The certificate authority can issue certificates for absolutely anything (any domain) they want and your software will happily claim it's valid if the CA is trusted.

That is why the CA-system is a joke, you only need to compromise any of the CA's that are trusted by default to fool all certificate users.