All TLS/HTTPS clients have a set of Certificate Authority keys which they trust. Your client will only accept a public key which is signed by a trusted CA's key. A proper CA will not sign a key for a domain when it has not verified that the entity that wants it's key signed actually controls the domain.
All TLS/HTTPS clients have a set of Certificate Authority keys which they trust. Your client will only accept a public key which is signed by a trusted CA's key. A proper CA will not sign a key for a domain when it has not verified that the entity that wants it's key signed actually controls the domain.