When your web browser visits a secure website, the experience is seamless. Many in-home appliances also have web servers built in. If you were to point your browser to a WiFi-enabled lightbulb running its own web server at https://192.168.1.123, the browser would most likely give you a big scary warning.
What to do? This writeup explains most of the technical details of how plex did it. I think it’s a fascinating read. There are at least a couple of CAs that offer services to make this possible.
“… they partnered with Digicert to issue a wildcard certificate for *.HASH.plex.direct to each user…”
“the client, instead of connecting to http://18.104.22.168:32400, connects to https://1-2-3-4.625d406a00ac415b978ddb368c0d1289.plex.direct:32400 which resolves to the same IP, but with a domain name that matches the certificate that the server (and only that server, because of the hash) holds.”