diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml
index 8943497..aafc6fd 100644
--- a/roles/pki/tasks/main.yml
+++ b/roles/pki/tasks/main.yml
@@ -29,6 +29,14 @@
 ansible.builtin.set_fact:
 pki_cacert_hash: "{{ result.stdout }}"
 
+- name: fix private key directory permissions
+ ansible.builtin.file:
+ path: "{{ tls_private }}"
+ mode: 0750
+ owner: root
+ group: hostkey
+ when: ansible_system == "OpenBSD"
+
 - name: copy host certificate
 ansible.builtin.copy:
 src: "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
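Review bot: The added task's `mode: 0750` is an unquoted octal literal, so the permissions on the private key directory depend on the YAML loader reading the leading zero as octal; `mode: "0750"` removes that dependency. The task also sets no `state`, so it relies on `{{ tls_private }}` already existing as a directory; adding `state: directory` states the intent and creates the path with these permissions if it is missing. Whether the key files under that directory are themselves limited to root and `hostkey` is not visible in this hunk, and neither is how other platforms are handled, since the task runs only when `ansible_system == "OpenBSD"`.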