diff --git a/CHANGES.d/20240812_145407_cz_certificate_user.md b/CHANGES.d/20240812_145407_cz_certificate_user.md
new file mode 100644
index 0000000..3feece2
--- /dev/null
+++ b/CHANGES.d/20240812_145407_cz_certificate_user.md
@@ -0,0 +1 @@
+- `ssl.Certificate`: Set proper ACL for non-let's encrypt certificates.
diff --git a/src/batou_ext/ssl.py b/src/batou_ext/ssl.py
index 3e1d999..cb54589 100644
--- a/src/batou_ext/ssl.py
+++ b/src/batou_ext/ssl.py
@@ -11,6 +11,8 @@ import pkg_resources
 import six
 
+from .acl import ACL
+
 
 class Certificate(batou.component.Component):
     """SSL certificate management using let's encrypt -- or not
 
@@ -132,12 +134,21 @@ def configure(self):
             sensitive_data=True,
         )
         self += self.key_file
+        self += ACL(
+            self.key_file.path,
+            ruleset=[
+                "user::rw-",
+                f"user:{self.granted_user}:r--",
+                "group::---",
+                "mask::r--",
+                "other::---",
+            ],
+        )
         if self.trusted_crt_content:
             self.trusted_file = batou.lib.file.File(
                 "{}/{}.trust.crt".format(self.workdir, self.domain),
                 content=self.trusted_crt_content,
-                mode=0o600,
             )
             self += self.trusted_file
             self.trusted = self.trusted_file.path
 
@@ -257,7 +268,6 @@ def update(self):
 
 
 class ActivateLetsEncrypt(batou.component.Component):
-
     cert: Certificate = None
 
     def verify(self):
@@ -275,7 +285,6 @@ def namevar_for_breadcrumb(self):
 
 
 class CertificateCheck(batou.component.Component):
-
     namevar = "public_name"
     warning_days = 25
     critical_days = 14
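Review bot: The new ACL ruleset interpolates `self.granted_user` into the private-key ACL without checking it; the attribute's declaration and default are outside this hunk, so if it can be `None` or empty the entry becomes `user:None:r--` (rejected by setfacl) or `user::r--`, which duplicates the owner entry and may downgrade the key owner to read-only instead of granting a second user access. A guard before `self += ACL(` such as `if not self.granted_user:` / `    raise ValueError("Certificate: granted_user must be set for the key-file ACL")` keeps a misconfiguration from deploying a wrong ACL on the private key. Dropping `mode=0o600` from the `.trust.crt` file is reasonable since the trust chain is public data, but the default mode `batou.lib.file.File` falls back to is not visible here, so a one-line comment stating that the chain is intentionally readable would document the intent. The changelog describes this as the non-Let's-Encrypt path, yet the `configure` body starts outside the hunk, so whether the ACL is conditional on that cannot be confirmed from this view.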