What Should I Do If I Get a Low Grade on SSL Checker?

Understanding Your SSL Grade

SSL Checker grades your site on multiple security factors:

• Certificate validity and configuration
• TLS version support
• Cipher suite strength
• Security header implementation
• Known vulnerabilities
• Chain completeness

A low grade indicates security issues that need attention. Understanding what each issue means and how to fix it is crucial for improving your score.

Common Grade Issues and Fixes

Issue: Expired Certificate

Grade Impact: F (Fails)

Solution:

1. Obtain a new certificate from your CA
2. Install the new certificate on your server
3. Restart your web server
4. Test with SSL Checker

Timeline: Do immediately—expired certificates break HTTPS entirely.

Issue: Self-Signed Certificate

Grade Impact: F (Fails)

Solution for Production: Replace with a CA-signed certificate from:

• Let's Encrypt (free)
• Digicert, Sectigo, etc. (paid)

For Development/Testing: Accept self-signed certificates locally (explained in SSL Checker tool tips).

Issue: TLS 1.0 or 1.1 Still Enabled

Grade Impact: D or C (Major deduction)

Solution:

For Nginx:

ssl_protocols TLSv1.2 TLSv1.3;

For Apache:

SSLProtocol -all +TLSv1.2 +TLSv1.3

Restart and test immediately.

Issue: Weak Cipher Suites in Use

Grade Impact: C or D (Significant deduction)

Solutions depend on your web server. Configure strong cipher suites:

For Nginx:

ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

For Apache:

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on

Issue: Incomplete Certificate Chain

Grade Impact: C or D (Significant deduction)

Solution:

Most commonly, you're not sending the intermediate certificate. Your SSL certificate file should contain:

1. Your server certificate (leaf)
2. Intermediate certificate(s)
3. NOT the root certificate

If your certificate file only contains the leaf:

1. Request the intermediate certificate from your CA
2. Append it to your certificate file:

   cat your-cert.crt intermediate-ca.crt > combined.crt
   

3. Configure your server to use the combined file
4. Restart and test

Issue: Missing Security Headers

Grade Impact: A- to B (Minor deduction for each missing header)

Solution: Add headers to your web server

For Nginx (add to server block):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;

For Apache (add to httpd.conf or .htaccess):

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"

Restart and test.

Issue: No Forward Secrecy (ECDHE)

Grade Impact: B or C (Significant for security)

Solution: Ensure ECDHE ciphers are enabled and preferred

Check your cipher configuration includes ECDHE suites and is server-preferred (not client-preferred).

Priority Order for Fixes

Address issues in this order:

Critical (Fix Immediately):

1. Expired certificate
2. Missing certificate chain
3. TLS 1.0/1.1 enabled
4. Known critical vulnerabilities

High Priority (Fix Within Days):

1. Weak cipher suites
2. No ECDHE (no forward secrecy)
3. Missing HSTS header

Medium Priority (Fix Within Weeks):

1. Other missing security headers
2. Outdated certificate algorithms (SHA-1)
3. Minor TLS configuration issues

Low Priority (Fix When Convenient):

1. Certificate organization details
2. Non-critical configuration optimizations

Step-by-Step Improvement Plan

Step 1: Assess Current State

1. Run SSL Checker
2. Note the current grade
3. Read each issue description carefully
4. Categorize issues by priority

Step 2: Fix Critical Issues First

1. Address certificate issues (expired, missing chain, etc.)
2. Disable insecure TLS versions (1.0, 1.1)
3. Test after each fix with SSL Checker

Step 3: Implement Strong Configuration

1. Update cipher suites to only strong options
2. Enable ECDHE for forward secrecy
3. Test and verify configuration with openssl

# Test a specific TLS version
openssl s_client -connect example.com:443 -tls1_2

# View negotiated cipher
echo | openssl s_client -connect example.com:443 2>/dev/null | grep "Cipher"

Step 4: Add Security Headers

1. Add HSTS header
2. Add X-Frame-Options header
3. Add X-Content-Type-Options header
4. Add other recommended headers
5. Test header presence

# Check headers
curl -I https://example.com | grep -i "Strict-Transport-Security"

Step 5: Retest and Verify

1. Re-run SSL Checker
2. Verify grade improvement
3. Ensure no features are broken
4. Test with multiple browsers

Testing During Configuration Changes

Before deploying changes to production:

1. Test in staging - Apply changes to a test server first
2. Use SSL Checker - Run against staging to verify changes
3. Test in browsers - Ensure your site still loads correctly
4. Verify client compatibility - Check if old browsers can still access (if needed)
5. Deploy to production - Roll out changes
6. Verify production - Run SSL Checker against production

Performance Considerations

Some configuration changes might affect performance:

Cipher Suite Changes:

• Stronger ciphers (AES-256) might be slightly slower than weaker ones
• ECDHE is generally faster than RSA key exchange
• Modern processors have hardware acceleration for these operations
• Performance impact is usually negligible

TLS Version Changes:

• TLS 1.3 is actually faster than 1.2
• Removing old versions doesn't hurt performance
• Might slightly improve it due to negotiation overhead reduction

HSTS Header:

• No performance impact
• Saves one HTTP redirect on first visit

Most security improvements have neutral or positive performance impact.

Common Mistakes to Avoid

Removing All Legacy Cipher Suites Immediately: If your users include legacy clients (IE 6, old phones), immediately removing all legacy ciphers breaks compatibility. Plan migration carefully or maintain moderate compatibility.

Not Testing Changes: Deploying configuration changes without testing can break HTTPS entirely. Always test in staging first.

Configuring HSTS Prematurely: Don't add HSTS until you're absolutely sure all subdomains support HTTPS. HSTS is permanent for its max-age duration.

Too-Aggressive Cipher Restrictions: While strong ciphers are good, completely blocking legacy clients might not be necessary. Balance security and compatibility.

Forgetting to Restart Services: Configuration changes don't take effect without restarting (nginx, Apache, etc.). Always restart after changes:

# Nginx
nginx -t  # Test configuration
systemctl restart nginx

# Apache
apachectl configtest
systemctl restart apache2

Real-World Upgrade Example

Starting Point: Grade C

• TLS 1.0 enabled (bad)
• Missing intermediate certificate (bad)
• No ECDHE ciphers (bad)
• No security headers (bad)

Changes Made:

1. Add intermediate certificate to server config
2. Disable TLS 1.0, 1.1
3. Update ciphers to ECDHE-only strong suites
4. Add HSTS header with max-age=31536000
5. Add other security headers

Result: Grade A or A+

When to Seek Professional Help

Consider hiring an expert if:

• You don't have a sysadmin familiar with SSL/TLS
• Your score is very low (D or F) and you're unsure how to fix it
• You have complex infrastructure (load balancers, multiple servers)
• You need to maintain backward compatibility with unusual clients
• You want a security audit along with configuration improvements

Professional consultants can:

• Assess your entire SSL/TLS infrastructure
• Provide custom configuration for your setup
• Ensure compatibility with your users
• Implement industry best practices
• Document the configuration for future maintenance

Monitoring After Improvements

After improving your grade:

1. Set monthly reminders to re-check with SSL Checker
2. Monitor certificate expiration (30+ days in advance)
3. Subscribe to vulnerability alerts for your TLS implementation
4. Keep software updated (OpenSSL, web server, etc.)
5. Review configuration quarterly for drift or needed changes

Conclusion: Improving Your SSL Grade Is Achievable

A low SSL grade indicates fixable problems. By understanding what each issue means, prioritizing fixes, and testing changes carefully, you can improve your grade significantly. Most improvements require configuration changes rather than new hardware or costly upgrades. Start with critical security issues (expired certificates, weak TLS versions), progress to configuration optimization (cipher suites, ECDHE), and finish with security headers. The investment in improving your SSL/TLS configuration pays dividends in security, compliance, and user trust. Use SSL Checker regularly to ensure improvements are maintained and catch any new issues early.