diff --git a/bridgehead b/bridgehead
index 2362891..5548a7d 100755
--- a/bridgehead
+++ b/bridgehead
@@ -78,11 +78,12 @@ case "$ACTION" in
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
 	enroll)
-		if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
-			echo "Private key already exists at /etc/bridgehead/pki/${SITE_ID}.priv.pem. Please delete first to proceed."
+		if [ -e $PRIVATEKEYFILENAME ]; then
+			echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
 			exit 1
 		fi
-		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-path /etc/bridgehead/pki --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
+		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
+		chmod 600 $PRIVATEKEYFILENAME
 		;;
 	preRun | preUpdate)
 		fixPermissions
diff --git a/ccp/vars b/ccp/vars
index 6003ceb..d9c8789 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -6,3 +6,4 @@ SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
 REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
 SUPPORT_EMAIL=ccp-service@dkfz-heidelberg.de
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem