When talking to IT guys or CxO level discussing an RFP, a green lock is mandatory via any method.
If you have a requirement that the site be accessible, by IP address, using the current version of Chrome, and have a green lock, the person who wrote the requirement is an idiot. It simply can't be done. OK, it could if you use a self-signed cert, but that brings up its own set of warnings, or you need to install your (self-signed) root CA cert manually on every client computer.
You could probably simply refuse to serve pages at all where the request was made by (external, at least) IP address rather than by FQDN; I'd expect that would be a relatively straightforward Apache configuration change.