
SSL & Subdomains


Nutter

2:25 pm on Jun 30, 2004 (gmt 0)


I know this isn't a specific eCommerce question, but I'm guessing y'all have the most experience with SSL certificates.

I'm working on a site to allow users to keep track of medical records. Obviously it is going to go through SSL.

The plan is to have the main site as [whatever.com...] or [secure.whatever.com....] But, I also plan to have a development subdomain (dev.whatever.com). It would be a version ahead of the main site to allow me to test it, but I would be most likely testing it with live data so I'd prefer it be secure too. Will this require two SSL certificates, or will one cover both since they'll both be at whatever.com?

I have the .com, .net, and .org address for this. I assume that the SSL for the .com and .net address would have to be different. In a perfect world I'd have the [x.com...] address for users and the [dev.x.net...] address for the development version. This would take two certificates, correct?

Thanks,
- Ryan

danieljean

3:57 am on Jul 1, 2004 (gmt 0)


I use a development subdomain too (staging.example.com). The SSL was obtained for the main domain, and every time I use staging in https, my browser gives me an alert. So the transmission is encrypted, but it appears to be from an untrusted source - perhaps even one that is hijacking your communication.

This scares some customers that have access to the dev server, but if that's no big deal, there's no need to install a "wildcard" SSL.

wayzel

5:17 pm on Jul 1, 2004 (gmt 0)


SSL certificates are unique to the www.domainname.com and adding a subdomain will require a separate certificate. The SSL key is partially generated by the domain name of the site which is why, if the domain names aren't the same, the certificate won't match. A subdomain is, for most purposes, considered a completely unique site from the www.domainname.com site. Your browser will alert you that the certificate does not match the site.

jollymcfats

9:36 pm on Jul 2, 2004 (gmt 0)


You don't *need* two certificates: the mismatch will not affect the encryption of the link. But you will get an authentication mismatch warning on the dev site, which will annoy everyone who has to work it. There are two parts to an SSL connection, encryption and trust, and the mismatch only affects the trust.

You can generate and self-sign your own SSL certificate for use on the dev site. This is pretty simple to do with the OpenSSL tools on Unix or Windows, and there are plenty of how-tos out there.

The self-signed certificate differs from one you pay for only in the level of trust, not encryption, it provides. When you pay for one, you're paying for a so-called "trusted authority" to vouch for your legitimacy as a business or site operator, and they cryptographically sign your certificate to attest this. A browser can verify this and present warm fuzzies to the user when they connect. If you're running your dev site, you don't need to prove to the world at large that you are legit; you already know you're legit, you just want the crypto. So you can save some scratch and self-sign.
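As an added illustration (not code from any poster in this thread), the Python below implements the host-name check a browser makes against the names in a certificate, which is what produces the mismatch warning discussed above: a certificate for www.whatever.com does not cover dev.whatever.com, a wildcard covers exactly one label, and, going one step beyond the thread, a certificate listing several names (a subjectAltName list) can cover the .com and .net hosts at once. All host names are constructed examples.

```python
# Added example: the host-name matching rule (per RFC 6125) that decides
# whether a certificate "matches the site". Names are constructed samples.

def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (plain or '*.example.com') against a host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Browsers only honour a wildcard that is the whole left-most label and
    # that still leaves at least two fixed labels (so '*.com' is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # '*' covers exactly one label: dev.whatever.com matches *.whatever.com,
    # but whatever.com and a.dev.whatever.com do not.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def cert_matches_host(cert_names, host: str) -> bool:
    """True if any name the certificate was issued for covers `host`.
    `cert_names` stands in for the subject CN plus subjectAltName dNSNames."""
    return any(_name_matches(name, host) for name in cert_names)

def check_hosts(cert_names, hosts):
    """Map each host to the match decision behind the browser warning."""
    return {h: cert_matches_host(cert_names, h) for h in hosts}

# Constructed scenarios mirroring the thread.
MAIN_ONLY = ["www.whatever.com"]                 # certificate for the main site only
WILDCARD = ["*.whatever.com"]                    # a wildcard certificate
SAN_BUNDLE = ["www.whatever.com", "dev.whatever.com", "dev.whatever.net"]

if __name__ == "__main__":
    hosts = ["www.whatever.com", "dev.whatever.com", "whatever.com",
             "a.dev.whatever.com", "dev.whatever.net"]
    for label, names in (("main only", MAIN_ONLY), ("wildcard", WILDCARD),
                         ("SAN list", SAN_BUNDLE)):
        print(label, check_hosts(names, hosts))
```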