mod rewrite for https and http

how to make all https non www and http with www

         

mihomes

12:32 am on Nov 28, 2008 (gmt 0)

10+ Year Member



Okay, here is the scenario. I just purchased an SSL cert for a domain. It is only issued for example.com and not www.example.com.

My problem is that I currently use redirect in my htaccess so all non-www pages become www.example.com/whatever.htm. Here is my current code:

RewriteEngine On
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^example.com
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

Now, because my cert is supposedly only good for non-www pages, how can I make sure that anything https is non-www and anything http IS www!?

[edited by: encyclo at 1:07 am (utc) on Nov. 28, 2008]
[edit reason] switched to example.com [/edit]

Samizdata

1:07 am on Nov 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Untested, but might solve your problem:

# Set Options
Options +FollowSymLinks
# Turn on mod_rewrite
RewriteEngine On

# If not a HTTPS request
RewriteCond %{THE_REQUEST} !^GET\ https [NC]

# Uncomment if on dedicated IP
# RewriteCond %{HTTP_HOST} .

# If not the www subdomain
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
# Redirect to www subdomain
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

...

Samizdata

1:21 am on Nov 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Oops, you will probably want to allow submissions as well:

# If not a HTTPS request
RewriteCond %{THE_REQUEST} !^(GET¦POST)\ https [NC]

Replace the broken pipe symbol with a solid pipe (this forum doesn't allow them).

Hope this helps.

...

mihomes

2:00 am on Nov 28, 2008 (gmt 0)

10+ Year Member



Okay, because I was running into problems with the cert as it is single root, I had them reissue my cert for www.widgets.com.

I guess my NEW question is...

All https non-www requests go to https www
all http non-www requests go to http www

Samizdata

3:34 am on Nov 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The question now becomes "will anyone ever request a non-www HTTPS URL"?

If your internal linking doesn't specify one it would seem unlikely.

But everything depends on everything else.

...

mihomes

4:01 am on Nov 28, 2008 (gmt 0)

10+ Year Member



Really all I am worried about now is not throwing errors for non-secure content. My site is http... the order page will be https... now, when I get this new cert the www.widgets.com will be secure. I am quite sure that all my links are relative so no errors should show whether a customer is in either, however, I do link to Google Analytics on all my pages, so being that the link is http for the script they will always receive the error on pages when in https - does that make sense?

jdMorgan

4:41 am on Dec 2, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Now that your cert is for "www", you can use something like this:

RewriteEngine On
Options +FollowSymLinks
#
# Redirect FQDN, appended-port-number, and non-www hostname requests to
# canonical www subdomain, preserving original http/https protocol
RewriteCond %{HTTP_HOST} ^www\.example\.com(\.¦\.?:[0-9]+)$ [OR]
RewriteCond %{HTTP_HOST} ^example\.com
RewriteCond %{SERVER_PORT}s ^(443(s)¦[0-9]+s)$
RewriteRule (.*) http%2://www.example.com/$1 [R=301,L]

Important: Replace the broken pipe "¦" character in the regex pattern with a solid pipe character before use; posting on this forum modifies the pipe character.

This won't solve the "mixed secure/non-secure content warning" problem on your secure pages, though. What I would suggest is to clearly demarcate the secure and non-secure pages of your site, link accordingly, and force http on non-secure pages and https on secure pages by using canonical links between them with mod_rewrite to enforce that as well.

For example, when linking from an http page to an https page, use <a href="https://secure-cart.html"> and when linking from a secure page back to a non-secure page, use <a href="http://non-secure-page.html">. Then add rules to .htaccess (or your server config file) to force a redirect if someone directly types in or links to a page using the wrong "flavor" of http. The simplest way to do this is based on the fact that most shopping carts' checkout scripts go into a separate subdirectory, so it's usually a simple matter of forcing https for all URLs that resolve to that subdirectory, and forcing http for all other URLs. There may be a few exceptions to that simple rule, but most sites can use this approach and use a few RewriteConds on the RewriteRules to take care of the few exceptions.

You might then end up with only a very few 'secure' pages, and you could remove the GA code from those few pages, and infer the click-path through those pages from the fact that the order was received or that the "Thank You" page was loaded.

Jim
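
The subdirectory approach described in the post above, written out as an added example that is not part of the original thread. It assumes a root-level .htaccess, standard ports (80 for http, 443 for https), a checkout directory named /checkout/ and a list of static file extensions; the directory name and the extension list are hypothetical and must be adapted to the site.

```apache
RewriteEngine On
Options +FollowSymLinks

# Assumption: checkout scripts live under /checkout/ (hypothetical path).

# 1. Checkout URLs requested over plain http are redirected to https.
#    In .htaccess the RewriteRule pattern sees the path without its leading
#    slash, while %{REQUEST_URI} carries the full path with it.
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^checkout/ https://www.example.com%{REQUEST_URI} [R=301,L]

# 2. Everything else requested over https is redirected back to http.
#    Exceptions are handled with extra RewriteConds:
#    - the checkout directory itself stays on https
#    - static assets (assumed extension list) that checkout pages pull in
#      through relative links stay on https, so the secure pages do not
#      load them over http and trigger a mixed-content warning
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} !^/checkout/
RewriteCond %{REQUEST_URI} !\.(css|js|gif|jpe?g|png|ico)$ [NC]
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
```

Both rules redirect straight to www.example.com, so when they are placed ahead of the canonical-hostname rule a request with the wrong protocol and the wrong hostname is corrected in a single redirect. The query string is carried over automatically because neither substitution contains one.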