We don't recommend sending key's to clients. If for whatever reason a client needs a new key on 9.6 I would recommend they run through the process here : How to: Manually Request a Broker Certificate with BrokerConfig.exe
Nick is correct, sending the private key is basically giving someone the ability to unlock all the data encrypted by the associated certificate. It is not a good idea.
We also don't support network appliances that inspect ssl traffic
there will only be a private key listed when you generate a csr to send to a third party vendor we build the csr in /root/.certs
We have a vendor that hosts our CSA and they want to monitoring the traffic that comes in/out to the internet.
That will likely cause functionality issues for the csa.... please see previous post. THere are some hidden files in that directory.