diff --git a/utils/gen-ec-cert.sh b/utils/gen-ec-cert.sh
index 35cf09b..ee9ce7e 100644
--- a/utils/gen-ec-cert.sh
+++ b/utils/gen-ec-cert.sh
@@ -31,9 +31,9 @@ if [ -f "$domain.key" ]; then
 	printf "%s: key for %s already exists; reusing it.\n" \
 	    "${0##*/}" "$domain" >&2
 else
-	(umask 077 &&
+	(umask 0377 &&
 	    openssl ecparam -genkey -name "$curve" -out "$domain.key")
 fi
 
-openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
+umask 0333 && openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
     -key "$domain.key" -out "$domain.pem"