How to Read Your SSL Grade: What A+ to F Actually Means
What each category measures, why a strong score can still be capped, and how to reach A+.
Read the guide

Enter a hostname and get a verdict on your certificate, protocols, cipher strength, and HSTS in seconds — scored with the same methodology as SSL Labs. Free, no signup, no account.
No account required · Tests public servers on port 443 · EU hosted
The test inspects the parts of your TLS setup that decide whether browsers trust you, whether connections stay private, and whether anything is quietly about to break. Each result is explained, not just scored.
Which TLS versions your server accepts — from modern TLS 1.3 down to deprecated TLS 1.0 and 1.1. Old protocols drag the grade down because they expose connections to downgrade and known attacks.
Whether your negotiated cipher suite provides strong, modern encryption with forward secrecy — or relies on weak algorithms that no longer belong on a production server.
Is the certificate trusted, in date, and served with a complete chain to a known root? We flag expired, self-signed, and untrusted certificates, and chains that are missing an intermediate.
Does the certificate actually cover the hostname you tested, including wildcards? A mismatch is one of the most common reasons browsers show a security warning.
Whether HTTP Strict Transport Security is enabled with a sufficient max-age. It's often the difference between an A and an A+, and genuine protection against protocol-stripping attacks.
Every result has its own link. Share it with a colleague, a supplier, or a developer who needs to fix the finding — no screenshots, no account, just the URL.
The score follows the established SSL Labs rating methodology, so a grade here means the same thing it does anywhere else. Three categories are scored and combined, then capping rules account for the things a number alone can't express.
A configuration that scores A+ today can fail next quarter — a certificate expires, an intermediate drops out, a new server ships with TLS 1.0 enabled. Running this test by hand, server by server, doesn't scale past a handful of endpoints. CertControl turns the one-off test into continuous control.
CertControl scans all your certificates — internet-facing and internal, behind firewalls via the on-premise agent — and grades each one on the same scale, on every scan. No manual testing, host by host.
Get notified at the thresholds you set — before a certificate expires, and the moment a grade drops because of a new misconfiguration. Email and webhooks to Slack, Teams, and more.
See every endpoint's grade, expiry, and risk in a single dashboard — with the history to prove compliance and catch drift before it reaches production.
Yes. The test is free and needs no signup or account. Enter a hostname and you get a grade and a full breakdown in seconds. It tests publicly reachable servers on port 443.
The grade follows the Qualys SSL Labs rating methodology. Three categories are scored 0–100 and combined: protocol support (30%), key exchange (30%), and cipher strength (40%). Capping rules then adjust for issues a number can't capture — no TLS 1.3 or a missing HSTS header caps the result at A-, while expired or untrusted certificates, SSL 2.0, or known vulnerabilities fail it.
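The scoring described above, worked through in code; this is an added example, not CertControl's or SSL Labs' own implementation. Assumptions: the letter cut-offs come from the public SSL Labs rating guide rather than this page, the `Scan` type and its field names are hypothetical, and the step from A to A+ is modelled as "HSTS present with a sufficient max-age", which is one reading of the page's text.

```python
from dataclasses import dataclass

# Category weights in percent, as stated on this page.
WEIGHTS = {"protocol": 30, "key_exchange": 30, "cipher": 40}
# Score-to-letter cut-offs: assumption, from the public SSL Labs rating guide.
CUTOFFS = [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E")]


@dataclass
class Scan:  # hypothetical container for one constructed scan result
    protocol: int               # each category score is 0-100
    key_exchange: int
    cipher: int
    trusted: bool = True        # in date, chain verifies to a known root
    hostname_match: bool = True
    tls13: bool = True
    hsts_present: bool = True
    hsts_long_max_age: bool = True
    ssl2: bool = False
    known_vulnerability: bool = False


def grade(s: Scan) -> str:
    # Trust problems are reported outside the A-F scale.
    if not s.trusted:
        return "T"
    if not s.hostname_match:
        return "M"
    # Hard failures, whatever the numeric score.
    if s.ssl2 or s.known_vulnerability:
        return "F"
    score = sum(w * getattr(s, name) for name, w in WEIGHTS.items()) / 100
    letter = next((l for floor, l in CUTOFFS if score >= floor), "F")
    if letter != "A":
        return letter  # the A- cap only affects results that would beat it
    if not s.tls13 or not s.hsts_present:
        return "A-"
    # Assumed reading: a sufficient max-age separates A+ from A.
    return "A+" if s.hsts_long_max_age else "A"


if __name__ == "__main__":
    # Constructed sample results, not real scan data.
    print(grade(Scan(100, 90, 90)))
    print(grade(Scan(100, 90, 90, tls13=False)))
    print(grade(Scan(70, 70, 60, hsts_present=False)))
```

The third sample shows why a cap is not a penalty: a configuration that scores B stays B whether or not HSTS is present.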
The methodology and the A+ to F scale are the same, so the grades are directly comparable. The difference is what happens next: a manual tool gives you a one-off snapshot, while CertControl turns that test into continuous monitoring across every certificate you own — internet-facing and internal — with alerts before anything expires or drifts out of policy. In short, it's the continuous alternative to SSL Labs for teams that need to stay compliant, not just check once.
A T grade means the certificate is not trusted — self-signed, expired, or issued by an unknown authority — so the chain cannot be verified. An M grade means the certificate is valid but does not match the hostname you tested. Both are kept separate from the A–F scale because they are trust problems, not configuration weaknesses.
A result is cached briefly so a shared link works without re-scanning the target, and so repeated tests of the same host don't create unnecessary traffic. No personal data is needed to run a test, and the service is EU hosted.
A TLS certificate chain links your server certificate to a trusted root CA through one or more intermediates.
Revoking a TLS certificate does not immediately protect users — most browsers trust revoked certificates for hours.
TLS certificate monitoring goes beyond expiry alerts to the full configuration picture.
A wildcard TLS certificate covers all subdomains with a single private key — one compromise exposes them all.