diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md
index 286fe474..73829974 100644
--- a/doc/netwatch-dns.md
+++ b/doc/netwatch-dns.md
@@ -64,11 +64,13 @@ Be aware that you have to keep the ip address in sync with real world
 manually!
 
 Importing a certificate automatically is possible. You may want to find the
-[certificate name from browser](../CERTIFICATES.md).
+[certificate name from browser](../CERTIFICATES.md). Sometimes a service
+randomly switches the CA used to issue the certificate, or it just depends
+geolocation - give several certificate delimited with colon (`:`) then.
 
     /tool/netwatch/add comment="doh, doh-cert=SSL.com Root Certification Authority ECC" host=1.1.1.1;
     /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G3" host=9.9.9.9;
-    /tool/netwatch/add comment="doh, doh-cert=GTS Root R1" host=8.8.8.8;
+    /tool/netwatch/add comment="doh, doh-cert=GTS Root R1:GTS Root R4" host=8.8.8.8;
 
 > ⚠️ **Warning**: Combining these techniques can cause some confusion and
 > troubles! Chances are that a service uses different certificates based