On systems which start the web server as root, then degrade the permissions, you should have:
The private key owned by root, with permissions rw-------,
and the public key owned by root, with permissions rw-r--r--.
The directory which contains those keys is typically owned by root with permissions rwxr-xr-x.
Also, typically, the web server is started by root, then degrades permissions to those of www-data. If your system does not do that, please fill out the questionnaire which asks which system and server you are using. The folks on here are quite knowledgeable, and will be able to respond to your specific system much better than my SWAG above.
I confess that my hurried response above was motivated by worry that your private key was exposed by inappropriate permissions.

Edit: as an addendum, after you get this 'right' you might consider obtaining a new certificate, which has not been exposed to jeopardy.
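
The ownership and mode checks described in the post above, as an added shell example that is not part of the original post. It treats the stated permissions as upper bounds (stricter modes pass), assumes GNU stat and that the "public key" is the certificate file; the function names and any paths passed in are illustrative.

```shell
#!/bin/sh
# Audit owner and mode bits of a TLS private key, its certificate and
# the directory holding them. Assumes GNU stat (Linux).

# check_path PATH OWNER MASK
# MASK is an octal set of permission bits that must NOT be set.
# Prints a finding and returns 1 on a missing path, wrong owner or loose mode.
check_path() {
    cp_out=$(stat -c '%a %U' -- "$1" 2>/dev/null) || {
        echo "MISSING $1"; return 1
    }
    cp_mode=${cp_out%% *}      # octal mode, e.g. 600
    cp_owner=${cp_out#* }      # owning user name
    cp_rc=0
    if [ "$cp_owner" != "$2" ]; then
        echo "OWNER   $1 is owned by $cp_owner, expected $2"; cp_rc=1
    fi
    # A leading 0 makes the shell read both values as octal.
    if [ $(( 0$cp_mode & 0$3 )) -ne 0 ]; then
        echo "MODE    $1 is $cp_mode, bits in $3 must be clear"; cp_rc=1
    fi
    return "$cp_rc"
}

# audit_tls_perms KEY CERT [OWNER]   (OWNER defaults to root)
# Returns the number of paths with a finding (0 = all good).
audit_tls_perms() {
    a_key=$1 a_cert=$2 a_owner=${3:-root} a_findings=0
    # Private key rw-------: no group or other access at all.
    check_path "$a_key" "$a_owner" 077 || a_findings=$((a_findings + 1))
    # Certificate rw-r--r--: world-readable, writable by owner only.
    check_path "$a_cert" "$a_owner" 022 || a_findings=$((a_findings + 1))
    # Directory rwxr-xr-x: only the owner may add or replace files.
    check_path "$(dirname -- "$a_key")" "$a_owner" 022 ||
        a_findings=$((a_findings + 1))
    return "$a_findings"
}

# Stand-alone use: sh audit.sh /path/to/privkey.pem /path/to/cert.pem
if [ "$#" -ge 2 ]; then
    audit_tls_perms "$@"
fi
```

A non-zero exit status is the number of paths that need attention; each one is named on standard output with the reason.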