How to Get an SSL Grade A+

An A grade means your certificate works. An A+ means you have eliminated the legacy protocols, weak ciphers and missing headers that attackers still exploit on otherwise 'secure' sites. This checklist is the shortest path from a passing SSL scan to a top grade — in the order that fixes the most points first.

The A+ requirements in order

1. 1Install the full certificate chain including intermediates — incomplete chains are the fastest way to lose trust on older clients.
2. 2Disable TLS 1.0, 1.1 and SSL entirely; enable TLS 1.2 as fallback and TLS 1.3 as preferred.
3. 3Remove weak cipher suites (RC4, 3DES, export ciphers) and prefer forward-secret ECDHE groups.
4. 4Redirect all HTTP to HTTPS with a single permanent 301 to your canonical hostname.
5. 5Send HSTS with max-age of at least one year; add includeSubDomains only when every subdomain is ready.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

The mistakes that cap you at A

• Missing intermediate certificate — some browsers trust you, graders and mobile clients do not.
• TLS 1.0 or 1.1 still enabled — one legacy protocol keeps the grade below A+.
• No HSTS — encryption works but downgrade attacks remain possible on first visit.
• Mixed content on HTTPS pages — breaks the padlock and undermines the whole setup.

Verify after every change

Run an SSL/TLS scan after each deploy. PatchPings reports protocol versions, cipher strength, chain validity, HSTS presence and expiry date in one grade — with AI-generated fixes when something drifts. Pair scanning with certificate expiry monitoring so a renewal never silently downgrades your configuration.

A+ is not cryptography expertise; it is turning off the old, turning on the new, and proving the chain is complete. Work through the checklist, rescan until the grade sticks, and download PatchPings to keep watching the score over time.