Comments on: Name-based SSL virtual hosts in Apache
https://backreference.org/2009/12/17/name-based-ssl-virtual-hosts-in-apache/

By: Daniel (Sat, 21 Sep 2013 17:14:32 +0000) https://backreference.org/2009/12/17/name-based-ssl-virtual-hosts-in-apache/#comment-24988

THANKS!
By: waldner (Mon, 26 Mar 2012 16:26:59 +0000) https://backreference.org/2009/12/17/name-based-ssl-virtual-hosts-in-apache/#comment-24752
In reply to dogglebones.

I see now, thanks for the clarification.

By: dogglebones (Mon, 26 Mar 2012 16:16:02 +0000) https://backreference.org/2009/12/17/name-based-ssl-virtual-hosts-in-apache/#comment-24751
In reply to waldner.

You're right, there's no such thing as "SNI certificates": if a browser supports it, you'll get an indication of the hostname being requested along with the SSL connection request, and if a browser does not, you won't. So relying on it is not a good idea. The point of my post was to let people know that the SAN option is really the only way to go if you must virtualhost HTTPS, to provide a shell script that does the legwork of making *.domain.tld (and not necessarily *.*.domain.tld) self-signed certificates and/or certificate "requests" that can be signed by a paid authority, and to provide a way to configure a web server so that it -will- work with any number of virtualhosts and with any browser. (Note that, while my post has been slightly mangled, the shell script is intact and will work as intended.)

By: waldner (Sun, 25 Mar 2012 10:48:26 +0000) https://backreference.org/2009/12/17/name-based-ssl-virtual-hosts-in-apache/#comment-24750
In reply to dogglebones.

I'm not sure what point you're trying to make here. There's no such thing as "SNI certificates"; SNI is an extension of the SSL protocol and yes, it should be widely supported by browsers these days. However, since I'm not a big fan of mod_gnutls (admittedly, more because I haven't had the chance to play with it than anything else), I agree it would be nice if VirtualDocumentRoot could be used with SSL virtual hosts, perhaps using something like VirtualSSLCertificateFile and the like supporting template patterns.
As a side note, beware that a wildcard certificate for *.domain.tld only covers abc.domain.tld and not abc.def.domain.tld (that is, only one level below).

By: dogglebones (Wed, 21 Mar 2012 20:53:51 +0000) https://backreference.org/2009/12/17/name-based-ssl-virtual-hosts-in-apache/#comment-24748

Below is a shell script (bash) that, combined with my commentary, will hopefully save you all a good bit of digging. To say the least, this stuff is quite cryptic (ha!).

Here's what the VHOST + SSL situation boils down to: You can use "SNI" certificates which are not widely supported client-side, or use "SAN" certificates which are secure but you lose authenticity (to some degree), or hack your web server to dedicate a certain listening IP or port to a certain certificate. The shell script assumes you want that middle option.

There is currently no way to set up Apache to use VirtualDocumentRoot in conjunction with SSL certificates. The folks at http://www.outoforder.cc who make mod_gnutls also make a thing called mod_vhost_dbi. Here's a snippet from their documentation page, modified slightly to enable SSL stuff:

VhostDbiEnabled On
VhostDbiConnName Server1
[SSLEngine on]
VhostDbiQuery "SELECT ServerName, DocumentRoot, Username[, SSLCertificateFile, SSLCertificateKeyFile]" FROM vhost_info WHERE ServerName = "

Sexy trick, sure, but frankly I'd rather modify my <VirtualHost>s by hand than integrate some stinking SQL database. Nevertheless it seems to be an option.

The way I've got my server running, HTTP port 80 uses VirtualDocumentRoot and there's no site-specific configuration. HTTPS port 443 uses a <VirtualHost> container for each site, in the following way:

# <VirtualHost> tags restored (they were stripped from the post); the *:443 address is assumed
<VirtualHost *:443>
    DocumentRoot /var/www/domain.tld
    ServerName www.domain.tld
    ServerAlias domain.tld *.domain.tld
    SSLEngine On
    SSLCertificateFile /var/www/domain.tld/turkishkitchenaz.com.crt
    SSLCertificateKeyFile /var/www/domain.tld/turkishkitchenaz.com.key
</VirtualHost>

As for the certificates themselves, you may want them self-signed and you may want to use a "trusted" certificate authority (so you can get one of those coveted green address bars perhaps). Because you have to use VirtualHost containers for each site you're serving, you can use domain-specific certificates, but I assume you will want the certificate to work with any sub-domain too (like my ServerAlias directive above might).

--- mkcert.sh ---

#!/bin/bash
# Interactive helper: creates either a self-signed certificate (.crt) or an
# unsigned certificate request (.pem) for one domain. Either way the
# subjectAltName covers the apex (domain.tld) and one wildcard level
# (*.domain.tld), which is what lets a single certificate serve every
# sub-domain of a <VirtualHost> with "ServerAlias domain.tld *.domain.tld".

clear

echo -ne "Hello. You must be hoping to create a SSL/TLS security certificate (and key).\n\nBy default, this key will be self-signed. However, you can decide instead to\ncreate an un-signed certificate request (.pem) file to be signed by a\nrecognized certificate authority.\n\nPlease choose from the following options.\n\n s: create a self-signed certificate .crt file (default)\n u: create an un-signed certificate request .pem file\n q: quit\n> "
read go

if [ "$go" = "u" ]; then
    echo -ne "What is your country code?\n> "
    read c
    echo -ne "What is your state/province?\n> "
    read st
    echo -ne "What is your city?\n> "
    read l
    echo -ne "What is your organization name?\n> "
    read o
elif [ "$go" = "q" ]; then
    echo -e "\nHave a nice day."
    exit 0
fi

echo -ne "What is your domain name?\n> "
read domain

if [ -z "$domain" ]; then
    echo "No domain was given."
    exit 1
fi

echo -ne "What is the path where your certificate files should be saved?\n> "
read path
echo -ne "For how many days will your certificate be valid?\n> "
read days

# Defaults for anything left blank.
if [ -z "$path" ]; then path="."; fi
if [ -z "$c" ]; then c="US"; fi
if [ -z "$st" ]; then st="Arizona"; fi
if [ -z "$l" ]; then l="Phoenix"; fi
if [ -z "$o" ]; then o="PLUG"; fi
if [ -z "$days" ]; then days="365"; fi

if [ ! -d "$path" ]; then
    echo "No such directory exists."
    exit 1
fi

# Scratch files for the OpenSSL config and the request; removed on exit
# whatever happens, instead of "deleteme.*" left in the working directory.
cfg=$(mktemp) || exit 1
csr=$(mktemp) || exit 1
trap 'rm -f "$cfg" "$csr"' EXIT

echo -ne "\nCreating your certificate ..."
if [ "$go" = "u" ]; then
    # Unsigned request: the key lands in default_keyfile, and the answers
    # given above become the subject (they were asked for but unused before).
    # The SAN is put into the request so the CA can copy it across.
    cat > "$cfg" <<EOF
[ req ]
default_days = $days
default_keyfile = $path/$domain.key
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $c
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = $st
localityName = Locality Name (eg, city)
localityName_default = $l
organizationName = Organization Name
organizationName_default = $o
commonName = Common Name (eg, YOUR name)
commonName_default = $domain
commonName_max = 64
[ v3_req ]
subjectAltName = DNS:$domain,DNS:*.$domain
EOF
    openssl req -batch -config "$cfg" -newkey rsa:2048 -out "$path/$domain.pem" 2>/dev/null
else
    # Self-signed: generate the key, build a request from the subject, then
    # sign it with the same key while adding the SAN from the extension file.
    echo "subjectAltName=DNS:$domain,DNS:*.$domain" > "$cfg"
    openssl genrsa -out "$path/$domain.key" 2048 2>/dev/null \
        && openssl req -new -key "$path/$domain.key" \
               -subj "/C=$c/ST=$st/L=$l/O=$o/CN=$domain" -out "$csr" 2>/dev/null \
        && openssl x509 -req -in "$csr" -signkey "$path/$domain.key" -days "$days" \
               -text -extfile "$cfg" -out "$path/$domain.crt" 2>/dev/null
fi
rc=$?
# The private key is stored unencrypted, so keep it readable by the owner only.
chmod 400 "$path/$domain.key" 2>/dev/null

if [ "$rc" -eq 0 ]; then
    echo " done."
else
    echo " failed (openssl exited with status $rc)."
fi

echo -e "\nHave a nice day."
exit "$rc"
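As an added example (not code from the original post or from the blog), the following non-interactive bash script does the same job as the script above without prompts, then uses OpenSSL's own hostname check to show which names the resulting certificate actually covers. It also demonstrates waldner's caveat from the comment above: the DNS:*.domain.tld entry covers abc.domain.tld but not abc.def.domain.tld. The domain example.test, the hostnames and the output paths are constructed placeholders.

```shell
#!/bin/bash
# Added example, not from the original post: build a self-signed certificate
# whose subjectAltName lists the apex and a one-level wildcard, then ask
# OpenSSL which hostnames it matches (browsers apply the same RFC 6125 rule).
# "example.test" and the output paths are constructed placeholders.

# mkcert_san DIR DOMAIN: writes DIR/DOMAIN.key and DIR/DOMAIN.crt with
# subjectAltName = DNS:DOMAIN, DNS:*.DOMAIN. A temporary config is used
# instead of -addext so it also works with OpenSSL older than 1.1.1.
mkcert_san() {
    local dir="$1" domain="$2" cfg rc
    cfg=$(mktemp) || return 1
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = DNS:%s,DNS:*.%s\n' \
        "$domain" "$domain" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$domain" -config "$cfg" -extensions san \
        -keyout "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    chmod 400 "$dir/$domain.key" 2>/dev/null   # key is unencrypted
    return "$rc"
}

# cert_matches CRT HOST: exit 0 when HOST is covered by CRT's names, 1 otherwise.
# Relies on OpenSSL's hostname check, whose wildcard rule (one label only,
# leftmost position) is the one browsers use, so *.d.tld never covers a.b.d.tld.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# san_names CRT: prints the DNS names in the certificate, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Stand-alone demonstration with the constructed domain.
workdir=$(mktemp -d)
mkcert_san "$workdir" example.test
echo "names in certificate:"; san_names "$workdir/example.test.crt"
for host in example.test www.example.test a.b.example.test other.test; do
    if cert_matches "$workdir/example.test.crt" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered (needs its own SAN entry or a second wildcard level)"
    fi
done
rm -rf "$workdir"
```

The same cert_matches check is a quick way to confirm, before reloading Apache, that every ServerName and ServerAlias of a <VirtualHost> is really covered by the certificate it points at.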
