diff --git a/examples/generate-csr.sh b/examples/generate-csr.sh
index 617319c3d..fa9327095 100755
--- a/examples/generate-csr.sh
+++ b/examples/generate-csr.sh
@@ -20,7 +20,7 @@ done
 SAN="$domains" openssl req -config "${OPENSSL_CNF:-openssl.cnf}" \
 -new -nodes -subj '/' -reqexts san \
 -out "${CSR_PATH:-csr.der}" \
- -keyout key.pem \
+ -keyout "${KEY_PATH:-key.pem}" \
 -newkey rsa:2048 \
 -outform DER
 # 512 or 1024 too low for Boulder, 2048 is smallest for tests
diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py
index 62d2c4793..3e4b5718c 100644
--- a/letsencrypt/cli.py
+++ b/letsencrypt/cli.py
@@ -207,7 +207,7 @@ def install(args, config, plugins):
 domains = _find_domains(args, installer)
 acme = _init_acme(config, acc, authenticator=None, installer=installer)
 assert args.cert_path is not None # required=True in the subparser
- acme.deploy_certificate(domains, acc.key.file, args.cert_path, args.chain_path)
+ acme.deploy_certificate(domains, args.key_path, args.cert_path, args.chain_path)
 acme.enhance_config(domains, args.redirect)
@@ -532,9 +532,10 @@ def _create_subparsers(helpful):
 parser_install.add_argument(
 "--cert-path", required=True, help="Path to a certificate that "
 "is going to be installed.")
+ parser_install.add_argument(
+ "--key-path", required=True, help="Accompynying private key")
 parser_install.add_argument(
 "--chain-path", help="Accompanying path to a certificate chain.")
-
 parser_revoke.add_argument(
 "--cert-path", type=read_file, help="Revoke a specific certificate.")
 parser_revoke.add_argument(
diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh
index decba5859..41a0e2aa5 100755
--- a/tests/boulder-integration.sh
+++ b/tests/boulder-integration.sh
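Review bot: The private key is written unencrypted (`-nodes`, two lines above the change) to a path the caller now chooses through `KEY_PATH`, and nothing visible in the script restricts the file mode. Depending on the OpenSSL version the mode may simply follow the process umask, so a key redirected into a shared directory could be readable by other users. Adding `umask 077` before the `openssl req` call would keep the key owner-only regardless of where it lands. The script's usage text is outside the hunk; if it documents `CSR_PATH` and `OPENSSL_CNF`, `KEY_PATH` should be listed alongside them.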
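Review bot: `args.key_path` is passed to `deploy_certificate` with no check that the file is readable or that the key belongs to the certificate at `args.cert_path`; the two are now independent user inputs. Whether `deploy_certificate` or the installer validates the pair is not visible in this hunk; if they do not, a mismatched key would be written into the server configuration and only surface when the server reloads. Comparing the certificate's public key with the one derived from the key file before the call would fail early with a clear message. For consistency with the line above, `assert args.key_path is not None  # required=True in the subparser` would document the second required option the same way. The body of `install` starts and ends outside the hunk.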
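Review bot: The help string for the new `--key-path` option has a typo ("Accompynying") and does not say the value is a path; `"--key-path", required=True, help="Path to the private key accompanying the certificate.")` matches the wording of the neighbouring options. Making the option `required=True` also breaks existing `install` invocations that pass only `--cert-path`, which deserves a line in the commit message or changelog. The hunk also drops the blank line that separated the `parser_install` arguments from the `parser_revoke` ones; keeping it preserves the visual grouping. `_create_subparsers` continues outside the hunk.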
@@ -26,7 +26,8 @@ common() {
 common --domains le1.wtf auth
 common --domains le2.wtf run
-export CSR_PATH="${root}/csr.der" OPENSSL_CNF=examples/openssl.cnf
+export CSR_PATH="${root}/csr.der" KEY_PATH="${root}/key.pem" \
+ OPENSSL_CNF=examples/openssl.cnf
 ./examples/generate-csr.sh le3.wtf
 common auth --csr "$CSR_PATH" \
 --cert-path "${root}/csr/cert.pem" \
@@ -34,7 +35,9 @@ common auth --csr "$CSR_PATH" \
 openssl x509 -in "${root}/csr/0000_cert.pem" -text
 openssl x509 -in "${root}/csr/0000_chain.pem" -text
-common --domain le3.wtf install --cert-path "${root}/csr/cert.pem"
+common --domain le3.wtf install \
+ --cert-path "${root}/csr/cert.pem" \
+ --key-path "${root}/csr/key.pem"
 # the following assumes that Boulder issues certificates for less than
 # 10 years, otherwise renewal will not take place
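Review bot: The key path exported in the first hunk, `KEY_PATH="${root}/key.pem"`, does not match the `--key-path "${root}/csr/key.pem"` passed to `install` in the second hunk. `generate-csr.sh` writes the key to `$KEY_PATH`, and nothing visible in either hunk creates a key under `${root}/csr/`. Unless a step outside the hunks copies it there, the install step is pointed at a file that does not exist, or at a stale key from an earlier run. Reusing the variable, `--key-path "$KEY_PATH"`, keeps the two in sync.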