diff --git a/roles/lego/defaults/main.yml b/roles/lego/defaults/main.yml
index 8c80350..3776907 100644
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@@ -1,5 +1,9 @@
 ---
 lego_base_path: /opt/lego
+lego_certificate_store: "{{ lego_base_path }}/certificates"
+lego_certificate_store_user: "{{ lego_user_res.uid | default(lego_user) }}"
+lego_certificate_store_group: "{{ lego_user_res.group | default(lego_user) }}"
+lego_certificate_store_mode: "0750"
 lego_systemd_path: /etc/systemd/system
 lego_version: 4.5.2
 lego_system_type: "linux"
diff --git a/roles/lego/tasks/main.yml b/roles/lego/tasks/main.yml
index 9d6b7a4..ec11613 100644
--- a/roles/lego/tasks/main.yml
+++ b/roles/lego/tasks/main.yml
@@ -14,8 +14,17 @@
 file:
 path: "{{ lego_base_path }}"
 state: directory
- owner: "{{ lego_user_res.uid }}"
- group: "{{ lego_user_res.group }}"
+ owner: "{{ lego_certificate_store_user }}"
+ group: "{{ lego_certificate_store_group }}"
+ mode: "0755"
+
+- name: Ensure certificate directory exists and has the configured permissions
+ file:
+ path: "{{ lego_certificate_store }}"
+ state: directory
+ owner: "{{ lego_certificate_store_user }}"
+ group: "{{ lego_certificate_store_group }}"
+ mode: "{{ lego_certificate_store_mode }}"
 - name: Check if binary exsists and is the correct version
 command:
diff --git a/roles/lego/templates/lego.service.j2 b/roles/lego/templates/lego.service.j2
index 9de65d1..785c435 100644
--- a/roles/lego/templates/lego.service.j2
+++ b/roles/lego/templates/lego.service.j2
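Review bot: The new `lego_certificate_store_user` and `lego_certificate_store_group` defaults read `lego_user_res`, which is a value registered by a task elsewhere in the role, so they are only meaningful after that task has run; the `default(lego_user)` fallback hides that ordering and also switches the value from a numeric uid to a user name, which a reader of defaults/main.yml cannot tell. A comment above `lego_certificate_store_user` such as `# Resolved lazily from the registered user result; falls back to the configured user name until that task has run` would make the dependency explicit. `lego_certificate_store_mode` would likewise benefit from `# Mode of the certificate directory only; per-file modes are set by the systemd unit` so nobody expects it to cover the certificate and key files.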
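Review bot: The base-directory task now takes its `owner`/`group` from `lego_certificate_store_user` and `lego_certificate_store_group`, so a deployment that overrides those variables to give another principal read access to the certificates also re-owns `lego_base_path` — the unit's working directory — to that principal, widening what it can write there; the two removed lines used `lego_user_res.uid`/`.group` and did not have this coupling. I would keep the base task on `owner: "{{ lego_user_res.uid }}"` and `group: "{{ lego_user_res.group }}"` (or give it its own `lego_base_path_owner`/`_group` defaults) and apply the store variables only in the new "Ensure certificate directory" task. While there, `mode: "0755"` is hard-coded on the base directory whereas the store mode is a variable; a `lego_base_path_mode` default would keep the two tasks consistent. The `- name:` line of the base-directory task is above the hunk.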
@@ -12,7 +12,11 @@ Type=oneshot
 Group={{ lego_user_res.group }}
 User={{ lego_user_res.name }}
 WorkingDirectory={{ lego_base_path }}
+ExecStartPre=+-chown {{ lego_certificate_store_user }}:{{ lego_certificate_store_group }} {{ lego_certificate_store }}
+ExecStartPre=+-chmod {{ lego_certificate_store_mode }} {{ lego_certificate_store }}
 ExecStart={{ lego_command_systemd }}
+ExecStartPost=+-/bin/sh -c 'chown {{ lego_certificate_store_user }}:{{ lego_certificate_store_group }} {{ lego_certificate_store }}/*'
+ExecStartPost=+-/bin/sh -c 'chmod 0640 {{ lego_certificate_store }}/*'
 [Install]
 WantedBy=multi-user.target
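Review bot: The two `ExecStartPost=+-/bin/sh -c '…'` lines run `chown`/`chmod` as root over a glob in a directory owned by `lego_certificate_store_user`, and both commands follow symlinks, so any symlink that the service user (or anyone else able to write into the store) places there is re-owned or re-moded by root at the next run; the `-` prefix then also hides the failure when the directory is empty and `*` is passed literally. The hard-coded `0640` additionally overrides whatever mode lego itself wrote and makes the private keys group-readable alongside the certificates, which is presumably not intended for every group the store might be shared with. Two smaller changes address this: drop the `+` on the post-steps when the store user is the service user (they then run with the service's own privileges and cannot touch files they do not own), or use `chown -h` and `find {{ lego_certificate_store }} -maxdepth 1 -type f -exec chmod … {} +` so neither command dereferences links; and lift `0640` into a `lego_certificate_file_mode` default next to `lego_certificate_store_mode`. The `[Service]` section these lines belong to starts above the hunk.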