Obtain A+ SSL Security Rating

In a previous post, I set up SSL with nginx on CentOS 7 using Let's Encrypt. Please refer to: Use Lets Encrypt Certbot to Install Free SSL on CentOS7.
By default, the SSL rating with that setup is B. In this post, I will configure the settings needed to obtain an A+ security rating.

Things to do to get A+:

  1. generate a 4096-bit dhparam.pem
  2. modify nginx.conf and demo.bulafish.com.conf

Extra things to do to increase security:

  1. configure a DNS CAA record

Generate dhparam.pem (change the output location to fit your needs). Generating 4096-bit parameters takes a while.

openssl dhparam -out /etc/letsencrypt/live/demo.bulafish.com/dhparam.pem 4096


Modify /etc/nginx/nginx.conf and add the following directives inside the http block, then save and exit.

# Diffie-Hellman parameters generated above (used for DHE cipher suites)
ssl_dhparam /etc/letsencrypt/live/demo.bulafish.com/dhparam.pem;
# TLSv1 and TLSv1.1 are legacy protocols; current rating tools penalise them, so drop them unless old clients need them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
# session tickets off: ticket keys would otherwise weaken forward secrecy if not rotated
ssl_session_tickets off;
# HSTS for two years, including subdomains, eligible for the browser preload list
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# hide the nginx version in headers and error pages
server_tokens off;

# OCSP stapling: nginx fetches and verifies the OCSP response for its own certificate
ssl_stapling on;
ssl_stapling_verify on;
# the resolver directive needs at least one nameserver address before valid=; without one nginx cannot look up the OCSP responder
resolver valid=300s;
resolver_timeout 5s;


Modify your server's config file (demo.bulafish.com.conf in this setup) and add the following directives inside the server block, then save, exit and restart nginx.

ssl_certificate     /etc/letsencrypt/live/demo.bulafish.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/demo.bulafish.com/privkey.pem;
# chain.pem is the issuer chain nginx uses to verify stapled OCSP responses (ssl_stapling_verify)
ssl_trusted_certificate /etc/letsencrypt/live/demo.bulafish.com/chain.pem;


Re-run the rating test to confirm that an A+ rating is obtained.
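As an added check before re-running the rating test (my own example, not part of the original post), here is a small Python audit that parses an nginx http-block fragment like the one above and flags the settings that typically cost a grade: legacy protocols, a missing ssl_dhparam, stapling enabled without a usable resolver, and a short HSTS max-age. The sample fragment is constructed from this post's config, and the 180-day HSTS threshold is an assumption used here.

```python
import re

# Constructed sample: the http-block fragment from this post, with the
# resolver line exactly as the post gives it (no nameserver address).
SAMPLE_CONF = """
ssl_dhparam /etc/letsencrypt/live/demo.bulafish.com/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
"""

# one directive per line: name, arguments, terminating semicolon
DIRECTIVE_RE = re.compile(r'^\s*([a-z_]+)\s+(.*?)\s*;\s*$', re.M)
HSTS_MIN_AGE = 15552000  # 180 days; assumed minimum for an A+ grade

def parse_directives(conf):
    """Map directive name -> list of argument strings (one entry per occurrence)."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(args)
    return found

def audit(conf):
    """Return a list of findings; an empty list means the fragment looks A+-ready."""
    d = parse_directives(conf)
    findings = []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    legacy = protocols & {"SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    if "ssl_dhparam" not in d:
        findings.append("no ssl_dhparam: default DH parameters are used")
    if d.get("ssl_stapling") == ["on"]:
        # nginx needs a nameserver to reach the OCSP responder; drop key=value option tokens
        addrs = [t for r in d.get("resolver", []) for t in r.split() if "=" not in t]
        if not addrs:
            findings.append("ssl_stapling on but resolver lists no nameserver")
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS missing or max-age below %d" % HSTS_MIN_AGE)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against your own nginx.conf fragment by reading the file into `audit()`; an empty result means none of these four checks fired.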

What is a CAA record?

A Certification Authority Authorization (CAA) record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain.

To configure CAA, log in to your DNS provider's control panel and add a CAA record for the domain.

Wait a couple of hours for the CAA record to propagate, then run the rating test again to confirm that the CAA policy is detected.