diff --git a/cert/cert.go b/cert/cert.go
index e94b900..92dd483 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -63,7 +63,7 @@ func (c *Cert) GenerateSelfSignedCert() error {
 }
 if _, err := os.Stat(path.Dir(c.CertFile)); os.IsNotExist(err) {
- os.MkdirAll(path.Dir(c.CertFile), 0666)
+ os.MkdirAll(path.Dir(c.CertFile), 0700)
 }
 certOut, err := os.Create(c.CertFile)
@@ -73,8 +73,13 @@ func (c *Cert) GenerateSelfSignedCert() error {
 defer certOut.Close()
 pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+ // Set permission to 0600 (read/write by owner only)
+ if err := os.Chmod(c.CertFile, 0600); err != nil {
+ return err
+ }
+
 if _, err := os.Stat(path.Dir(c.KeyFile)); os.IsNotExist(err) {
- os.MkdirAll(path.Dir(c.KeyFile), 0666)
+ os.MkdirAll(path.Dir(c.KeyFile), 0700)
 }
 keyOut, err := os.Create(c.KeyFile)
@@ -85,5 +90,10 @@ func (c *Cert) GenerateSelfSignedCert() error {
 pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+ // Set permission to 0600 (read/write by owner only)
+ if err := os.Chmod(c.KeyFile, 0600); err != nil {
+ return err
+ }
+
 return nil
 }
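Review bot: The result of `os.MkdirAll(path.Dir(c.CertFile), 0700)` is still discarded, and because the call sits behind the `os.IsNotExist` check, a directory that already exists keeps whatever mode it had before this change. MkdirAll is already a no-op on an existing directory, so the Stat guard can be dropped and the error returned: `if err := os.MkdirAll(path.Dir(c.CertFile), 0700); err != nil { return err }`. The KeyFile directory in the second hunk has the same two gaps. If the directory is meant to be private, a pre-existing one would also need an explicit mode check or chmod. The enclosing function starts above this hunk.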
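Review bot: The `pem.Encode(certOut, ...)` call just above the new Chmod has its error ignored, so a failed or short write still reaches the chmod and the function can return nil with an incomplete certificate on disk. Check it before tightening the mode, `if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER}); err != nil { return err }`. The key write in the third hunk has the same gap, and there it matters more, since callers would assume a usable private key exists. The function body continues on both sides of this hunk.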
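Review bot: The private key only gets mode 0600 after it has been written. `os.Create(c.KeyFile)` (the context line closing the previous hunk) creates the file as 0666 minus the umask, so under a typical umask the key is readable by other local users until this Chmod runs, and stays readable if an earlier step returns first. Create it restricted instead, `keyOut, err := os.OpenFile(c.KeyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)`. That mode is ignored when the file already exists, so also call `keyOut.Chmod(0600)` on the open handle before `pem.Encode` rather than chmod-ing the path afterwards. The function starts above this hunk.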