diff --git a/doc/api/tls.md b/doc/api/tls.md
index e22286adb45ad3..2f600fb4249f77 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -358,7 +358,7 @@ added: v0.5.3
 `cert`, `ca`, etc). The `server.addContext()` method adds a secure context that will be used if
-the client request's SNI hostname matches the supplied `hostname` (or wildcard).
+the client request's SNI name matches the supplied `hostname` (or wildcard).
 ### server.address()
-* `host` {string} The hostname to verify the certificate against
+* `hostname` {string} The hostname to verify the certificate against
 * `cert` {Object} An object representing the peer's certificate. The returned object has some properties corresponding to the fields of the certificate.
 * Returns: {Error|undefined}
-Verifies the certificate `cert` is issued to host `host`.
+Verifies the certificate `cert` is issued to `hostname`. Returns {Error} object, populating it with the reason, host, and cert on failure. On success, returns {undefined}.
diff --git a/lib/tls.js b/lib/tls.js
index 1e444d5d8898c2..f4b72851907862 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -169,14 +169,14 @@ function check(hostParts, pattern, wildcards) {
 return true;
 }
-exports.checkServerIdentity = function checkServerIdentity(host, cert) {
+exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
 const subject = cert.subject;
 const altNames = cert.subjectaltname;
 const dnsNames = [];
 const uriNames = [];
 const ips = [];
- host = '' + host;
+ hostname = '' + hostname;
 if (altNames) {
 for (const name of altNames.split(', ')) {
@@ -194,14 +194,14 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 let valid = false;
 let reason = 'Unknown reason';
- if (net.isIP(host)) {
- valid = ips.includes(canonicalizeIP(host));
+ if (net.isIP(hostname)) {
+ valid = ips.includes(canonicalizeIP(hostname));
 if (!valid)
- reason = `IP: ${host} is not in the cert's list: ${ips.join(', ')}`;
+ reason = `IP: ${hostname} is not in the cert's list: ${ips.join(', ')}`;
 // TODO(bnoordhuis) Also check URI SANs that are IP addresses.
 } else if (subject) {
- host = unfqdn(host); // Remove trailing dot for error messages.
- const hostParts = splitHost(host);
+ hostname = unfqdn(hostname); // Remove trailing dot for error messages.
+ const hostParts = splitHost(hostname);
 const wildcard = (pattern) => check(hostParts, pattern, true);
 const noWildcard = (pattern) => check(hostParts, pattern, false);
@@ -215,11 +215,12 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 valid = wildcard(cn);
 if (!valid)
- reason = `Host: ${host}. is not cert's CN: ${cn}`;
+ reason = `Host: ${hostname}. is not cert's CN: ${cn}`;
 } else {
 valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
 if (!valid)
- reason = `Host: ${host}. is not in the cert's altnames: ${altNames}`;
+ reason =
+ `Host: ${hostname}. is not in the cert's altnames: ${altNames}`;
 }
 } else {
 reason = 'Cert is empty';
@@ -228,7 +229,7 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
 if (!valid) {
 const err = new ERR_TLS_CERT_ALTNAME_INVALID(reason);
 err.reason = reason;
- err.host = host;
+ err.host = hostname;
 err.cert = cert;
 return err;
 }
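Review bot: In the last hunk, `err.host = hostname;` keeps the error property named `host` while everything else in the function is renamed to `hostname`, and nothing marks that the property name is deliberate. The doc hunk still describes the returned error as "populating it with the reason, host, and cert", so the property is presumably public surface that callers read and must stay `host`; a one-line comment would stop the next rename from "fixing" it: `err.host = hostname; // Property name is part of the documented error shape; keep as 'host'.` The same caveat applies to the `Host: ...` wording in the two `reason` strings of the preceding hunks, which are now the only remaining uses of the old name and look intentional since they are user-visible messages. The body of checkServerIdentity begins in the earlier hunk and continues past the end of this one.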