How a CA Verifies Domain Identity: The ACME Challenge
We cannot issue certificates to the wrong person, as this would allow the certificate holder to impersonate others. Therefore, before issuing a certificate to any applicant, we must make sure they actually control the domain. This means verifying the applicant's identity.
The industry standard for this is called the ACME Challenge. The basic principle is: to prove to me (the CA) that you are super-bank.com, you need to make the URL super-bank.com/.well-known/acme-challenge/foo return the text bar. This demonstrates your control over the domain, and I will issue the certificate to you. (There are other methods supported as well, such as DNS TXT records.)
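The CA-side check, as an added example that is not code from the original page. It goes one step beyond the foo/bar simplification: in the HTTP-01 challenge of RFC 8555, "foo" is a random token chosen by the CA and "bar" is that token joined to a hash (RFC 7638 thumbprint) of the applicant's account public key. The key values, the dictionary standing in for the web server, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed account public keys in JWK form; x/y are placeholders, not real key material.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-1", "y": "constructed-y-1"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-2", "y": "constructed-y-2"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_token() -> str:
    # RFC 8555 requires the token ("foo") to carry at least 128 bits of entropy.
    return b64url(secrets.token_bytes(16))

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace.
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    # The expected response body ("bar"): token, a dot, then the account key thumbprint.
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def ca_validate(fetch, domain: str, token: str, account_jwk: dict) -> bool:
    # fetch(domain, path) returns the response body as bytes, or None if nothing is served.
    body = fetch(domain, "/.well-known/acme-challenge/" + token)
    if body is None:
        return False
    expected = key_authorization(token, account_jwk).encode("ascii")
    # Trailing whitespace is ignored; the comparison runs in constant time.
    return hmac.compare_digest(body.rstrip(), expected)

def make_fetcher(files: dict):
    # Stand-in for the CA's HTTP GET so the example runs offline.
    return lambda domain, path: files.get((domain, path))

if __name__ == "__main__":
    token = new_token()
    path = "/.well-known/acme-challenge/" + token
    site = {("super-bank.com", path): (key_authorization(token, ACCOUNT_JWK) + "\n").encode()}
    print(ca_validate(make_fetcher(site), "super-bank.com", token, ACCOUNT_JWK))  # account that placed the file
    print(ca_validate(make_fetcher(site), "super-bank.com", token, OTHER_JWK))    # a different account
```

Because the response is bound to the account key, a file served for one applicant does not validate an order placed under another account.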