If someone is interested, here's what I finally did:
In Google Apps for my domain, in More controls / Security / SSL for Custom Domains, I activated my App Engine app ID.
I activated Virtual IP ($39/month) (but it also works with SNI).
As I use VIP, I changed the CNAME to redirect all my subdomains to the special CNAME for SSL with VIP (unnecessary with SNI, I think).
I created a key + CSR with OpenSSL. I created a self-signed certificate and tested it. It worked but, of course, with a warning message.
I paid a signing authority for a valid certificate (wildcard for all my subdomains, about 100€/year).
I added that certificate + intermediate certificate and key in Google Apps for my domain.
It now works perfectly in both HTTP and HTTPS. There wasn't any service disruption at any time for HTTP.
I'll now add a URL filter to my app to automatically redirect some HTTP URLs to HTTPS.
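
The key, CSR and self-signed test certificate steps described above, as an added example that is not part of the original post. The function names, file names and the domain `example.test` are assumptions; the last function checks that a certificate really belongs to the private key before both are uploaded.

```shell
#!/bin/sh
# Added example: function names, file names and example.test are assumptions.

# Generate a 2048-bit RSA key (owner-readable only) and a wildcard CSR.
make_key_and_csr() {   # $1 = output directory, $2 = base domain
    ( umask 077; openssl genrsa -out "$1/key.pem" 2048 2>/dev/null ) &&
    openssl req -new -key "$1/key.pem" -subj "/CN=*.$2" -out "$1/csr.pem"
}

# Self-sign the CSR with its own key. For testing only: browsers will warn.
make_selfsigned() {    # $1 = directory holding key.pem and csr.pem
    openssl x509 -req -in "$1/csr.pem" -signkey "$1/key.pem" \
        -days 30 -out "$1/cert.pem" 2>/dev/null
}

# Succeed only if the private key and the certificate carry the same
# public key. Returns 2 if either file cannot be parsed.
key_matches_cert() {   # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the certificate subject, to confirm the wildcard name.
cert_subject() {       # $1 = certificate
    openssl x509 -in "$1" -noout -subject
}
```

The same `key_matches_cert` check applies to the certificate returned by the signing authority: run it against the original key before uploading the pair.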