If you want the user to be able to browse your site by visiting https://username.domain.com and view it in the same domain (this means that they will always make https://username.domain.com requests), then you will need a wildcard SSL certificate. If you only have the SSL certificate installed for the .com domain, then the request will not be able to be rewritten by your server. The browser will throw a security exception first, because the domain in the certificate does not match the domain being viewed.
If you don't mind your users browsing your site at https://domain.com?user=username, you could have them visit http://username.domain.com first and then redirect them to https://domain.com?user=username. All secure browsing would then have to be done under https://domain.com, and that would eliminate the need for a wildcard certificate.
When you go to buy your SSL certificate, I would recommend contacting technical support and running your scenario by them. I found Digicert to be very useful in this regard (and no, I have no connection with them other than being a customer), but I am sure that they will confirm that you need a wildcard certificate.
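The name check behind the mismatch described above, as an added example that is not part of the original answer: a simplified form of the hostname matching browsers apply (a wildcard only as the whole leftmost label). The certificate name lists are constructed from the answer's placeholder domain, and the function names are hypothetical.

```python
# Simplified certificate name matching: a "*" is honoured only as the
# entire leftmost label and stands for exactly one label.

def name_matches(pattern: str, host: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard never spans several labels and never matches zero labels.
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com"; the rest must match exactly.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, host: str) -> bool:
    """True if any name in the certificate covers the requested host."""
    return any(name_matches(name, host) for name in san_names)


# Constructed name lists for two certificates (placeholders from the answer).
SINGLE_NAME_CERT = ["domain.com"]
WILDCARD_CERT = ["*.domain.com", "domain.com"]


def report():
    """Map each host to (covered by single-name cert, covered by wildcard cert)."""
    hosts = ["domain.com", "username.domain.com", "a.username.domain.com"]
    return {
        h: (cert_covers(SINGLE_NAME_CERT, h), cert_covers(WILDCARD_CERT, h))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (single, wildcard) in report().items():
        print(f"{host:24} single-name={single!s:5} wildcard={wildcard}")
```

The check runs during the TLS handshake, before the server sees any HTTP request, so a redirect from https://username.domain.com cannot get around a mismatch. The wildcard also stops at one label: a.username.domain.com is not covered by *.domain.com.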