diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in
index eaf1d082c..daa95d949 100644
--- a/smallapp/unbound-control-setup.sh.in
+++ b/smallapp/unbound-control-setup.sh.in
@@ -204,6 +204,11 @@ chmod o-rw \
       "$CTL_BASE.pem" \
       "$CTL_BASE.key"
 
+# Ensure expected group permissions
+chmod g+r \
+      "$SVR_BASE.key" \
+      "$CTL_BASE.key" \
+
 cleanup
 
 echo "Setup success. Certificates created. Enable in unbound.conf file to use"
diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
index ff205be19..e6d10a062 100755
--- a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
@@ -158,6 +158,9 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
 # remove unused permissions
 chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
 
+# add needed group permissions
+chmod g+r $SVR_BASE.key $CTL_BASE.key
+
 # remove crap
 rm -f request.cfg
 rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"