For DNS and SSL do I need a separate certificate for every (DNS RR) A record?
For each identity that one of your servers will assume (that is, each name a server will identify itself as), you'll need to have a certificate that matches that identity. An identity doesn't necessarily equal a DNS entry, but in cases when it does (such as web servers), it makes no difference whether the entries are CNAME or A (or even AAAA) records.
To make things a bit more complicated to understand, you don't necessarily need a different certificate for each identity. One single certificate may certify many identities (one primary and several alternate), and there are also the so-called wildcard certificates that can be used for any subdomain of a given domain (e.g. if you have a wildcard certificate for *.example.com, you can use it for www.example.com and anythingyouwant.example.com without having to have either of those two names explicitly listed in the certificate). However, wildcard certificates are more expensive than regular ones. While regular certs usually cost a couple of tens of dollars, a wildcard cert typically goes for hundreds. Note that there are some certification authorities who will give you free regular certificates with certain limitations (for example, StartCom's basic StartSSL certificates are free, but can contain only two names, one of which has to be the root domain).
In your example, you have 3 identities (these are www.example.com, test.example.com, and dev.example.com). For you, for now, I'd recommend getting 3 free certificates. If you ever get to the point where you need 20-30 different certs, you should consider buying a wildcard cert, as the costs (of the work hours) of having to renew 20-30 expiring certs manually each year would be higher than that of a wildcard cert.
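Added example, not part of the original answer: how a TLS client decides whether a certificate covers the hostname it connected to, which is what makes one multi-name certificate or one wildcard certificate serve several DNS entries. The `Cert` class and the two certificates at the bottom are constructed stand-ins for the name fields of real X.509 certificates.

```python
"""Check whether a certificate's dNSName SANs cover a given hostname.

Matching rules follow RFC 6125 as browsers apply them:
  - comparison is case-insensitive;
  - an exact SAN matches only that exact name;
  - a wildcard '*' is allowed only as the whole left-most label and
    matches exactly one label, so *.example.com covers www.example.com
    but neither example.com nor a.b.example.com;
  - the Common Name is consulted only when no SANs are present.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Constructed stand-in for the name fields of an X.509 certificate."""
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    if pattern == host:
        return True
    # A wildcard must be the entire left-most label, and the host must
    # have the same number of labels (no multi-level matching).
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    # Refuse wildcards that would cover a whole public suffix, e.g. "*.com".
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if `hostname` is one of the identities this certificate certifies."""
    host = hostname.rstrip(".").lower()
    names = [n.rstrip(".").lower() for n in cert.san_dns_names]
    if not names:  # legacy fallback: CN is used only when the cert has no SANs
        names = [cert.common_name.lower()]
    return any(_name_matches(n, host) for n in names)


# Constructed certificates mirroring the answer: one SAN certificate listing
# all three identities, versus one wildcard certificate for *.example.com.
SAN_CERT = Cert("www.example.com",
                ["www.example.com", "test.example.com", "dev.example.com"])
WILDCARD_CERT = Cert("*.example.com", ["*.example.com"])
```

Note that the wildcard certificate above does not cover the bare `example.com`; CAs that want the apex covered add it as an explicit extra SAN.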