I have a system setup with a domain with unlimited subdomains. I can easily encrypt "secure" information by buying a wildcard SSL certificate. Secure information is just logging in and registering (no CC or SSN type stuff).

The problem becomes that each client can have upto 2 "vanity" URLs (in addition to the subdomain). So the following 2 domains are identical:

www.site1.com
site1.mydomain.com

One solution would be to require that each client that wants to encrypt a domain actually purchase their own SSL certificate. I could then buy a wildcard SSL for all of the subdomains.

Another thought would be to buy one SSL certificate (i.e. secure.mydomain.com) and post all forms to this domain. Process the data via PHP and then redirect back through a convoluted process to set cookies, etc.

For instance to login:

www.site1.com/foo/bar ->
secure.mydomain.com ->
www.site1.com/process.php?sid=SESSION ID ->
www.site1.com/foo/bar

process.php would initialize session and save cookies under this domain.

Am I missing something simpler? Would option number 2 even work?

There is only a couple of users that complain that their data is not "secure". Knowing the "cheapness" of the clients I can't imagine most of them actually wanting to spend upwards of $150 a year.

I would rather go with option #2 as that will "solve" it for all clients.