I think there is one thing to look at. When enrolling in the RA GUI (I just use username/password with entity added in admin GUI), and CAA (or key validation) fails, the error is just an error code.
This error code is perfectly correct in itself, but it's not user-friendly and may cause support issues. For other errors we display a nicer, user-friendly error message. It would be good if validation errors could display a more user-friendly message in the RA UI.
Perhaps ValidationException should be a NonSensitiveException? (We then have to roll it up a couple of times, I think.)