diff --git a/manifests/server.pp b/manifests/server.pp
index 8bb7e806..1c3bbe38 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -367,7 +367,6 @@
 File {
 group => $group_to_set,
- recurse => true,
 }
 file {
@@ -375,8 +374,9 @@
 "/etc/openvpn/${name}/auth",
 "/etc/openvpn/${name}/client-configs",
 "/etc/openvpn/${name}/download-configs" ]:
- ensure => directory,
- mode => '0750',
+ ensure => directory,
+ mode => '0750',
+ recurse => true,
 }
 exec { "copy easy-rsa to openvpn config folder ${name}":
@@ -394,6 +394,7 @@
 file { "/etc/openvpn/${name}/easy-rsa/revoked":
 ensure => directory,
 mode => '0750',
+ recurse => true,
 require => Exec["copy easy-rsa to openvpn config folder ${name}"],
 }
@@ -447,6 +448,12 @@
 require => Exec["copy easy-rsa to openvpn config folder ${name}"],
 }
+ file { "/etc/openvpn/${name}/crl.pem":
+ mode => '0750',
+ group => $group_to_set,
+ require => [Exec["create crl.pem on ${name}"], File["/etc/openvpn/${name}"]],
+ }
+
 exec { "create crl.pem on ${name}":
 command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out /etc/openvpn/${name}/crl.pem -config /etc/openvpn/${name}/easy-rsa/openssl.cnf",
 cwd => "/etc/openvpn/${name}/easy-rsa",
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
index d9d77baa..037f0c8c 100644
--- a/spec/defines/openvpn_server_spec.rb
+++ b/spec/defines/openvpn_server_spec.rb
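Review bot: In the `@@ -375,8 +374,9 @@` hunk, `recurse => true` combined with `mode => '0750'` and the default `group => $group_to_set` gives that group access to everything beneath `auth`, `client-configs` and `download-configs`, and the specs show the group resolving to `nobody`/`nogroup`, which is commonly shared by other unprivileged services on a host. If any of these trees holds client key material or credentials, consider managing only the directory itself or using a dedicated group, and record the reason for recursion in a comment such as `# recurse so files created by easy-rsa stay readable by $group_to_set`. The same applies to the `easy-rsa/revoked` resource in the `@@ -394,6 +394,7 @@` hunk. The opening of the path array and the enclosing define are outside the hunk, so the full list of recursed directories could not be checked.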
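Review bot: The new `crl.pem` resource in the `@@ -447,6 +448,12 @@` hunk sets `mode => '0750'` on a regular data file, which grants execute bits a CRL never needs; `mode => '0640',` keeps it readable by `$group_to_set` without them. The resource also has no `ensure`, so adding `ensure => file,` would state that Puppet is only expected to fix permissions on the file the exec generates. The `'mode' => '0750'` expectations in the spec hunks `@@ -221,11 +222,18 @@` and `@@ -287,6 +297,11 @@` would need the same change. The `exec` that follows and the enclosing define continue outside the hunk.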
@@ -35,7 +35,8 @@
 it { should contain_file('/etc/openvpn/test_server/easy-rsa/revoked').
 with(:ensure =>'directory', :mode =>'0750', :recurse =>true, :group =>'nogroup') }
 it { should contain_file('/etc/openvpn/test_server/easy-rsa/vars')}
- it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf') }
+ it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf').
+ with(:recurse =>nil, :group =>'nogroup') }
 it { should contain_file('/etc/openvpn/test_server/easy-rsa/keys/crl.pem').
 with(:ensure =>'link', :target =>'/etc/openvpn/test_server/crl.pem') }
 it { should contain_file('/etc/openvpn/test_server/keys').
@@ -221,11 +222,18 @@
 it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf').with(
 'ensure' => 'link',
- 'target' => '/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf'
+ 'target' => '/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf',
+ 'recurse' => nil,
+ 'group' => 'nobody'
 )}
 it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^group\s+nobody$/) }
+ it { should contain_file('/etc/openvpn/test_server/crl.pem').with(
+ 'mode' => '0750',
+ 'group' => 'nobody'
+ )}
+
 end
 context "when Debian based machine" do
@@ -272,7 +280,9 @@
 it { should contain_file('/etc/openvpn/test_server/easy-rsa/openssl.cnf').with(
 'ensure' => 'link',
- 'target' => '/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf'
+ 'target' => '/etc/openvpn/test_server/easy-rsa/openssl-1.0.0.cnf',
+ 'recurse' => nil,
+ 'group' => 'nogroup'
 )}
 it { should contain_exec('copy easy-rsa to openvpn config folder test_server').with(
@@ -287,6 +297,11 @@
 it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^group\s+nogroup$/) }
+ it { should contain_file('/etc/openvpn/test_server/crl.pem').with(
+ 'mode' => '0750',
+ 'group' => 'nogroup'
+ )}
+
 end
 context 'ldap' do
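Review bot: The added `crl.pem` expectations in the `@@ -221,11 +222,18 @@` and `@@ -287,6 +297,11 @@` hunks check only `mode` and `group`, not that the file resource is applied after the exec that generates the CRL. That ordering is what lets the permission change land on an existing file, so a refactor that drops the `require` would go unnoticed. Chaining `.that_requires('Exec[create crl.pem on test_server]')` onto each expectation would pin it. The enclosing `context` blocks start outside the hunks.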