I’m using a wildcard cert from letsencrypt. Currently there is only one way how to verify that you hold the domain you are requesting cert for: creating TXT record in that domain. You can do it by hand when asked by certbot but you don’t want to do this each 90 days. If you are running your own DNS servers with PowerDNS like me there’s an elegant solution: RFC2136. This allows you to update your zones without writing config files and restarting anything.