diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ade5353f0..f7fc44233 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -613,6 +613,7 @@ class CAInstance(DogtagInstance):
         if not os.path.isdir(directory):
             os.mkdir(directory)
         with open(conf, 'w') as f:
+            os.fchmod(f.fileno(), 0o644)
             f.write('[Service]\n')
             f.write('ExecStartPost={}\n'.format(paths.IPA_PKI_WAIT_RUNNING))
         tasks.systemd_daemon_reload()