Thanks for spending the time on this feedback, and also for documenting the solution as it might help other users in the same scenario - we appreciate your input.
There’s a documented approach to SSL that you’ve probably seen, but just in case other users come across this post, I should share the link.