I don't think this is actually compatible with the browser security model – specifically, CAs are required to revoke certificates for known-compromised private keys, according to point 4.9.1 here: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...