You can use the Google Safe Browsing API to prevent certificate issuance to malicious actors trying to get certificates for their phishing site.
The API is public, but you need an API key from Google. Google provides both a "Lookup API" and an "Update API". The "Lookup API" seems to be a good start, but support for the "Update API" could be added later.
Submit dnsNames in the certificate to the API and check for threats before issuance. A DnsNameValidator can do this.
Don't forget to add some documentation.
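The pre-issuance check described above, as an added example (not code from the project): it builds a Safe Browsing Lookup API v4 `threatMatches:find` request for a certificate's dnsNames and maps any matches back to the names that triggered them. The function names, the client ID, the wildcard handling and the sample response are assumptions constructed for illustration.

```python
import json
from urllib import request

ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]

def lookup_url(dns_name):
    # Assumption: a wildcard name is checked via its base domain.
    host = dns_name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return f"http://{host}/"

def build_lookup_body(dns_names, client_id="example-ca", client_version="0.1"):
    # client_id and client_version are hypothetical values for this example.
    urls = sorted({lookup_url(n) for n in dns_names})
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }

def threats_by_name(dns_names, response):
    # An empty JSON object means no match; matches echo the submitted URL.
    hits = {}
    for match in response.get("matches", []):
        hits.setdefault(match["threat"]["url"], set()).add(match["threatType"])
    return {n: sorted(hits[lookup_url(n)]) for n in dns_names if lookup_url(n) in hits}

def http_post(body, api_key):
    req = request.Request(f"{ENDPOINT}?key={api_key}", data=json.dumps(body).encode(),
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def validate_dns_names(dns_names, api_key, post=http_post):
    # Errors from post() propagate so the caller can fail closed.
    threats = threats_by_name(dns_names, post(build_lookup_body(dns_names), api_key))
    return (not threats, threats)

# Constructed sample response, used instead of a live API call.
SAMPLE_RESPONSE = {"matches": [{"threatType": "SOCIAL_ENGINEERING",
    "platformType": "ANY_PLATFORM", "threatEntryType": "URL",
    "threat": {"url": "http://phish.example/"}, "cacheDuration": "300s"}]}

if __name__ == "__main__":
    print(validate_dns_names(["*.Phish.example", "good.example"], "API_KEY_PLACEHOLDER",
                             post=lambda body, key: SAMPLE_RESPONSE))
```

Whether an API outage blocks issuance or is only logged is a policy decision for the validator; the example leaves it to the caller by letting the exception propagate.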