If you understand a vulnerability, you can often tell for sure if it can lead to exposure of private keys. For example, if a PHP app runs in a separate process under different user credentials than the nginx SSL endpoint, and if file access control flags for certificates are configured correctly, you can tell for sure that a PHP bug alone won't allow access to the certificates. This of course assumes that other components work correctly (like the Linux access control mechanism), but without such assumptions you wouldn't be able to do anything productive.
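
The file-permission half of that argument can be checked mechanically. The following is an added example, not part of the original text: it walks the path to a key file and evaluates classic POSIX mode bits for a given uid and group set, reporting the first component that blocks access. The function names, the `site.key` file name and the uid offset are constructed for illustration, and the check assumes no ACLs, capabilities or LSM policy are in play.

```python
import os
import tempfile

def permits(st, uid, gids, want):
    """Classic POSIX mode check: exactly one class (owner/group/other) applies."""
    if uid == 0:
        return True  # root bypasses mode bits (assumes no further confinement)
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)

def can_read(path, uid, gids):
    """Return (allowed, blocking_path) for uid/gids opening path for reading."""
    path = os.path.realpath(path)
    ancestors, cur = [], os.path.dirname(path)
    while True:
        ancestors.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    # Every directory on the way down must grant search (x) permission.
    for d in reversed(ancestors):
        if not permits(os.stat(d), uid, gids, 0o1):
            return False, d
    # The file itself must grant read (r) permission.
    if not permits(os.stat(path), uid, gids, 0o4):
        return False, path
    return True, None

if __name__ == "__main__":
    # Constructed layout: key directory 0700, key file 0600, owned by us.
    d = tempfile.mkdtemp()
    key = os.path.join(d, "site.key")
    open(key, "w").close()
    os.chmod(key, 0o600)
    app_uid = os.geteuid() + 4242  # constructed stand-in for the PHP user
    print("app user:", can_read(key, app_uid, {app_uid}))
    print("owner:   ", can_read(key, os.geteuid(), set(os.getgroups())))
```

Run against the real key path with the uid and supplementary groups of the PHP worker to see which directory or file mode enforces the separation.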