@kuno2001, I think you are absolutely right, that is the correct way to setup security for the certificates, unfortunately am I not able to make HA work with those settings. As the user Homeassistant am I able to read the certificates but HA complains about not being able to. If I chmod to 755, as per the official instruction, does HA accept that, but then Sendmail stops, refusing to accept a world readable certificate. The workaround I am forced to use is to copy the certificates to somewhere else, for HA to read. But that makes renewal of the certificates a bit annoying.
This issue seems resolved, from version 98, maybe earlier, is HA happy with having the certificates at 640. Thanks!