The article links to https://badssl.com/, which shows a list of links to good and bad configurations. Calomel gives more details about what is right and wrong, and sometimes surprises with its rating.
But it won't change a lot of the things mentioned in the article: people will still need to configure servers, fix browser errors, researchers need a source for large-scale SSL scans, inspect packets, lookup domain contact info without junk results.
We're working on the configuring servers stuff BTW: we landed patches in node.js to ensure their TLS implementation passes SSL Labs out of the box and I'm hoping to do the same for nginx in future.
The 'freshness' is possible because it's a domain validated certificate - domain validated certificates are < 1 min, and normally cheap or free, as all you have to do to get a domain-validated cert is have an official sounding email address, publish a DNS text record, or some other way to show you have control of the domain. Domain validation doesn't require any investigation of the identity behind that domain, which is why they don't show the company name or the green bar. In Edge, domain validated certs show a hollow grey lock. 
EV certificates require checking the actual company - government registration, business status (eg, do you pay your taxes), does the person requesting the certificate have authority to take actions on behalf of the company, does the company have a verifiable physical address, and more . They then show that company's identity in the certificate and browser - as the company name in a green bar.
Nearly everyone you speak to will quote a either a vague figure or 7-10 days to provide an EV cert.
CertSimple only does EV, and our average certificate issuance time is 5 hours. We've been doing them even faster than that recently - check the tweets on the front page of the site. A big part of that is that CertSimple checks a whole bunch of your company's information before you pay us any money. 
If you're not a company, or registered organization, or government department, you can't get an EV certificate right now. The cabforum EV guidelines  don't currently have provision for individuals.
I know that sucks. Especially when there is already capability to use government IDs for individuals in the EV guidelines for checking e.g. company directors in some cases .
But here's why:
- The certificate subject for an EV cert, i.e. the thing the CA is attesting to by signing your certificate is the unique in the jurisdiction registration ID.
Eg, visit https://github.com and click the certificate in Chrome - you can see GitHub is Delaware company 5157550.
The subject for an individual version of an EV cert would needs to be:
- unique in the jurisdiction
- publicly revealable
You couldn't use the number of the ID checked, since passport numbers, drivers license numbers and other are considered 'High Risk Confidential Information' in much of the world 
Unfortunately such a document don't exist in much of the world.
And of course the Date Of Birth is really Date/Time of Birth.
First, the link is missing an 'l' at the end.  Second, exactly what makes SSL Labs the 'industry standard'? I'm well-aware of their services and use in the industry, but I would tend to think that the actual RFCs are industry standard, and not a rather specious high-school grading system for whether a particular TLS provider is secure.
So at this point the biggest thing I'm looking at is the "Chain issues" line that reads "Contains anchor". Assuming this has something to do with the bundle file I created?
I was using mod_gnutls for some sites, but it did not make it into Debian Jessie. mod_nss is still in Debian Stable though.
dget --build http://ftp.debian.org/debian/pool/main/m/mod-gnutls/mod-gnutls_0.6-1.4.dsc
mk-build-deps --install --remove mod-gnutls_0.6-1.4.dsc
sudo dpkg --install libapache2-mod-gnutls_0.6-1.4_$(dpkg-architecture -qDEB_HOST_ARCH).deb
It also gives a summary grade. Very few sites are 10/10 (I only remember github having this grade)
The Qualys SSLlabs scan does not accept an IP address. I'm often in the situation where the cert is installed and ready, but the name is not yet pointing to the new IP address. The above URL can verify that you haven't left out the intermediate cert.
`openssl x509 -in $FILE -text | less`
GnuTLS has some useful stuff too, IIRC
But for quick or simple auditing it works great!
whois -h whois.nic.ninja domains.ninja
This should be on the list of valuable tools as well. It's a site which has strong example configurations for Apache, nginx, Openssh and many many others.. It's a great reference site. It's updated as new vulnerabilities are released, and as new technologies become available too.
Careful about implementing it all though - as their warning says, unless you understand things like HSTS or HPKP, implementing them incorrectly could make your site unavailable for a very, VERY long time.
That said, it's an easy way to get an A+! If you disable everything but TLS1.2, you can get a perfect 100/100/100/100.
I also found Mozilla's documentation for TLS very helpful: https://wiki.mozilla.org/Security/Server_Side_TLS
The tool performs a similar function to sslscan, THCSSLCheck and sslyze, but differs by crafting part of the SSL handshake instead of using an SSL library to establish a full connection. [...] Libraries either become outdated and therefore incapable of testing for new protocols such as TLSv1.2 or exotic cipher suites; or they are updated and lose support for older protocols – namely SSLv2.
Support for SSL testing over SMTP (STARTTLS), RDP and FTP (AUTH SSL)
Source for self-hosting:
Other than the fact that certsimple sells EVs exclusively, I don't really see any meaningful benefit. The arguments for EV are the Verisign sales pitch from 1999. (Ie. We are very careful!)
(edit: inb4 kneejerk about sourceforge)
Thanks for correcting. :-)