diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72f793e6..1ca523a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -55,6 +55,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * varnish: fix missing state, that blocked the task
 * proftpd: Fix format of public key files controlled by ansible
 * proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody)
+* openvpn: Fix mode of shellpki script
 
 ### Removed
 
diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml
index 463df8e9..b0201f0c 100644
--- a/openvpn/tasks/debian.yml
+++ b/openvpn/tasks/debian.yml
@@ -48,7 +48,7 @@
     group: "{{ item.group }}"
   with_items:
      - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" }
-     - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" }
+     - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "root" }
 
 - name: Add sudo rights
   lineinfile:
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml
index a594e12d..b0e629be 100644
--- a/openvpn/tasks/openbsd.yml
+++ b/openvpn/tasks/openbsd.yml
@@ -38,7 +38,7 @@
     group: "{{ item.group }}"
   with_items:
      - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki" }
-     - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "wheel" }
+     - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "wheel" }
 
 - name: Add sudo rights
   lineinfile: