What is a good practice of how to deal with old/expired SSL certs and private keys? Is it safe to delete them or should they be moved to an archive directory for any reason? I recently updated the SSL certificate for our organization's web site which was recently verified and signed by the CA. I've updated the certificate by changing the SSL configuration file /etc/httpd/conf.d/ssl.conf to point to the new certificate file, and restarting httpd. I left the old file there but I don't want to leave the old cert there if it shouldn't be. I no longer see a reason to keep the old certificate and would like to know how handle this in the wild. Thanks guys!

actually I can't find any reason to keep it. But probably someone knows...

Add them to your CRL. You do have one of those, don't you?