Proxy and Agent encryption cert from Windows CA

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • philthynz
    Junior Member
    • Jun 2016
    • 27

    #1

    Proxy and Agent encryption cert from Windows CA

    Can anyone provide a guide on how to generate certs from a windows CA template and use it for Zabbix Proxy?

    I have read the doc at https://www.zabbix.com/documentation...g_certificates and have an "unsupported certificate" error when trying to use it.
  • philthynz
    Junior Member
    • Jun 2016
    • 27

    #2
    Managed to figure it out after looking at other configs and issues in the Zabbix forums. One can use this to generate certs from a Windows CA; the same principle should work for other CAs:

    ## Create certificate template
    Open "Certificate Authority" --> Certificate Templates --> Manage --> Duplicate one template. You will need to find one that allows you to change these settings:
    - Compatibility (Choose a server version that matches your DC's)
    - General (Change the name, valid period and renewal period)
    - Security (Give your admin user enroll rights)
    - Request handling (Allow private key export)
    - Cryptography (Should be "Determined by CSP" and 4096 key size)
    - Subject Name (Change to Supply in request)
    - Server (Change to do not include revocation information)
    - Extensions:
      - Add Client and Server Authentication
      - For Key Usage, tick Digital Signature; under encryption, allow key exchange only with key encryption

    Back under Certificate Templates, wait for the template to show up from New --> Certificate Template to Issue. Add the new template when it's available.

    ## Get CA cert from Windows CA
    Open "Certificate Authority" --> Right click on the organization --> Properties --> General --> View Certificate --> Details --> Copy to File --> Export in DER format --> Save file as ca_cert.cer

    ## Change to a working directory
    mkdir ~/certs

    cd ~/certs

    ## Copy needed files
    Copy the ca_cert.cer from the CA server to the working directory

    ## Convert Windows CA DER to PEM
    openssl x509 -inform der -in ca_cert.cer -out ca_cert.pem

    ## Generate the csr request for the client. Complete all the information as needed
    openssl req -new -newkey rsa:4096 -nodes -keyout client_csr.key -out client_csr.csr

    ## Generate the csr request for the server. Complete all the information as needed
    openssl req -new -newkey rsa:4096 -nodes -keyout server_csr.key -out server_csr.csr

    ## Request cert from CA
    Go to your CA's cert portal. Usually under https://ca-server.domain.com/certsrv

    Go to Request a certificate --> Submit a certificate request --> Paste in the client cert and select the template created before. Do the same for the server cert. Download the certs (not chain) and save to the working directory as client_cert.cer for the client and server_cert.cer for the Server.

    ## Convert Windows DER to CRT
    openssl x509 -inform der -in client_cert.cer -out client.crt

    openssl x509 -inform der -in server_cert.cer -out server.crt

    ## Create new Zabbix certificates
    ### CA Cert
    openssl x509 -text -noout -in ca_cert.pem | cat > zabbix_ca_file && cat ca_cert.pem >> zabbix_ca_file
    ### Client cert
    openssl x509 -text -noout -in client.crt | cat > zabbix_client.crt && cat client.crt >> zabbix_client.crt
    ### Server cert
    openssl x509 -text -noout -in server.crt | cat > zabbix_server.crt && cat server.crt >> zabbix_server.crt

    ## You should end up with these certs ready for Zabbix
    zabbix_ca_file = Windows CA cert

    zabbix_client.crt = Cert for Zabbix clients

    zabbix_server.crt = Cert for Zabbix server

    client_csr.key = The key for the client cert

    server_csr.key = The key for the server cert

    ## Get Issuer and Subject in correct format
    ### Client
    openssl x509 -noout -issuer -subject \
    -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname \
    -in zabbix_client.crt
    ### Server
    openssl x509 -noout -issuer -subject \
    -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname \
    -in zabbix_server.crt

    From this output, you will see the correct format Zabbix needs for these fields. The Client output goes on the Zabbix server UI. The Server output goes in the Client config file.

    ## Copy files to servers
    Copy zabbix_ca_file, zabbix_client.crt and client_csr.key to the Zabbix client / proxy. Place them under a directory like /home/zabbix/certs

    Copy zabbix_ca_file, zabbix_server.crt and server_csr.key to the Zabbix server. Place them under a directory like /home/zabbix/certs

    ## Configure Zabbix client / proxy and server
    ### Client / proxy
    Under /etc/zabbix/zabbix_proxy.conf, use this TLS config. The "TLSServerCertIssuer" and "TLSServerCertSubject" should be the output from the data we got before.

    TLSConnect=cert

    TLSAccept=cert

    TLSCAFile=/home/zabbix/certs/zabbix_ca_file

    TLSServerCertIssuer=CN=COMPANY,DC=DOMAIN,DC=com

    TLSServerCertSubject=CN=ZABBIX.DOMAIN.COM,OU=DEPARTMENT,O=COMPANY,L=CITY,ST=STATE,C=COUNTRYCODE

    TLSCertFile=/home/zabbix/certs/zabbix_proxy.crt

    TLSKeyFile=/home/zabbix/certs/zabbix_proxy.key

    ### Server config
    Under /etc/zabbix/zabbix_server.conf, use this config:

    TLSCAFile=/home/zabbix/certs/zabbix_ca_file

    TLSCertFile=/home/zabbix/certs/zabbix_server.crt

    TLSKeyFile=/home/zabbix/certs/zabbix_server.key

    ### Server UI config
    In the Zabbix UI, under the client or proxy encryption config, update the Issuer or Subject with the data collected previously.

    ## Restart services
    ### Client / proxy
    sudo systemctl restart zabbix-agent or sudo systemctl restart zabbix-proxy
    ### Server
    sudo systemctl restart zabbix-server

    If you look in the respective log files under /var/log/zabbix, you should see the connection succeed.
