Hi, the CA/B rules are often mentioned here. But I think that nobody has really read them.
I am referring to the version https://www.cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf
10.3.2 Agreement Requirements (Page 18)
For example, under Point 4:
Use of Certificate: An obligation and warranty to install the Certificate only on servers that are accessible at the subjectAltName(s) listed in the Certificate,
With this, the test page https://cryptoreport.thawte.com/checker/views/sslCheck.jsp would be a breach of the contract and could be called illegal, because the linked https://wronghost.websecurity.symantec.com/ is explicitly on an FQDN not mentioned in the SAN.
Or another example:
Termination of Use of Certificate: An obligation and warranty to promptly cease all use of the Private Key corresponding to the Public Key included in the Certificate upon revocation of that Certificate for reasons of Key Compromise.
If the key is compromised and the certificate is revoked, it means the key is out of control, so how should you ensure that it will not be used if it has somehow become public?
Also for LE, Point 3 is interesting:
Acceptance of Certificate: An obligation and warranty that the Subscriber will review and verify the Certificate contents for accuracy.
This would require that each issued certificate is reviewed after issuance and before use. Since LE is proud of its automation, how should this be done?