Why not use DNS?
Create some new type of DNS record, or just reuse TXT.
It can indicate what types of SSL certs are valid for this domain.
e.g. only certs with these serial numbers, only certs from this CA, etc.
Browser would check the DNS record for the site, to look for any
constraints on the SSL cert, and error out if they were violated.
Without DNSSEC, this doesn't add that much -- attacker just has to MITM
DNS as well -- although it does make their work a bit harder. But with
DNSSEC, this could be a solution to the problem.
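As an added example (not part of the original post, and not anyone's deployed code), here is a toy implementation of the check described above: a browser-side routine that reads a TXT-style constraint record for a domain, parses the allowed CA and serial-number constraints, and decides whether a presented certificate is acceptable. The record syntax (`v=certpin1; ca=...; serial=...`), the `ZONE` lookup table standing in for a DNS resolver, and the sample records and certificates are all constructed assumptions for illustration. The `dnssec_validated` flag models the post's caveat: a record that was not DNSSEC-validated could have been forged by whoever is already spoofing DNS, so a match against an unsigned record is reported separately rather than as a full "accept". The standardized form of this idea is DANE (RFC 6698), which pins by certificate or key hash rather than by issuer name; this example keeps the post's simpler CA-name/serial model.

```python
"""Toy DNS-published certificate-constraint check (added example; the record
format, the ZONE table and all sample values are constructed assumptions)."""
from dataclasses import dataclass, field


@dataclass
class Constraint:
    allowed_cas: set = field(default_factory=set)       # issuer names
    allowed_serials: set = field(default_factory=set)   # serial numbers as ints


@dataclass
class CertInfo:
    issuer: str   # issuer name as it appears in the certificate
    serial: int   # certificate serial number


def parse_constraint(txt: str) -> Constraint:
    """Parse the hypothetical 'v=certpin1; ca=A,B; serial=1a2b,3c4d' record.

    Serials are hex. Any field that is absent imposes no constraint; an
    unknown or missing version tag is rejected so a malformed record does
    not silently become 'no constraints'.
    """
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "certpin1":
        raise ValueError("unsupported or missing version tag")
    c = Constraint()
    if "ca" in fields:
        c.allowed_cas = {x.strip() for x in fields["ca"].split(",") if x.strip()}
    if "serial" in fields:
        c.allowed_serials = {int(x.strip(), 16)
                             for x in fields["serial"].split(",") if x.strip()}
    return c


def evaluate(cert: CertInfo, constraint: Constraint, dnssec_validated: bool):
    """Return (verdict, reason); verdict is 'accept', 'reject' or 'unauthenticated'."""
    violations = []
    if constraint.allowed_cas and cert.issuer not in constraint.allowed_cas:
        violations.append(f"issuer {cert.issuer!r} not in allowed CAs")
    if constraint.allowed_serials and cert.serial not in constraint.allowed_serials:
        violations.append(f"serial {cert.serial:#x} not in allowed serials")
    if violations:
        return "reject", "; ".join(violations)
    if not dnssec_validated:
        # The record matched, but without DNSSEC it could have been forged by
        # the same party that is intercepting the TLS connection.
        return "unauthenticated", "constraint satisfied but record not DNSSEC-validated"
    return "accept", "constraint satisfied"


# Constructed stand-in for a DNS lookup: domain -> (TXT record, DNSSEC-validated?)
ZONE = {
    "example.com": ("v=certpin1; ca=Example Root CA; serial=1a2b,3c4d", True),
    "unsigned.example": ("v=certpin1; ca=Example Root CA", False),
}


def check_domain(domain: str, cert: CertInfo):
    """Look up the domain's constraint record (if any) and evaluate the cert."""
    record = ZONE.get(domain)
    if record is None:
        return "accept", "no constraint record published"
    txt, signed = record
    return evaluate(cert, parse_constraint(txt), signed)


if __name__ == "__main__":
    for domain, cert in [
        ("example.com", CertInfo("Example Root CA", 0x1A2B)),
        ("example.com", CertInfo("Rogue CA", 0x1A2B)),
        ("unsigned.example", CertInfo("Example Root CA", 0x42)),
    ]:
        print(domain, cert, "->", check_domain(domain, cert))
```

A real implementation would match the CA by certificate or public-key hash rather than by name string, and would treat the "unauthenticated" outcome according to local policy (for instance, log it and fall back to ordinary chain validation), which is exactly the gap the post says DNSSEC closes.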