Redirect apex domain HTTPS requests without manually provisioning a certificate
You could automate certificates for the apex using Let's Encrypt, making the cert part a little more easy to handle.
Other than that, you basically need to host a 301 redirect somewhere that talks both HTTP and HTTPS to get this to work, no shortcut I'm afraid, especially if you're going to be using HSTS. There are some DNS providers that actually support CNAMEs at the apex, but I'd be a bit hesitant trying those out.