With PSK-based encryption protecting our sensitive Zabbix trapper item, let's move to certificates. We will generate certificates for the Zabbix server and agent and require encrypted connections on the Zabbix agent side for passive items. Certificate authorities sign certificates, and Zabbix components can trust one or more authorities. By extension, they trust the certificates signed by those authorities.

You might have a certificate infrastructure in your organization, but for our first test, we will generate all required certificates ourselves. We will need a new certificate authority (CA) that will sign our certificate. Zabbix does not support self-signed certificates.