We don't recommend sending key's to clients. If for whatever reason a client needs a new key on 9.6 I would recommend they run through the process here : How to Manually Request a Broker Certificate with BrokerConfig.exe
Nick is correct, sending the private key is basically giving someone the ability to unlock all the data encrypted by the associated certificate. It is not a good idea.
We also don't support network appliances that inspect ssl traffic
there will only be a private key listed when you generate a csr to send to a third party vendor we build the csr in /root/.certs
We have a vendor that hosts our CSA and they want to monitoring the traffic that comes in/out to the internet.
That will likely cause functionality issues for the csa.... please see previous post. THere are some hidden files in that directory.
I came across this discussion looking for the same answer. Our IT security team insists on using the private key to configure the F5 ASM security policies, which apparently need the public\private keys to do its job.