diff --git a/certpusher.py b/certpusher.py
index 57ad726..086fcf6 100644
--- a/certpusher.py
+++ b/certpusher.py
@@ -744,25 +744,44 @@ class CertPusher:
 upload_needed = True
 if check_first:
- if not ssh.check_remote_certificate(remote_cert_path, source_cert):
- upload_needed = False
- elif check_url:
- logger.info(f"SSH check failed. Trying URL: {check_url}")
+ # Try SSH check first
+ ssh_check_passed = not ssh.check_remote_certificate(remote_cert_path, source_cert)
+
+ # If SSH says certificates match, double-check with URL if provided
+ if ssh_check_passed and check_url:
+ logger.info(f"SSH check passed. Verifying via URL: {check_url}")
 remote_cert = self.cert_manager.get_cert_from_url(check_url)
- if remote_cert and self.cert_manager.compare_certificates(source_cert, remote_cert):
- logger.info("✓ Certificate up to date via URL. Skipping.")
+
+ if remote_cert:
+ if self.cert_manager.compare_certificates(source_cert, remote_cert):
+ logger.info("✓ URL check confirms: Certificates match. Skipping.")
+ upload_needed = False
+ else:
+ logger.warning("⚠ URL check disagrees with SSH check!")
+ logger.warning("Certificates differ via URL. Upload needed.")
+ upload_needed = True
+ else:
+ logger.warning("Could not retrieve cert via URL. Trusting SSH check.")
 upload_needed = False
+ elif ssh_check_passed:
+ # SSH check passed, no URL to verify
+ upload_needed = False
+ else:
+ # SSH check failed, upload needed
+ upload_needed = True
 if not upload_needed:
 ssh.disconnect()
 self.stats['skipped'] += 1
 return True
+ # Upload certificate
 if not ssh.upload_file(source_cert_path, remote_cert_path):
 ssh.disconnect()
 self.stats['failed'] += 1
 return False
+ # Upload key if specified
 if self.config.has_option(section, 'remote_key_path'):
 remote_key_path = self.config.get(section, 'remote_key_path')
 source_key_path = self.get_key_path(section, source_cert_path)
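Review bot: `ssh_check_passed = not ssh.check_remote_certificate(remote_cert_path, source_cert)` hides the helper's polarity behind a negation: the removed lines treated a falsy return as "remote file already current", so a reader now has to unpick a double negative to see that `ssh_check_passed` means the remote matches. Naming the variable for what it asserts and noting the inversion would help, e.g. `remote_matches = not ssh.check_remote_certificate(remote_cert_path, source_cert)  # helper is truthy when an upload looks needed`, with the two later branches renamed to match. The trailing `else: upload_needed = True` only restates the initial assignment at the top of the hunk and can be dropped or reduced to a comment. It is also worth a comment that the URL probe is now a second opinion taken only when SSH reports a match: the old fallback to the URL on an SSH mismatch is gone, so a remote file the SSH check reports as differing always triggers an upload even if the served certificate is already current. The enclosing method starts and ends outside the hunk.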
@@ -770,12 +789,14 @@ class CertPusher:
 if os.path.exists(source_key_path):
 ssh.upload_file(source_key_path, remote_key_path)
+ # Additional files
 if self.config.has_option(section, 'additional_files'):
 for file_pair in self.config.get(section, 'additional_files').split(','):
 if ':' in file_pair:
 local, remote = file_pair.strip().split(':', 1)
 ssh.upload_file(local, remote)
+ # Post-upload command
 if post_upload_command:
 logger.info("Executing post-upload command")
 ssh.execute_command(post_upload_command)
@@ -789,6 +810,7 @@ class CertPusher:
 logger.error(f"Failed: {e}")
 self.stats['failed'] += 1
 return False
+
 def run(self):
 """Main execution"""