diff --git a/lib/srv/db/common/kerberos/kinit/kinit.go b/lib/srv/db/common/kerberos/kinit/kinit.go
index 21508054a0d1b..90d2a8811549b 100644
--- a/lib/srv/db/common/kerberos/kinit/kinit.go
+++ b/lib/srv/db/common/kerberos/kinit/kinit.go
@@ -222,17 +222,17 @@ func (k *kinitProvider) CreateClient(ctx context.Context, username string) (*cli
 		return nil, trace.Wrap(err)
 	}
 
-	err = os.WriteFile(certPath, certResult.certPEM, 0644)
+	err = os.WriteFile(certPath, certResult.certPEM, 0600)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	err = os.WriteFile(keyPath, certResult.keyPEM, 0644)
+	err = os.WriteFile(keyPath, certResult.keyPEM, 0600)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	err = os.WriteFile(userCAPath, k.buildAnchorsFileContents(certResult.caCert), 0644)
+	err = os.WriteFile(userCAPath, k.buildAnchorsFileContents(certResult.caCert), 0600)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}