SSL iframe is embedded on other web site

Posted 2019-03-11 16:14

Question:

An iframe from a domain with an SSL certificate will be embedded on another site (foo.com).

  1. Must foo.com have an SSL certificate?
  2. If foo.com has an SSL certificate, will it be a security error? foo.com has an SSL certificate for foo.com, but the iframe domain has another SSL certificate.
  3. If foo.com hasn't got an SSL certificate, will it be a security error?

Answer 1:

  1. No.
  2. You will only get a security error if the embedding site uses SSL, but the iFramed one does not. Whether the sites use different certificates or not, that does not matter.
  3. No. (Isn't this the same question as #1?)

Summary

Having different certificates between the main page and iframed pages is not a problem.

Embedding https:// pages with <iframe /> on a http:// page is not a problem.

However, if you are running a https:// secured page that embeds non-secure pages via http://, then you might get something like this (Internet Explorer):

It depends on the browser and its settings. For example, in IE you can turn this off:



Answer 2:

The best way to look at an iFrame is to see it as almost a separate browser. In the case of foo.com not being SSL but the iFramed site being SSL you will not get any errors.

If you switch this around, where foo.com has SSL and the IFramed site doesn't, you can get a security warning about mixed-content from the browser.



Answer 3:

It does not matter if the two websites use different SSL certificates. However, if the website that is being iframed is not SSL protected you will get a partially encrypted error message even if the website with the iframe embedded on it is SSL protected. I only know this because this is what I am dealing with right now. My web page was only secured after I took out the iframed website that did not have SSL protection.



Answer 4:

While the main website (which contains the iframe) doesn't have to be using SSL, it really should, at least if security is a concern (which is the point of using SSL).

Not doing so prevents the user from checking that the iframe is indeed served securely and which site it's from, which makes its usage of SSL useless. (Examples here.)
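
The cases the answers above distinguish, as an added example that is not part of any answer: a small JavaScript audit that extracts iframe `src` values from markup, resolves relative and protocol-relative URLs against the embedding page, and labels each scheme combination. The sample markup, the `.example` hostnames and the verdict names are constructed for illustration.

```javascript
// Constructed sample markup; the .example hostnames are placeholders.
const SAMPLE_HTML = `
<iframe src="https://widget.example/form"></iframe>
<iframe src="http://legacy.example/banner"></iframe>
<iframe src="//cdn.example/player"></iframe>
<iframe data-src="http://ignored.example/" src='/local/help.html'></iframe>
`;

// Collect src attributes of <iframe> tags. A regex is enough for auditing
// static markup; frames injected later by script are not seen.
function iframeSources(html) {
  const tagRe = /<iframe\b[^>]*>/gi;
  // Leading \s keeps data-src from matching; srcdoc never matches "src=".
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const sources = [];
  for (const tag of html.match(tagRe) || []) {
    const m = srcRe.exec(tag);
    if (m) sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Certificates play no part here: only the two schemes decide the outcome.
function verdictFor(pageProto, frameProto) {
  if (frameProto !== "http:" && frameProto !== "https:") return "other-scheme";
  if (pageProto === "https:") {
    // HTTPS page embedding an HTTP frame: the mixed-content case, where the
    // browser warns or blocks depending on browser and settings.
    return frameProto === "https:" ? "ok" : "mixed-content";
  }
  // HTTP page embedding an HTTPS frame: no browser error, but the user
  // cannot verify the parent page, so the frame's TLS gives little assurance.
  return frameProto === "https:" ? "parent-unauthenticated" : "no-tls";
}

function auditFrames(pageUrl, html) {
  const page = new URL(pageUrl);
  return iframeSources(html).map((src) => {
    // new URL(src, base) resolves "/path" and "//host/path" like a browser.
    const frame = new URL(src, page);
    return {
      src,
      resolved: frame.href,
      verdict: verdictFor(page.protocol, frame.protocol),
    };
  });
}
```

Protocol-relative `//host/path` sources inherit the embedding page's scheme, so the same markup yields different verdicts on `http://foo.com` and `https://foo.com`.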