Reconfigure zabbix to read in TLS*Files as root user, then switch to zabbix user.


    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Trivial
    • Affects Version/s: 7.0.25
    • Component/s: Server (S)
    • Environment:
      Ubuntu 24.04 LTS

      Please make the zabbix-web-service (and probably zabbix-server) more secure by behaving more like apache/nginx, where on start up it loads in the TLS*Files settings files and then switches over to the zabbix user, to follow generally accepted certificate file best practices of having private keys and other certificate files stored on the box with ownership of root:root and permission of 0600, to try to protect those files, and especially the key file, from hackers.

      Currently, if the files referenced by the zabbix-web-service TLSCAFile, TLSCertFile or TLSKeyFile settings do not have at least root:zabbix 0640 and instead have the best practices settings of root:root 0600, the zabbix-web-service fails to start up with an error along the lines of "zabbix_web_service [586638]: ERROR: failed to start: open /etc/zabbix/certs/zabbix_web.key: permission denied."

            Assignee:
            Andris Zeila
            Reporter:
            Alex Kohr
            Votes:
            0
            Watchers:
            2

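The start-up order requested above (read the TLS key while still root, then switch to the zabbix account), as an added Go example. It is not Zabbix code: the `zabbix` account name, the `dropPrivileges` helper and the use of `os.ReadFile` in place of real TLS loading are assumptions, and the key path is the one from the reported error message.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/user"
	"strconv"
	"syscall"
)

// dropPrivileges switches the process to an unprivileged account. Groups and
// gid change first: once the uid is no longer 0 those calls are refused.
func dropPrivileges(uid, gid int) error {
	if os.Geteuid() != 0 {
		return errors.New("not running as root, nothing to drop")
	}
	if err := syscall.Setgroups([]int{gid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	if syscall.Setuid(0) == nil { // the drop must be irreversible
		return errors.New("root could be regained after drop")
	}
	return nil
}

func main() {
	// Key path from the error message in the report; account name assumed.
	const keyPath = "/etc/zabbix/certs/zabbix_web.key"
	key, err := os.ReadFile(keyPath) // still root: root:root 0600 is readable
	u, uerr := user.Lookup("zabbix")
	if err != nil || uerr != nil {
		fmt.Fprintln(os.Stderr, "failed to start:", err, uerr)
		os.Exit(1)
	}
	uid, _ := strconv.Atoi(u.Uid)
	gid, _ := strconv.Atoi(u.Gid)
	if err := dropPrivileges(uid, gid); err != nil {
		fmt.Fprintln(os.Stderr, "failed to start:", err)
		os.Exit(1)
	}
	_, reopenErr := os.Open(keyPath) // expected to fail now
	fmt.Printf("key bytes in memory: %d, uid=%d, reopen: %v\n", len(key), os.Getuid(), reopenErr)
}
```

With the key file at root:root 0600, the final reopen attempt reports permission denied while the key bytes stay available in memory, which is the behaviour the request asks for.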