Wildcard SSL Certificates for Subdomains on Amazon EC2

question is, what's the best way to go about applying SSL certificates for the a1.example.com subdomain and future subdomains?

The best way depends on how many subdomains you will have, if that's a lot, a wildcard cert will be cheaper.

Will a wildcard SSL certificate help in this situation where all subdomains are hosted on Amazon when the primary domain is not on Amazon?

Not particularly, the certificate does not care if it is in AWS or not. You can use the same wildcard certificate in separate domains in separate providers.

Do I need to use Amazon's ELB service to accomplish this?

No, but ELB makes it easier to manage the certificate. You can also use other services that supports SSL (such as CloudFront) or install it on your own server in an EC2 instance.

I just want to add my understanding for future readers:

The SSL certificate itself determines the domain(s) for which the certificate is valid. If you buy a $9 SSL certificate, ELB can attempt to apply it any way you specify through ELB, however, the domains themselves will not be validated by the SSL certificate because the SSL certificate may not be encrypted for use with the intended domain(s). Although ELB is used to apply the certificate, it is not used to authenticate the SSL certificate (only the domain does this), so the "blanket" idea in the original post will not work.