
Overview

SSL certificates serve two important functions. First, they permit communication with a web server to be encrypted. Web servers commonly use encryption to protect private data, such as passwords. Second, SSL certificates allow visitors to validate that the website they're communicating with is authentic (and not, for instance, a malicious copy intended to trick visitors into disclosing passwords).

Recommendations

The following are the two recommended vendors for SSL certificates:

  • SSL Certificates from GoDaddy describes the IT division process to get an SSL certificate from GoDaddy, one of the low-cost commercial vendors of SSL certificates.

  • SSL Certificates from Let's Encrypt is an overview of the process to get a certificate from Let's Encrypt, a new certificate service with limited use cases because its renewal process requires automation on the web server and Internet accessibility. Currently only recommended for Linux/UNIX computers using Apache and accessible from the Internet (e.g. Registered Web Servers).

Self-Signed Certificates

It is also possible to create 'self-signed' certificates. A number of web sites describe the process of creating such certificates. Self-signed certificates are only recommended in certain situations, such as development, testing, or when web site access is restricted to a small population. The problem with self-signed certificates is that they are not trusted by browsers. When a modern browser encounters a self-signed certificate, the browser tries to protect the end user. The browser presents the user with a number of prompts requiring him or her to recognize the risk of the unknown certificate, examine the certificate, and accept it. If a user frequently encounters self-signed certificates, however, it's almost inevitable that he or she will begin to accept them without examination. One day, the user may visit a malicious site, but he or she will probably ignore the warnings.
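The trust difference described above, as an added example (not part of the original page or the IT division's process): it creates a self-signed certificate and one signed by a private demo CA, then checks each against a client that trusts only that CA. It assumes the `openssl` command line tool is installed; the function names and all host names (`demo-ca`, `*.example.test`) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every name below (demo-ca, *.example.test) is constructed.

# new_self_signed DIR NAME: key pair plus a certificate signed by that same key.
# The explicit config marks it CA:TRUE so it can also serve as a private root.
new_self_signed() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > "$1/$2.cnf"
    openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_ca_signed DIR NAME CA: key pair plus a certificate signed by CA's key.
new_ca_signed() {
    openssl req -new -config "$1/$3.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 30 -CAcreateserial \
        -CA "$1/$3.pem" -CAkey "$1/$3.key" -out "$1/$2.pem" 2>/dev/null
}

# is_self_signed CERT: true when issuer equals subject and the certificate's
# own public key verifies its signature.
is_self_signed() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# trusted_by ANCHOR CERT: true when CERT chains to ANCHOR. ANCHOR stands in
# for the trust store a browser ships with.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
new_self_signed "$d" demo-ca                    # private root (constructed)
new_self_signed "$d" dev.example.test           # self-signed server cert
new_ca_signed   "$d" www.example.test demo-ca   # server cert issued by the root
for c in dev.example.test www.example.test; do
    is_self_signed "$d/$c.pem" && kind=self-signed || kind=CA-signed
    trusted_by "$d/demo-ca.pem" "$d/$c.pem" && t=trusted || t="not trusted"
    echo "$c: $kind, $t by a client that trusts only demo-ca"
done
rm -rf "$d"
```

The same `is_self_signed` check can be run over the certificates an inventory turns up to find servers that still present self-signed certificates outside development and testing.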

Valid CA-signed certificates are required for some web servers; more details here.