Tags: SSL, TLS, HTTPS, Configuration

How to Get an A+ SSL Rating: Complete Configuration Guide

WebSentry Team · 7 min read

What Does an A+ SSL Rating Mean?

An A+ SSL rating means your server's TLS configuration follows current best practices — strong encryption, no legacy protocol support, and HSTS enabled. It tells your users and search engines that your site takes security seriously.

Step 1: Get a Valid Certificate

Use a certificate from a trusted Certificate Authority (CA). Let's Encrypt provides free, automated certificates that work perfectly.

# Using Certbot for Nginx
sudo certbot --nginx -d example.com -d www.example.com

# Test automatic renewal (the Certbot package normally installs a systemd timer or cron job that runs "certbot renew" for you)
sudo certbot renew --dry-run

Make sure your certificate chain is complete — missing intermediate certificates cause trust errors.

Step 2: Disable Old TLS Versions

TLS 1.0 and 1.1 have known vulnerabilities and are deprecated by all major browsers. Only allow TLS 1.2 and 1.3:

Nginx

ssl_protocols TLSv1.2 TLSv1.3;

Apache

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Step 3: Configure Strong Cipher Suites

Remove weak ciphers and prioritize modern ones:

# Nginx — modern configuration
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

Tip: TLS 1.3 defines only a handful of AEAD cipher suites, all of them considered secure, and Nginx's ssl_ciphers directive does not apply to them. Focus your cipher configuration on the TLS 1.2 suites.

Step 4: Enable HSTS

HSTS is required for an A+ rating. Without it, you'll max out at A.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

See our complete HSTS guide for details.

Step 5: Enable OCSP Stapling

OCSP stapling improves performance and privacy: your server fetches the CA's signed revocation status for its own certificate and attaches ("staples") it to the TLS handshake, so clients do not have to contact the CA themselves. With ssl_stapling_verify on, Nginx checks the response before stapling it, which requires the issuing chain to be available to Nginx (normally via ssl_trusted_certificate), and the resolver lines below are needed so Nginx can reach the OCSP responder. Note that some CAs, Let's Encrypt among them, have dropped OCSP in favour of CRLs; a certificate with no OCSP responder URL has nothing to staple.

# Nginx
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

Step 6: Generate Strong DH Parameters

Diffie-Hellman parameters are only used by the finite-field DHE cipher suites; the ECDHE-only list in Step 3 never touches them, so this step is a safeguard for configurations that still allow DHE suites. Generating 4096-bit parameters can take many minutes.

openssl dhparam -out /etc/ssl/dhparam.pem 4096
# Nginx
ssl_dhparam /etc/ssl/dhparam.pem;

Using Mozilla SSL Config Generator

Mozilla provides an excellent SSL Configuration Generator that creates optimized configs for Nginx, Apache, HAProxy, and more. Select the "Modern" profile for maximum security. Note that "Modern" allows TLS 1.3 only, so clients without TLS 1.3 support are locked out; the "Intermediate" profile keeps the TLS 1.2 suites listed in Step 3.

Common Pitfalls

  • Mixed content — Loading HTTP resources on an HTTPS page breaks security. Fix all http:// URLs
  • Expired certificates — Set up auto-renewal with Certbot or your CA's tools
  • Incomplete certificate chain — Test with openssl s_client to verify
  • Allowing old TLS — Some developers keep TLS 1.0 "just in case" — don't

Verify Your SSL Configuration

Run a WebSentry audit to check your SSL configuration. The scanner validates your certificate, TLS version support, cipher suites, and HSTS configuration all at once.
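Before paying for a scan, you can run the same checks locally against the configuration file itself. The script below is an added example written for this guide; it is not WebSentry's scanner or any Nginx tooling. It parses an Nginx server block, expands the ssl_ciphers string with the machine's own OpenSSL through Python's ssl module (so the expanded list depends on the local OpenSSL build), and reports every deviation from Steps 2 to 5: legacy protocol versions, suites without ephemeral key exchange or AEAD, ssl_prefer_server_ciphers on, a weak or missing HSTS header, and stapling left off. The two configurations are constructed samples, not real servers, and the one-year HSTS minimum is the threshold the HSTS preload list requires.

```python
# Static audit of an nginx TLS server block against this guide's rules.
# Added example: both configs below are constructed samples, not real servers.
import re
import ssl

# Constructed legacy block: old protocols, a catch-all cipher alias, a token HSTS header, no stapling.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=300";
}
"""

# Constructed block that follows Steps 2 to 5 of the guide.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*;\s*$", re.MULTILINE)
HSTS_RE = re.compile(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"', re.I)


def directives(config):
    """Map each 'name value;' line to its value (last occurrence wins)."""
    return dict(DIRECTIVE_RE.findall(config))


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict."""
    parsed = {"max_age": 0, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            parsed["max_age"] = int(token.split("=", 1)[1])
        elif token == "includesubdomains":
            parsed["include_subdomains"] = True
        elif token == "preload":
            parsed["preload"] = True
    return parsed


def expand_ciphers(cipher_string):
    """Suite names the local OpenSSL resolves a cipher string to (TLS 1.2 and below)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(config):
    """Return a list of findings; an empty list means every rule passed."""
    d = directives(config)
    findings = []
    old = sorted(set(d.get("ssl_protocols", "").split()) & LEGACY_PROTOCOLS)
    if old:
        findings.append("ssl_protocols allows legacy versions: " + ", ".join(old))
    # An alias such as HIGH hides what is really offered: expand it and judge
    # each suite by the Step 3 rules, ephemeral key exchange plus AEAD.
    for name in expand_ciphers(d.get("ssl_ciphers", "HIGH:!aNULL:!MD5")):  # nginx's documented default
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"ssl_ciphers includes {name}: no forward secrecy")
        elif "GCM" not in name and "CHACHA20" not in name:
            findings.append(f"ssl_ciphers includes {name}: not an AEAD suite")
    if d.get("ssl_prefer_server_ciphers") == "on":
        findings.append("ssl_prefer_server_ciphers on: guide recommends off")
    m = HSTS_RE.search(config)
    if m is None:
        findings.append("HSTS header missing: rating caps at A")
    else:
        hsts = parse_hsts(m.group(1))
        if hsts["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {hsts['max_age']} is below one year")
        if not hsts["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    if d.get("ssl_stapling") != "on":
        findings.append("ssl_stapling is not on")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["all checks passed"])
```

The instructive part is the cipher expansion: `HIGH:!aNULL:!MD5` looks strict but resolves to static-RSA and CBC suites as well, which is exactly what a grading scanner will see; the explicit list from Step 3 expands to ECDHE AEAD suites only, so the hardened block produces no findings.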
