so someone can generate certificates for me without me even knowing?
Anyone can create any certificates they like. And anyone can sign any certificates they like.
The trick is getting someone else to trust certificates you sign. With the (half-assed, wholly-broken) public X.509 PKI, that generally means the victim has to have the root certificate for your signing chain installed as a trusted certificate.1
If you're a member of the CA club, then you've already talked major software vendors - browser and OS manufacturers - into including your root certs in their trusted collections, because who wouldn't take, say, TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 at their word? I know I trust them implicitly, so it's no surprise that Mozilla do too.
Thawte is a member of the club, so they can create any certificates they like, and sign them with one of their trusted roots, and impersonate anyone. And tough luck, losers.
1Which means, of course, that you can just ship victims a copy of your root, and use a bit of social engineering to get them to install it. But let's all pretend that can't happen.
Biting the hand that feeds IT
