diff --git a/util/cert/cert.go b/util/cert/cert.go
index 7196cf89..92a44bfe 100644
--- a/util/cert/cert.go
+++ b/util/cert/cert.go
@@ -188,10 +188,10 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 	}
 
 	if len(fixtureDirectory) > 0 {
-		if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
+		if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0600); err != nil {
 			return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
 		}
-		if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
+		if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0600); err != nil {
 			return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
 		}
 	}
diff --git a/util/cert/io.go b/util/cert/io.go
index a70e5132..c3c5dca4 100644
--- a/util/cert/io.go
+++ b/util/cert/io.go
@@ -58,14 +58,14 @@ func canReadFile(path string) bool {
 }
 
 // WriteCert writes the pem-encoded certificate data to certPath.
-// The certificate file will be created with file mode 0644.
+// The certificate file will be created with file mode 000.
 // If the certificate file already exists, it will be overwritten.
-// The parent directory of the certPath will be created as needed with file mode 0755.
+// The parent directory of the certPath will be created as needed with file mode 0700.
 func WriteCert(certPath string, data []byte) error {
-	if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
+	if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0700)); err != nil {
 		return err
 	}
-	return os.WriteFile(certPath, data, os.FileMode(0644))
+	return os.WriteFile(certPath, data, os.FileMode(0600))
 }
 
 // NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
diff --git a/util/certificate/certificate_store.go b/util/certificate/certificate_store.go
index e7ed58ee..769b8a50 100644
--- a/util/certificate/certificate_store.go
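Review bot: The key-fixture error message on the context line after the second added write still reports `certFixturePath`, so a failure writing the key fixture names the wrong file; it should read `return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", keyFixturePath, err)`. Note also that os.WriteFile applies the 0600 mode only when it creates the file (and the mode is further narrowed by the process umask): a fixture left behind by an earlier run with 0644 keeps that mode, so the tightening does not retroactively protect previously written key fixtures. If that matters here, an explicit `os.Chmod(keyFixturePath, 0600)` after the write, or removing stale fixtures first, would close the gap; the same caveat applies to WriteCert in the util/cert/io.go hunk. GenerateSelfSignedCertKeyWithFixtures starts and ends outside the hunk.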
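Review bot: The rewritten doc comment says the certificate file is created with file mode `000`, which does not match the `os.FileMode(0600)` the new code passes to os.WriteFile and reads as a file nobody can open; change it to `// The certificate file will be created with file mode 0600.`. Separately, os.MkdirAll applies the 0700 mode only to directories it creates, so an existing parent directory keeps its previous (typically 0755) mode; the parent-directory line could say so, e.g. `// The parent directory of the certPath will be created as needed with file mode 0700 (an existing directory keeps its mode).`. The same MkdirAll caveat applies to the util/certificate/certificate_store.go and util/keyutil/key.go hunks. Since a certificate is public data, a 0600 file inside a 0700 directory may also stop a reader running under a different uid from loading the cert, which is worth confirming against how these paths are consumed.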
+++ b/util/certificate/certificate_store.go
@@ -188,7 +188,7 @@ func (s *fileStore) Update(certData, keyData []byte) (*tls.Certificate, error) {
 	ts := time.Now().Format("2006-01-02-15-04-05")
 	pemFilename := s.filename(ts)
 
-	if err := os.MkdirAll(s.certDirectory, 0755); err != nil {
+	if err := os.MkdirAll(s.certDirectory, 0700); err != nil {
 		return nil, fmt.Errorf("could not create directory %q to store certificates: %v", s.certDirectory, err)
 	}
 	certPath := filepath.Join(s.certDirectory, pemFilename)
diff --git a/util/keyutil/key.go b/util/keyutil/key.go
index ecd3e471..b2126ea3 100644
--- a/util/keyutil/key.go
+++ b/util/keyutil/key.go
@@ -63,9 +63,9 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
 // WriteKey writes the pem-encoded key data to keyPath.
 // The key file will be created with file mode 0600.
 // If the key file already exists, it will be overwritten.
-// The parent directory of the keyPath will be created as needed with file mode 0755.
+// The parent directory of the keyPath will be created as needed with file mode 0700.
 func WriteKey(keyPath string, data []byte) error {
-	if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
+	if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0700)); err != nil {
 		return err
 	}
 	return os.WriteFile(keyPath, data, os.FileMode(0600))