diff --git a/ssl/manifests/init.pp b/ssl/manifests/init.pp
index a419020..0268e7f 100644
--- a/ssl/manifests/init.pp
+++ b/ssl/manifests/init.pp
@@ -17,8 +17,12 @@ class ssl::openssl {
 # Certificate output file.
 # $cn:
 # Common name.
+# $mode, $owner, $group:
+# Certificate file permissions.
 # $keyout:
 # Key output file. Defaults to ${name}.
+# $keymode, $keyowner, $keygroup:
+# Key file permissions.
 # $days:
 # Validity in days, defaults to 3650.
 # $keysize:
@@ -26,12 +30,17 @@ class ssl::openssl {
 # $subject:
 # Extra subject information.
 #
-define ssl::certificate($cn, $keyout="", $days="3650", $keysize="2048", $subject="") {
+define ssl::certificate($cn, $mode, $owner, $group,
+ $keyout="", $keymode="", $keyowner="", $keygroup="",
+ $days="3650", $keysize="2048", $subject="") {
 include ssl::openssl
 if $keyout {
 $keyout_real = $keyout
+ if !$keymode or !$keyowner or !$keygroup {
+ fail("\$keymode, \$keyowner and \$keygroup must be defined.")
+ }
 } else {
 $keyout_real = $name
 }
@@ -48,6 +57,24 @@ define ssl::certificate($cn, $keyout="", $days="3650", $keysize="2048", $subject
 creates => [ "${name}", "${keyout_real}" ],
 }
+ file { "${name}":
+ ensure => present,
+ mode => $mode,
+ owner => $owner,
+ group => $group,
+ require => Exec["openssl-req-${name}"],
+ }
+
+ if $keyout {
+ file { "${keyout}":
+ ensure => present,
+ mode => $keymode,
+ owner => $keyowner,
+ group => $keygroup,
+ require => Exec["openssl-req-${name}"],
+ }
+ }
+
 }
@@ -57,10 +84,12 @@ define ssl::certificate($cn, $keyout="", $days="3650", $keysize="2048", $subject
 #
 # $name:
 # Output file.
+# $mode, $owner, $group:
+# Output file permissions.
 # $keysize:
 # Key size. Defaults to 1024.
 #
-define ssl::dhparam($keysize="1024") {
+define ssl::dhparam($mode, $owner, $group, $keysize="1024") {
 exec { "openssl-dhparam-${name}":
 path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin",
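Review bot: The new `# $keymode, $keyowner, $keygroup:` entry does not say that these become mandatory as soon as `$keyout` is given, which is exactly what the `fail()` added later in this diff enforces; a caller reading only this header would pass `$keyout` alone and get a catalog failure. Suggest `# Key file permissions. Required when $keyout is set.`. The `# $mode, $owner, $group:` entry could likewise state that when `$keyout` is left empty the private key is written into the certificate file (`$keyout_real = $name` below), so those permissions then also protect the key.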
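Review bot: The new `fail()` guard only covers the branch where `$keyout` is set; in the `else` branch the private key ends up in `${name}` (`$keyout_real = $name`) and the only permissions ever applied to it are `$mode`/`$owner`/`$group`, which nothing checks for being restrictive. Either document that at the define (`# When $keyout is empty, $mode also governs the private key; use an owner-only mode.`) or reject permissive modes in that branch, e.g. `if $mode !~ /^0?[4-7]00$/ { fail("\$mode must not grant group/other access when the key is stored in \$name") }` (the pattern needs adjusting to whatever mode formats this module accepts). Also, `$mode`, `$owner` and `$group` are now positional and mandatory, so every existing `ssl::certificate` caller fails at compile time; that should at least be called out in the commit message. The rest of the define body lies outside this hunk.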
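Review bot: The private key is created by `Exec["openssl-req-${name}"]` under the agent's default umask, and the new `file { "${keyout}": }` resource only tightens `$keymode` afterwards, so on the first run the key can be readable by other local users between the two resources; the same applies to `${name}` when `$keyout` is empty and the key is written there. Restricting the umask of the exec itself (its `umask` attribute where the Puppet version in use supports it, otherwise in the command, which is outside this hunk) closes that window. Separately, `ensure => present` on both new file resources — and on the `ssl::dhparam` one added at the end of this diff — is also satisfied by a directory or symlink at that path, so the mode would be applied to that object instead; `ensure => file` pins the type. The `ssl::certificate` body starts outside this hunk.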
@@ -68,4 +97,12 @@ define ssl::dhparam($keysize="1024") {
 creates => "${name}",
 }
+ file { "${name}":
+ ensure => present,
+ mode => $mode,
+ owner => $owner,
+ group => $group,
+ require => Exec["openssl-dhparam-${name}"],
+ }
+ }
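Review bot: The new `file { "${name}": }` resource relies on `$mode`, `$owner` and `$group`, which the signature change in the preceding hunk makes mandatory, so every existing `ssl::dhparam` caller now fails at catalog compile time. Unlike the private key in `ssl::certificate`, DH parameters are not secret, so defaults such as `$mode="0644"` with `$owner` and `$group` defaulting to root would keep existing manifests working without weakening anything. The define's `exec` block starts outside this hunk.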