diff --git a/command/tls/ca/create/tls_ca_create.go b/command/tls/ca/create/tls_ca_create.go
index ceef70b376..810d452c40 100644
--- a/command/tls/ca/create/tls_ca_create.go
+++ b/command/tls/ca/create/tls_ca_create.go
@@ -83,7 +83,7 @@ func (c *cmd) Run(args []string) int {
 }
 c.UI.Output("==> Saved " + certFileName)
- if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0666); err != nil {
+ if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0600); err != nil {
 c.UI.Error(err.Error())
 return 1
 }
diff --git a/command/tls/ca/create/tls_ca_create_test.go b/command/tls/ca/create/tls_ca_create_test.go
index 5689589598..19c5fb965c 100644
--- a/command/tls/ca/create/tls_ca_create_test.go
+++ b/command/tls/ca/create/tls_ca_create_test.go
@@ -3,6 +3,7 @@ package create
 import (
 "crypto"
 "crypto/x509"
+ "io/fs"
 "io/ioutil"
 "os"
 "strings"
@@ -120,6 +121,14 @@ func expectFiles(t *testing.T, caPath, keyPath string) (*x509.Certificate, crypt
 require.FileExists(t, caPath)
 require.FileExists(t, keyPath)
 
+ fi, err := os.Stat(keyPath)
+ if err != nil {
+ t.Fatal("should not happen", err)
+ }
+ if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
+ t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
+ }
+
 caData, err := ioutil.ReadFile(caPath)
 require.NoError(t, err)
 keyData, err := ioutil.ReadFile(keyPath)
diff --git a/command/tls/cert/create/tls_cert_create.go b/command/tls/cert/create/tls_cert_create.go
index 6281ca3ae2..b1cdaa131d 100644
--- a/command/tls/cert/create/tls_cert_create.go
+++ b/command/tls/cert/create/tls_cert_create.go
@@ -196,7 +196,7 @@ func (c *cmd) Run(args []string) int {
 }
 c.UI.Output("==> Saved " + certFileName)
- if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0666); err != nil {
+ if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0600); err != nil {
 c.UI.Error(err.Error())
 return 1
 }
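Review bot: Whether the `0600` on the changed line protects the CA key for its whole lifetime depends on how `file.WriteAtomicWithPerms` (not in this diff) creates its temporary file: if the helper opens the temp file with a wider mode and only chmods it to the requested mode before the rename, the key bytes are readable by other local users for that window, and the new test would not notice because it only stats the final file. Worth confirming the helper passes the mode at creation (`os.OpenFile(tmp, O_WRONLY|O_CREATE|O_EXCL, 0600)`) and keeps the temp file in the destination directory so the rename stays atomic. The line also deserves a why-comment, since it sits next to a 0755 directory mode and a certificate write with presumably looser permissions, e.g. `// the private key is the only secret written by this command; keep it owner-only`. Run's body begins before and continues past this hunk.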
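Review bot: The added permission assertion in `expectFiles` cannot pass on Windows, where `os.Stat` reports a synthetic 0666 (0444 for read-only files) in `Mode().Perm()` regardless of the mode used at creation, so if this package is ever run there the test fails for a reason unrelated to the fix; wrap the check in `if runtime.GOOS != "windows" { ... }` or `t.Skip` it on that platform. The surrounding function already uses `require`, so `require.NoError(t, err)` and `require.Equal(t, fs.FileMode(0600), fi.Mode().Perm(), "private key file %s permissions", keyPath)` would read consistently and replace the uninformative `"should not happen"` message. `io/fs` requires Go 1.16; the module's Go version is not visible here, so confirm go.mod allows it. expectFiles continues past the end of this hunk.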
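Review bot: With the leaf key now written `0600`, an agent that runs as a different user from the one who ran `consul tls cert create` can no longer read `pkFileName` — the old 0666 mode silently hid that, and operators who relied on it will see a startup failure after upgrading. The tightening is correct, but it should be documented where people will find it: a comment on the changed line such as `// 0600: only the creating user can read the key; the agent's user must own or be chowned this file` and, if the command's `Saved` output for the key follows this hunk (not visible), a short hint there. The same literal now appears in `ca/create` too; a single named constant (e.g. `privateKeyFileMode`) shared by both commands would keep the two from drifting apart again. Run's body begins before and continues past this hunk.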
diff --git a/command/tls/cert/create/tls_cert_create_test.go b/command/tls/cert/create/tls_cert_create_test.go
index 306eed8df2..78f75eb11d 100644
--- a/command/tls/cert/create/tls_cert_create_test.go
+++ b/command/tls/cert/create/tls_cert_create_test.go
@@ -3,6 +3,7 @@ package create
 import (
 "crypto"
 "crypto/x509"
+ "io/fs"
 "io/ioutil"
 "net"
 "os"
@@ -242,6 +243,14 @@ func expectFiles(t *testing.T, certPath, keyPath string) (*x509.Certificate, cry
 require.FileExists(t, certPath)
 require.FileExists(t, keyPath)
 
+ fi, err := os.Stat(keyPath)
+ if err != nil {
+ t.Fatal("should not happen", err)
+ }
+ if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
+ t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
+ }
+
 certData, err := ioutil.ReadFile(certPath)
 require.NoError(t, err)
 keyData, err := ioutil.ReadFile(keyPath)
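Review bot: `t.Fatal("should not happen", err)` on the stat failure drops the one detail a reader of a CI log needs, the path; `t.Fatalf("stat %s: %v", keyPath, err)` matches the style of the `Fatalf` two lines below and says what was being checked. The new block is byte-identical to the one added to `ca/create/tls_ca_create_test.go`; the two packages are both named `create` and cannot import each other, but a small helper in a shared internal test package (if the repository has one) would stop the two assertions from drifting apart the next time the expected mode changes. expectFiles continues past the end of this hunk.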