diff --git a/pkg/app/cmd_create.go b/pkg/app/cmd_create.go
index 46b239c..c6b6750 100644
--- a/pkg/app/cmd_create.go
+++ b/pkg/app/cmd_create.go
@@ -48,13 +48,13 @@ func (app *app) cmdCreate(_ context.Context, args []string) error {
 	}
 
 	// write files
-	err = os.WriteFile(keyCertFileName, apcKeyCertFile, 0777)
+	err = os.WriteFile(keyCertFileName, apcKeyCertFile, 0600)
 	if err != nil {
 		return fmt.Errorf("create: failed to write apc p15 key+cert file (%s)", err)
 	}
 	app.stdLogger.Printf("create: apc p15 key+cert file %s written to disk", keyCertFileName)
 
-	err = os.WriteFile(keyFileName, keyFile, 0777)
+	err = os.WriteFile(keyFileName, keyFile, 0600)
 	if err != nil {
 		return fmt.Errorf("create: failed to write apc p15 key file (%s)", err)
 	}
@@ -64,21 +64,21 @@ func (app *app) cmdCreate(_ context.Context, args []string) error {
 	// easy to do e.g., https://lapo.it/asn1js)
 	if app.config.debugLogging != nil && *app.config.debugLogging {
 		keyCertFileNameDebug := keyCertFileName + ".noheader.b64"
-		err = os.WriteFile(keyCertFileNameDebug, []byte(base64.StdEncoding.EncodeToString(apcKeyCertFile[apcHeaderLen:])), 0777)
+		err = os.WriteFile(keyCertFileNameDebug, []byte(base64.StdEncoding.EncodeToString(apcKeyCertFile[apcHeaderLen:])), 0600)
 		if err != nil {
 			return fmt.Errorf("create: failed to write apc p15 key+cert file (%s)", err)
 		}
 		app.debugLogger.Printf("create: apc p15 key+cert file %s written to disk", keyCertFileNameDebug)
 
 		keyCertFileNameHeaderDebug := keyCertFileName + ".header.b64"
-		err = os.WriteFile(keyCertFileNameHeaderDebug, []byte(base64.StdEncoding.EncodeToString(apcKeyCertFile[apcHeaderLen:])), 0777)
+		err = os.WriteFile(keyCertFileNameHeaderDebug, []byte(base64.StdEncoding.EncodeToString(apcKeyCertFile[apcHeaderLen:])), 0600)
 		if err != nil {
 			return fmt.Errorf("create: failed to write apc p15 key+cert file (%s)", err)
 		}
 		app.debugLogger.Printf("create: apc p15 key+cert file header %s written to disk", keyCertFileNameHeaderDebug)
 
 		keyFileNameDebug := keyFileName + ".b64"
-		err = os.WriteFile(keyFileNameDebug, []byte(base64.StdEncoding.EncodeToString(keyFile)), 0777)
+		err = os.WriteFile(keyFileNameDebug, []byte(base64.StdEncoding.EncodeToString(keyFile)), 0600)
 		if err != nil {
 			return fmt.Errorf("create: failed to write apc p15 key file (%s)", err)
 		}