diff --git a/cyrus-imapd-init.service b/cyrus-imapd-init.service
index 650f451..10823b7 100644
--- a/cyrus-imapd-init.service
+++ b/cyrus-imapd-init.service
@@ -9,4 +9,4 @@ ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd-ca.pem
 Type=oneshot
 Group=mail
 RemainAfterExit=no
-ExecStart=/usr/bin/sscg --package cyrus-imapd --cert-file /etc/pki/cyrus-imapd/cyrus-imapd.pem --cert-key-file /etc/pki/cyrus-imapd/cyrus-imapd-key.pem --ca-file /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem
+ExecStart=/usr/bin/sscg --package cyrus-imapd --cert-file /etc/pki/cyrus-imapd/cyrus-imapd.pem --cert-key-file /etc/pki/cyrus-imapd/cyrus-imapd-key.pem --ca-file /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem --cert-key-mode=0640 
diff --git a/cyrus-imapd.spec b/cyrus-imapd.spec
index 4bedaa7..5fa7f18 100644
--- a/cyrus-imapd.spec
+++ b/cyrus-imapd.spec
@@ -9,9 +9,9 @@
 
 Name: cyrus-imapd
 Version: 3.0.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 
-%define ssl_pem_file /etc/pki/%name/%name.pem
+%define ssl_pem_file_prefix /etc/pki/%name/%name
 
 # UID/GID 76 have long been reserved for Cyrus
 %define uid 76
@@ -437,9 +437,6 @@ find %buildroot/%_libdir/perl5/ -type f -name "*.so" -exec chmod 755 {} \;
   sed -e 's/^ *//' -e 's/-nosync//' -e 's/ *$//' -e 's/"/=/'
   echo sieve_version=2.2.3 ) | sort > %buildroot/%_datadir/%name/rpm/db.cfg
 
-# create the ghost pem file
-touch %buildroot/%ssl_pem_file
-
 # Cyrus has various files with extremely conflicting names.  Some of these are
 # not unexpected ("imapd" itself) but some like "httpd" are rather surprising.
 
@@ -624,7 +621,9 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v
 
 
 %dir /etc/pki/cyrus-imapd
-%attr(0640,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file
+%attr(0644,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix-ca.pem
+%attr(0644,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix.pem
+%attr(0640,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix-key.pem
 
 %config(noreplace) /etc/cyrus.conf
 %config(noreplace) /etc/imapd.conf
@@ -712,6 +711,9 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v
 
 
 %changelog
+* Thu Apr 23 2020 Pavel Zhukov <pzhukov@redhat.com> - 3.0.13-4
+- Fix pem files permission
+
 * Wed Apr 01 2020 Petr Pisar <ppisar@redhat.com> - 3.0.13-3
 - Specify all Perl dependencies of Cassandane