diff --git a/netjsonconfig/backends/openvpn/openvpn.py b/netjsonconfig/backends/openvpn/openvpn.py
index 03bbf158c..225c5983d 100644
--- a/netjsonconfig/backends/openvpn/openvpn.py
+++ b/netjsonconfig/backends/openvpn/openvpn.py
@@ -1,4 +1,4 @@
-from ...schema import DEFAULT_FILE_MODE
+from ...schema import X509_FILE_MODE
 from ..base.backend import BaseBackend
 from . import converters
 from .parser import OpenVpnParser, config_suffix, vpn_pattern
@@ -121,15 +121,15 @@ def _auto_client_files(cls, client, ca_path=None, ca_contents=None, cert_path=No
 client['ca'] = ca_path
 files.append(dict(path=ca_path,
 contents=ca_contents,
- mode=DEFAULT_FILE_MODE))
+ mode=X509_FILE_MODE))
 if cert_path and cert_contents:
 client['cert'] = cert_path
 files.append(dict(path=cert_path,
 contents=cert_contents,
- mode=DEFAULT_FILE_MODE))
+ mode=X509_FILE_MODE))
 if key_path and key_contents:
 client['key'] = key_path
 files.append(dict(path=key_path,
 contents=key_contents,
- mode=DEFAULT_FILE_MODE,))
+ mode=X509_FILE_MODE,))
 return files
diff --git a/netjsonconfig/schema.py b/netjsonconfig/schema.py
index 5a14cdd3c..9d74e95c5 100644
--- a/netjsonconfig/schema.py
+++ b/netjsonconfig/schema.py
@@ -7,6 +7,7 @@ from .countries import countries
 DEFAULT_FILE_MODE = '0644'
+X509_FILE_MODE = '0600'
 MAC_PATTERN = '([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})'
 MAC_PATTERN_BLANK = '^({0}|)$'.format(MAC_PATTERN)
diff --git a/tests/openvpn/test_backend.py b/tests/openvpn/test_backend.py
index de7bdb568..f699cc284 100644
--- a/tests/openvpn/test_backend.py
+++ b/tests/openvpn/test_backend.py
@@ -586,17 +586,17 @@ def test_auto_client_complex(self):
 # ---------- files ---------- #
 # path: {{ca_path_1}}
-# mode: 0644
+# mode: 0600
 {{ca_contents_1}}
 # path: {{cert_path_1}}
-# mode: 0644
+# mode: 0600
 {{cert_contents_1}}
 # path: {{key_path_1}}
-# mode: 0644
+# mode: 0600
 {{key_contents_1}}
diff --git a/tests/openwisp/test_backend.py b/tests/openwisp/test_backend.py
index 6b33c0fe7..b0d19b032 100644
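Review bot: In the `_auto_client_files` hunk of `openvpn.py`, the CA and client certificate entries now get the same owner-only mode as the private key, and no comment says this is deliberate or which of the three files is actually secret. A short comment above the first `files.append`, such as `# x509 files are written owner-only (0600); the private key must not be readable by other local users`, would record the intent. With this mode only the file's owner can read the key on the device, so an OpenVPN process that drops privileges and later re-reads its key may need `persist-key`; whether that applies depends on configuration not visible here, but it is worth a line in the docs. The third entry keeps a stray trailing comma, `mode=X509_FILE_MODE,))`, which could be tidied to match the other two. The function's signature and opening lines are outside this hunk.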
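Review bot: In `schema.py`, `X509_FILE_MODE = '0600'` is added without a comment, and its name mentions only x509 although the openvpn backend in this same diff also applies it to the client private key. I would document it in place, e.g. `# owner read/write only: certificates and private keys written by the backends`. `DEFAULT_FILE_MODE` stays `'0644'`, so key material that reaches a `files` list by some other path with the default mode would presumably still be world-readable; that path is not visible in this diff and should be checked.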
--- a/tests/openwisp/test_backend.py
+++ b/tests/openwisp/test_backend.py
@@ -107,12 +107,12 @@ class TestBackend(unittest.TestCase, _TabsMixin):
 "files": [
 {
 "path": "/openvpn/x509/ca_1_service.pem",
- "mode": "0644",
+ "mode": "0600",
 "contents": "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----\n" # noqa
 },
 {
 "path": "/openvpn/x509/l2vpn_client_2693.pem",
- "mode": "0644",
+ "mode": "0600",
 "contents": "-----BEGIN CERTIFICATE-----\ntest==\n-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\ntest\n-----END RSA PRIVATE KEY-----\n" # noqa
 }
 ]