[ssl_mgmt] Only set ownership & rights if gen ok

Only set ownership and rights if generated file are not corrupted and
certificate match the private key.

ssl_mgmt/ssl_mgmt

@@ -299,8 +299,6 @@ generate_cert ()
 	openssl ca -batch -config $opensslCnfFile -cert $CACertPath \
 		-keyfile $CAKeyPath -passin file:$rootCAPwdPath \
 		-out $certSubdir/$certFile -infiles $csrSubdir/$reqFile
-	getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
-	chown --reference="$certPath" $certSubdir/$certFile
 
 	# Safety check
 	if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
@@ -327,6 +325,8 @@ generate_cert ()
 	fi
 
 	# Notify and install the new certificate
+	getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
+	chown --reference="$certPath" $certSubdir/$certFile
 	if [ -z "$no_overwrite" ]
 	then
 		if [ ! -f "$certDestDir/$certFile" ]