You're right. Although the certs are readable (and other services successfully read them already) it works after I created a script which copys the files into kresd's workdir and chowns them to knot-resolver.