diff --git a/magnum/templates/kubernetes/fragments/make-cert-client.sh b/magnum/templates/kubernetes/fragments/make-cert-client.sh
index 61cdeb3402..04f27943cf 100644
--- a/magnum/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert-client.sh
@@ -61,6 +61,7 @@ EOF
 
 # Generate client's private key and csr
 openssl genrsa -out "${CLIENT_KEY}" 4096
+chmod 400 "${CLIENT_KEY}"
 openssl req -new -days 1000 \
 -key "${CLIENT_KEY}" \
 -out "${CLIENT_CSR}" \
@@ -75,6 +76,9 @@ curl -X POST \
 -d "$csr_req" \
 $MAGNUM_URL/certificates | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CLIENT_CERT}
 
+chmod 500 "${cert_dir}"
+chown -R kube:kube "${cert_dir}"
+
 sed -i '
 s|CA_CERT|'"$CA_CERT"'|
 s|CLIENT_CERT|'"$CLIENT_CERT"'|
diff --git a/magnum/templates/kubernetes/fragments/make-cert.sh b/magnum/templates/kubernetes/fragments/make-cert.sh
index 1396fa7226..5df95d3207 100644
--- a/magnum/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert.sh
@@ -63,6 +63,7 @@ EOF
 
 # Generate server's private key and csr
 openssl genrsa -out "${SERVER_KEY}" 4096
+chmod 400 "${SERVER_KEY}"
 openssl req -new -days 1000 \
 -key "${SERVER_KEY}" \
 -out "${SERVER_CSR}" \
@@ -76,3 +77,6 @@ curl -X POST \
 -H "Content-Type: application/json" \
 -d "$csr_req" \
 $MAGNUM_URL/certificates | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${SERVER_CERT}
+
+chmod 500 "${cert_dir}"
+chown -R kube:kube "${cert_dir}"
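Review bot: In make-cert-client.sh, hunk `@@ -61,6 +61,7 @@`, the private key is written by `openssl genrsa` before `chmod 400` runs, so for a short window the file carries whatever mode the process umask and the OpenSSL version in use give it, which may be group- or world-readable. Creating the key under a restrictive mask closes that window: `(umask 077; openssl genrsa -out "${CLIENT_KEY}" 4096)`, with the existing `chmod 400` kept after it. The same applies to `${SERVER_KEY}` in make-cert.sh, hunk `@@ -63,6 +63,7 @@`. Both scripts start outside the hunks, so a `umask` may already be set earlier; that should be confirmed before changing anything.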
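Review bot: In make-cert-client.sh, hunk `@@ -75,6 +76,9 @@`, `chown -R kube:kube "${cert_dir}"` makes the service account the owner of its own key material, and an owner can always `chmod` its files back to writable, so the 400/500 modes guard against other users but not against the kube processes themselves. If the services only need to read these files, root ownership with group read would keep them unmodifiable by the service: `chown -R root:kube "${cert_dir}"` with `chmod 550` on the directory and `chmod 440` on the key. The exit status of `chmod` and `chown` is not checked in the visible lines, so a missing `kube` user would presumably leave a root-owned 0400 key that the services cannot read; whether `set -e` is active is not visible from the hunk. The same two lines are added at the end of make-cert.sh, hunk `@@ -76,3 +77,6 @@`.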