If the original TOR cert was discovered in an unlawful search, and then they did a scan of the public internet to find it again in a legal search, that's parallel construction.
And let's not forget: NSA already have an almost-irresistibly useful database designed for exactly this purpose (selecting and correlating on attributes of SIGINT-captured SSL/TLS sessions, such as certificates - and they could easily just put a selector on the CommonName or the certificate fingerprint).
You don't have to be the NSA to make a database like that, but it helps. I could build a database broadly like that for certificates/ciphersuites/other metadata myself with active scanning and zmap (and it might make a good weekend project, to examine and contrast RC4 proliferation amongst TLS-encrypted web and mail servers) - but they have a near-realtime-updating passively-constructed one. If the FBI asked them for help, they'd definitely use that.
You don't have to be the NSA to make a database like that, but it helps. I could build a database broadly like that for certificates/ciphersuites/other metadata myself with active scanning and zmap (and it might make a good weekend project, to examine and contrast RC4 proliferation amongst TLS-encrypted web and mail servers) - but they have a near-realtime-updating passively-constructed one. If the FBI asked them for help, they'd definitely use that.