diff --git a/charmhelpers/contrib/openstack/context.py b/charmhelpers/contrib/openstack/context.py
index 6c4497b1..c077ca31 100644
--- a/charmhelpers/contrib/openstack/context.py
+++ b/charmhelpers/contrib/openstack/context.py
@@ -797,9 +797,9 @@ class ApacheSSLContext(OSContextGenerator):
             key_filename = 'key'
 
         write_file(path=os.path.join(ssl_dir, cert_filename),
-                   content=b64decode(cert))
+                   content=b64decode(cert), perms=0o640)
         write_file(path=os.path.join(ssl_dir, key_filename),
-                   content=b64decode(key))
+                   content=b64decode(key), perms=0o640)
 
     def configure_ca(self):
         ca_cert = get_ca_cert()
diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py
index 832431d4..edf138f6 100644
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@@ -94,10 +94,10 @@ class SSLContext(context.ApacheSSLContext):
 
         write_file(path=os.path.join(self.ssl_dir, 'cert_{}'.format(cn)),
                    content=cert, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)
         write_file(path=os.path.join(self.ssl_dir, 'key_{}'.format(cn)),
                    content=key, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)
 
     def configure_ca(self):
         from keystone_utils import (