I hope this is a typo because if someone is running a website on your behalf, you really should allow them to secure it with HTTPS!
However, if you really want to, as long as you have exclusive control of the DNS settings, you can prevent them getting a cert or (better) restrict them to using the certificate authority of your choice, by using a CAA record as mnordhoff mentioned above.