Where to store service certificates and their associated private key?

Reading this explanation on /var/lib and this answer was very helpful.

It appears that the right place to store certificates and private keys generated and renewed by my program is in /var/lib/<program-name> with sub-directories certs and private.
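
An added example, not part of the original post or of the program it mentions: shell functions that create the certs and private sub-directories described above, write renewed PEM files into them atomically, and check that nothing under private is accessible to group or others. The modes (755/700 for directories, 644/600 for files) and the function names are assumptions reflecting common practice, not something the post states.

```shell
#!/bin/sh
# Added example. Modes and function names are assumptions, not from the post.

# init_store BASE: create BASE/certs (readable by all) and BASE/private (owner only).
# BASE would be /var/lib/<program-name> in the layout described above.
init_store() {
    base=$1
    mkdir -p "$base/certs" "$base/private" || return 1
    chmod 755 "$base" "$base/certs" || return 1
    chmod 700 "$base/private"
}

# store_pem DIR MODE NAME: read PEM data on stdin and store it as DIR/NAME.
# The data is written to a 0600 temp file in the same directory and renamed
# into place, so a renewal never leaves a half-written or briefly exposed key.
store_pem() {
    dir=$1 mode=$2 name=$3
    tmp=$(umask 077 && mktemp "$dir/.$name.XXXXXX") || return 1
    if cat > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dir/$name"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# audit_store BASE: list anything under BASE/private (the directory included)
# that grants any permission bit to group or others. Returns 0 when clean,
# 1 when something is exposed, 2 when BASE/private does not exist.
audit_store() {
    [ -d "$1/private" ] || return 2
    bad=$(find "$1/private" \( -perm -040 -o -perm -020 -o -perm -010 \
                              -o -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$bad" ] && return 0
    printf 'too permissive: %s\n' "$bad" >&2
    return 1
}
```

A renewal job would call `store_pem "$base/private" 600 server.key < new.key` and then `audit_store "$base"`; the file names here are placeholders.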