by bracewel
1341 days ago
There is a fifth, incredibly common, (arguably) non-malicious possibility. You don't control the entirety of your web stack, and your hosting provider, or DNS provider, or someone else, has decided to be 'helpful' (either blindly, or due to some misconfiguration somewhere along the line) and issue a certificate on your behalf, as they are able to intercept CA validation traffic at the DNS, TLS, or HTTP layer.

Universities will often have a cash-strapped organisation-wide IT Department (e-mail for English majors) and another layer of IT in certain academic departments (computer labs for CS students) and another layer of IT after that (the centre for machine learning paid for that cluster, of course they have full authority over it) - and often it's that third-level body that's getting all the grant funding and publishing all the papers.
The people who control www.example.edu might basically be the marketing department for their glossy student recruitment brochure. Who's to say they have authority over certificate issuance for datasets.ml.cs.example.edu?