Comment 1 for bug 1668944

The recommended way is "chown _apt:root FILE && chmod 400 FILE" at the moment. Ideally we wouldn't need the chown (or have it root:root), but that isn't very realistic to be implementable without rolling our own TLS stack in the process at the moment, so we have to make due with that for now.
Disabling the feature or making the file world readable does work as well, but totally defeats the point of course…

I don't see what the point of trying to us groups here is. Are you trying to share the same certificate for multiple things? If so that's a bad idea. You should have a certificate for each and every usecase (= client), not a single one shared between multiple clients on the same machine.