To issue a certificate for a specific subdomain, you just need to have an http server and serve the secret under the .well-known directory.