I was looking at configuring certificate support in the Zabbix agent. Most of our servers are Windows, and we already have an internal CA in place, with certificates automatically delivered to those servers. But looking at Zabbix's support for certificate-based security, there is no support for using those certificates. I could, in theory, put in place a script that would export and convert those Windows certificates and use them for the Zabbix agent, but this seems like a lot of work, and fairly insecure, the private key being available on the file system.
Has there been any effort in this sense to improve the Windows agent to be able to access the CNG Windows cryptographic provider and use those certificates? This would have to include support for a certificate-embedded CRL distribution point, obviously. The idea that I'd have to manually distribute a CRL to every system sounds like a bad idea.
I will probably switch to pre-shared keys for the moment, but I would prefer using certificates instead.