February 17, 2026 | 10 min read | Tutorials

How to Get an A+ SSL Rating: Complete TLS Configuration Guide

Still running TLS 1.0? Your SSL rating affects SEO, user trust, and compliance. This guide walks you through achieving an A+ rating step by step.

ZeriFlow Team

1,395 words


Your SSL/TLS configuration is one of the first things security scanners, browsers, and informed users check about your website. A poor SSL rating signals outdated infrastructure, potential vulnerabilities, and a lack of attention to security basics. An A+ rating signals that you take security seriously and have implemented modern encryption standards correctly.

This guide covers everything you need to know to achieve and maintain an A+ SSL rating, from choosing the right TLS version to configuring cipher suites, implementing HSTS, and avoiding the common pitfalls that keep sites stuck at a B or C grade.

Why Your SSL/TLS Configuration Matters

Security

TLS (Transport Layer Security) encrypts all data between the user's browser and your server. Without proper TLS configuration, sensitive data like passwords, credit card numbers, and personal information can be intercepted by anyone on the network path between the user and your server.

Older TLS versions (1.0 and 1.1) have known vulnerabilities that allow attackers to decrypt traffic. Using them is equivalent to using a broken lock on your front door.

SEO and Search Rankings

Google has used HTTPS as a ranking signal since 2014, and the weighting has increased over time. Sites with poor SSL configurations may see ranking penalties compared to properly secured competitors.

User Trust

Modern browsers display warnings for insecure connections and certificates. Chrome, Firefox, and Safari all show prominent security indicators that users have learned to check. A security warning can cause visitors to immediately leave your site.

Compliance

PCI DSS requires TLS 1.2 or higher for all payment processing. HIPAA, GDPR, and other regulatory frameworks also mandate encryption in transit. Using deprecated TLS versions can put you out of compliance.

TLS Version Guide

TLS 1.0 and 1.1: Disable Immediately

TLS 1.0 was released in 1999 and TLS 1.1 in 2006. Both have known vulnerabilities:

  • BEAST attack (TLS 1.0) — allows decryption of encrypted data
  • POODLE attack — downgrades connections to exploit vulnerabilities
  • Weak cipher suites — many ciphers available in TLS 1.0/1.1 are now broken

All major browsers stopped supporting TLS 1.0 and 1.1 in 2020. There is no legitimate reason to keep them enabled.

TLS 1.2: Required Minimum

TLS 1.2 is the current baseline. It supports strong cipher suites and is compatible with virtually all modern software. Key features:

  • Authenticated encryption with associated data (AEAD) cipher suites
  • SHA-256 and stronger hash algorithms
  • Support for forward secrecy via ECDHE key exchange
  • Wide compatibility with clients and servers

TLS 1.3 is the latest version, bringing significant improvements:

  • Faster handshakes — reduced from 2 round trips to 1 (or 0 with 0-RTT)
  • Stronger security — removed all legacy cipher suites, only AEAD ciphers allowed
  • Simplified configuration — fewer choices means fewer mistakes
  • Forward secrecy by default — every connection uses ephemeral keys

Enable TLS 1.3 alongside TLS 1.2 for the best balance of security and compatibility.

Cipher Suite Configuration

Cipher suites determine the specific algorithms used for key exchange, encryption, and message authentication. Choosing the right cipher suites is critical for an A+ rating.

Recommended TLS 1.2 cipher suites:

```
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```

Key principles:

  • Use ECDHE for key exchange (provides forward secrecy)
  • Use AES-GCM or ChaCha20-Poly1305 for encryption (AEAD ciphers)
  • Avoid CBC mode ciphers (vulnerable to padding oracle attacks)
  • Avoid RSA key exchange (no forward secrecy)
  • Avoid 3DES, RC4, and DES (broken or weak)
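As an added example (not code from the original article or from ZeriFlow), the following Python script applies the five principles above to a list of IANA-style cipher suite names, as a scanner reports them, and separates the suites to keep from those to remove, with the reason for each rejection. The names in SAMPLE_SUITES are constructed for the demonstration; TLS 1.3 suites are accepted as-is because they are all ECDHE-based AEAD suites.

```python
"""Audit TLS cipher suite names against the article's key principles."""
from dataclasses import dataclass, field

# TLS 1.3 suites carry no key-exchange part in the name and are all AEAD.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Constructed sample input (not taken from a real server): a mix of
# recommended and legacy suites, as a scanner would list them.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]


@dataclass
class Finding:
    suite: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def audit_suite(name: str) -> Finding:
    """Apply the key principles to one suite name and record what it violates."""
    f = Finding(name)
    if name in TLS13_SUITES:
        return f                                   # ECDHE implied, AEAD only
    if not name.startswith("TLS_") or "_WITH_" not in name:
        f.problems.append("unrecognised suite name")
        return f
    kex, cipher = name[len("TLS_"):].split("_WITH_", 1)

    # Key exchange: static RSA has no forward secrecy; the article asks for ECDHE.
    if kex.startswith("RSA"):
        f.problems.append("RSA key exchange: no forward secrecy")
    elif not kex.startswith("ECDHE"):
        f.problems.append(f"{kex.split('_')[0]} key exchange: use ECDHE")

    # Bulk cipher: broken/weak algorithms first, then CBC, then anything non-AEAD.
    if any(w in cipher for w in ("RC4", "3DES", "NULL")) or cipher.startswith("DES_"):
        f.problems.append("broken or weak cipher (RC4/DES/3DES/NULL)")
    elif "_CBC_" in cipher:
        f.problems.append("CBC mode: padding-oracle risk, not AEAD")
    elif "_GCM_" not in cipher and "CHACHA20_POLY1305" not in cipher:
        f.problems.append("not AES-GCM or ChaCha20-Poly1305")
    return f


def audit(suites):
    """Return (accepted, rejected); rejected maps each bad suite to its problems."""
    findings = [audit_suite(s) for s in suites]
    accepted = [f.suite for f in findings if f.ok]
    rejected = {f.suite: f.problems for f in findings if not f.ok}
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_SUITES)
    print("accepted:", *ok, sep="\n  ")
    for suite, problems in bad.items():
        print(f"rejected {suite}: {'; '.join(problems)}")
```

Feed it the suite list from your scanner output, or the IANA names of whatever your `ssl_ciphers` line expands to, and every rejected entry is one to remove from the server configuration.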

TLS 1.3 Cipher Suites

TLS 1.3 only allows three cipher suites, all of which are strong:

```
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
```

No configuration needed — all three are secure.

Certificate Management with Let's Encrypt

Let's Encrypt provides free, automated TLS certificates that are trusted by all major browsers. Here is how to set it up properly.

Installation with Certbot

```bash
# Install Certbot and its Nginx plugin
sudo apt install certbot python3-certbot-nginx

# Obtain a certificate and let Certbot configure Nginx to use it
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Verify that automatic renewal works (the package installs a systemd timer
# that runs `certbot renew`; --dry-run exercises it without issuing anything)
sudo certbot renew --dry-run
```

Certificate Best Practices

  • Use 2048-bit RSA keys minimum, or preferably ECDSA P-256 keys (faster and equally secure)
  • Enable automatic renewal — Let's Encrypt certificates expire every 90 days
  • Monitor certificate expiration — set up alerts for 14 days before expiry
  • Use separate certificates for each domain rather than wildcard certificates when possible
  • Keep your private key secure — restrict file permissions to root only

HSTS Configuration for A+ Rating

HSTS (HTTP Strict-Transport-Security) is required for an A+ rating on most scanners. It tells browsers to always use HTTPS for your domain.

```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

HSTS Preloading

For maximum protection, submit your domain to the HSTS preload list. This ensures browsers use HTTPS for your site even on the very first visit.

Requirements for preloading:

  1. Serve a valid HTTPS certificate
  2. Redirect all HTTP traffic to HTTPS
  3. Set the HSTS header with max-age of at least 31536000 (1 year)
  4. Include includeSubDomains directive
  5. Include preload directive
  6. Ensure all subdomains support HTTPS
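Requirements 3 to 5 are properties of the header value itself and can be checked offline; the remaining ones (valid certificate, HTTP redirect, HTTPS on every subdomain) need live requests. The following Python is an added example, not part of the original article, that parses a Strict-Transport-Security value the way RFC 6797 tells browsers to (directive names are case-insensitive, unknown directives are ignored, and the whole header is ignored when max-age is missing, non-numeric or duplicated) and lists which preload requirements a header fails. The values in SAMPLE_HEADERS are constructed, not captured from a real site.

```python
"""Validate a Strict-Transport-Security header against the preload directive requirements."""

PRELOAD_MIN_MAX_AGE = 31536000   # one year, the preload minimum

# Constructed sample headers, not captured from a real site.
SAMPLE_HEADERS = {
    "preload-ready": "max-age=31536000; includeSubDomains; preload",
    "too-short":     "max-age=86400; includeSubDomains",
    "no-max-age":    "includeSubDomains; preload",
    "quoted-value":  'max-age="63072000"; includeSubDomains; preload',
}


def parse_hsts(header):
    """Parse an STS header value as RFC 6797 specifies.

    Returns {'max-age': int, 'includesubdomains': bool, 'preload': bool}, or None
    when a browser would ignore the header: max-age missing or not a non-negative
    integer, or any directive appearing more than once.
    """
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    seen = set()
    for raw in (header or "").split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')      # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max-age"] = int(value)
        elif name in ("includesubdomains", "preload"):
            result[name] = True
        # any other directive is ignored, as browsers do
    return result if result["max-age"] is not None else None


def check_preload(header):
    """Return the unmet preload requirements for a header value; [] means it qualifies."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["header missing or has no valid max-age"]
    problems = []
    if parsed["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {parsed['max-age']} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if not parsed["includesubdomains"]:
        problems.append("missing includeSubDomains")
    if not parsed["preload"]:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:14} {value!r}: {check_preload(value) or 'preload-ready'}")
```

Run it against the header your HTTPS origin actually returns (not the HTTP redirect response, which should carry no HSTS header at all); an empty list from check_preload means the header side of the submission is in order.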

OCSP Stapling

OCSP (Online Certificate Status Protocol) allows browsers to check whether a certificate has been revoked. Without OCSP stapling, the browser must contact the certificate authority directly, adding latency and a privacy concern.

With OCSP stapling, your server fetches the OCSP response and includes it in the TLS handshake, eliminating the extra round trip.

Nginx Configuration

```nginx
server {
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
}
```

Apache Configuration

```apache
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
```

Complete Nginx TLS Configuration for A+

Here is a complete Nginx configuration that achieves an A+ rating:

```nginx
server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    # Certificate
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # TLS versions
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suites
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # ECDH curve
    ssl_ecdh_curve secp384r1;

    # Session settings
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}
```

Testing Your TLS Configuration with ZeriFlow

After implementing your TLS configuration, you need to verify it actually achieves the desired rating.

ZeriFlow's free scan checks your TLS configuration automatically and provides:

  • TLS version detection (flags deprecated versions)
  • Cipher suite analysis (identifies weak ciphers)
  • Certificate validity and chain verification
  • HSTS header presence and configuration
  • OCSP stapling detection
  • Overall SSL/TLS grade

For a deeper analysis, the ZeriFlow advanced scan tests additional TLS parameters and provides expert-level recommendations for hardening your configuration.
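For a quick self-check between scans, the following Python script is an added example (not ZeriFlow's scanner and not code from the article). It probes which TLS versions a host accepts, reads the certificate's expiry against the 14-day alert threshold from the certificate best practices above, and fetches the Strict-Transport-Security header. yourdomain.com is a placeholder host name; evaluate() is kept free of network code so the findings logic can be tested offline with a constructed results dict. OCSP stapling is not covered because Python's ssl module does not expose the stapled response.

```python
"""Minimal post-deployment TLS self-check: versions, certificate expiry, HSTS presence."""
import socket
import ssl
import sys
import time
from http.client import HTTPSConnection

EXPIRY_ALERT_DAYS = 14          # alert threshold from the certificate best practices
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_version(host, version, port=443, timeout=5):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client build cannot speak that version.

    Certificate verification is off here on purpose: a broken chain would
    otherwise make every version look refused. run() verifies the chain separately.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        try:
            ctx.set_ciphers("DEFAULT@SECLEVEL=0")   # let the client offer legacy versions
        except ssl.SSLError:
            return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate; `not_after` is the getpeercert() string form."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def fetch_hsts(host, port=443, timeout=5):
    """Return the Strict-Transport-Security header of HEAD / over HTTPS, or None."""
    conn = HTTPSConnection(host, port, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def evaluate(results):
    """Turn raw results into findings. Pure function: testable without a network."""
    findings = []
    versions = results["versions"]
    for legacy in ("TLSv1", "TLSv1_1"):
        if versions.get(legacy) is True:
            findings.append(f"{legacy} accepted: disable it")
        elif versions.get(legacy) is None:
            findings.append(f"{legacy} could not be tested from this client")
    for required in ("TLSv1_2", "TLSv1_3"):
        if versions.get(required) is not True:
            findings.append(f"{required} not accepted")
    if results["days_left"] < EXPIRY_ALERT_DAYS:
        findings.append(f"certificate expires in {results['days_left']} days")
    if not results["hsts"]:
        findings.append("no Strict-Transport-Security header")
    return findings


def run(host, port=443):
    """Collect live results for `host`; the chain is verified here with default settings."""
    versions = {v.name: probe_version(host, v, port) for v in PROBE_VERSIONS}
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"versions": versions,
            "days_left": days_until_expiry(cert["notAfter"]),
            "hsts": fetch_hsts(host, port)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"   # placeholder host
    for finding in evaluate(run(target)) or ["no findings"]:
        print(finding)
```

Where the local OpenSSL build has TLS 1.0 and 1.1 compiled out, the two legacy probes report "could not be tested" rather than a false pass, so confirm those with a scanner; a failed chain verification in run() raises an ssl.SSLError, which is itself the "missing intermediate certificate" finding from the list of common mistakes.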

Common Mistakes That Prevent A+ Rating

1. Leaving TLS 1.0 or 1.1 enabled. This alone will drop your rating to a B or lower. Disable both immediately.

2. Using weak cipher suites. Ciphers like DES, 3DES, RC4, or CBC-mode ciphers will lower your score. Remove them from your configuration.

3. Missing HSTS header. Without HSTS, most scanners cap your rating at A instead of A+.

4. Short HSTS max-age. A max-age of less than 6 months may be penalized. Use 31536000 (1 year) or longer.

5. Expired or soon-to-expire certificates. Automate renewal with Certbot and monitor expiration dates.

6. Missing intermediate certificates. Your server must send the full certificate chain, not just the leaf certificate. Use fullchain.pem with Let's Encrypt.

7. Self-signed certificates. These will always fail validation. Use Let's Encrypt for free, trusted certificates.

8. Using RSA key exchange. RSA key exchange does not provide forward secrecy. Use ECDHE instead.

Your A+ Action Plan

  1. Scan your site with ZeriFlow to see your current SSL/TLS rating
  2. Disable TLS 1.0 and 1.1 in your server configuration
  3. Configure strong cipher suites (ECDHE + AEAD only)
  4. Install a valid certificate from Let's Encrypt
  5. Enable OCSP stapling
  6. Add HSTS header with max-age of 1 year, includeSubDomains, and preload
  7. Set up automatic certificate renewal
  8. Re-scan to confirm your A+ rating

An A+ SSL rating is achievable for any website. It requires no special software, no expensive certificates, and no complex infrastructure. Just proper configuration and the discipline to keep it maintained.

Upgrade your ZeriFlow plan for continuous monitoring and instant alerts when your TLS configuration degrades.

Ready to check your site?

Run a free security scan in 30 seconds.
