You can either have a single certificate, and use a copy of that on each viirtual server, or you could have separate certificate for each subdomain. The choice is yours.
You will need to verify each domain - which you could probably most easily do via a DNS challenge, alternatively you would have to have a way to add the token to each virtual server ( although this is still possible ).