diff --git a/pkg/pki/cert.go b/pkg/pki/cert.go
index a2b77ec3bcd0c37cf0b6f47a3cd14dce12a941e9..fbd18477fa5768b144eb2ed8d90c03d20ec05b69 100644
--- a/pkg/pki/cert.go
+++ b/pkg/pki/cert.go
@@ -90,6 +90,16 @@ func (c *Certificate) Save() error {
 	return nil
 }
 
+// Get the key file path
+func (c *Certificate) KeyPath() string {
+	return c.IO.Path(KeyType)
+}
+
+// Get the certificate file path
+func (c *Certificate) CertPath() string {
+	return c.IO.Path(CertType)
+}
+
 // Get a cert signer
 func (c *Certificate) Signer() crypto.Signer {
 	return c.Key
diff --git a/pkg/pki/io.go b/pkg/pki/io.go
index ee66c423165f2b4ac971afddca610a7728f9bbd9..6e72fc33c721165f047c85419581d57e2d232f2a 100644
--- a/pkg/pki/io.go
+++ b/pkg/pki/io.go
@@ -18,23 +18,11 @@ const (
 type CertIO interface {
 	Load(Type) ([]byte, error)
 	Save([]byte, Type) error
+	Path(Type) string
 }
 
 type FileIO struct {
-	Path string
-}
-
-func (f FileIO) pathFor(t Type) string {
-	var ext string
-	switch t {
-	case KeyType:
-		ext = ".key"
-	case CertType:
-		ext = ".pem"
-	case CSRType:
-		ext = ".csr"
-	}
-	return f.Path + ext
+	path string
 }
 
 func (f FileIO) blockFor(t Type) *pem.Block {
@@ -53,7 +41,7 @@ func (f FileIO) blockFor(t Type) *pem.Block {
 }
 
 func (f FileIO) Load(t Type) ([]byte, error) {
-	path := f.pathFor(t)
+	path := f.Path(t)
 	bytes, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
@@ -68,7 +56,7 @@ func (f FileIO) Load(t Type) ([]byte, error) {
 func (f FileIO) Save(bytes []byte, t Type) error {
 	block := f.blockFor(t)
 	block.Bytes = bytes
-	path := f.pathFor(t)
+	path := f.Path(t)
 	file, err := os.Create(path)
 	if err != nil {
 		return err
@@ -79,3 +67,16 @@ func (f FileIO) Save(bytes []byte, t Type) error {
 	}
 	return file.Close()
 }
+
+func (f FileIO) Path(t Type) string {
+	var ext string
+	switch t {
+	case KeyType:
+		ext = ".key"
+	case CertType:
+		ext = ".pem"
+	case CSRType:
+		ext = ".csr"
+	}
+	return f.path + ext
+}