If you’re transitioning to HTTPS now and you’re getting a grey/yellow lock although you have no mixed content, it can be an issue with your SSL certificate. Modern browsers are presently phasing out support for certificates using “SHA1” as a hashing set of rules technical term for safety purposes Too the point where, sometime sooner or later, a SHA1 certificates will reveal a red “insecure” caution, so you’ll want to consult with your SSL service that your new certificate adding the entire “certificate chain” is using SHA2 or newer. This is a good check list. I’ve also done this a number of times and agree with your careful words on it being a little bit a pain to establish right.
My only remark is regarding Media Temple issued certificates. They aren’t issued from your own domain and could throw up warnings to the top user. This caution virtually asks if the user wants to trust your site. It makes your sites appear to be spam. I had to remove the certificates as a result of this, but despite many, many communications with MT, some sites were still getting random certificate warnings a couple of years on – to the huge detriment of site site visitors.
So, the one point I have to disagree on, is using the Media Temple supplied certificates I think they arrive from GoDaddy. Officially, MT provide no aid when things go catastrophically wrong, and there’s basically nothing in the handle panel or Account Centre that can fix it – it must be done in server command line.