web.certificate.get was already a real enrichment, but still the handling of hosts which can't install/use a Zabbix agent is very difficult. The official recommendation at the moment is simply to use any remote Zabbix agent and monitor the remote host's certificate through it. However, this is very unattractive and impractical for several reasons.
For example, if you let any remote agent do it, items and triggers are logically only within the remote host. If you have customers who can only see their own hosts because of their permissions, they will not have access to the alerts. Of course, you can create empty dummy hosts with only certificate items to get around this a bit better, but I find this not clean. I also find this solution a bit unfortunate, because then not all items of a host are assigned to the same host object.
A logical step would be to have some kind of simple check available for Zabbix server and Zabbix proxy. Maybe the base and thoughts of web.certificate.get can be used again for this. Or you can go a completely different way as suggested in ZBXNEXT-1147.