Yes looks like it. They told developers on 11th May 2011 :
Today, we are announcing an update to our Developer Roadmap that
outlines a plan requiring all sites and apps to migrate to OAuth 2.0,
process the signed_request parameter, and obtain an SSL certificate by
October 1.
Migration to OAuth 2.0 + HTTPS timeline:
- July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0
and have new cookie format (without access token). September 1: All
apps must migrate to OAuth 2.0 and expect an encrypted access token.
- October 1: All Canvas apps must process signed_request (fb_sig will be
removed) and obtain an SSL certificate (unless you are in Sandbox
mode). This will ensure that users browsing Facebook over HTTPS will
have a great experience over a secure connection. We believe these
changes create better and more secure experiences for users of your
app. A migration plan below outlines the potential impact on your
apps.
From here:
Please Note: An SSL certificate is not required for user
authentication on your site, Likes, Comments or other things. It s
only used if you want to show your site (or parts of it) inside the
Facebook.com domain.
Once your SSL certificate is installed on your site, you ll simply
need to enter your new secure URL into the "Secure Canvas URL" and
"Secure Tab URL". To obtain and install an SSL Certificate, we ve
partnered with The SSL Store in order to make the process as smooth as
possible. SSL Certificates that work with Facebook can be purchased
for as little as $11/year (multi-year) or $18 for just one year.
Purchasing a certificate through The SSL Store takes about 10 minutes
and they have a 30-day money back guarantee.
Below are instructions on how to purchase a new SSL certificate for
your site so that you can use the Facebook Page features without any
issue.
It does seem that you need to have one, and not one per app.
