SSL Labs Score A+ - How to Achieve It

Optimize your SSL configuration to get the best score on SSL Labs.

Qualys SSL Labs is the reference tool for evaluating a website's SSL/TLS configuration. An A+ score demonstrates optimal configuration in terms of security and best practices. It's a trust indicator for your visitors and partners.

Getting an A+ is not difficult if you follow best practices: valid certificate, modern protocols, secure cipher suites, and HSTS enabled. This guide shows you exactly what to configure.

MoniTao monitors your certificates and helps you maintain optimal SSL configuration. Combined with regular SSL Labs tests, you ensure maximum security.

How Does SSL Labs Score?

Understanding the evaluation criteria:

  • Certificate (30%): validity, complete chain, signature algorithm, key size. A modern certificate with SHA-256 and RSA 2048+ is required.
  • Protocol support (30%): TLS 1.2 and 1.3 supported, SSL and TLS 1.0/1.1 disabled. The score drops drastically if obsolete protocols are active.
  • Key exchange (30%): use of ephemeral Diffie-Hellman key exchange (ECDHE) for Perfect Forward Secrecy.
  • Cipher strength (10%): modern cipher suites like AES-GCM, no weak or obsolete cipher suites.

Requirements for A+

What you need to achieve A+:

  • Base A score: you must first have an A (good certificate, good protocols, good ciphers) before aiming for A+.
  • HSTS enabled: the HTTP Strict Transport Security header is mandatory for A+. It forces HTTPS usage.
  • No vulnerabilities: no known vulnerabilities (BEAST, POODLE, Heartbleed, etc.) should be detected.
  • Consistent configuration: all aspects of the configuration must be at the right level, no weak link.

Step by Step Optimization

How to achieve A+:

  1. Update protocols: enable TLS 1.2 and 1.3, disable TLS 1.0, 1.1, and all SSL.
  2. Configure cipher suites: use only modern ciphers (ECDHE+AESGCM, CHACHA20) and disable weak ones.
  3. Enable HSTS: add the Strict-Transport-Security header with a duration of at least 6 months.
  4. Verify the chain: ensure the certificate chain is complete (certificate + intermediates).

Optimal Configuration

Configuration examples for A+:

# Nginx - A+ Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;

# HSTS (required for A+)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP Stapling (ssl_stapling_verify also needs the issuer chain via ssl_trusted_certificate, and a resolver)
ssl_stapling on;
ssl_stapling_verify on;

# Apache equivalent (requires mod_ssl and mod_headers)
SSLProtocol -all +TLSv1.2 +TLSv1.3
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

This configuration disables obsolete protocols, uses modern ciphers, and enables HSTS to get an A+.
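To catch drift between SSL Labs runs, the Nginx directives above can be checked statically against this guide's checklist. The following is an added example, not part of the original guide or of any MoniTao or SSL Labs tooling; the names `directives`, `audit`, `SIX_MONTHS` and `WEAK` are hypothetical, "6 months" is assumed to mean 180 days, and the weak sample config is constructed.

```python
import re

SIX_MONTHS = 180 * 24 * 3600            # assumption: "6 months" taken as 180 days
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Yield (name, args) per nginx directive; quoted values may contain ';'."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)          # drop full-line comments
    stmt = []
    for tok in re.findall(r'"[^"]*"|[^\s;{}]+|[;{}]', conf):
        if tok in ";{}":
            if stmt:
                yield stmt[0], [t.strip('"') for t in stmt[1:]]
            stmt = []
        else:
            stmt.append(tok)

def audit(conf):
    """Return checklist findings for an nginx TLS snippet; [] means all checks pass."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
    findings = []
    protos = set(seen.get("ssl_protocols", [[]])[-1])
    if protos & OBSOLETE:
        findings.append("obsolete protocol enabled: " + ", ".join(sorted(protos & OBSOLETE)))
    if not {"TLSv1.2", "TLSv1.3"} <= protos:
        findings.append("TLSv1.2 and TLSv1.3 must both be enabled explicitly")
    ciphers = (seen.get("ssl_ciphers", [[""]])[-1] or [""])[0].split(":")
    weak = [c for c in ciphers if not (c.startswith("ECDHE-") and ("GCM" in c or "CHACHA20" in c))]
    if weak:
        findings.append("cipher outside ECDHE+AESGCM/CHACHA20: " + ", ".join(weak))
    hsts = [a for a in seen.get("add_header", []) if len(a) > 1 and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[-1][1], re.I)
        if not m or int(m.group(1)) < SIX_MONTHS:
            findings.append("HSTS max-age below 6 months")
        if "always" not in hsts[-1][2:]:   # without it nginx omits the header on error responses
            findings.append("HSTS add_header lacks 'always'")
    if seen.get("ssl_stapling", [["off"]])[-1] != ["on"]:
        findings.append("OCSP stapling not enabled")
    return findings

# Constructed weak config for demonstration only.
WEAK = 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL; add_header Strict-Transport-Security "max-age=3600";'

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

This only inspects the configuration text; the certificate chain and the protocols the server actually negotiates still need a live SSL Labs test.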

Best Practices

Tips for maintaining an A+:

  • Test regularly: SSL Labs criteria evolve. Test monthly to detect changes.
  • Update OpenSSL: old OpenSSL versions may have vulnerabilities. Keep your server up to date.
  • Document your config: keep track of your SSL configuration to facilitate audits and updates.
  • Monitor your certificates: an expired certificate drops your score. Use MoniTao for proactive alerts.

A+ Score Checklist

  • TLS 1.2 and 1.3 enabled
  • TLS 1.0/1.1 and SSL disabled
  • Modern cipher suites only
  • HSTS enabled (min 6 months)
  • Complete certificate chain
  • OCSP Stapling enabled

Frequently Asked Questions

Does an A+ score improve SEO?

Not directly, but HTTPS is a ranking factor. The SSL Labs score is not used by Google.

Why do I have A but not A+?

A+ requires HSTS in addition to a good base score. Check that the header is correctly configured.

Is HSTS preload mandatory?

No, but it's recommended. "preload" submits your domain to browsers' preloaded list.

My score dropped without any changes?

SSL Labs regularly updates its criteria. New vulnerabilities or recommendations can affect your score.

Does the score affect performance?

A good SSL configuration (TLS 1.3, modern ciphers) actually improves performance thanks to a more efficient handshake.

Does MoniTao check SSL Labs score?

MoniTao focuses on certificate validity and expiration. For a detailed score, use SSL Labs directly.

Aim for Excellence

An A+ score on SSL Labs demonstrates your commitment to security. It's an excellent indicator for your visitors, partners, and during security audits.

Combine optimal SSL configuration with MoniTao for proactive certificate monitoring. Security is an ongoing process, not a one-time configuration.
