Does each subdomain need it's own SSL certificate?

I am creating a websocket server which will live on ws.mysite.example. I want the web socket server to be SSL encrypted as well as domain.example to be SSL encrypted. Do I need to purchase a new certificate for each subdomain I create? Do I need a dedicated IP address for each subdomain I create? I will likely have more than one subdomain.

I am using NGINX and Gunicorn running on Ubuntu.

I'll answer this in two steps...

Do You Need an SSL Cert for Each Subdomain ?

Yes and No, it depends. Your standard SSL certificate will be for single domain, say www.domain.example. There are different types of certs you can aside from the standard single domain cert: wildcard and multi domain certs.

• A wild card cert will be issued for something like *.domain.example and clients will treat this as valid for any domain that ends with domain.example, such as www.domain.example or ws.domain.example.

• A multi domain cert is valid for a predefined list of domain names. It does this by using the Subject Alternative Name field of the cert. For example, you could tell an CA that you want a multi domain cert for domain.example and ws.mysite.example. This would allow it to be used for both domain names.

If neither of these options work for you, then you would need to have two different SSL certs.

Do I Need a Dedicated IP for Each Subdomain ?

Again, this is a yes and no...it all depends on your web/application server. I am a Windows guy, so I will answer with IIS examples.

• If you are running IIS7 or older, then you are forced to bind SSL certs to an IP and you can not have multiple certs assigned to a single IP. This causes you to need to have a different IP for each subdomain if you are using a dedicated SSL cert for each subdomain. If you are using a multi domain cert or a wildcard cert, then you can get away with the single IP as you only have one SSL cert to begin with.

• If you are running IIS8 or later, then the same applies. However, IIS8+ includes support for something called Server Name Indication (SNI). SNI allows you to bind an SSL cert to a hostname, not to an IP. So the hostname (Server Name) that is used to make the request is used to indicate which SSL cert that IIS should use to for the request.

• If you use a single IP, then you can configure websites to respond to requests for specific hostnames.

I know that Apache and Tomcat also have support for SNI, but I am not familiar them enough to know what versions support it.

Bottom Line

Depending on your application/web server and what type of SSL certs you are able to obtain will dictate your options.

You can get a certificate for each subdomain, a multiple subdomain certificate or a wildcard certificate (for *.yoursite.example).

They typically cost quite a bit more than regular certificates though, and because you share a single certificate they are typically not the best option from a security point of view unless you host an anything.mydomain.example type of application where they are the only workable choice.

You also don't need multiple IP addresses if you have a SNI-capable web server. This said, SNI is only supported in modern browsers (IE6 and below won't work with it). Recent versions of Nginx and Apache support SNI transparently (just add SSL enabled virtual hosts).

I recommend "getssl" to create SSL Cert for subdomain hosted on another server.

Let't say: 
You have a primary domain (example.com) with SSL Cert on SERVER A. 
You have a subdomain (vm1.example.com) without SSL Cert on SERVER B.

You can use "getssl" to create SSL Cert for subdomain which uses letsencrypt.org

You will either need a separate cert for each subdomain, or you can purchase a wildcard cert (*.domain.example) - more expensive, but makes sense if you're hosting a lot of subdomains.

Regarding IPs, it depends on how you set your server up. You can use hostname rules to serve multiple sites from the same IP, or use unique IPs for each one. There are pros and cons to both methods.