Should we have a certificate per DDI, or a certificate per service provider?

The framework intentionally supports both. You could get a certificate per service provider or per DID.