diff --git a/site/profiles/manifests/helpers/certmanager.pp b/site/profiles/manifests/helpers/certmanager.pp
index 860d0ea..41d1730 100644
--- a/site/profiles/manifests/helpers/certmanager.pp
+++ b/site/profiles/manifests/helpers/certmanager.pp
@@ -60,7 +60,9 @@ class profiles::helpers::certmanager (
   # create the config from a template
   file { $config_path:
     ensure  => file,
-    mode    => '0600',
+    mode    => '0660',
+    owner   => 'puppet',
+    group   => 'root',
     content => Sensitive(template("profiles/helpers/${script_name}_config.yaml.erb")),
     require => Python::Pyvenv[$venv_path],
   }
diff --git a/site/profiles/templates/helpers/certmanager.erb b/site/profiles/templates/helpers/certmanager.erb
index 59c9ae8..44588e5 100644
--- a/site/profiles/templates/helpers/certmanager.erb
+++ b/site/profiles/templates/helpers/certmanager.erb
@@ -28,10 +28,18 @@ def request_certificate(common_name, alt_names, ip_sans, expiry_days, vault_conf
         print(f"Error requesting certificate: {response.text}")
         return None
 
-def save_cert_files(certificate_response, common_name, compress, config):
+def save_cert_files(certificate_response, common_name, compress, config, json_output):
     base_path = config.get('output_path', '.')
     cert_dir = os.path.join(base_path, common_name)
-    if not compress:
+    if json_output:
+        import json
+        output = {
+            'certificate': certificate_response['data']['certificate'],
+            'private_key': certificate_response['data']['private_key'],
+            'full_chain': certificate_response['data']['issuing_ca'] + "\n" + certificate_response['data']['certificate'],
+        }
+        print(json.dumps(output))
+    elif not compress:
         os.makedirs(cert_dir, exist_ok=True)
         with open(os.path.join(cert_dir, "certificate.crt"), "w") as cert_file:
             cert_file.write(certificate_response['data']['certificate'])
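Review bot: Widening the config file from 0600 to 0660 makes a file whose content is wrapped in Sensitive(...) group-writable as well as group-readable, and nothing in the hunk needs group write — Puppet re-asserts the content on every run, so a group member editing the file gains nothing legitimate. If another process running in group root only needs to read the config, `mode => '0640',` gives that with less exposure; if it does not need to read it at all, the original 0600 together with the new explicit owner/group lines is enough. The enclosing class profiles::helpers::certmanager starts outside the hunk, so the consumer that motivated the change is not visible here.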
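Review bot: The `full_chain` value in the new JSON branch concatenates the issuing CA before the leaf certificate, whereas TLS servers expect the end-entity certificate first followed by its issuer (the order a fullchain file normally has); unless the consumer explicitly wants issuer-first, it should read `'full_chain': certificate_response['data']['certificate'] + "\n" + certificate_response['data']['issuing_ca'],`. Worth confirming against the file-writing branch, which continues past the end of this hunk, so that both output modes agree. The `import json` inside the function body would conventionally sit with the other module imports at the top of the template. The JSON branch also silently ignores `compress`; a one-line comment such as `# --json prints to stdout and never writes or zips files` would make that deliberate. Since this branch writes the private key to stdout, whatever invokes the script with --json must avoid capturing that stream into logs.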
@@ -54,12 +62,16 @@ def main(config_file):
     parser.add_argument('-i', '--ip-sans', type=str, default='', help='Comma-separated IP Subject Alternative Names for the certificate')
     parser.add_argument('-e', '--expiry-days', type=int, default=365, help='Validity of the certificate in days (default: 365)')
     parser.add_argument('-c', '--compress', action='store_true', help='Compress the certificate, key, and full chain into a zip file')
+    parser.add_argument('--json', action='store_true', help='Output results in JSON format')
     args = parser.parse_args()
     alt_names = [name.strip() for name in args.alt_names.split(',') if name]
     ip_sans = [ip.strip() for ip in args.ip_sans.split(',') if ip]
     certificate_response = request_certificate(args.common_name, alt_names, ip_sans, args.expiry_days, config)
     if certificate_response:
-        save_cert_files(certificate_response, args.common_name, args.compress, config)
+        if args.json:
+            save_cert_files(certificate_response, args.common_name, args.compress, config, True)
+        else:
+            save_cert_files(certificate_response, args.common_name, args.compress, config, False)
     else:
         print("Failed to obtain certificate.")
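Review bot: Once `--json` is selected, the failure message `print("Failed to obtain certificate.")` still goes to stdout, as does the error print in request_certificate shown as context in the previous hunk, so a caller parsing stdout as JSON gets a non-JSON line instead of an empty result; diagnostics should go to stderr, e.g. `print("Failed to obtain certificate.", file=sys.stderr)` (assuming sys is imported further up the template — it is not visible here). The if/else around the two save_cert_files calls differs only in the final literal and can collapse to a single `save_cert_files(certificate_response, args.common_name, args.compress, config, args.json)`. The main function continues outside the hunk on both sides.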