I think I have formed a plan.

I bind a connection using HTTP to 8080, and allow an auth route and a certificate route (protected by auth token).

Each instance encrpyts the certificate using the hashed password

The hashed password is used on the auth root to get an access_token

The instnace can then use this access_token to send its encrypted certificate to the other server, which gets put into the other servers truststore, allowing https to be used going forward.

I think this solves the concerns with a) shipping the same RootCA and b) sending unencrypted certificates via http.

I will implement this over the next couple of days. If someone spots any security concerns I have potentially missed with this, please comment otherwise I will mark it as the answer when I have tested it works.