diff --git a/xrdp.spec b/xrdp.spec
index c5f8fe0..4d7be3e 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -77,25 +77,22 @@ echo '#!/bin/bash -l
 #install 'bash -l' startwm script
 %{__install} -Dp -m 755 sesman/startwm-bash.sh %{buildroot}%{_sysconfdir}/xrdp/startwm-bash.sh
 
-#rsakeys.ini
-touch %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
-%{__chmod} 0600 %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
-
-
 %post
 %systemd_post xrdp.service
 
-if [ ! -f %{_sysconfdir}/xrdp/rsakeys.ini ]; then
-  xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
-  %{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
+if [ ! -s %{_sysconfdir}/xrdp/rsakeys.ini ]; then
+  (umask 377; xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini >/dev/null)
 fi
+chmod 400 %{_sysconfdir}/xrdp/rsakeys.ini
 
-if [ ! -f %{_sysconfdir}/xrdp/cert.pem ]; then
-  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+if [ ! -s %{_sysconfdir}/xrdp/cert.pem ]; then
+  (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
     -keyout %{_sysconfdir}/xrdp/key.pem \
     -out %{_sysconfdir}/xrdp/cert.pem \
-    -config %{_sysconfdir}/xrdp/openssl.conf
+    -config %{_sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1)
 fi
+chmod 400 %{_sysconfdir}/xrdp/cert.pem
+chmod 400 %{_sysconfdir}/xrdp/key.pem
 
 %preun
 %systemd_preun xrdp.service
@@ -178,14 +175,13 @@ fi
 %exclude %{_libdir}/xrdp/*.la
 %ghost %{_localstatedir}/log/xrdp.log
 %ghost %{_localstatedir}/log/xrdp-sesman.log
-%attr(0600,root,root) %verify(not size md5 mtime) %{_sysconfdir}/xrdp/rsakeys.ini
 
 %files devel
 %{_includedir}/*
 %{_libdir}/pkgconfig/xrdp.pc
 
 %changelog
-* Mon Jan 23 2017 Pavel Roskin <plroskin@gmail.com> - 1:0.9.1-2
+* Tue Jan 24 2017 Pavel Roskin <plroskin@gmail.com> - 1:0.9.1-2
 - Split out xrdp-devel
 - Generate certificate for TLS authentication on package install
 - Add fastpath hotfix