As to the signing and how it’s done: when you buy a cert from a CA, they ask you to prove that you own the domain that it covers (just talking about HTTPS certs here). Generally you make a special change to the website hosted on that domain, or else receive a code at the postmaster address listed in the whois record.
However…
You can buy an “Extended validation” cert from a CA (Symantec, GeoTrust, DigiCert, etc.) and they will verify business records, talk to human contacts, use letters from attorneys and so on, before signing. These cost more and are generally valid for longer.
I once had to work on cert validation for an entity that had 30+ international domain names on their cert and the CA had to find a human contact that owned the domain in each of those countries; it took almost six months to complete. What international security powerhouse required this insane level of work for their website? Mary Kay Cosmetics (I checked just now, they’re not like that any more).