diff --git a/scripts/util/keystore-cert-import b/scripts/util/keystore-cert-import
index 23956d4f86f..c4ec3bea25a 100755
--- a/scripts/util/keystore-cert-import
+++ b/scripts/util/keystore-cert-import
@@ -121,6 +121,12 @@ if [ -f "$LIBVIRTD_FILE" ]; then
     ln -sf /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem
     ln -sf /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem
     cloudstack-setup-agent -s > /dev/null
+
+    QEMU_GROUP=$(sed -n 's/^group=//p' /etc/libvirt/qemu.conf | awk -F'"' '{print $2}' | tail -n1)
+    if [ ! -z "${QEMU_GROUP// }" ]; then
+      chgrp $QEMU_GROUP /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+      chmod 750 /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+    fi
 fi
 
 # Update ca-certs if we're in systemvm
@@ -138,6 +144,6 @@ if [ -f "$SYSTEM_FILE" ]; then
 fi
 
 # Fix file permission
-chmod 600 $CACERT_FILE
-chmod 600 $CERT_FILE
-chmod 600 $PRIVKEY_FILE
+chmod 750 $CACERT_FILE
+chmod 750 $CERT_FILE
+chmod 750 $PRIVKEY_FILE