diff --git a/lib/pathutils.py b/lib/pathutils.py
index c50c6da30ff715402687857dc3f25c26ffc3d390..b5800c0502b0b38d131789186fa535ac6133675d 100644
--- a/lib/pathutils.py
+++ b/lib/pathutils.py
@@ -74,7 +74,6 @@ UIDPOOL_LOCKDIR = RUN_DIR + "/uid-pool"
 SSCONF_LOCK_FILE = LOCK_DIR + "/ganeti-ssconf.lock"
 
 CLUSTER_CONF_FILE = DATA_DIR + "/config.data"
-NODED_CERT_FILE = DATA_DIR + "/server.pem"
 RAPI_CERT_FILE = DATA_DIR + "/rapi.pem"
 CONFD_HMAC_KEY = DATA_DIR + "/hmac.key"
 SPICE_CERT_FILE = DATA_DIR + "/spice.pem"
@@ -90,6 +89,12 @@ HOOKS_BASE_DIR = CONF_DIR + "/hooks"
 FILE_STORAGE_PATHS_FILE = CONF_DIR + "/file-storage-paths"
 RESTRICTED_COMMANDS_DIR = CONF_DIR + "/restricted-commands"
 
+#: Node daemon certificate path
+NODED_CERT_FILE = DATA_DIR + "/server.pem"
+
+#: Node daemon certificate file permissions
+NODED_CERT_MODE = 0440
+
 #: Locked in exclusive mode while noded verifies a remote command
 RESTRICTED_COMMANDS_LOCK_FILE = LOCK_DIR + "/ganeti-restricted-commands.lock"
 
diff --git a/lib/tools/ensure_dirs.py b/lib/tools/ensure_dirs.py
index 48a7b441511933e9fa2c91c920c323f740a862ec..bb20e5d8eba677d0d1b95ae7ba573f2efaa837ed 100644
--- a/lib/tools/ensure_dirs.py
+++ b/lib/tools/ensure_dirs.py
@@ -144,8 +144,8 @@ def GetPaths():
      getent.masterd_gid, False),
     (pathutils.SPICE_CACERT_FILE, FILE, 0440, getent.noded_uid,
      getent.masterd_gid, False),
-    (pathutils.NODED_CERT_FILE, FILE, 0440, getent.masterd_uid,
-     getent.masterd_gid, False),
+    (pathutils.NODED_CERT_FILE, FILE, pathutils.NODED_CERT_MODE,
+     getent.masterd_uid, getent.masterd_gid, False),
     ]
 
   ss = ssconf.SimpleStore()