- openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem" \
- -signkey "$arg1-privkey.pem" -req -text 2>&3
+ # Create both the private key and certificate with restricted permissions.
+ (umask 077 && \
+ openssl x509 -in "$arg1-req.pem" -out "$arg1-cert.pem.tmp" \
+ -signkey "$arg1-privkey.pem" -req -text) 2>&3 || exit $?
+
+ # Reset the permissions on the certificate to the user's default.
+ cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
+ rm -f "$arg1-cert.pem.tmp"
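Review bot: The `cat` that copies the temporary file into `$arg1-cert.pem` is unchecked, so if that write fails (full disk, unwritable target) the `rm -f` on the next line still deletes the only good copy and the script continues with a missing or truncated certificate. Guard it the same way as the subshell, e.g. `cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" || exit $?`, before the `rm -f`. Separately, the comment above the subshell says both the private key and the certificate are created there, but with `-signkey` the visible command only reads `$arg1-privkey.pem` and writes the certificate, so the `umask 077` does nothing for the key. The key's mode has to be restricted where it is generated, which is outside the lines shown here; if that is already done, reword the comment to `# Write the certificate to a temporary file with restricted permissions.`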