either create a cert group and give that group permission to the certs, or add a handler to distribute the cert+key on renew to your service’s folder, and change owner/group to whats relevant to the service
Note: the “live” folder only contains links to the archive folder
Grate werk! God speel