I have read these posts: https://www.cnet.com/news/fraudulent-google-certificate-points-to-internet-attack/
As far as I know, a certificate should be installed on a server.
So I don’t quite understand how issuing a fraudulent certificate for *.google.com (the spelling of the common name is correct – it is not phishing) could trigger these browser warnings without installing it on a server.
I understand that a private key is in their hands, but how did they manage to throw this certificate from the official Google website to users?
Did they install it on a Gmail server?
Could you explain, please?