Overview

Candex maintains strict security standards for all data in transit. This page provides technical details regarding our current public-facing SSL/TLS configuration, active certificates, rotation schedule and connectivity requirements.

Candex Wildcard (*.candex.com) applicable hosts

Candex utilizes the same wildcard certificate (*.candex.com) for all publicly available endpoints, and specifically applies to the following public endpoints:

• Production: www.candex.com

• Staging: stg.candex.com

Current Certificate Details (Expires May 15, 2026)

This is the certificate that is currently installed:

Download link: 📂 Full Chain Bundle (ZIP)

• Common Name: *.CANDEX.COM

• Root Authority: DigiCert Global Root G2

• Intermediate Authority: RapidSSL TLS RSA CA G1

• Valid Until: May 15, 2026

New Certificate Details (To be installed on Friday, May 15 2026)

A new certificate will be installed on Saturday, May 15 2026, at 3AM UTC. The certificate has been issued by the same intermediate and root as the certificate being replaced, ensuring compatibility of the trust chain.

📂 Full Chain Bundle .CRT Files (ZIP) | 📂 Full Chain Bundle .PEM Files (ZIP)

• Common Name: *.CANDEX.COM

• Root Authority: DigiCert Global Root G2

• Intermediate Authority: RapidSSL TLS RSA CA G1

• Valid Until: Oct 28, 2026

Connectivity Requirements & Cipher Suites

Candex enforces strict transport layer security. To ensure successful connectivity to our endpoints, client applications must support TLS 1.2 or higher.

Supported Configuration:

• Protocol: TLS 1.2, TLS 1.3

• Strong Ciphers Only: We have disabled older, insecure cipher suites (including weak TLS_RSA_* and CBC mode ciphers) to align with industry best practices.

For a real-time analysis of our SSL configuration, please refer to the Qualys SSL Labs Report.