Problem report
Resolution: Incomplete
Trivial
Zabbix Server 5.4.6 on Red Hat Enterprise Linux 8.4 (Ootpa) OpenSSL 1.1.1g FIPS 21 Apr 2020
Steps to reproduce:
Currently Zabbix Server is working with no problems with a self-signed certificate.
I have been asked to change the certificate from self-signed to a CA certificate.
I have followed the instructions on the forum
( https://www.zabbix.com/forum/zabbix-help/383231-proxy-and-agent-encryption-cert-from-windows-ca ).
Steps taken for Certificate files creation:
1. Open "Certificate Authority" --> Certificate Templates --> Manage --> Duplicate one template
2. Open "Certificate Authority" --> Right click on the organization --> Properties --> General --> View Certificate --> Details --> Copy to File --> Export in DER format --> Save file as ca_cert.cer
3. Copy the ca_cert.cer from the CA server to the working directory
4. openssl x509 -inform der -in ca_cert.cer -out ca_cert.pem
5. openssl req -new -newkey rsa:4096 -nodes -keyout client_csr.key -out client_csr.csr
6. openssl req -new -newkey rsa:4096 -nodes -keyout server_csr.key -out server_csr.csr
7. Go to Request a certificate on my CA's cert portal --> Submit a certificate request --> Paste in the client cert and select the template created before. Do the same for the server cert. Download the certs (not chain) and save to the working directory as client_cert.cer for the client and server_cert.cer for the Server.
8. openssl x509 -inform der -in client_cert.cer -out client.crt
9. openssl x509 -inform der -in server_cert.cer -out server.crt
10. openssl x509 -text -noout -in ca_cert.pem | cat > zabbix_ca_file && cat ca_cert.pem >> zabbix_ca_file
11. openssl x509 -text -noout -in client.crt | cat > zabbix_client.crt && cat client.crt >> zabbix_client.crt
12. openssl x509 -text -noout -in server.crt | cat > zabbix_server.crt && cat server.crt >> zabbix_server.crt
13. Copy zabbix_ca_file, zabbix_client.crt and client_csr.key to the Zabbix proxy. Place them under a directory like /etc/zabbix/certs
14. Copy zabbix_ca_file, zabbix_server.crt and server_csr.key to the Zabbix server. Place them under a directory like /etc/zabbix/certs
15. Update Proxy configuration files with TLS values:
TLSConnect=cert
TLSAccept=cert
TLSCAFile=/etc/zabbix/certs/zabbix_ca_file
TLSServerCertIssuer=CN=COMPANY,DC=DOMAIN,DC=com
TLSServerCertSubject=CN=ZABBIX.DOMAIN.COM,OU=DEPARTMENT,O=COMPANY,L=CITY,ST=STATE,C=COUNTRYCODE
TLSCertFile=/etc/zabbix/certs/zabbix_proxy.crt
TLSKeyFile=/etc/zabbix/certs/zabbix_proxy.key
16. Update Server configuration files with TLS values:
TLSCAFile=/etc/zabbix/certs/zabbix_ca_file
TLSCertFile=/etc/zabbix/certs/zabbix_server.crt
TLSKeyFile=/etc/zabbix/certs/zabbix_server.key
17. In the Zabbix UI, under the proxy encryption config, update the Issuer or Subject
18. Restart the Zabbix Server and Zabbix Proxy services.
ls and file command output:
[root@hostname]# ls -l zabbix_ca_file
-rwx------ 1 zabbix zabbix 5870 Jan 30 16:24 zabbix_ca_file
[root@hostname]# ls -l zabbix_server.crt
-rwx------ 1 zabbix zabbix 7704 Jan 30 16:24 zabbix_server.crt
[root@hostname]# ls -l server_csr.key
-rwx------ 1 zabbix zabbix 3272 Jan 30 16:25 server_csr.key
[root@hostname]# file zabbix_ca_file
zabbix_ca_file: ASCII text
[root@hostname]# file zabbix_server.crt
zabbix_server.crt: ASCII text, with CR, LF line terminators
[root@hostname]# file server_csr.key
server_csr.key: ASCII text
Result:
Checking /var/log/zabbix/zabbix_server.log:
3866930:20220130:171905.062 cannot connect to proxy "HOSTNAME": TCP successful, cannot establish TLS to [[HOST-IP]:10051]: unable to get issuer certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/statem/statem_clnt.c line 1915: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
Checking /var/log/zabbix/zabbix_proxy.log:
1589690:20220130:171908.611 failed to accept an incoming connection: from HOST-IP: TLS handshake set result code to 1: file ssl/record/rec_layer_s3.c line 1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"
Expected:
The connection succeeds.
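A pre-flight check for the files produced in steps 10-14, as an added example that is not part of the original report or of Zabbix itself: it flags CR line endings (the `file` output above shows them on zabbix_server.crt), verifies that the certificate chains to the CA file (the check whose failure produces the "unknown CA" alert in both logs), confirms the key belongs to the certificate, and prints the issuer in the RFC 2253 form that TLSServerCertIssuer is compared against. The demo CA, leaf certificate and unrelated CA are constructed in a temp directory; only openssl on PATH is assumed.

```shell
# Added example, not part of the original report: sanity checks on the CA file,
# certificate and key before they are handed to Zabbix. Assumes only openssl on PATH.
# check_chain CA_FILE CERT_FILE KEY_FILE -> returns 0 when every check passes
check_chain() {
  ca=$1; crt=$2; key=$3
  # CR characters mean the file was produced or edited on Windows (the report's
  # `file` output shows one); treated as a failure here so it gets fixed first.
  for f in "$ca" "$crt" "$key"; do
    if [ "$(tr -cd '\r' < "$f" | wc -c)" -gt 0 ]; then
      echo "FAIL: $f contains CR line endings"; return 1
    fi
  done
  # The certificate must chain to the CA file; otherwise the peer answers with
  # exactly the "unknown CA" alert quoted in the logs above.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca"; return 1
  fi
  # The private key must belong to the certificate: compare the public keys.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $key is not the private key for $crt"; return 1
  fi
  echo "OK: $crt chains to $ca and matches $key"
}

# issuer_dn CERT_FILE -> issuer as an RFC 2253 string, the form TLSServerCertIssuer expects
issuer_dn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# make_demo -> prints a temp dir with a constructed CA, a leaf it signed, and an unrelated CA
make_demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=DEMO-CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=zabbix.demo" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/server.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=OTHER-CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  echo "$d"
}

if [ $# -eq 3 ]; then
  check_chain "$1" "$2" "$3"
else
  d=$(make_demo)
  check_chain "$d/ca.pem" "$d/server.crt" "$d/server.key"
  check_chain "$d/other.pem" "$d/server.crt" "$d/server.key" || true  # the report's failure
fi
```

Run it as `sh check_certs.sh /etc/zabbix/certs/zabbix_ca_file /etc/zabbix/certs/zabbix_server.crt /etc/zabbix/certs/zabbix_server.key` on the server (and with the proxy's files on the proxy) before restarting the services; with no arguments it runs the constructed demo, showing one passing and one "unknown CA" case.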