diff --git a/Makefile b/Makefile
index 916984c22..6b6bf5bd9 100644
--- a/Makefile
+++ b/Makefile
@@ -266,7 +266,10 @@ modify_composefile:
 modify_sourcefiles:
 @echo "change mode of source files."
 @chmod 600 $(MAKEPATH)/common/templates/notary/notary-signer.key
+ @chmod 600 $(MAKEPATH)/common/templates/notary/notary-signer.crt
+ @chmod 600 $(MAKEPATH)/common/templates/notary/notary-signer-ca.crt
 @chmod 600 $(MAKEPATH)/common/templates/ui/private_key.pem
+ @chmod 600 $(MAKEPATH)/common/templates/registry/root.crt
 install: compile build modify_sourcefiles prepare modify_composefile start
diff --git a/make/prepare b/make/prepare
index 459ecdd6d..0366ebc30 100755
--- a/make/prepare
+++ b/make/prepare
@@ -305,6 +305,7 @@ if customize_crt == 'on' and openssl_installed():
 root_crt = os.path.join(config_dir, "registry", "root.crt")
 create_root_cert(empty_subj, key_path=private_key_pem, cert_path=root_crt)
 os.chmod(private_key_pem, 0600)
+ os.chmod(root_crt, 0600)
 else:
 print("Copied configuration file: %s" % ui_config_dir + "private_key.pem")
 shutil.copyfile(os.path.join(templates_dir, "ui", "private_key.pem"), os.path.join(ui_config_dir, "private_key.pem"))
@@ -332,8 +333,10 @@ if args.notary_mode:
 create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
 create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
 print("Copying certs for notary signer")
+ os.chmod(signer_cert_path, 0600)
+ os.chmod(signer_key_path, 0600)
+ os.chmod(signer_ca_cert, 0600)
 shutil.copy2(signer_cert_path, notary_config_dir)
- os.chmod(signer_key_path, 0600)
 shutil.copy2(signer_key_path, notary_config_dir)
 shutil.copy2(signer_ca_cert, notary_config_dir)
 finally:
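Review bot: The three added `chmod 600` lines in `modify_sourcefiles` cover notary-signer.crt, notary-signer-ca.crt and registry/root.crt, which are certificates rather than keys, so owner-only mode adds no confidentiality and the recipe does not say why it is wanted. If the restriction is there to satisfy a file-permission policy, record that above the recipe, for example `# key and certificate templates are owner-only; make/prepare sets the same mode on the files it generates`. It is also worth confirming that every reader of these certificates runs as the owning user, since a reader under another uid would now be refused; that cannot be checked from this hunk.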
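Review bot: The added `os.chmod(root_crt, 0600)` only covers the branch that generates the key pair; in the `else:` branch the template private_key.pem is copied with `shutil.copyfile`, which copies contents but not permission bits, so the copy in ui_config_dir gets the process umask rather than the 600 the Makefile sets on the template. Unless a chmod follows outside this hunk, add `os.chmod(os.path.join(ui_config_dir, "private_key.pem"), 0o600)` after the copy. The `0600` literal is Python 2-only syntax, while `0o600` is accepted by Python 2.6+ and 3. The enclosing if/else starts above the hunk and continues below it.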
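Review bot: signer_ca_key, the CA private key that `create_root_cert` writes, is the one file generated here that gets no chmod, while the certificate it signs is restricted. The signer key and both certificates also sit at umask-default modes between generation and the added `os.chmod` calls. Both gaps close by setting `old_umask = os.umask(0o077)` before `create_root_cert(...)` and restoring it with `os.umask(old_umask)` in the `finally:` block; if the finally body deletes the working directory the exposure is short-lived, but that body and the opening `try:` are outside the hunk. Running the chmods before `shutil.copy2` is the right order, since copy2 carries the mode to the copies.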