You run an SSL test, you get a letter — A+, B, T — and a colour. On its own, that letter tells you almost nothing about what to fix. The grade is a summary of four very different things, and understanding what sits behind each one is the difference between guessing and knowing exactly which line in your server config to change.

Most SSL tests follow, or are modelled on, the SSL Server Rating Guide published by Qualys SSL Labs. It is well documented and deterministic: the same configuration scanned against the same version of the guide always produces the same grade. (The rules are tightened over time, so a grade can also drop with no change on the server.) This guide walks through how that grade is built, why a strong server can still be held back, what the unusual T and M grades mean, and how to get to A+.

The grade is built from three category scores

Three aspects of your TLS configuration are each scored from 0 to 100, then combined into a single number with fixed weights:

  • Protocol support — 30%. Which TLS versions the server accepts. TLS 1.2 and 1.3 score 100; TLS 1.1 scores 95 and TLS 1.0 scores 90, because both are deprecated (RFC 8996) and cannot negotiate AEAD cipher suites; SSL 3.0 scores 80 and SSL 2.0 scores 0. The category takes the average of your best and worst supported protocol, so offering one old protocol alongside modern ones still drags the score down: TLS 1.0 through 1.3 together averages 95.
  • Key exchange — 30%. The strength of the weakest key exchange the server will perform: the certificate key and, for forward-secret suites, the Diffie-Hellman group size or the ECDHE curve, all expressed as RSA-equivalent bits. 2048-bit RSA scores 90, 4096-bit scores 100, 1024-bit scores 80, and anonymous key exchange scores 0. A 2048-bit RSA key or a P-256 key (rated as 3072-bit equivalent, so also 90) is fine; a legacy 1024-bit DH group is not.
  • Cipher strength — 40%. The strength of the symmetric encryption actually negotiated, averaged over the strongest and weakest suite the server offers. 256-bit suites score 100, 128-bit suites score 80, anything below 128 bits scores 20, and a server offering no encryption scores zero. As with protocols, one weak suite left in the list pulls the whole category down.

The weighted total maps to a letter: 80 or above is an A, 65 a B, 50 a C, 35 a D, 20 an E, and anything lower an F. If that were the whole story, almost every reasonably configured server would land on an A: a server offering TLS 1.0 through 1.3 with a 2048-bit key and 128- to 256-bit suites scores 91.5. That is exactly why a second layer of rules exists.

Capping rules can override a high score

A numeric score cannot capture everything that matters. So after the categories are combined, a set of rules caps the grade — they can only push it down, never up. This is the part that surprises people: you can score 95 on the numbers and still come out with a B.

  • Capped at A-: the server does not support TLS 1.3. This is a warning, not a fault, but it keeps you out of the top band. Note that a missing or short HSTS header does not cap the grade: it simply leaves an A as an A rather than an A+.
  • Capped at B: the server still accepts TLS 1.0 or 1.1, supports the RC4 cipher, uses weak (1024-bit) Diffie-Hellman parameters, serves an incomplete certificate chain, or offers modern browsers no forward-secret or no AEAD cipher suite. Any one of these caps the grade at B no matter how good the rest is.
  • Capped at C or lower: more serious issues, such as no support for TLS 1.2 at all.
  • Grade F: an outright security failure: SSL 2.0 support, export-grade, anonymous or NULL ciphers, or a known protocol or implementation vulnerability such as Heartbleed or insecure renegotiation.

The practical takeaway: if your grade is lower than your score suggests it should be, a capping rule is the reason. The test breakdown will name the exact rule.

T and M are trust grades, not configuration grades

Two grades sit outside the A-to-F scale entirely, because they describe the certificate's trust rather than the strength of the configuration:

  • T — not trusted. The certificate cannot be validated to a root that browsers trust: it is self-signed, expired, or issued by an authority the test does not recognise. The protocols and ciphers might be excellent, but the chain doesn't verify, so the configuration grade is set aside. The report still shows that grade as the one that would apply if trust issues were ignored, which is the number to work from once the certificate is fixed. Expired certificates are a common cause, which is precisely the failure that continuous monitoring exists to prevent.
  • M — name mismatch. The certificate is valid and trusted, but it does not cover the hostname you tested. A certificate for www.example.com served on example.com, or a missing entry in the Subject Alternative Names, triggers this. Modern browsers check only the SAN list, so a name that appears in the Common Name alone does not count. It is one of the most common reasons a browser shows a security warning.

Both are worth treating as urgent: to a visitor's browser, an untrusted or mismatched certificate looks exactly like an attack, and most users will abandon the site at the warning page.
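The scoring, capping and trust rules described in the three sections above, as an added example that is not part of the original page and not SSL Labs' own code: a small Python model of how the grade is built. The category thresholds follow the published rating guide (including the D and E bands); ScanSummary is an assumed, simplified stand-in for a real scan report, and the sample input at the bottom is constructed.

```python
"""Model of an SSL Labs style grade: category scores, weighted total, letter,
capping rules, the A+ bonus and the T/M trust overrides.
Added example, not SSL Labs code. ScanSummary is an assumed stand-in for a
real scan report; thresholds follow the published rating guide.
"""
from dataclasses import dataclass, field

PROTOCOL_SCORE = {"SSLv2": 0, "SSLv3": 80, "TLSv1.0": 90,
                  "TLSv1.1": 95, "TLSv1.2": 100, "TLSv1.3": 100}
LONG_MAX_AGE = 15768000  # six months in seconds, the HSTS threshold for A+
GRADE_ORDER = ["F", "E", "D", "C", "B", "A-", "A", "A+"]  # worst to best

@dataclass
class ScanSummary:
    protocols: set                 # keys of PROTOCOL_SCORE the server accepts
    key_bits: int                  # weakest key exchange, RSA-equivalent; 0 = anonymous
    weakest_cipher_bits: int
    strongest_cipher_bits: int
    chain_complete: bool = True
    trusted: bool = True
    name_matches: bool = True
    rc4: bool = False
    weak_dh: bool = False          # 1024-bit DH parameters
    export_or_null: bool = False
    known_vulnerability: bool = False
    hsts_max_age: int = None       # None = no header sent

def protocol_score(protocols):
    scores = [PROTOCOL_SCORE[p] for p in protocols]
    return (max(scores) + min(scores)) / 2       # best and worst averaged

def key_exchange_score(bits):
    if bits == 0:
        return 0                                 # anonymous key exchange
    for limit, score in ((512, 20), (1024, 40), (2048, 80), (4096, 90)):
        if bits < limit:
            return score
    return 100

def cipher_score(bits):
    if bits == 0:
        return 0
    return 20 if bits < 128 else 80 if bits < 256 else 100

def numeric_score(s):
    p = protocol_score(s.protocols)
    k = key_exchange_score(s.key_bits)
    c = (cipher_score(s.strongest_cipher_bits) + cipher_score(s.weakest_cipher_bits)) / 2
    return (30 * p + 30 * k + 40 * c) / 100      # integer weights keep 91.5 exact

def letter(score):
    for floor, band in ((80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E")):
        if score >= floor:
            return band
    return "F"

def caps(s):
    """(cap, reason) for every capping rule the scan trips."""
    rules = [
        ("F", "SSL 2.0, export/NULL ciphers or a known vulnerability",
         "SSLv2" in s.protocols or s.export_or_null or s.known_vulnerability),
        ("C", "TLS 1.2 not supported", "TLSv1.2" not in s.protocols),
        ("B", "TLS 1.0 or 1.1 still accepted", bool(s.protocols & {"TLSv1.0", "TLSv1.1"})),
        ("B", "RC4 supported", s.rc4),
        ("B", "weak Diffie-Hellman parameters", s.weak_dh),
        ("B", "incomplete certificate chain", not s.chain_complete),
        ("A-", "TLS 1.3 not supported", "TLSv1.3" not in s.protocols),
    ]
    return [(cap, why) for cap, why, hit in rules if hit]

@dataclass
class Result:
    score: float
    grade: str
    reasons: list = field(default_factory=list)

def grade(s):
    score = numeric_score(s)
    g = letter(score)
    reasons = [f"capped at {cap}: {why}" for cap, why in caps(s)]
    for cap, _ in caps(s):
        g = min(g, cap, key=GRADE_ORDER.index)   # caps only ever lower the grade
    if g == "A":
        if (s.hsts_max_age or 0) >= LONG_MAX_AGE:
            g = "A+"
        else:
            reasons.append("A, not A+: no HSTS header with max-age >= 6 months")
    # A trust problem replaces the grade; the report keeps the configuration
    # grade as "if trust issues are ignored".
    if not s.trusted:
        reasons.append(f"T: not trusted (if trust issues are ignored: {g})")
        g = "T"
    elif not s.name_matches:
        reasons.append(f"M: name mismatch (if trust issues are ignored: {g})")
        g = "M"
    return Result(score, g, reasons)

if __name__ == "__main__":
    # Constructed sample: strong numbers, but TLS 1.0 and 1.1 left on.
    r = grade(ScanSummary({"TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"}, 2048, 128, 256))
    print(r.score, letter(r.score), r.grade, r.reasons)
```

Run as-is, the sample prints a numeric 91.5 (an A on the numbers) and a final grade of B, with the TLS 1.0/1.1 rule named as the reason: the "high score, low grade" situation the capping section describes.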

How to get from B to A+

Most real-world servers land between B and A. Closing the gap to A+ is usually a short, specific list:

  1. Enable TLS 1.3 and disable TLS 1.0 and 1.1. This removes the most common A- and B caps in one change. Keep TLS 1.2: dropping it caps the grade at C and locks out clients that cannot do 1.3.
  2. Offer only strong cipher suites. For TLS 1.2 that means AEAD suites (AES-GCM, ChaCha20-Poly1305) with forward secrecy via ECDHE; TLS 1.3 suites are always both. Remove RC4, 3DES, anything export-grade, and the static-RSA suites (those without ECDHE or DHE in the name), which carry no forward secrecy.
  3. Serve a complete certificate chain. Include the intermediate, not just the end-entity certificate, so every client can validate without guessing. Browsers that fetch missing intermediates on their own will hide this problem, which is why it shows up as a B on the test before it shows up in support tickets. See our guide on why incomplete chains break some clients but not others.
  4. Use a strong key. A 2048-bit RSA key or a P-256 elliptic-curve key. Bigger is not always better: 4096-bit RSA lifts the key-exchange category from 90 to 100 but rarely changes the letter, and costs CPU on every handshake. Modern elliptic-curve keys are both strong and fast.
  5. Enable HSTS with a long max-age. A max-age of at least six months (15768000 seconds, the threshold the test uses; a year is the usual choice) is what separates A from A+. The header only counts when sent over HTTPS; browsers ignore it on plain HTTP responses. Be deliberate: HSTS is hard to undo quickly, because browsers remember the policy until max-age runs out, so apply it once you are confident HTTPS is solid everywhere, including every subdomain if you set includeSubDomains.

Then re-test. A+ is simply an A with no remaining warnings and a durable HSTS policy.

One grade is a snapshot — configurations drift

Here is the limitation of any single test: it describes one host, at one moment. An A+ today can quietly become a B next quarter when a certificate renews onto a different chain, a new server ships with TLS 1.0 enabled, or an HSTS header is dropped during a migration. And testing by hand, host by host, does not scale beyond a handful of endpoints.

This is the gap continuous TLS certificate monitoring closes. CertControl grades every endpoint you own — internet-facing and internal, behind firewalls via an on-premise agent — on the same A+ to F scale, on every scan, and alerts you the moment a grade drops or a certificate approaches expiry. The one-off test tells you where you stand today; monitoring keeps you there.

Frequently asked questions

What does an A+ SSL grade mean?

A+ means the configuration already earns an A with no capping rule in play (modern protocols including TLS 1.3, strong key exchange, strong forward-secret AEAD ciphers, a complete trusted chain) and additionally sends an HSTS header with a max-age of at least six months. It is the reward grade for a configuration with no warnings.

Why is my SSL grade capped at A- or B despite a high score?

Capping rules override the numeric score for issues a number can't express. Missing TLS 1.3 caps the grade at A-. Support for TLS 1.0 or 1.1, RC4, weak Diffie-Hellman parameters, an incomplete chain, or the lack of forward-secret or AEAD suites caps it at B, regardless of how high the category scores are. A missing HSTS header does not cap the grade; it only keeps an A from becoming an A+.

What is the difference between a T grade and an F grade?

A T grade is a trust problem: the certificate is self-signed, expired, or issued by an unknown authority, so the chain cannot be verified — the configuration itself may be fine. An F is a security failure: SSL 2.0, export ciphers, or a known vulnerability.

How do I improve my SSL grade to A+?

Enable TLS 1.3 and disable TLS 1.0 and 1.1, offer only strong AEAD cipher suites with forward secrecy, serve a complete certificate chain from a trusted CA, and enable HSTS with a max-age of at least six months. Then re-test to confirm no warnings remain.