We have multiple servers and a load-balancer. When a server is first configured, a self-signed certificate is created. The server then registers its fixed IP with the load balancer.
When our own Android app wants to access the server, the load balancer tells it the IP. As we can trust our own certificate by installing it in SSLContext, the Android app can communicate with the server using SSL.
Problem: We want to extend the system so that arbitrary browsers can access our servers, but these won't trust our self-signed certificate and show an ugly message to users.
Ergo, we will have to use a certificate from a trusted CA. But here we have the problem that the load balancer uses IPs, not a domain (can be changed). If we wanted to use a domain-based certificate, we would have to manually install the cert on each server, and/or we would have to configure DNS for the domain.
How are SSL certificates verified? explains the steps during authentication, but what I don't clearly see is how the browser knows that the IP it contacts belongs to a given domain. Does it look at the reverse entry? Can I trick this system somehow in order to work around manual installation and/or configuring DNS? Also, I thought even a domain cert is typically issued to an IP, so I would have to re-issue it for every server. Can anybody connect the dots? What would be the best way to configure servers automatically as we currently do, but with certs from a CA instead of self-signed certs? Is anybody aware of a CA with an API which I could use?
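The question above turns on what a browser actually compares when it checks a certificate: it matches the host it was asked to connect to (the name or IP literal in the URL) against the certificate's subjectAltName entries, and never performs a reverse DNS lookup. The following added example, which is not part of the original post, implements that matching rule in pure Python over a constructed certificate dictionary shaped like what Python's `ssl.getpeercert()` returns. The certificate data, the `SAMPLE_CERT` name and the helper functions are assumptions made for this illustration; the matching rules follow RFC 6125 (wildcard only as the whole leftmost label, IP literals satisfied only by an iPAddress SAN, and the CN ignored, as current browsers do).

```python
import ipaddress

# Constructed sample of the dict returned by ssl.SSLSocket.getpeercert()
# for a certificate carrying several subjectAltName entries.
# This is illustrative data, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.app.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _match_dns(pattern, hostname):
    """RFC 6125-style comparison of one dNSName SAN against the requested host.

    A wildcard is accepted only as the entire leftmost label and must stand
    for exactly one label, so "*.app.example.com" covers "api.app.example.com"
    but neither "app.example.com" nor "a.b.app.example.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if any(not label for label in h_labels):
        return False  # empty labels (".example.com", "a..b") never match
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard rules: same number of labels, at least three labels
    # (no "*.com"), and the wildcard must be the whole first label.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False  # partial wildcards like "f*.example.com" are rejected
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, requested):
    """Decide whether the host from the URL is covered by the certificate.

    Returns (ok, reason). The reverse DNS entry of the peer's IP plays no
    role: only the name or IP literal the client asked for is compared.
    """
    sans = cert.get("subjectAltName", ())

    # An IP literal in the URL can only be satisfied by an iPAddress SAN;
    # dNSName entries and the CN are not consulted for it.
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, f"matched iPAddress SAN {value}"
        return False, "no iPAddress SAN equals the requested IP literal"

    dns_names = [value for kind, value in sans if kind == "DNS"]
    if not dns_names:
        # Current browsers require a dNSName SAN; a CN-only certificate fails.
        return False, "certificate has no dNSName SAN (CN alone is not accepted)"
    for name in dns_names:
        if _match_dns(name, requested):
            return True, f"matched dNSName SAN {name}"
    return False, "no dNSName SAN matches the requested host"


if __name__ == "__main__":
    for host in ("www.example.com", "api.app.example.com", "app.example.com",
                 "203.0.113.10", "203.0.113.11"):
        ok, why = hostname_matches(SAMPLE_CERT, host)
        print(f"{host:22} -> {'OK ' if ok else 'FAIL'} ({why})")
```

Run as a script, the block prints which requested hosts the sample certificate covers. The practical consequence for the setup in the question is visible in the IP branch: a client that connects to a bare IP will only accept a certificate whose SAN lists that exact IP, which is why a per-server domain name (and DNS for it) is the usual route to a CA-issued certificate that browsers accept.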