You can "start rolling one subdomain at a time". But you can't restrict HTTPS port 443 to be open for just some of the Virtual Domains if you have one IP for all of them.
Name-based virtual hosts serve different websites based on the Host HTTP header. With HTTP, when you type "example.com" in your browser, it connects to your IP and adds a Host: example.com in the request headers. That way the webserver matches a known virtual host, or just handles the request as the default virtual host if the name is unknown (for example, if you directly type an IP in your browser).
Now for the HTTPS part it's a bit different, as the TLS secure connection has to be established before HTTP headers are sent. So the webserver actually couldn't know which certificate to present, be it example1.com or example2.com (for example). Back in the old times that meant that only one valid HTTPS website per IP was allowed (well, a multi-domain certificate could work, but I don't remember any CA allowed those). I.e. no virtual hosts. But thankfully there is the TLS SNI extension, which works similarly to HTTP, except that instead of HTTP headers the domain name is passed in the TLS session information.
Now considering this, once you have enabled SSL for one website, example1.com, and generated a certificate for it, if you type https://example2.com it would actually open the example1.com website (because it's the only virtual host for the HTTPS listener), but the browser would also complain that the website presents a certificate for the wrong domain (because your webserver doesn't have both a certificate for example2.com and a virtual host for it).
To avoid that confusion I'd rather suggest you test and prepare all the certificates and config for your sites first, and then enable them all at once. At least if you host all of them on the same IP. If you have different IPs for them, I assume you understand that you can enable HTTP for them separately based on the statements above.