Certificate isn't provided to IP address. It is issued for DNS name, and you need to verify domain ownership to get certificate (this is why you usually need public address with web server on it.
Anyway, you can get certificate for your public address and your domain, and than you just need clients to resolve ZD IP as this name.You need entry on your DNS server for it, and need clients using your DNS (as other DNS servers will not have this record.
For example, you get certificate for site name wispr.provider.com. Than you just configure network so than DHCP provides to clients your provider DNS address, and add there record that wispr.provider.com has 192.168.3.254 IP address.
This will make your ZD page trusted by browser, as certificate will match DNS entry for site.
Of cause, even better solution would be to have ZD accessible through public IP, in this case if this IP is properly mapped to the DNS name, client can use any DNS server to get to it. Many providers allow access to any DNS servers before WISPR authentication, to avoid issues with clients with static DNS settings, but there is an exploit for this to run runnel over DNS port and access Internet bypassing WISPR portal.
WISPE is old, outdated and insecure solution, there are now new and better methods, which are much more secure, but they require newer equipment and more knowledge to configure, so WISPR is still used extensively.