by godzillabrennus 2198 days ago
My guess is that it is some larger corporate client with a middleware app they pinned the cert into. An app they built on Heroku hurriedly because it was fast and cheap to get started and they didn't expect to need to scale. Then, as can happen, it became important and they scaled anyway. They probably lost the talent that built it, so they don't even remember how it works.

All of this is assumption based on how they seem to buy enough compute at Heroku to have sway over rolling back this change of cert provider.


Ugh, yes, I assure you that some corporate clients will even try to pin the actual leaf certificate; pinning an intermediate or root is almost good behavior for them. (Honestly, the number of times I had to tell our support people that no, we would not support customers trying to pin our AWS-issued certificates, and no, I couldn't promise to notify them even if I wanted to since AWS could just rotate them at will...)
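The pinning failure mode the two comments describe can be shown with a small simulation. The block below is an added example, not code from either commenter or from Heroku or AWS: it models a certificate chain as a list of dicts carrying a stand-in SubjectPublicKeyInfo byte string (constructed labels, not real DER), computes HPKP/OkHttp-style pins as base64(SHA-256(SPKI)), and checks three pinning strategies against a leaf-key rotation and a change of certificate provider. The chain names, key labels and the `evaluate_pinning_strategies` helper are all assumptions made for illustration.

```python
import base64
import hashlib

# Constructed toy chains. Each "certificate" is a dict whose "spki" field is a
# labelled byte string standing in for the DER-encoded SubjectPublicKeyInfo.
# No real X.509 parsing happens here; the point is the pin-matching logic.
ROOT_A = {"name": "Provider A Root CA", "spki": b"provider-a-root-key"}
INTERMEDIATE_A = {"name": "Provider A Intermediate CA", "spki": b"provider-a-intermediate-key"}
LEAF_V1 = {"name": "api.example.test", "spki": b"leaf-key-v1"}
LEAF_V2 = {"name": "api.example.test", "spki": b"leaf-key-v2"}  # same CA, rotated key

ROOT_B = {"name": "Provider B Root CA", "spki": b"provider-b-root-key"}
INTERMEDIATE_B = {"name": "Provider B Intermediate CA", "spki": b"provider-b-intermediate-key"}
LEAF_B = {"name": "api.example.test", "spki": b"leaf-key-provider-b"}

CHAIN_BEFORE = [LEAF_V1, INTERMEDIATE_A, ROOT_A]      # what the client pinned against
CHAIN_AFTER_ROTATION = [LEAF_V2, INTERMEDIATE_A, ROOT_A]  # host rotated the leaf key
CHAIN_PROVIDER_B = [LEAF_B, INTERMEDIATE_B, ROOT_B]   # host switched cert provider


def spki_pin(spki_der: bytes) -> str:
    """Pin value in the HPKP / OkHttp convention: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain, pins) -> bool:
    """True if at least one certificate anywhere in the presented chain carries
    a pinned public key. Checking every element (leaf, intermediates, root) is
    what lets an intermediate or root pin survive a leaf rotation."""
    return any(spki_pin(cert["spki"]) in pins for cert in chain)


def evaluate_pinning_strategies():
    """Run three pin sets against the three chains and return a result table.
    The 'backup pin' strategy pre-registers provider B's root, the usual
    advice for any pinning deployment so a planned migration does not brick
    clients."""
    strategies = {
        "leaf only": {spki_pin(LEAF_V1["spki"])},
        "intermediate only": {spki_pin(INTERMEDIATE_A["spki"])},
        "intermediate + backup root": {
            spki_pin(INTERMEDIATE_A["spki"]),
            spki_pin(ROOT_B["spki"]),
        },
    }
    scenarios = {
        "before rotation": CHAIN_BEFORE,
        "after leaf rotation": CHAIN_AFTER_ROTATION,
        "after provider change": CHAIN_PROVIDER_B,
    }
    return {
        strategy: {label: chain_matches_pins(chain, pins) for label, chain in scenarios.items()}
        for strategy, pins in strategies.items()
    }


if __name__ == "__main__":
    for strategy, outcome in evaluate_pinning_strategies().items():
        print(f"{strategy:28s}", {k: ("ok" if v else "BROKEN") for k, v in outcome.items()})
```

Running it shows the leaf-only pin breaking on the first routine key rotation, the intermediate pin surviving rotation but not a provider change, and only the set with a pre-registered backup pin surviving both; that last row is the operational reason a provider cannot promise to notify pinning customers and why pinning anything the provider controls is fragile.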