I don't know if this will help but this is a simplified version of how Pl**k does it :
I have removed anything that doesn't concern SSL to make it easier to read.
With this CP you choose if a user has SSL and if the SSL docroot is the same as the non SSL.
Just by creating the SSL virtualhost seems to be enough for SSL to work with all browsers. Users just get an error saying that the cert does not correspond to the domain and are requested to accept the cert just like with a self generated cert.
I have tested this with all of the browsers I have found and havn't had any compatibiliy problems.