diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml
index 032cda18ff..c29ce8e8da 100644
--- a/roles/openvpn/client/tasks/main.yml
+++ b/roles/openvpn/client/tasks/main.yml
@@ -19,7 +19,7 @@
       mode: '0644' }
   - { file: "{{ puppet_private }}/vpn/openvpn/keys/{{ inventory_hostname }}.crt",
       dest: "/etc/openvpn/client.crt",
-      mode: '0644' }
+      mode: '0600' }
   - { file: "{{ puppet_private }}/vpn/openvpn/keys/{{ inventory_hostname }}.key",
       dest: "/etc/openvpn/client.key",
       mode: '0600' }