

What Is SSL Grade A+ and Why Government Websites Must Pass This Standard
26 March

If you've ever noticed the padlock icon next to a URL in your browser, that indicates the website uses SSL/TLS to encrypt data. But simply "having SSL" isn't enough — SSL security levels vary dramatically. This article explains what SSL Grade A+ means, how to test it, why Thai government agencies must achieve this grade, and how Saeree ERP delivers it on every deployment.

Quick Summary: What Is SSL Grade A+?

  • SSL Grade A+ is the highest rating from the Qualys SSL Labs SSL Server Test
  • It means the website uses strong encryption, has no vulnerabilities, and has HSTS enabled
  • Thailand's NIST-equivalent security standards require government systems to use properly secured HTTPS
  • Test any website for free at ssllabs.com/ssltest

What Is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between web browsers and web servers. They ensure that data transmitted over the internet (such as passwords, credit card numbers, and personal information) cannot be intercepted in transit.

In practice, SSL was deprecated in 2015 (SSL 3.0 had critical vulnerabilities). Today, TLS 1.2 and TLS 1.3 are the accepted standards, though people still commonly refer to the technology as "SSL" out of habit.

| Protocol | Status | Notes |
|---|---|---|
| SSL 2.0 | Deprecated | Critical vulnerabilities — must not be used |
| SSL 3.0 | Deprecated | POODLE vulnerability — must not be used |
| TLS 1.0 | Deprecated | BEAST vulnerability — should not be used |
| TLS 1.1 | Deprecated | Major browsers have dropped support |
| TLS 1.2 | Active | Current minimum standard |
| TLS 1.3 | Recommended | Faster, more secure, latest standard |

What Does SSL Grade A+ Mean?

SSL Grade is the security rating of an SSL/TLS configuration as assessed by the Qualys SSL Labs SSL Server Test — the globally recognized benchmark for SSL/TLS security. Scores range from F (lowest) to A+ (highest).

The test evaluates four main areas:

  1. Certificate — Valid, not expired, issued by a trusted CA
  2. Protocol Support — Supports secure TLS versions, deprecated protocols disabled
  3. Key Exchange — Uses strong ECDHE or DHE key exchange
  4. Cipher Strength — Uses secure cipher suites, no weak ciphers

What Do the Different Grades Mean?

| Grade | Meaning | Key Criteria |
|---|---|---|
| A+ | Excellent (Best Practice) | Passes all Grade A criteria + HSTS (HTTP Strict Transport Security) enabled |
| A | Very Good | Valid certificate, TLS 1.2+, strong ciphers, no vulnerabilities |
| B | Adequate — Has Weaknesses | May still support TLS 1.0/1.1 or weak ciphers |
| C | Poor — At Risk | Uses RC4 or outdated ciphers |
| F | Fail — Dangerous | Expired certificate, critical vulnerabilities (Heartbleed, POODLE), or SSL 3.0 still enabled |
| T | Certificate Not Trusted | Self-signed certificate or untrusted CA |

Why Must Government Agencies Achieve SSL Grade A+?

Thailand has established information security standards enforced by the Electronic Transactions Development Agency (ETDA), specifically:

  • Thailand's Information Security Standard (based on ISO 27001) — Requires government information systems to use appropriate encryption
  • Personal Data Protection Act (PDPA) — Mandates appropriate security measures to protect personal data
  • Cybersecurity Act B.E. 2562 (2019) — Establishes minimum security standards for critical infrastructure

Achieving SSL Grade A+ is one of the key indicators that a system's security configuration meets international best practices. Auditing bodies can verify this instantly through SSL Labs.

Important: Websites scoring below Grade A may trigger "Not Secure" warnings in browsers, eroding user trust and potentially failing compliance audits by regulatory bodies.

How to Test Your SSL Grade

Testing is straightforward using the Qualys SSL Labs tool:

  1. Visit ssllabs.com/ssltest
  2. Enter the domain name you want to test
  3. Wait approximately 1-2 minutes
  4. The system will display the grade (A+, A, B, C, F) with full details

The test results include:

  • Overall Grade
  • Scores for each area (Certificate, Protocol Support, Key Exchange, Cipher Strength)
  • Supported Cipher Suites
  • Detected vulnerabilities (Heartbleed, POODLE, ROBOT, Zombie POODLE, etc.)
  • HSTS status

What You Need to Do to Achieve SSL Grade A+

Achieving Grade A+ isn't as difficult as you might think, but every configuration item must be addressed:

| Item | Details | Importance |
|---|---|---|
| Valid SSL Certificate | Issued by a trusted CA (Let's Encrypt, DigiCert, Sectigo), not expired, covers all required domains | Required |
| Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 | Enable only TLS 1.2 and TLS 1.3 | Required |
| Strong Cipher Suite | Use AES-256-GCM, ChaCha20-Poly1305; disable RC4, 3DES, MD5 | Required |
| Forward Secrecy | Use ECDHE for key exchange to prevent retrospective decryption | Required |
| HSTS (HTTP Strict Transport Security) | Forces browsers to always use HTTPS — required to achieve A+ (without it you only get A) | Required (for A+) |
| OCSP Stapling | Server validates certificate status on behalf of the browser — faster and more secure | Recommended |
| Complete Certificate Chain | Install all intermediate certificates — no missing chain links | Required |
| RSA 2048-bit or Higher | Minimum 2048-bit key size (4096-bit or ECDSA P-256 recommended) | Required |

Example Nginx Configuration for SSL Grade A+

# /etc/nginx/conf.d/ssl.conf

# Enable only TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;

# Strong Cipher Suite
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;

# HSTS — Force HTTPS (required for A+)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Session
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
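
The checklist and Nginx configuration above can be linted offline before a server is ever scanned. The following Python code is an added example, not code from the original article or from Qualys; the function names, the 180-day `MIN_HSTS_AGE` threshold and both sample configurations are assumptions constructed for illustration.

```python
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}        # from the page's checklist
WEAK_TOKENS = ("RC4", "3DES", "DES-CBC3", "MD5")  # ciphers the page says to disable
MIN_HSTS_AGE = 15552000  # assumption: 180-day local policy, not a value from the page

def directives(conf):
    """Map directive name -> argument strings (one-line directives, no inline comments)."""
    found = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+(.+?)\s*;\s*$", conf, re.M):
        found.setdefault(m.group(1), []).append(m.group(2))
    return found

def audit(conf):
    """Return findings against the page's checklist; an empty list means all checks pass."""
    d, findings = directives(conf), []
    protos = set(" ".join(d.get("ssl_protocols", [])).split())
    findings += [f"deprecated protocol enabled: {p}" for p in sorted(protos - ALLOWED_PROTOCOLS)]
    for suite in " ".join(d.get("ssl_ciphers", [])).strip("'\"").split(":"):
        if not suite or suite.startswith("!"):
            continue  # empty entry or explicit exclusion
        if any(t in suite.upper() for t in WEAK_TOKENS):
            findings.append(f"weak cipher: {suite}")
        elif not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {suite}")
    hsts = [a for a in d.get("add_header", []) if a.lower().startswith("strict-transport-security")]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        age = re.search(r"max-age=(\d+)", hsts[-1])
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age missing or too short")
        if not hsts[-1].endswith("always"):
            findings.append("HSTS lacks 'always' (header not added to error responses)")
    if d.get("ssl_stapling", ["off"])[-1] != "on":
        findings.append("OCSP stapling off (recommended item)")
    return findings

GOOD = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305';
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
ssl_stapling on;
"""  # constructed sample: condensed from the page's configuration
WEAK = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:RC4-SHA';
add_header Strict-Transport-Security "max-age=300";
"""  # constructed sample: a legacy-style configuration for contrast
```

`audit(GOOD)` returns an empty list and `audit(WEAK)` returns seven findings. An empty result only means these configuration items pass; the grade itself still comes from the SSL Labs test, which also examines the certificate and chain.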

Saeree ERP Achieves SSL Grade A+ — Case Studies

Saeree ERP by Grand Linux Solution Co., Ltd. prioritizes system security at the highest level. All Saeree ERP clients achieve SSL Grade A+, with notable case studies including:

Thai Media Fund (TMF)

The Thai Media Fund (TMF) is a government agency that migrated from MS Dynamics AX to Saeree ERP. They use Saeree ERP for accounting, finance, procurement, and budget management. All systems have achieved SSL Grade A+, meeting the required security standards.

Biodiversity-Based Economy Development Office (BEDO)

The Biodiversity-Based Economy Development Office (BEDO) is a public organization under the Ministry of Natural Resources and Environment. They use Saeree ERP and have also achieved SSL Grade A+.

Every Saeree ERP deployment is configured with SSL/TLS best practices from day one — including HSTS, Forward Secrecy, Strong Cipher Suites, and TLS 1.2/1.3 — ensuring Grade A+ on every test.

Additional Security Measures Beyond SSL

SSL Grade A+ is just one component of comprehensive system security. Additional measures that should be implemented include:

For organizations considering an ERP system change, choosing a system with built-in high security standards from the start significantly reduces the burden of post-deployment hardening.

SSL Grade A+ isn't just about having a certificate — it's about configuring the entire system for genuine security, from protocols and cipher suites to HSTS. At Saeree ERP, we configure every system to pass A+ from the first day of go-live, because the security of our clients' data is non-negotiable.

— Paitoon Butri, Network & Server Security Specialist, Grand Linux Solution

Summary

| Topic | Details |
|---|---|
| SSL Grade A+ is | The highest rating from the Qualys SSL Labs SSL Server Test |
| Difference from Grade A | HSTS must be enabled for A+ (A does not require HSTS) |
| Required protocols | TLS 1.2 and TLS 1.3 only |
| Test at | ssllabs.com/ssltest (free) |
| Thai standards | National Information Security Standard, PDPA, Cybersecurity Act 2019 |
| Saeree ERP | Achieves Grade A+ on every deployment (TMF, BEDO, and all clients) |

If you're looking for an ERP system with Grade A+ security built in from day one, schedule a demo or contact the Saeree ERP consulting team today.


About the Author

Paitoon Butri

Network & Server Security Specialist, Grand Linux Solution Co., Ltd.