I have a SaaS that sends out emails in the name of my customers and I am trying to set up HTTPS for the email tracking links (I'm using PHP and Apache), but I have yet to come up with a practical solution. I know how to generate tracking links and do the redirects to the original URLs after logging the link clicks; I just don't know how to implement HTTPS on those tracking links.
One possible solution could be to do what a lot of email service providers do for tracking links: I would ask every customer to create a CNAME record pointing from their domain to my domain (tracking.mycustomersdomain.com -> tracking.mysaasdomain.com). I could then use a PHP library to dynamically generate a Let's Encrypt certificate for their subdomain (tracking.mycustomersdomain.com) and would also be able to verify the subdomain for the certificate because the certificate would reside on my own server. The problem is, I'd still need to enable the certificate in the Apache vhosts file and restart the Apache service, so my server could start encrypting the tracking links with the appropriate certificate (but from what I've been able to research so far, this can be done neither directly from PHP nor from .htaccess files; plus, frequent restarts would likely disrupt the operations on a live site).
So this brings me right to my two-part question...
Can I programmatically enable a just-generated certificate for a given customer domain without (manually) restarting Apache?
Is there a better / best practice alternative to what I've described above to secure the tracking links in the emails I send out?
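
The CNAME setup described in the question implies a check before any certificate is requested: only proceed for a syntactically valid customer hostname whose CNAME really targets the tracking host. The sketch below is an added example, not code from the original post; the function names are hypothetical, the host names are the ones used in the post, and the DNS records are constructed so it runs offline.

```php
<?php
declare(strict_types=1);

// Host name taken from the post: the SaaS-side target of the customer CNAME.
const TRACKING_TARGET = 'tracking.mysaasdomain.com';

/** Lower-case a hostname and drop the trailing root dot so comparisons are exact. */
function normalizeHost(string $host): string
{
    return rtrim(strtolower(trim($host)), '.');
}

/** Accept only plain DNS hostnames: no wildcards, no IP literals, no odd characters. */
function isValidHostname(string $host): bool
{
    $re = '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$/';
    return $host !== '' && strlen($host) <= 253 && preg_match($re, $host) === 1;
}

/**
 * True only if $customerHost has a CNAME record whose target is the tracking host.
 * $lookup is injectable (hypothetical parameter) so the check runs without network
 * access; by default it calls PHP's dns_get_record().
 */
function cnameReadyForIssuance(string $customerHost, ?callable $lookup = null): bool
{
    $host = normalizeHost($customerHost);
    if (!isValidHostname($host) || $host === TRACKING_TARGET) {
        return false;
    }
    $lookup ??= static fn (string $h): array => dns_get_record($h, DNS_CNAME) ?: [];
    foreach ($lookup($host) as $record) {
        if (($record['type'] ?? '') === 'CNAME'
            && normalizeHost((string) ($record['target'] ?? '')) === TRACKING_TARGET) {
            return true;
        }
    }
    return false;
}

// Constructed sample records in the array shape dns_get_record() returns.
$sample = [
    'tracking.mycustomersdomain.com' => [['type' => 'CNAME', 'target' => 'tracking.mysaasdomain.com.']],
    'tracking.other.example'         => [['type' => 'CNAME', 'target' => 'elsewhere.example']],
];
$offline = static fn (string $h): array => $sample[$h] ?? [];

foreach (['Tracking.MyCustomersDomain.com', 'tracking.other.example', '*.mycustomersdomain.com'] as $h) {
    printf("%-32s %s\n", $h, cnameReadyForIssuance($h, $offline) ? 'issue' : 'refuse');
}
```

Running the same check again at renewal time catches customers who have since removed or repointed the record.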