
There's a government CA in Kazakhstan issuing certificates for people and for some government websites. They have software for people, so their website can talk to USB tokens. This website connects to that software via secure WebSockets at 127.0.0.1. And they bundle the private key for 127.0.0.1, issued by that CA, inside that application. Is it bad? I guess there's no point reporting it to them, because they are the CA and the developers. It's not a browser CA, it's some kind of "private" CA (users must import its certificate as a trusted root to work with their website and software).


I worked for a place that did something similar: they were running a server on their local machines listening on https://localhost.company.com:someport (resolving to 127.0.0.1) so their JavaScript frontend hosted at example.com could communicate with their local machine. It was set up so the server would only respond to requests originating from company.com. They distributed the private key for the certificate for localhost.company.com, which was trusted by all browsers.

What kind of risk is there to having the private key to localhost.company.com?


Well, CAs forbid that kind of usage, so if they found out, they'd revoke that certificate; that would be the major concern for me.

Other than that, the obvious attack is to extract the private key from your application, launch a fake server and forge DNS responses for some poor guy (for example if he's using some untrusted WiFi). So his requests would be redirected to that fake server instead of the localhost application.
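Two defensive checks follow from this exchange: the local server's "only respond to requests originating from company.com" rule from the earlier comment is an Origin allowlist, and the DNS-spoofing risk just described can be reduced on the client side by refusing to connect unless the "localhost" hostname actually resolves to a loopback address. The code below is an added illustration, not code from either commenter or from any of the products mentioned; the function names, the hypothetical hostname `localhost.example` and the constructed resolver results are assumptions for the demo, and the resolver is injectable so the checks run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(hostname):
    """Resolve a hostname with the system resolver; returns the set of IP strings.

    This is the real resolver; the demo and tests below inject fake ones instead.
    """
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def _is_loopback(addr_str):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.x.x)."""
    addr = ipaddress.ip_address(addr_str)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has this
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def resolves_only_to_loopback(hostname, resolver=resolve_all):
    """Client-side pin: refuse unless EVERY address for the name is loopback.

    A spoofed answer that adds a single non-loopback address fails the check,
    so the connection never leaves the machine even if DNS is untrusted.
    """
    addrs = resolver(hostname)
    if not addrs:
        return False
    return all(_is_loopback(a) for a in addrs)


def origin_allowed(origin_header, allowed_hosts):
    """Server-side Origin allowlist for the local WebSocket endpoint.

    Exact host match only (no suffix matching, which would let
    company.com.evil.example through), https only, and the opaque
    'null' Origin is rejected because it has no scheme.
    """
    parts = urlsplit(origin_header)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased by urlsplit; port is stripped
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    # Constructed resolver answers standing in for a real DNS lookup.
    honest = lambda h: {"127.0.0.1", "::1"}
    spoofed = lambda h: {"127.0.0.1", "203.0.113.7"}  # TEST-NET-3 address, constructed
    print("honest DNS  ->", resolves_only_to_loopback("localhost.example", honest))
    print("spoofed DNS ->", resolves_only_to_loopback("localhost.example", spoofed))
    allowed = {"company.com"}
    for origin in ("https://company.com", "https://company.com.evil.example",
                   "http://company.com", "null"):
        print(f"{origin!r:40} ->", origin_allowed(origin, allowed))
```

The hostname pin belongs in the client (the page that opens the WebSocket, or the native app if it initiates the connection), because that is the side an attacker with a stolen key and control of DNS is trying to redirect; the Origin check belongs in the local server. Neither check removes the underlying problem of a shared private key, which only a per-install key or a different transport fixes.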


I visited recently and was wondering what that was.

https://imgur.com/a/F2iAMm7

Who uses these tokens, and what for?


Ordinary people; for example, I own one. It's a USB crypto device which stores a private key and certificate. It handles all cryptographic operations inside, so the private key can't be extracted (at least not trivially). Actually most people use simple files, but that's significantly less secure, because a file could be easily stolen.

As to certificates, they are required for some internet services. There's a portal http://egov.kz/cms/en which provides almost all government services for citizens, and to use it you must own a certificate (so you sign your request with a digital signature and it's treated by law as if you had signed it by hand).


Excellent, thank you!



