diff --git a/buildcert.go b/buildcert.go
index dc2362d..a4398e6 100644
--- a/buildcert.go
+++ b/buildcert.go
@@ -143,7 +143,7 @@ func (b *tCertificateBuilder) MustWrite(force bool) bool {
 // Write the file's data
 func (b *tCertificateBuilder) WriteFile() error {
 	log.WithField("file", b.Config.Path).Info("Writing certificate data to file")
-	err := ioutil.WriteFile(b.Config.Path, b.text, b.Config.Mode)
+	err := ioutil.WriteFile(b.Config.Path, b.text, b.Config.FileMode())
 	if err == nil {
 		b.changed = true
 	}
@@ -152,9 +152,9 @@ func (b *tCertificateBuilder) WriteFile() error {
 
 // Update the file's owner and group
 func (b *tCertificateBuilder) UpdatePrivileges() error {
-	update_mode := !b.changed && b.existing.mode != b.Config.Mode
+	update_mode := !b.changed && b.existing.mode != b.Config.FileMode()
 	if update_mode {
-		err := os.Chmod(b.Config.Path, b.Config.Mode)
+		err := os.Chmod(b.Config.Path, b.Config.FileMode())
 		if err != nil {
 			return err
 		}
diff --git a/config.go b/config.go
index 5737359..cd19c25 100644
--- a/config.go
+++ b/config.go
@@ -75,7 +75,7 @@ type (
 	// Certificate file configuration.
 	tCertificateFileConfig struct {
 		Path           string                `yaml:"path"`
-		Mode           os.FileMode           `yaml:"mode"`
+		Mode           *os.FileMode          `yaml:"mode"`
 		Owner          string                `yaml:"owner"`
 		Group          string                `yaml:"group"`
 		PrependFiles   []string              `yaml:"prepend_files"`
@@ -258,6 +258,15 @@ func (c *tCertFileUpdateConfig) Validate(handlers *tHandlers) error {
 	return nil
 }
 
+// Return the mode of a certificate file
+func (c *tCertificateFileConfig) FileMode() os.FileMode {
+	if c.Mode == nil {
+		return 0640
+	} else {
+		return *c.Mode
+	}
+}
+
 // Validate a certificate file configuration entry
 func (c *tCertificateFileConfig) Validate(handlers *tHandlers) error {
 	if !valid.IsUnixFilePath(c.Path) {