It’s significantly more complicated than it sounds, actually. I’d encourage you to read the relevant section of RFC6962. In effect, the CA has to issue the certificate twice. First you generate a precertificate with a critical poison extension, then submit it to a CT log, receive the SCT, and then sign it again. There is potential for failure and delay at each step in the process, plus significant additional complexity, which is why the authors of the CT spec included easier options.
1 Like