ZABBIX FEATURE REQUESTS / ZBXNEXT-9908

web.certificate.get - Enable chain build from incomplete certificate


    • New Feature Request
    • Resolution: Unresolved
    • Trivial
    • Agent2 (G)

      A web server may not serve the entire certificate chain to a client, as it may itself solely be configured to supply its own certificate and some intermediaries. Most browsers are capable of building the chain based off of the supplied certificate, by for instance adding the root certificate that was not originally present and then correctly determining that the certificate as served is trustworthy according to the system's certificate store.

      The Zabbix Agent 2 key web.certificate.get is currently unable to build a chain based off of an incomplete chain, causing some certificates to be declared invalid, even though they should not be according to the system's certificate store. Currently, there are two solutions to the problem presented:
       
      1. Add the topmost certificate as supplied within the certificate chain from the server to the trusted certificate store
      -> This may not be desirable as this would mean that other instances of an actually untrustworthy chain may suddenly be trusted

      2. Configure the web server to supply the entire certificate chain
      -> Whilst this may be more desirable than 1, this assumes that the user has access to the web server, which may not always be the case

      Given the above-mentioned explanations, I would like for web.certificate.get to receive an additional parameter like so:

      web.certificate.get[hostname,<port>,<address>,<build>]

      where <build> is a boolean that allows for the user to decide whether or not they wish for a received certificate to be used to build the chain and then check the validity of the chain. Naturally, this is solely an example and comparable solutions may also serve the original intent or might even be better suited for application within Zabbix.

      Thanks.

            zit Zabbix Integration Team
            fabian.blome Fabian Blome
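An added illustration, not part of the request and not Zabbix code: a sketch using Go's standard crypto/x509 package (Zabbix Agent 2 is written in Go) of path building from a served chain that omits the root. It compares validation when the root is in the trust store, when it is not, and when the topmost served certificate is added to the store as in workaround 1. The function names `issue`, `checkServed` and `scenarios`, the `example.test` hostnames and all certificates are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate; a nil parent yields a self-signed root.
func issue(name string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // parses the DER produced just above
	return cert, key
}

// checkServed verifies served[0] for host; served[1:] is untrusted path-building input, trust comes only from anchors.
func checkServed(served []*x509.Certificate, host string, anchors ...*x509.Certificate) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range served[1:] {
		opts.Intermediates.AddCert(c)
	}
	for _, a := range anchors {
		opts.Roots.AddCert(a)
	}
	_, err := served[0].Verify(opts)
	return err
}

func scenarios() (built, untrusted, pinned error) { // root trusted; nothing trusted; workaround 1
	root, rootKey := issue("root.example.test", true, nil, nil)
	mid, midKey := issue("intermediate.example.test", true, root, rootKey)
	leaf, _ := issue("www.example.test", false, mid, midKey)
	served, host := []*x509.Certificate{leaf, mid}, "www.example.test" // the server omits the root
	return checkServed(served, host, root), checkServed(served, host), checkServed(served, host, mid)
}
func main() { fmt.Println(scenarios()) }
```

The third result is nil even though the root is not trusted in that scenario, which is the effect described under workaround 1: once the topmost served certificate is an anchor, chains under it validate regardless of the root's status.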