SSL setup for multisite with subdomains, Prosites, domain mapping

I'm looking into setting up Prosites soon. I typically set up multisite using subdomains, then use domain mapping when clients want to bring a custom domain into the mix. I'm open to changing this approach if advisable.

I'd like to know how to address SSL on this new network. We'll have the majority of sites that don't really need SSL, but some will (stores, membership sites, etc). It makes sense to me to have a wildcard cert protect the entire network. But when a client has their own domain name (most do, of course), they'll still need to get their own SSL, correct?

Will running a SSL with a custom domain name on top of a subdomain that's already protected with a wildcard SSL cause any issues?

I'm not trying to overcomplicate this, just making sure I'm clear on how to set it up so it runs smoothly.