Or even better, don’t register CNAMEs or A records for your subdomain until you’re ready to tell the world. The cert is meaningless if there’s nowhere for the traffic to route.
That’s a fair point for giving intent if there’s a human-facing name for the DNS entry. I was referring to the security implications of having a public endpoint exposed, or more accurately not being exposed because there’s no way to route traffic to it.
The cert has a meaning: it reveals your intent to do something with it.
I.e. if Apple were to buy a cert for car.apple.com before they announce a car, that could be bad for them.