For the present product:
Are you using a certificate with a unique SAN entry for each customer? I can see where that would make for disaster, because every domain owner gets a veto over your certificate issuance at every renewal. If you were using anything other than Let's Encrypt, it would also be very expensive.
With the current product, the workable designs are a single-name certificate for the server, or a wildcard certificate that allows you to configure <customer>.<yourhostingdomain> as the server name used by each client. Both of these designs have reasonable cost when using a paid certificate authority that can issue 13-month certificates.
To move away from the multi-SAN design, you will need to get a wildcard certificate with extra SANs. Then your new clients can use the wildcard and you can try to convince your existing clients to migrate to the new naming structure.
For your proposed redesign:
Having a unique certificate for each customer means that the customer has to manage the certificate renewal. The less sophisticated clients will mess it up and still call you when the certificate expires.
I managed Microsoft Exchange before managing SmarterMail. It could do lots of fancy things, but it also required a PhD in Exchange, or better a team of people with those PhDs, to manage it successfully. SmarterMail wins with a streamlined product, for those who want streamlined cost and complexity. Sometimes that means giving up some nice-to-haves.
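
An added example, not part of the original post: a planning helper for the transitional "wildcard with extra SANs" certificate described above, listing which names the wildcard already covers and which legacy names must stay on as extra SANs. The function names and every hostname are constructed for illustration, and the matching rule assumed is the usual one where the wildcard stands for exactly one leftmost label.

```python
# Added example: plan the SAN list for a transitional certificate
# (wildcard plus extra SANs). All hostnames are constructed placeholders.

def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if a '*.domain' SAN matches hostname.

    The wildcard stands for exactly one leftmost label, so
    '*.mailhost.example' covers 'acme.mailhost.example' but neither
    'mailhost.example' nor 'a.b.mailhost.example'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*" or len(p) != len(h):
        return False
    return h[0] != "" and p[1:] == h[1:]


def plan_transition_sans(hosting_domain, names_in_use):
    """Return (san_list, legacy_names).

    san_list: the wildcard first, then every name still in use that the
    wildcard does not cover. legacy_names: the names whose domain owners
    must still pass validation at each renewal until the client migrates.
    """
    wildcard = "*." + hosting_domain.lower().rstrip(".")
    legacy = sorted({n.lower().rstrip(".") for n in names_in_use
                     if not wildcard_covers(wildcard, n)})
    return [wildcard] + legacy, legacy


if __name__ == "__main__":
    # Constructed inventory of server names that clients are configured with.
    in_use = [
        "acme.mailhost.example",      # already on the new naming structure
        "mail.customer-a.example",    # legacy per-customer name
        "Mail.Customer-B.example",    # legacy, mixed case in the inventory
        "mailhost.example",           # bare hosting domain, not matched by '*.'
    ]
    sans, legacy = plan_transition_sans("mailhost.example", in_use)
    print("SANs to request:", sans)
    print("Still need per-domain validation:", legacy)
```

As legacy clients move to the new naming structure, their names drop out of the second list and the certificate shrinks toward the wildcard alone.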