How to Get an A+ SSL Rating

Getting an A+ SSL rating requires TLS 1.3 support, a strong certificate, and proper configuration.

Requirements for A+

  1. TLS 1.3 support — ensure your server supports the latest TLS version
  2. Valid certificate — from a trusted CA with at least 30 days until expiry
  3. Strong key — 2048-bit RSA or 256-bit ECC minimum
  4. OCSP stapling — improves verification performance and privacy
  5. CAA records — restrict which CAs can issue certificates for your domain

Steps to Achieve A+

1. Get a Certificate from Let's Encrypt

Let's Encrypt provides free, automated TLS certificates. Use Certbot to obtain and auto-renew.

2. Configure TLS 1.3

In nginx, set:

ssl_protocols TLSv1.2 TLSv1.3;

Disable TLS 1.0 and 1.1; they are deprecated.

3. Enable OCSP Stapling

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;

4. Add CAA Records

Add a DNS CAA record: 0 issue "letsencrypt.org"

5. Enable HSTS

Add the Strict-Transport-Security header with a long max-age.
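
To confirm that steps 2, 3 and 5 actually landed in a config file, a small audit can parse the nginx directives and report what is missing. This is an added example, not code from the original page; the function names, the two sample configs and the six-month max-age threshold are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 15768000  # assumption: about six months; the page only says "long"
# Constructed sample configs (not from the page): one weak, one following steps 2, 3 and 5.
WEAK = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy protocols still on
    add_header Strict-Transport-Security "max-age=300";
}"""
HARDENED = """server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}"""

def directives(conf):
    """Map directive name -> list of argument lists, ignoring block nesting."""
    found, stmt = {}, []
    for tok in TOKEN.findall(conf):
        if tok in ("{", "}", ";"):
            if stmt:
                found.setdefault(stmt[0], []).append([t.strip("\"'") for t in stmt[1:]])
            stmt = []
        elif not tok.startswith("#"):  # skip comments that sit outside quoted strings
            stmt.append(tok)
    return found

def audit(conf):
    """Return findings for steps 2, 3 and 5; an empty list means all checks pass."""
    d, findings = directives(conf), []
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    if "TLSv1.3" not in protocols:
        findings.append("ssl_protocols does not list TLSv1.3")
    findings += [f"deprecated {p} is enabled" for p in sorted(protocols & DEPRECATED)]
    for name in ("ssl_stapling", "ssl_stapling_verify"):
        if d.get(name, [["off"]])[-1] != ["on"]:
            findings.append(f"{name} is not on")
    if "resolver" not in d:
        findings.append("no resolver set for OCSP lookups")
    hsts = [a for a in d.get("add_header", []) if a[:1] and a[0].lower() == "strict-transport-security"]
    age = re.search(r"max-age=(\d+)", " ".join(hsts[-1][1:])) if hsts else None
    if age is None:
        findings.append("Strict-Transport-Security header is missing")
    elif int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age.group(1)} is below {MIN_HSTS_MAX_AGE}")
    return findings
```

Calling audit(WEAK) returns seven findings and audit(HARDENED) returns an empty list. The parser flattens all server blocks into one view, so a multi-site config should be audited one server block at a time.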
