Exactly. Developers like this should never ever have access to the production SSL certificates or private keys.
The fact he had access shows how terrible DJIs internal development practises are. It's shocking.
These days private keys are held securely in systems which do not allow casually exporting. Instead they are packaged up and deployed securely when required.