With PSK-based encryption protecting our sensitive Zabbix trapper item, let's move to certificates. We'll generate certificates for the Zabbix server and agent and require encrypted connections on the Zabbix agent side for passive items. Certificate authorities sign certificates, and Zabbix components can trust one or more authorities. By extension, they trust the certificates signed by those authorities.
You might have a certificate infrastructure in your organization, but for our first test, we'll generate all the required certificates ourselves. We'll need a new Certificate Authority (CA) that will sign our certificate. Zabbix doesn't support self-signed certificates.
It's strongly recommended to use intermediate certificate authorities to sign client and server certificates; we won't use them in the following simple example.