.pkinit_pkcs12: + pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) + pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name) + # Figure out what external CA step we're in. See cainstance.py for more # info on the 3 states. if options.external_cert_file: @@ -942,12 +952,6 @@ def main(): except ipautil.CalledProcessError, e: root_logger.critical("failed to add DS group: %s" % e) - if options.dirsrv_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.dirsrv_pin) - os.close(pw_fd) - pkcs12_info = (options.dirsrv_pkcs12, pw_name) - if external != 2: # Configure ntpd if options.conf_ntp: 
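Review bot: In the `@@ -697,6 +695,18 @@` hunk the HTTP tuple is built from the wrong option: `http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name)` pairs the directory server's PKCS#12 path with the HTTP PIN. The `http.create_instance(..., pkcs12_info=http_pkcs12_info, ...)` call in the `@@ -1073,28 +1067,21 @@` hunk would then receive the wrong certificate file, or no path at all when `options.dirsrv_pkcs12` is unset. The line should read `http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)`. The three new blocks are also guarded by the `*_pkcs12` options where the removed code tested the `*_pin` options, so `ipautil.write_tmp_file` now receives whatever the PIN option holds; that is safe only if option validation outside this hunk requires a PIN with every PKCS#12 file. `main()` starts and ends outside the hunk.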
@@ -960,13 +964,10 @@ def main(): ds = dsinstance.DsInstance(fstore=fstore) if options.dirsrv_pkcs12: - try: - ds.create_instance(realm_name, host_name, domain_name, - dm_password, pkcs12_info, - subject_base=options.subject, - hbac_allow=not options.hbac_allow) - finally: - os.remove(pw_name) + ds.create_instance(realm_name, host_name, domain_name, + dm_password, dirsrv_pkcs12_info, + subject_base=options.subject, + hbac_allow=not options.hbac_allow) else: ds.create_instance(realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, @@ -1052,19 +1053,12 @@ def main(): # Upload the CA cert to the directory ds.upload_ca_cert() - # Create a kerberos instance - if options.pkinit_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.dirsrv_pin) - os.close(pw_fd) - krb = krbinstance.KrbInstance(fstore) if options.pkinit_pkcs12: - pkcs12_info = (options.pkinit_pkcs12, pw_name) krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=options.setup_pkinit, - pkcs12_info=pkcs12_info, + pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject) else: krb.create_instance(realm_name, host_name, domain_name, 
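Review bot: With the `try`/`finally: os.remove(pw_name)` dropped in the `@@ -960,13 +964,10 @@` hunk, the directory server PIN file is no longer removed as soon as `ds.create_instance` returns; its lifetime now depends on the object returned by `ipautil.write_tmp_file`, which is not shown in this diff. If that is a `tempfile.NamedTemporaryFile`-style object, the plaintext PIN stays on disk until the object is closed or collected, which for locals of `main()` is most of the install, and removal on the `sys.exit` and exception paths should be confirmed now that the `finally` cleanup at the bottom of the file is gone too. Closing each file right after its consumer, e.g. `dirsrv_pin_file.close()` after this call, would restore the narrow exposure window, provided nothing later rereads the file. The same applies to `pkinit_pin_file` in the `@@ -1052,19 +1053,12 @@` hunk and `http_pin_file` in the `@@ -1073,28 +1067,21 @@` hunk.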
@@ -1073,28 +1067,21 @@ def main(): self_signed_ca=options.selfsign, subject_base=options.subject) - if options.pkinit_pin: - os.remove(pw_name) - # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() # Create a HTTP instance - if options.http_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.http_pin) - os.close(pw_fd) - memcache = memcacheinstance.MemcacheInstance() memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) http = httpinstance.HTTPInstance(fstore) if options.http_pkcs12: - pkcs12_info = (options.http_pkcs12, pw_name) - http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect) - os.remove(pw_name) + http.create_instance( + realm_name, host_name, domain_name, dm_password, autoconfig=False, + pkcs12_info=http_pkcs12_info, subject_base=options.subject, + auto_redirect=options.ui_redirect) else: http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect) ipaservices.restore_context("/var/cache/ipa/sessions") @@ -1220,9 +1207,6 @@ if __name__ == '__main__': success = True finally: - if pw_name and ipautil.file_exists(pw_name): - os.remove(pw_name) - if not success and installation_cleanup: # Do a cautious clean up as we don't know what failed and what is # the state of the environment