diff --git a/src/gam/__init__.py b/src/gam/__init__.py
index f69b65b8..c15450be 100755
--- a/src/gam/__init__.py
+++ b/src/gam/__init__.py
@@ -9499,6 +9499,26 @@ def getOSPlatform():
     pltfrm = platform.platform()
   return f'{myos} {pltfrm}'
 
+def inspect_untrusted_cert(url):
+    """Bypasses validation momentarily to extract the untrusted Issuer."""
+    parsed = urlparse(url if '://' in url else f'https://{url}')
+    host = parsed.hostname
+    port = parsed.port or 443
+    # Create an unverified context purely for diagnostic extraction
+    ctx = ssl.create_default_context()
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
+    try:
+        with socket.create_connection((host, port), timeout=5) as sock:
+            with ctx.wrap_socket(sock, server_hostname=host) as ssock:
+                der_cert = ssock.getpeercert(binary_form=True)
+                cert = x509.load_der_x509_certificate(der_cert, default_backend())
+                issuer = cert.issuer.rfc4514_string()
+                subject = cert.subject.rfc4514_string()
+                return f"Untrusted Issuer: {issuer}\n    Server Subject: {subject}"
+    except Exception as e:
+        return f"Failed to retrieve diagnostic certificate: {e}"
+
 # gam checkconnection
 def doCheckConnection():
 
@@ -9535,8 +9555,9 @@ def doCheckConnection():
     except httplib2.error.ServerNotFoundError:
       writeStdout(f'{not_okay}\n    Failed to find server. Your DNS is probably misconfigured.\n')
     except ssl.SSLCertVerificationError as e:
+      diag_info = inspect_untrusted_cert(host)
       # e.verify_message contains the specific OpenSSL error string
-      writeStdout(f'{not_okay}\n    Certificate verification failed: {e.verify_message}\n    If you are behind a firewall / proxy server that does TLS / SSL inspection you may need to point GAM at your certificate authority file by setting cacerts_pem = /path/to/your/certauth.pem in gam.cfg.\n') 
+      writeStdout(f'{not_okay}\n    Certificate verification failed: {e.verify_message}\n    Diagnostic Info:\n   {diag_info}\nIf you are behind a firewall / proxy server that does TLS / SSL inspection you may need to point GAM at your certificate authority file by setting cacerts_pem = /path/to/your/certauth.pem in gam.cfg.\n') 
     except ssl.SSLError as e:
       if e.reason == 'SSLV3_ALERT_HANDSHAKE_FAILURE':
         writeStdout(f'{not_okay}\n    GAM expects to connect with TLS 1.3 or newer and that failed. If your firewall / proxy server is not compatible with TLS 1.3 then you can tell GAM to allow TLS 1.2 by setting tls_min_version = TLSv1.2 in gam.cfg.\n')