When using Certificate Transparency and embedding SCTs retrieved by submitting pre-certificates to CT logs (which is the normal use case for CT), we had one corner case where the SCTs in the final certificate could not properly be verified because altName ordering caused a different TBSCertificate encoding in the pre-certificate and the final certificate. To ensure that issued certificates are correct, we should verify the SCTs in the final certificate before completing the issuance, just as we verify the certificate signature today.
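The check described above, as an added illustration that is not part of this issue or of certificate-transparency-java: it rebuilds the pre-certificate TBS from a final certificate by dropping the SCT list extension (RFC 6962 section 3.2) and builds the bytes a log signs for a precert entry, so that a SAN reordered between pre-certificate and final certificate shows up as a mismatch. Assumptions: `make_tbs` is a constructed, minimal stand-in for a real TBSCertificate; byte comparison of the signed input stands in for the actual signature check (a log signature that verified over the pre-certificate verifies over the final certificate only if these bytes are identical); `issuer_key_hash` and `timestamp_ms` are the values carried by the SCT; the DER walker handles the single-byte tags X.509 uses.

```python
import struct
SCT_EXT_OID = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2 (embedded SCT list)
SAN_OID = bytes.fromhex("551d11")                    # 2.5.29.17 (subjectAltName)

def der(tag, content):  # one DER TLV, long-form length when needed
    n = len(content)
    body = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(body)]) + body + content

def der_iter(buf):  # yield (tag, content) for each TLV in a SEQUENCE body
    pos = 0
    while pos < len(buf):
        tag, first, pos = buf[pos], buf[pos + 1], pos + 2
        nlen = first & 0x7F if first & 0x80 else 0
        length = int.from_bytes(buf[pos:pos + nlen], "big") if nlen else first
        yield tag, buf[pos + nlen:pos + nlen + length]
        pos += nlen + length

def make_tbs(dns_names, sct_list=None):
    # Constructed TBSCertificate stand-in: serial, then [3] Extensions with a SAN (+ SCT list).
    san = der(0x30, b"".join(der(0x82, n.encode("ascii")) for n in dns_names))  # [2] dNSName
    exts = der(0x30, der(0x06, SAN_OID) + der(0x04, san))  # Extension ::= SEQUENCE { extnID, extnValue }
    if sct_list is not None:  # extnValue holds an OCTET STRING with the TLS-encoded SCT list
        exts += der(0x30, der(0x06, SCT_EXT_OID) + der(0x04, der(0x04, sct_list)))
    return der(0x30, der(0x02, b"\x01") + der(0xA3, der(0x30, exts)))

def tbs_without_sct_extension(tbs):
    # RFC 6962 s3.2: rebuild the TBS the log signed by dropping the SCT list extension.
    out = b""
    for tag, content in der_iter(next(der_iter(tbs))[1]):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            kept = [der(0x30, e) for _, e in der_iter(next(der_iter(content))[1])
                    if next(der_iter(e))[1] != SCT_EXT_OID]
            content = der(0x30, b"".join(kept))
        out += der(tag, content)
    return der(0x30, out)

def precert_signed_input(tbs, issuer_key_hash, timestamp_ms, sct_extensions=b""):
    # Bytes a log signs for a v1 SCT over a precert_entry (RFC 6962 s3.2).
    return (b"\x00\x00" + struct.pack(">QH", timestamp_ms, 1)  # v1, certificate_timestamp, timestamp, precert_entry
            + issuer_key_hash                      # SHA-256 of the issuer SubjectPublicKeyInfo
            + len(tbs).to_bytes(3, "big") + tbs    # opaque tbs_certificate<1..2^24-1>
            + struct.pack(">H", len(sct_extensions)) + sct_extensions)

def sct_data_consistent(precert_tbs, final_tbs, issuer_key_hash, timestamp_ms):
    # The log's signature verifies over the final certificate only if these bytes are identical.
    rebuilt = precert_signed_input(tbs_without_sct_extension(final_tbs), issuer_key_hash, timestamp_ms)
    return rebuilt == precert_signed_input(precert_tbs, issuer_key_hash, timestamp_ms)
```

Run `sct_data_consistent(submitted_precert_tbs, final_tbs, issuer_key_hash, sct_timestamp_ms)` as a pre-issuance gate; a `False` result with a real log signature means the final certificate's SCTs will not verify.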
If my pull request gets accepted, the git version of certificate-transparency-java will be able to verify SCTs in the final certificate. My fork can be used in the meantime, but we should probably wait until it's reviewed and merged so the API is stable.