diff --git a/certbot/main.py b/certbot/main.py
index f7421d75e..6964e9352 100644
--- a/certbot/main.py
+++ b/certbot/main.py
@@ -293,11 +293,12 @@ def _find_domains_or_certname(config, installer):
     return domains, certname
 
 
-def _report_new_cert(config, cert_path, fullchain_path):
+def _report_new_cert(config, cert_path, fullchain_path, key_path=None):
     """Reports the creation of a new certificate to the user.
 
     :param str cert_path: path to cert
     :param str fullchain_path: path to full chain
+    :param str key_path: path to private key, if available
 
     """
     if config.dry_run:
@@ -312,13 +313,17 @@ def _report_new_cert(config, cert_path, fullchain_path):
     # (Nginx and Apache2.4) will want.
 
     verbswitch = ' with the "certonly" option' if config.verb == "run" else ""
+    privkey_statement = 'Your key file has been saved at:{br}{0}{br}'.format(
+            key_path, br=os.linesep) if key_path else ""
     # XXX Perhaps one day we could detect the presence of known old webservers
     # and say something more informative here.
-    msg = ('Congratulations! Your certificate and chain have been saved at {0}.'
-           ' Your cert will expire on {1}. To obtain a new or tweaked version of this '
-           'certificate in the future, simply run {2} again{3}. '
-           'To non-interactively renew *all* of your certificates, run "{2} renew"'
-           .format(fullchain_path, expiry, cli.cli_command, verbswitch))
+    msg = ('Congratulations! Your certificate and chain have been saved at:{br}'
+           '{0}{br}{1}'
+           'Your cert will expire on {2}. To obtain a new or tweaked version of this '
+           'certificate in the future, simply run {3} again{4}. '
+           'To non-interactively renew *all* of your certificates, run "{3} renew"'
+           .format(fullchain_path, privkey_statement, expiry, cli.cli_command, verbswitch,
+               br=os.linesep))
     reporter_util.add_message(msg, reporter_util.MEDIUM_PRIORITY)
 
 
@@ -601,7 +606,8 @@ def run(config, plugins):  # pylint: disable=too-many-branches,too-many-locals
 
     cert_path = new_lineage.cert_path if new_lineage else None
     fullchain_path = new_lineage.fullchain_path if new_lineage else None
-    _report_new_cert(config, cert_path, fullchain_path)
+    key_path = new_lineage.key_path if new_lineage else None
+    _report_new_cert(config, cert_path, fullchain_path, key_path)
 
     _install_cert(config, le_client, domains, new_lineage)
 
@@ -686,7 +692,8 @@ def certonly(config, plugins):
 
     cert_path = lineage.cert_path if lineage else None
     fullchain_path = lineage.fullchain_path if lineage else None
-    _report_new_cert(config, cert_path, fullchain_path)
+    key_path = lineage.key_path if lineage else None
+    _report_new_cert(config, cert_path, fullchain_path, key_path)
     _suggest_donation_if_appropriate(config)
 
 def renew(config, unused_plugins):
diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py
index 7c2016178..99e5ba0ee 100644
--- a/certbot/tests/main_test.py
+++ b/certbot/tests/main_test.py
@@ -678,11 +678,12 @@ class MainTest(test_util.TempDirTestCase):  # pylint: disable=too-many-public-me
     @test_util.patch_get_utility()
     def test_certonly_new_request_success(self, mock_get_utility, mock_notAfter):
         cert_path = '/etc/letsencrypt/live/foo.bar'
+        key_path = '/etc/letsencrypt/live/baz.qux'
         date = '1970-01-01'
         mock_notAfter().date.return_value = date
 
         mock_lineage = mock.MagicMock(cert=cert_path, fullchain=cert_path,
-                                      fullchain_path=cert_path)
+                                      fullchain_path=cert_path, key_path=key_path)
         mock_client = mock.MagicMock()
         mock_client.obtain_and_enroll_certificate.return_value = mock_lineage
         self._certonly_new_request_common(mock_client)
@@ -691,6 +692,7 @@ class MainTest(test_util.TempDirTestCase):  # pylint: disable=too-many-public-me
         cert_msg = mock_get_utility().add_message.call_args_list[0][0][0]
         self.assertTrue(cert_path in cert_msg)
         self.assertTrue(date in cert_msg)
+        self.assertTrue(key_path in cert_msg)
         self.assertTrue(
             'donate' in mock_get_utility().add_message.call_args[0][0])
 
@@ -1000,6 +1002,7 @@ class MainTest(test_util.TempDirTestCase):  # pylint: disable=too-many-public-me
         mock_get_utility = self._test_certonly_csr_common()
         cert_msg = mock_get_utility().add_message.call_args_list[0][0][0]
         self.assertTrue('fullchain.pem' in cert_msg)
+        self.assertFalse('Your key file has been saved at' in cert_msg)
         self.assertTrue(
             'donate' in mock_get_utility().add_message.call_args[0][0])