SSL/TLS Explained: How to Get an A+ Certificate Grade
The padlock is only the beginning. Understand certificates, TLS versions and the chain of trust — and the exact steps to reach an A+ grade.
Almost everyone recognises the padlock in their browser's address bar, but very few know what it actually promises. SSL/TLS is the technology that encrypts the connection between a visitor and your website, and the difference between a passing grade and an A+ comes down to details most site owners never see. This guide explains them in plain language.
SSL vs TLS: the names that confuse everyone
SSL (Secure Sockets Layer) was the original protocol. It has been fully replaced by TLS (Transport Layer Security), but the old name stuck — so when people say 'SSL certificate' they almost always mean a TLS certificate. The modern, secure versions are TLS 1.2 and TLS 1.3. Anything older (SSL 3.0, TLS 1.0, TLS 1.1) is broken and should be switched off entirely.
What actually happens behind the padlock
When a browser connects, three things are checked in a fraction of a second: the certificate must be valid and unexpired, it must be issued for the domain being visited, and it must chain back to a trusted root authority. If any of those fail, the visitor sees a frightening full-page warning instead of your site.
- Certificate validity — is it within its date range and not revoked?
- Domain match — does it cover the exact hostname, including www and any subdomains?
- Chain of trust — does it link, certificate by certificate, to a root your visitor's device already trusts?
- Cipher strength — are the encryption algorithms modern, or weak and deprecated?
When the chain-of-trust check fails, the cause is rarely the certificate itself; it is an incomplete chain. Your server serves the leaf certificate but omits the intermediate, so browsers that already have that intermediate cached trust it while others do not. Always install the full chain.
The checklist for an A+ grade
1. Use a certificate from a trusted authority and install the complete chain, including intermediates.
2. Enable TLS 1.3 and keep TLS 1.2 as a fallback. Disable TLS 1.0, 1.1 and all SSL versions.
3. Offer only strong cipher suites with forward secrecy; remove RC4, 3DES and other weak ciphers.
4. Enforce HSTS so browsers never attempt an insecure connection.
5. Redirect all HTTP traffic to HTTPS with a permanent 301 redirect.
6. Renew well before expiry — ideally automate it so a human is never the single point of failure.
Certificate expiry is the silent outage
The most common way a perfectly configured site goes down has nothing to do with attackers — it is an expired certificate. Free certificates from Let's Encrypt last 90 days, and even paid certificates need renewing. The day it lapses, every visitor hits a security warning and your traffic falls off a cliff. Automated renewal solves it, but you still want a monitor watching the expiry date as a safety net.
PatchPings can watch your certificate and alert you well before it expires, so a missed renewal never becomes a customer-facing outage.
How to grade your own setup
Run a scan against your domain. A good SSL/TLS check reports the certificate's validity and expiry date, the TLS versions you support, whether HSTS is enforced, and whether the chain validates — then rolls it all into a single grade from A+ to F. Where you fall short, you get the specific fix rather than a wall of cryptographic jargon. Encryption is a solved problem; reaching A+ is mostly about turning off the old and turning on the new.
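As an added example (not PatchPings' scanner or any code from this page), here is the A+ checklist and the checks a scan reports turned into a grader over the values a scan collects: the certificate's notAfter string in the form Python's ssl.getpeercert() returns it, the set of protocol versions the server accepted, the raw Strict-Transport-Security header and whether the chain verified. The thresholds (a 180-day HSTS max-age, a 14-day renewal margin) and the sample scan result are assumptions chosen for illustration.

```python
import datetime as dt
import ssl

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}   # broken versions: must be off
MIN_HSTS_AGE = 180 * 24 * 3600          # assumed A+ threshold: 180 days
WARN_DAYS = 14                          # assumed renewal safety margin
ORDER = ["A+", "A", "B", "F"]           # grades, best to worst

def hsts_max_age(header):
    """max-age in seconds from a Strict-Transport-Security value, else 0."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return 0

def grade_tls(not_after, versions, hsts, chain_ok, now=None):
    """Grade one scan: not_after is the 'notAfter' string from ssl.getpeercert(),
    versions the set of accepted protocol versions, hsts the raw header or None."""
    now = now or dt.datetime.now(dt.timezone.utc)
    findings, cap = [], 0                # cap indexes ORDER, worst wins
    if not chain_ok:
        return "F", ["chain does not validate: install the intermediates"]
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                       dt.timezone.utc)
    days_left = (expiry - now).days
    if days_left < 0:
        return "F", ["certificate expired on %s" % expiry.date()]
    if days_left < WARN_DAYS:
        findings.append("certificate expires in %d days: renew now" % days_left)
        cap = max(cap, 1)
    legacy = sorted(versions & LEGACY)
    if legacy:
        findings.append("disable " + ", ".join(legacy))
        cap = max(cap, 2)
    if "TLSv1.3" not in versions:
        findings.append("enable TLS 1.3 (keep TLS 1.2 as the fallback)")
        cap = max(cap, 1)
    if hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append("enforce HSTS with a max-age of at least 180 days")
        cap = max(cap, 1)
    return ORDER[cap], findings

# Constructed scan result (not from a real host): a site that still
# accepts TLS 1.0 but is otherwise well configured.
SAMPLE = dict(not_after="Jan  1 00:00:00 2035 GMT",
              versions={"TLSv1", "TLSv1.2", "TLSv1.3"},
              hsts="max-age=31536000; includeSubDomains", chain_ok=True)
```

Calling grade_tls(**SAMPLE) returns the grade B with the single fix "disable TLSv1"; switching off TLS 1.0 lifts the same site to A+.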
