A reverse proxy does not take up a lot of resources, so this should be fine.
Yes, sure a wildcard certificate could be installed on multiple servers. the only thing that matters is that the domain you try to access in in the list of domain names of the certificate.
Sorry, never had this challenge so I cannot say how this can be changed.
Its not Univention (the server) that will mark the website as secure or insecure, its just the browser. and for this the accessed domain needs to be included in the ssl certificate.
this will probably get you further along Using your own SSL certificates