Overview

Candex maintains strict security standards for all data in transit. This page provides technical details regarding our current public-facing SSL/TLS configuration, active certificates, rotation schedule and connectivity requirements.

Candex Wildcard (*.candex.com) applicable hosts

Candex utilizes the same wildcard certificate (*.candex.com) for all publicly available endpoints, and specifically applies to the following public endpoints:

• Production: www.candex.com

• Staging: stg.candex.com

Current Certificate Details

The certificate has been issued by the same intermediate and root as the certificate being replaced, ensuring compatibility of the trust chain.

📂 Full Chain Bundle .CRT Files (ZIP) | 📂 Full Chain Bundle .PEM Files (ZIP)

• Common Name: *.CANDEX.COM

• Root Authority: DigiCert Global Root G2

• Intermediate Authority: RapidSSL TLS RSA CA G1

• Valid Until: Oct 28, 2026

Connectivity Requirements & Cipher Suites

Candex enforces strict transport layer security. To ensure successful connectivity to our endpoints, client applications must support TLS 1.2 or higher.

Supported Configuration:

• Protocol: TLS 1.2, TLS 1.3

• Strong Ciphers Only: We have disabled older, insecure cipher suites (including weak TLS_RSA_* and CBC mode ciphers) to align with industry best practices.

For a real-time analysis of our SSL configuration, please refer to the Qualys SSL Labs Report.