Greetings, and thank you for a great service.
I work in an organization where we (the security team) frequently run phishing campaigns against our users to raise awareness and to demonstrate what a phishing attack might look like. We also own several typosquatting domains for our main domain to prevent users from visiting them.
We had the idea of using one of these domains in our next campaign, with a valid certificate to demonstrate that, while a site might have a valid certificate, it is not necessarily the one you want to visit. We are planning to use Let's Encrypt for that reason, hence my question here. I'd like to make sure we're not breaking some terms of service before going ahead with this.
The attack will only last a few days, after which we will remove the certificate and send an explanation e-mail to our users.