OpenSSL does create keys in more components than just gen(r|d)sa. In
none of these functions is any file permission mask used.
All of the components in openssl/apps are using the file-BIO, which
behaves like stdio and does not have any idea about file permissions.
People using OpenSSL to generate their
openssl gen(r|d)sa -out foo.key creates foo.key with the user's
umask as far as read/write bits are concerned. Most people have a
umask that includes group- and world-readable bits.
I suggest that these commands create the files 0600 by default (unless
the user's umask is even more restrictive,