Currently I'm working with mitmproxy and intercepting some HTTPS traffic using it. Before I could use it in my browser, I had to trust the certificate via my OS settings. After that, the certificate was trusted by my machine and the browser didn't complain. This self-signed certificate sent from the mitmproxy server got me thinking: would it be possible for an attacker to get his certificate signed by some trusted authority (not mitmproxy like in the example above), and to use his own keypair, which would be in that certificate, to serve it and perform a MITM attack, escaping the fact that someone needs to trust the certificate after receiving it? It would be the same as getting a certificate signed for any newly formed HTTPS website; just in this scenario, the attacker would be using it to serve the certificate for the sake of having his own key pair, so he can sniff traffic, and for the victim to have it trusted initially in his browser.
So the procedure would be the following:
- Attacker generates a certificate with his own keypair
- He gets a trusted certificate authority to sign it
- He starts the mitm proxy server and places that newly signed certificate instead of the old self-signed certificate
- Victim starts using that proxy and tries to navigate to some web page, and now, because the certificate that person got was signed by a trusted authority, the browser won't complain and the victim won't notice anything.
- Attacker will sniff all traffic
Is there something I'm missing here? Is this possible to do, and are trusted certificate authorities trying to prevent something like this? To me it sounds like a really easy thing to achieve. Please correct me if I'm wrong about something.
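
The procedure in the question turns on what the browser checks when it receives the certificate. As an added example (not part of the original post), the Python code below models the two independent checks a TLS client applies: whether the issuer is trusted, and whether a name in the certificate matches the host that was requested. All hostnames are constructed samples, the matcher is a simplified form of RFC 6125 name matching, and the third scenario assumes the publicly trusted certificate lists only the proxy owner's own domain.

```python
# Added illustration, not from the post: the two independent checks a TLS
# client makes on a server certificate. All hostnames are constructed samples.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against the requested host (simplified RFC 6125)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard must be the entire left-most label, with two labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def client_verdict(issuer_trusted: bool, san_dns_names: list[str],
                   requested_host: str) -> str:
    """Return the client's decision for one handshake."""
    if not issuer_trusted:
        return "reject: untrusted issuer"
    if not any(san_matches(name, requested_host) for name in san_dns_names):
        return "reject: hostname mismatch"
    return "accept"


OWN_NAMES = ["proxy-owner.example", "*.proxy-owner.example"]  # assumed SAN list

# (label, issuer trusted?, names in the certificate, host the client requested)
SCENARIOS = [
    ("proxy CA not installed", False, ["shop.example"], "shop.example"),
    ("proxy CA installed by the user", True, ["shop.example"], "shop.example"),
    ("public CA cert, other site requested", True, OWN_NAMES, "shop.example"),
    ("public CA cert, own site requested", True, OWN_NAMES,
     "www.proxy-owner.example"),
]


def run_scenarios() -> dict[str, str]:
    """Evaluate every constructed scenario and return label -> verdict."""
    return {label: client_verdict(trusted, names, host)
            for label, trusted, names, host in SCENARIOS}


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:40} -> {verdict}")
```
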