I recall that subdomains are their own record inside a DNS, which would imply that anyone can claim that their server is a non-existent subdomain of the real domain
Two things here to consider:
To register a subdomain you need to have control over the domain itself at DNS level.
To certify a subdomain it needs to be reachable over the network. (Not always true/necessary)
So maybe you could somehow make the subdomain available to your victim by, for example, hacking the university or coffee shop router. You still need the domain and its associated IP reachable by the certificate authority so they can check it. For example, this simply will not work with Let’s Encrypt. Having a manual authority would be more complex because they will immediately see you are a scammer and won’t allow you to have this subdomain certified.
On the other hand, there is a bunch of security put in place to restrict the validity of certificates. For example, a domain can have a list of certificate authorities allowed to certify its subdomains. This makes it even harder to spoof a subdomain and get it certified by someone else.
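The list of allowed certificate authorities mentioned above is published as DNS CAA records (RFC 8659), which a CA looks up by climbing from the requested name toward the root. The sketch below is an added example, not part of the original post, showing that lookup for non-wildcard names. The zone contents, the `example.*` names and `other-ca.example` are constructed, and critical-flag handling is left out.

```python
# Constructed sample data: name -> list of (tag, value) CAA properties.
# A real check would query DNS; a dict keeps the example offline.
ZONE = {
    "example.edu": [("issue", "letsencrypt.org"),
                    ("iodef", "mailto:sec@example.edu")],
    "lab.example.edu": [("issue", ";")],   # empty issuer: no CA may issue
    "example.org": [("iodef", "mailto:sec@example.org")],  # no issue tag
}


def relevant_caa_set(fqdn, zone):
    """Climb from fqdn toward the root; return (owner, first non-empty CAA set)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def ca_may_issue(fqdn, ca_domain, zone=ZONE):
    """True if the CA identified by ca_domain may issue for non-wildcard fqdn."""
    _, rrset = relevant_caa_set(fqdn, zone)
    # The issuer name is the part of the value before any ';' parameters.
    issuers = [value.split(";", 1)[0].strip().lower()
               for tag, value in rrset if tag.lower() == "issue"]
    if not issuers:
        # No CAA set found, or none of its properties restricts issuance.
        return True
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    for name, ca in [("portal.example.edu", "letsencrypt.org"),
                     ("portal.example.edu", "other-ca.example"),
                     ("host.lab.example.edu", "letsencrypt.org"),
                     ("www.example.org", "other-ca.example")]:
        print(f"{ca} -> {name}: {ca_may_issue(name, ca)}")
```

A subdomain with no CAA records of its own inherits the closest ancestor's set, so a policy on the parent domain also covers subdomains that do not exist yet.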