TLS/SSL Certificate Grading Explained: What A+, A, B, C Mean for UK Websites
SSL Labs grades your TLS configuration from A+ to F. This guide explains each grade, common UK website failures, and how to check your certificate with VP Pulse.
Why TLS Grade Matters
Every UK website served over HTTPS relies on a TLS (Transport Layer Security) certificate to encrypt traffic between servers and browsers. But not all TLS configurations are equal. A poorly configured server might use outdated protocols, weak cipher suites, or certificates with short key lengths β leaving users vulnerable even when the padlock is green.
SSL Labs, operated by Qualys, is the industry-standard tool for assessing TLS configuration. VP Pulse integrates with SSL Labs to show the current grade for UK domains directly in the dashboard.
The Grading System
A+ β Outstanding
An A+ grade means TLS 1.3 support, HSTS preloading, strong cipher suites, OCSP stapling, and DNS CAA records. This is the gold standard. Major UK banks and government services achieving A+ include HMRC and many financial institutions. Getting A+ requires deliberate configuration β it is not the default on any hosting platform.
A β Good
Most well-configured UK websites score A. This means TLS 1.2 minimum (ideally TLS 1.3 preferred), no known vulnerabilities, valid chain of trust, and reasonable cipher suite selection. An A grade is acceptable for most organisations.
B β Acceptable with Caveats
A B grade typically indicates TLS 1.0 or 1.1 support (deprecated protocols), or weak cipher suites in the configuration. Browsers still accept B-grade sites, but they represent a security gap. Common cause in UK: shared hosting environments defaulting to legacy configurations.
C β Needs Attention
A C grade signals significant configuration problems β often POODLE or BEAST vulnerability exposure, RC4 cipher support, or certificate chain issues. UK financial services firms with Cyber Essentials Plus certification should be addressing any C-grade TLS immediately.
F β Failed
F grades indicate critical failures: expired certificates, untrusted certificate authorities, protocol downgrade vulnerabilities, or DNS resolution failures. An F-grade website shows browser security warnings to all visitors.
T β Trust Issues
A T grade means the certificate is untrusted β typically a self-signed certificate or a certificate from a private CA not in browser trust stores. Common in development environments accidentally exposed to the internet.
Common TLS Failures on UK Websites
- Expired certificates: The most visible failure β browsers block access entirely
- Incomplete chain: Intermediate certificates missing from the server configuration
- TLS 1.0/1.1 support: Deprecated protocols still enabled on legacy servers
- Weak cipher suites: RC4, 3DES, or export ciphers still in configuration
- No HSTS: Missing Strict-Transport-Security header allows downgrade attacks
- Short key length: RSA keys under 2048 bits (now very rare but still found)
Certificate Expiry: The Silent Business Risk
Certificate expiry is the most common cause of TLS-related outages for UK businesses. Let's Encrypt certificates expire every 90 days; commercial certificates every 1β2 years. VP Pulse's TLS Certificate Watch shows the SSL Labs grade and days until expiry for any domain you enter. Set up push notifications to be alerted before your certificate expires.
How to Improve Your TLS Grade
- Enable TLS 1.3 and disable TLS 1.0/1.1
- Configure HSTS with a minimum max-age of 31536000 (one year)
- Submit your domain to the HSTS preload list for A+ potential
- Enable OCSP stapling to speed up certificate validation
- Add a DNS CAA record restricting which CAs can issue certificates for your domain
- Use automated certificate renewal (Let's Encrypt with Certbot, or your CDN's managed certificates)
Check your domain's current TLS grade using VP Pulse's domain scan tool at pulse.vpnetworks.co.uk/scan β results include SSL Labs grade, expiry date, and protocol support in seconds.