Similar to your Zabbix-frontend_encrypt 6 Secure connection to the frontend which document how to set up a self signed certificate for use with the zabbix-front end, I think similar documentation is needed on how to configure the zabbix web service to use TLS with google-chrome and self signed certificates/private cert authorities, as your documentation encourages using TLS certificate with the zabbix-front end and zabbix-web-server services but it doesn't provide any instruction on how to get google chrome to work with it.

I spent about 3.75 business days trying to get it to work and many communications with your support staff before we got it working. 

Things I think should be included in the article In addition to the setup stuff to get it working. 

After installing chrome. 
For each Zabbix server. 
1. install ca-certificates
apt install ca-certificates
dnf install ca-certificates

yum install ca-certificates

 

2. Adding the self signed certificates/ or private Certificates authority and changing files. 

For each certificate needed. 

A. create individual pem based .crt file for either the self signed certificate or separate files for the certificate authority's root certificate and if any one for each certificate chain certificate

B. Create a  zabbix users specific nss db folder (As of 4/20/2026 chrome requires additional certificates be configured on a users by users bases and does not use the system default NSS DB. )

sudo mkdir /FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/
e.g.
sudo mkdir /var/lib/zabbix/.pki/nssdb/

C. If using a Self signed certificate. 

{I did not do this not sure of actual "X,X,X" tags needed might  "c,," be enough, might you need "CT,,"

sudo certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb -A -t "X,X,X" -n " Unique description of the self signed certificate" -i /Path_to_self_signed_certificate.crt

 
D. If using a Private Certificate authority. 
i. Import Any internal Cert Authority certificate into the Database zabbix NSS DB. 
Where tag of X,X,X is as appropriate at least "CT,," but could be "CT,C,C" as appropriate for your certificate authority.

sudo certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb -A -t "CT,X,X" -n " Unique description of the root certificate" -i /Path_to_root_certificate.crt

ii. Import any certificate chain files. (if multiple items in chain repeat for each chain certificate) 
Where tag of X,X,X is at least "c,," but could be "c,c,c" or other as appropriate for your certificate authority. 

sudo certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb -A -t "c,c,c" -n "unique description of the chain certificate" -i /Path_to_chaning_certificate.crt

3. set sql permissions such the zabbix users can read the database. 
sudo chown -R zabbix:zabbix /FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/

sudo -c "chmod 0644 /FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/*"

4. Verify you have either your private certificate loaded in or your root certificates and all chaining files loaded into the zabbix users nssdb certificate database. 

certutil -d sql:/FULL_PATH_TO_ZABBIX_HOME/.pki/nssdb/ -L
e.g. certutil -d sql:/var/lib/zabbix/.pki/nssdb/ -L

5. Testing that chrome works with your TLS certificates outside of the Zabbix user interface. (All flages are required) Look for the HTML of your main web page. 
sudo -u zabbix google-chrome --headless --disable-gpu --dump-dom https://FQDN_OF_ZABBIX_SERVER

(Maybee include some debugging tips here for common google-chrome errors and causes.) 

Rational spent the best part of 4 days working with zabbix support to get enough clues to figure out how to make this work and test it correctly.