diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
index e9261956..82f3b081 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
@@ -35,7 +35,7 @@
   copy:
     src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
     dest: "{{ node_certs_source }}/{{ ca_key_name }}"
-    mode: '0664'
+    mode: '0440'
   when:
    - not generate_CA
    - node_certs_generator
@@ -45,7 +45,7 @@
   copy:
     src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
     dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
-    mode: '0664'
+    mode: '0440'
   when:
     - not generate_CA
     - node_certs_generator
diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml
index b43b3755..ad4a3e4c 100644
--- a/roles/elastic-stack/ansible-kibana/tasks/main.yml
+++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml
@@ -41,7 +41,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
-    mode: '0664'
+    mode: '0444'
   with_items:
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"