Encryption - Where to put Certificates

We're setting up Encryption - TDE. My familiarity level is not great.

I was backing up the Certificates onto the SQL Server. Is there any point to the encryption if I leave them there? i.e. if a hacker breaks in and sees these, I'm worried they could take the .cert files along with the .bak files.

I'm asking because I understand ideally I should put the .cert files in a vault or something but our department hasn't yet determined what that vault should be.

We just put all our certificates in Keepass along with passwords etc. I also put the SQL script to restore them in the comments to save having to look up the syntax if there is a panic.
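For anyone in the same "panic" situation, here is the backup-and-restore sequence written out in full. This is an added example, not the script the poster above keeps in KeePass, and the certificate name, database name, file paths, logical file names and passwords are placeholders. The security point it makes concrete: BACKUP CERTIFICATE requires ENCRYPTION BY PASSWORD on the private-key file, so the .pvk on disk is itself encrypted and the .cer is only the public part. What an attacker who grabs the .bak together with the certificate files still needs is that password, which is why the password (at minimum) must live somewhere other than next to the files.

```sql
-- Added example (not from the original post): back up a TDE certificate
-- and its private key, then restore it on another instance before
-- restoring the TDE-encrypted database backup.
-- Certificate name, database name, paths and passwords are assumptions.

-- === On the source server (master database) ===
USE master;
GO

-- Export the public part (.cer) and the private key (.pvk).
-- The .pvk is encrypted with the password given here; without that
-- password the file cannot be imported anywhere. Store the password
-- separately from the files (password manager, not the same share/host).
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\TDE_Backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE_Backup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = 'ReplaceWithAStrongPassword!1'
    );
GO

-- === On the destination / recovery server (master database) ===
USE master;
GO

-- A database master key must exist in master before the certificate
-- can be created with a private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceWithAnotherStrongPassword!2';
GO

-- Import the certificate. DECRYPTION BY PASSWORD must be the same
-- password used as ENCRYPTION BY PASSWORD at backup time.
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'D:\TDE_Backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDE_Backup\TDE_Cert.pvk',
        DECRYPTION BY PASSWORD = 'ReplaceWithAStrongPassword!1'
    );
GO

-- Only now can the encrypted .bak be restored. Without the certificate
-- the restore fails with "Cannot find server certificate with thumbprint ...".
-- Logical file names in the MOVE clauses are assumed; check them with
-- RESTORE FILELISTONLY FROM DISK = '...' if unsure.
RESTORE DATABASE MyEncryptedDb
    FROM DISK = 'D:\TDE_Backup\MyEncryptedDb.bak'
    WITH MOVE 'MyEncryptedDb'     TO 'D:\Data\MyEncryptedDb.mdf',
         MOVE 'MyEncryptedDb_log' TO 'D:\Log\MyEncryptedDb_log.ldf';
GO

-- Check: which certificate protects which database, and its thumbprint.
-- Run this on the source server too and compare thumbprints; a mismatch
-- means you backed up the wrong certificate.
SELECT d.name AS database_name,
       c.name AS cert_name,
       c.thumbprint,
       dek.encryption_state   -- 3 = encrypted
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases    AS d ON d.database_id = dek.database_id
JOIN sys.certificates AS c ON c.thumbprint  = dek.encryptor_thumbprint;
GO
```

The thumbprint query at the end is the check worth running before any restore drill: the .bak is only recoverable with the certificate whose thumbprint matches the one recorded in sys.dm_database_encryption_keys on the source, so a backup of a differently named or re-issued certificate will not help.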