By default, certcheck.sh resolves the hostname you enter using standard DNS resolution - the same way a web browser would. In most cases this is exactly what you want. However, there are scenarios where you need to check a TLS/SSL certificate on a specific server that authoritative DNS does not currently resolve to.
Scenarios
Pre-deployment verification: You have installed a TLS/SSL certificate on a new server but have not yet updated your DNS records to point to it. You want to verify the certificate is correctly installed before cutting over DNS.
Pre-propagation verification: You have updated your DNS records but propagation is not yet complete. Depending on where the DNS request originates, resolution may still return the old server IP address. Using the Authoritative DNS override text field allows you to target the new server directly, regardless of where DNS currently resolves.
Multi-origin and load balanced environments: In environments where a hostname resolves to multiple servers - such as behind a load balancer or CDN - individual servers may serve different certificates. The Authoritative DNS override text field allows you to target a specific server by IP address or a different hostname to verify its certificate independently.
Stacked CDN environments: If your web architecture uses multiple CDN providers in a stacked configuration - meaning requests to your hostname route to the first CDN provider, which forwards them to a second CDN provider, which in turn forwards them to your origin servers - you may need to check the TLS/SSL certificate on the second CDN provider. The second provider usually exposes a unique hostname (such as hostname.cdn.second-provider.net) that resolves to its own IP addresses, and that hostname can be used as the override target.
How to use it
If any of the above scenarios apply, enter the target server's hostname (different from the hostname entered in the Hostname text field) or IP address in the Authoritative DNS override text field. The hostname you enter in the Hostname text field is still sent as the SNI (Server Name Indication) extension in the TLS handshake, so the server returns the certificate for that hostname; only the network destination of the TLS/SSL connection changes.
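The following is an added example of the same separation between "where the connection goes" and "which name is sent as SNI". It is not certcheck.sh's own code; the function names and the sample certificate data in the comments are my own. It connects to the override target, sends the intended hostname as SNI, and then checks that the certificate returned actually covers that hostname and reports how long it has until expiry.

```python
# Added example (not certcheck.sh's own code): connect to an override target
# while still sending the intended hostname as SNI, then check that the
# certificate returned is valid for that hostname. All names are hypothetical.
import socket
import ssl
import time
from typing import Any, Dict, Optional, Tuple


def connection_target(hostname: str, override: Optional[str] = None) -> Tuple[str, str]:
    """Return (network destination, SNI name).

    Without an override both are the hostname. With an override, the TCP
    connection goes to the override (IP or alternate hostname) while the TLS
    handshake still carries the original hostname in the SNI extension.
    """
    sni = hostname.strip().lower()
    dest = (override or hostname).strip().lower()
    return dest, sni


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Exact match, or a wildcard in the leftmost label covering exactly one
    label (RFC 6125 rules: '*.example.com' matches 'www.example.com' but not
    'example.com' or 'a.b.example.com').
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert: Dict[str, Any], hostname: str) -> bool:
    """True if any DNS subjectAltName covers hostname (CN fallback is obsolete)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(san, hostname) for san in sans)


def parse_cert_time(value: str) -> int:
    """Parse the notBefore/notAfter format used by ssl.getpeercert() into epoch seconds."""
    return int(ssl.cert_time_to_seconds(value))


def days_until_expiry(cert: Dict[str, Any], now_epoch: int) -> int:
    """Whole days between now_epoch and the certificate's notAfter (negative if expired)."""
    return (parse_cert_time(cert["notAfter"]) - now_epoch) // 86400


def check_certificate(hostname: str, override: Optional[str] = None,
                      port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Fetch the certificate served at dest for the SNI name and evaluate it."""
    dest, sni = connection_target(hostname, override)
    # The default context verifies the chain and checks the name against sni,
    # so an untrusted or mismatched certificate raises SSLCertVerificationError.
    ctx = ssl.create_default_context()
    with socket.create_connection((dest, port), timeout=timeout) as sock:
        # server_hostname sets the SNI value independently of where the socket connects
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return {
        "destination": dest,
        "sni": sni,
        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
        "san": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        "covers_hostname": cert_covers(cert, sni),
        "days_until_expiry": days_until_expiry(cert, int(time.time())),
    }


if __name__ == "__main__":
    import sys
    # usage: python certcheck_override.py <hostname> [override-ip-or-hostname]
    target_host = sys.argv[1]
    target_override = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_certificate(target_host, target_override))
```

Running it as `python certcheck_override.py www.example.com 203.0.113.10` opens the TCP connection to 203.0.113.10 but negotiates TLS for www.example.com, which is the same thing the override field does. Because the default SSL context verifies the chain, a certificate that is correctly installed but not yet trusted by the local trust store (common during pre-deployment) will raise `ssl.SSLCertVerificationError` rather than return a result; that is the first signal to inspect.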