diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml
index 0021280..6606ba5 100644
--- a/roles/pki/tasks/main.yml
+++ b/roles/pki/tasks/main.yml
@@ -1,5 +1,10 @@
 ---
+- name: create hostkey group
+ group:
+ name: hostkey
+ system: true
+
+
 - name: copy ca certificate
 copy:
 src: "/srv/ca/certs/ca.crt"
@@ -20,6 +25,6 @@
 copy:
 src: "/srv/ca/private/{{ inventory_hostname }}.key"
 dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
- mode: 0600
+ mode: 0640
 owner: root
- group: "{{ ansible_wheel }}"
+ group: hostkey
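Review bot: The new `create hostkey group` task carries no comment saying what membership of the group grants, and the group only matters because of the key permissions changed in the second hunk. Any account added to `hostkey` will be able to read this host's TLS private key, so I would state that above the task, e.g. `# members of hostkey can read the host's TLS private key; add service accounts only`. Nothing in this diff adds members, so presumably other roles do that; it is worth confirming that membership is managed in code rather than ad hoc.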
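Review bot: The key file is made group-readable, but the hunk does not show whether the `{{ tls_private }}` directory lets `hostkey` members traverse it while still excluding everyone else. If that directory is managed in this role, its owner, group and mode should be set to match (for example `root:hostkey` with `"0750"`). The mode is also better written as a quoted string, `mode: "0640"`, so it does not depend on YAML octal parsing. The task begins above the hunk, so I cannot see whether it sets `diff: false`; without it a `--diff` run can print the key contents.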