SSL certificates are a necessary component for using WebAuth and for serving any web pages using https. ITS provides some guidelines for getting SSL certs, with information on how to procure certs from Stanford's "certificate authority of choice" --essentially the third-party vendor with whom ITS works most often. There's even a nice web form to streamline the process. InstantSSL is fine, but they cost $83 per two-year certificate. This is the best choice if you have sensitive data and need that level of confidence.
But for other occasions, there are alternatives worth considering. You can use a self-signed certificate, but that might just annoy or confuse your users with browser warnings about untrusted certificates (and they don't enjoy a high degree of trust). Or, you can use ipsCA, which is a Spanish certificate authority that offers free two-year SSL certificates to educational institutions. Their root certificate (IPS SERVIDORES) is on just about every computer out there, too, so it works almost every browser. In other words, it's legit.
Here are some simplified instructions on how to implement SSL on your Leopard web server on a SUnet host. We'll start with generating the certificate signing request (CSR).