diff --git a/config.go b/config.go
index cd19c25..6706ef2 100644
--- a/config.go
+++ b/config.go
@@ -261,7 +261,7 @@ func (c *tCertFileUpdateConfig) Validate(handlers *tHandlers) error {
 // Return the mode of a certificate file
 func (c *tCertificateFileConfig) FileMode() os.FileMode {
 	if c.Mode == nil {
-		return 0640
+		return 0644
 	} else {
 		return *c.Mode
 	}
diff --git a/fetch-certificates.yml.example b/fetch-certificates.yml.example
index 8942d74..373e524 100644
--- a/fetch-certificates.yml.example
+++ b/fetch-certificates.yml.example
@@ -76,7 +76,8 @@ certificates:
 
     # Path to the file to generate
   - path: /etc/ssl/private/cert1.pem
-    # Access mode, owner and group for the file. May be omitted.
+    # Access mode, owner and group for the file. May be omitted. The mode
+    # will default to 0644 if unspecified.
     mode: 0640
     owner: root
     group: somegroup