- Type: Documentation task
- Resolution: Unresolved
- Priority: Trivial
- None
- Affects Version/s: None
- Component/s: Documentation (D)
Like the "6 Secure connection to the frontend" documentation, which describes how to set up a self-signed certificate for use with the Zabbix frontend, documentation is needed on how to configure zabbix-web-service to use TLS with Google Chrome and self-signed certificates or private certificate authorities.
The current documentation encourages using TLS certificates with the Zabbix frontend and zabbix-web-service, but it does not provide clear instructions on how to configure Google Chrome to work with such certificates.
The following information could be included in the article, in addition to the basic setup steps required to get it working.
After installing Chrome, for each Zabbix server:
- Install ca-certificates. For Debian/Ubuntu:
apt install ca-certificates
For RHEL-based systems:
dnf install ca-certificates
Or:
yum install ca-certificates
- Add self-signed certificates or private certificate authority certificates. For each certificate needed:
- Create an individual PEM-based .crt file for the self-signed certificate, or separate files for the certificate authority's root certificate and, if any, one for each chain certificate;
- Create an NSS DB folder specific to the zabbix user (as of 4/20/2026, Chrome requires additional certificates to be configured on a user-by-user basis and does not use the system default NSS DB):
sudo mkdir -p /FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/
Example:
sudo mkdir -p /var/lib/zabbix/.pki/nssdb/
- If using a self-signed certificate:
The exact trust flags may need to be confirmed. For example, "c,," may be enough, or "CT,," may be required:
sudo certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb -A -t "X,X,X" -n " Unique description of the self signed certificate" -i /Path_to_self_signed_certificate.crt
- If using a private certificate authority:
- Import any internal certificate authority certificate into the zabbix NSS DB, where the X,X,X trust flags are at least "CT,," but could be "CT,C,C", as appropriate for your certificate authority:
sudo certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb -A -t "CT,X,X" -n " Unique description of the root certificate" -i /Path_to_root_certificate.crt
- Import any certificate chain files (if there are multiple items in the chain, repeat for each chain certificate), where the X,X,X trust flags are at least "c,," but could be "c,c,c" or other, as appropriate for your certificate authority:
sudo certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb -A -t "c,c,c" -n "unique description of the chain certificate" -i /Path_to_chaining_certificate.crt
- Set permissions on the SQL database files so that the zabbix user can read the database:
sudo chown -R zabbix:zabbix /FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/
sudo sh -c "chmod 0644 /FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/*"
- Verify that either your private certificate, or your root certificates and all chain files, are loaded into the zabbix user's nssdb certificate database:
certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/ -L
For example:
certutil -d sql:/var/lib/zabbix/.pki/nssdb/ -L
- Test that Chrome works with your TLS certificates outside of the Zabbix user interface (all flags are required). Look for the HTML of your main web page:
sudo -u zabbix google-chrome --headless --disable-gpu --dump-dom https://FQDN_OF_ZABBIX_SERVER
It would also be useful to include troubleshooting tips for common Google Chrome TLS/certificate errors and their possible causes.
Without the required documentation section, configuring this can require significant troubleshooting. Adding these steps can help users.
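An added example, not part of the original ticket or of the Zabbix documentation: a POSIX shell check for the verification step above that reads `certutil -L` output and confirms that a nickname carries the required SSL trust flags (for example "CT" for a root CA). The listing and nicknames are constructed sample data, and the column layout is assumed to match certutil's usual `-L` output.

```shell
#!/bin/sh
# Added example: check SSL trust flags in `certutil -L` output.
# Assumption: each entry line is "<nickname><spaces><SSL,S/MIME,JAR/XPI flags>".

# Constructed sample listing (hypothetical nicknames, not from a real host).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Internal Root CA                                     CT,,
Example Issuing CA 1                                         c,,
'

# ssl_trust NICKNAME: listing on stdin; prints the SSL trust field.
# Exit status 1 if the nickname is not listed. Leading spaces in the
# listed nickname are ignored.
ssl_trust() {
    awk -v want="$1" '
        # Entry lines end in three comma-separated flag groups, e.g. "CT,,".
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flags column
            sub(/^[ \t]+/, "", nick)
            if (nick == want) { split($NF, f, ","); print f[1]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# has_flags NICKNAME FLAGS: listing on stdin.
# Returns 0 if every letter of FLAGS is in the SSL field (case-sensitive,
# since "C" and "c" are different flags), 1 if one is missing,
# 2 if the nickname is not in the database.
has_flags() {
    got=$(ssl_trust "$1") || return 2
    for flag in $(printf '%s' "$2" | sed 's/./& /g'); do
        case "$got" in *"$flag"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Demo on the constructed listing. On a real host, pipe in the output of:
#   certutil -d sql:/var/lib/zabbix/.pki/nssdb/ -L
printf '%s\n' "$SAMPLE_LISTING" | has_flags "Example Internal Root CA" CT \
    && echo "root CA carries CT in the SSL field"
printf '%s\n' "$SAMPLE_LISTING" | has_flags "Example Issuing CA 1" C \
    || echo "issuing CA is only marked valid (c), not trusted (C)"
```

A return code of 2 points at a certificate that was imported under a different nickname or into a different user's database; a return code of 1 points at the trust flags passed to `-t`.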