JVB, websockets and SSL

I’ve started a totally fresh install of Jitsi-meet (using the latest guide here: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart ) , and on a separate server, JVB2 (following this https://github.com/jitsi/jitsi-videobridge/blob/master/doc/web-sockets.md).
I’ve been struggling all day with websocket connection errors on the separate JVB machine, but now seem to have solved it by:
1 - setting the videobridge jvb.conf to include this:

videobridge {
    http-servers {
        public {
            tls-port = 443
            key-store-path=/etc/jitsi/videobridge/ssl.store
            key-store-password=<my_KEY_STORE_PASSWORD>
        }
    }
}

and 2 - creating a java-compatible keystore using certbot, openssl and keytool, and saving it in the above specified location ssl.store.

Now Websocket can connect successfully to the separate JVB machine. Yay.

So now…
a) Is this really the way I’m supposed to do it? If this is what’s needed on a dedicated JVB instance, then why is the default set to non-ssl port 9090?

b) Could someone please update the documentation to be clearer about this? It seems pretty important that the default setup will not work for a dedicated JVB machine, and you have to setup a DNS/SSL/keystore configuration to make it work…

c) how is this supposed to work with auto-scaling? If I have to generate a unique keystore/ssl config for each JVB, how can I dynamically add-remove machines conveniently?

Thanks for any help or ideas in this area.
Cheers,
David