Overview ๐ฅ
In some cases, the TLS/SSL Inspector may display certificate details that appear different from what is shown in a web browser.
Common examples include differences in:
Certificate Issuer
Expiration Date
Friendly Name
Certificate Chain
Registrar Information
This behavior is typically caused by the root domain and the www subdomain serving different SSL certificates from different infrastructure endpoints.
Example:
example.com
Although both URLs may appear to represent the same website, they can point to completely different backend services and therefore return different certificates.
Why Does This Happen? ๐ค
Modern websites commonly use multiple hosting layers, including:
CDN providers
Reverse proxies
Load balancers
Cloud-managed frontends
Traditional backend web servers
Because of this, the certificate presented depends entirely on which hostname the connection targets.
For example:
Endpoint | Possible Infrastructure | Possible Certificate Authority |
| Backend origin server | Let's Encrypt |
CDN or cloud frontend | Google Trust Services / DigiCert / Cloudflare |
Both certificates can be valid simultaneously.
How Liongard Retrieves SSL Certificates ๐งโ๐ซ
The Liongard TLS/SSL Inspector retrieves the certificate directly from the hostname configured in the Inspector target.
If the Inspector target is configured as:
example.com
Liongard connects specifically to:
example.com:443
If the browser automatically redirects traffic to:
www.example.com
then the browser may display an entirely different certificate.
This creates the appearance of a mismatch even though both systems are technically correct.
Common Scenario Example ๐
Root Domain
example.com
May return:
Issuer: Let's Encrypt
Expiration: July 31, 2026
WWW Subdomain
www.example.com
May return:
Issuer: Google Trust Services (WE1)
Expiration: August 4, 2026
Result
Source | Endpoint Connected | Certificate Displayed |
Liongard |
| Let's Encrypt |
Browser | WE1 |
Both results are valid because the endpoints are different.
How to Verify the Active Certificate ๐จโ๐ป
1๏ธโฃ Browser Verification
Open the website in a browser
Select the lock/security icon
Open the certificate details
Review:
Issuer
Expiration Date
Common Name
Subject Alternative Names (SANs)
2๏ธโฃ OpenSSL Verification
You can manually validate certificates using OpenSSL.
Check Root Domain
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -text
Check WWW Subdomain
echo | openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | openssl x509 -noout -text
Compare the returned:
Issuer
Validity Dates
SANs
Certificate Chain
How to Make Liongard Match the Browser Certificate ๐
If you want Liongard to monitor the same certificate users see in their browsers:
Navigate to: Admin โ Inspectors โ TLS/SSL
Locate the affected Inspector
Select the three-dot menu (โฎ)
Select Edit
Update the target hostname
Example:
Change:
example.com
To:
www.example.com
Save the Inspector and run inspection in Clear Cache + Debug Mode
Once updated, Liongard will begin retrieving the certificate presented by the www endpoint instead of the root domain.
Important Notes ๐จ
Redirects Do Not Change the Original SSL Handshake
SSL certificates are negotiated before HTTP redirects occur.
Even if:
example.com
redirects users to:
www.example.com
the initial TLS handshake for example.com still presents its own certificate first.
Multiple Valid Certificates Can Exist Simultaneously
This behavior is normal and common in environments using:
Cloudflare
Google Cloud
AWS CloudFront
Azure Front Door
Reverse proxies
CDN services
Different hostnames may intentionally serve different certificates.
Liongard Reports the Exact Endpoint Configured
The TLS/SSL Inspector does not automatically follow browser behavior or infer preferred subdomains.
It reports the certificate directly returned by the configured target hostname.
Troubleshooting Checklist ๐
Validation Step | Expected Result |
Verify Inspector target hostname | Matches intended endpoint |
Compare | Confirm whether certificates differ |
Run OpenSSL lookup | Validate live certificate response |
Check browser certificate | Confirm frontend certificate |
Run Debug + Clear Cache | Refresh cached Inspector data |
Update Inspector target if necessary | Align Liongard with browser-visible certificate |
When to Contact Liongard Support ๐ฆ
If the Inspector still reports unexpected certificate information after validating the endpoint configuration:
Provide the following:
Inspector name
Target hostname configured in Liongard
OpenSSL command output
Browser certificate screenshots
Any redirect behavior observed between root and subdomains
This information helps accelerate troubleshooting and validation.