diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index ec78671..d6eab4f 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -70,6 +70,12 @@
   command:
     openssl dhparam -out /etc/raddb/certs/dhparam {{ radiusd_dhparm_size }}
     creates=/etc/raddb/certs/dhparam
+- name: ensure dh parameters file permissions are correct
+  file:
+    path=/etc/raddb/certs/dhparam
+    mode=0640
+    owner=root
+    group=radiusd
 - name: ensure example certificates are removed
   command:
     rm -vf