Do I need a certificate to redirect via CNAME?

Neverever's answer is correct. You do need an SSL certificate. I wanted to add that it is because there is no such thing as a CNAME redirect.

A CNAME is not a redirect. A CNAME instructs the DNS to resolve to the same domain as where the CNAME points. The CNAME does not cause a redirect. It only causes the HTTP request for a domain to be made to the same IP address as requests for another domain.

The process a browser and operating system actually use for getting a redirect from https://site1.example/ to https://site2.example/ is:

  1. DNS lookup for site1.example. Discover it is a CNAME for site2.example.
  2. DNS lookup for site2.example. Find an A record for its IP address (192.0.2.4, for example).
  3. Open a socket to the IP address 192.0.2.4 on port 443.
  4. Negotiate TLS (SSL) for the domain site1.example.
  5. Make the HTTPS request for https://site1.example/:

    GET / HTTP/1.1
    Host: site1.example
    
  6. Get the response back with the redirect:

    HTTP/1.1 301 Moved Permanently
    Location: https://site2.example/
    
  7. Perform another DNS lookup for site2.example. Find an A record for its IP address (192.0.2.4, for example). The DNS response will come from the DNS cache this time.
  8. Open a socket to the IP address 192.0.2.4 on port 443.
  9. Negotiate TLS (SSL) for the domain site2.example.
  10. Make the HTTPS request for https://site2.example/:

    GET / HTTP/1.1
    Host: site2.example
    
  11. Get the response back with the content:

    HTTP/1.1 200 OK
    ...
    

Just to be able to redirect an HTTPS request you need DNS for that domain, a web server for that domain, and SSL for that domain. It doesn't actually matter if you use a CNAME record or an A record. A redirect can happen either way.

In fact, an A record is almost always more efficient. DNS lookups are faster with direct A records than with CNAME records. CNAME records require a second DNS lookup and don't make the rest of the redirection process easier.
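
The certificate-name consequence of steps 1 to 4 above, as an added example that is not part of the original answer: the client follows the CNAME only to find an IP address, then asks for and verifies a certificate for the name in the URL. The zone data, the SAN lists and all function names are constructed for illustration, and the wildcard rule is a simplified RFC 6125-style match.

```python
# Constructed sample data (hypothetical): a tiny DNS zone and the SAN lists
# of the certificates installed on the server at 192.0.2.4.
DNS = {
    "site1.example": ("CNAME", "site2.example"),
    "site2.example": ("A", "192.0.2.4"),
}
CERTS_ON_SERVER = [["site2.example", "*.site2.example"]]


def resolve(name, zone=DNS, max_hops=8):
    """Follow CNAME records until an A record is found; return (ip, chain)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone[chain[-1]]
        if rtype == "A":
            return value, chain
        chain.append(value)
    raise RuntimeError("CNAME chain too long or looping")


def san_matches(pattern, host):
    """Simplified match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def tls_check(url_host, certs=CERTS_ON_SERVER):
    """Return (ip, sni, ok) for an HTTPS connection to url_host."""
    ip, _chain = resolve(url_host)
    # The client sends the URL's hostname as SNI and verifies the certificate
    # against it; the CNAME target is never used for either.
    sni = url_host
    ok = any(san_matches(san, sni) for cert in certs for san in cert)
    return ip, sni, ok


if __name__ == "__main__":
    for host in ("site1.example", "site2.example"):
        print(host, tls_check(host))
```

With only the site2.example certificate installed, the connection for site1.example reaches the same IP address but fails name verification, so the 301 response in step 6 is never delivered.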


Yes, you'll still need an SSL certificate for abc.example.com.

Due to the nature of CNAME redirection, when you type abc.example.com in the browser, the URL stays abc.example.com, and this is where you need the SSL certificate.


SEO Tips

You might want to use 301 redirects instead of a CNAME redirect; this will pass on the ranking power/juice from abc.example.com to xyz.example.com.

However, this would still require an SSL certificate.

Have you tried Let's Encrypt? It is a certificate authority that provides free SSL certificates.