As a verifier of Open Source compliance in open and proprietary code, I sometimes come across such certs distributed with the source code (e.g. https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt).
As I understand it, the general idea of a CA / PKI / SSL certificate (e.g. as issued by CACert or Comodo) is that they be used as a public / private key pair, and hence it seems reasonable that a public key be freely distributable, but I have found no opinion on the web to support that view, neither on websites like Wikipedia or StackOverflow, nor in the documentation of the private certificate issuers.
Are such certs actually, or effectively, public domain; or do they need to be licensed for public distribution?
2
The license is specified in the README.md for the project:
The converted file is licensed under the same licenses as the Mozilla source file: MPL 1.1, GPL v2.0 or LGPL 2.1
As such, the certificates are not public domain, and are explicitly licensed for public distribution under multiple licenses.
In other projects, the license of the certificate file would be the same as the license for any other source file in that project. Note that it is not an inconsistency if a single file is found in multiple projects with differing licenses, as the author may license their work with multiple licenses. In the above example, the same file is released under three different licenses.
A developer would be in their rights to take this file, and release it under any one of those licenses. For instance, you might find it in Project A licensed under MPL 1.1 only, and Project B licensed under GPL v2.0 only. This is perfectly fine if the certificate file was taken from this particular project, as it is explicitly released in all three.
Note that in this case, the developer just pulled the certificates from Mozilla and released them as a standalone project under the same licenses specified by the Mozilla project. He could have done the same, choosing just one license, or he could have pulled them directly into any project that was compatible with MPL 1.1, GPL v2.0 or LGPL 2.1. In this case, the file would be licensed (if acquired from there) only under the relevant license.
2