as a practical exercise review this post: Domain on Restricted List - LetsEncrypt Not Able to Issue Certificate
also review Certificate Transparency in action here: https://crt.sh/?q=%.mastercard.ro
The reason why this is a good exercise is that it shows someone trying to do something they shouldn’t be able to do.
CA Domain Restrictions coming to play and ultimately them going to Entrust (the CA who is allowed to issue those certs) and getting a certificate under the right process
Andrei