How do you confirm the person asking for the certificate actually owns the domain?