Yeah, I wrote about the cert things to Dante yesterday; didn't feel like doing it in here..
As I wrote, we don't really need to pay for an approved cert, but could use a self-signed cert; I've made loads of those for private connections to mail- and web servers.
The negative with those is that users will get a warning about the certificate potentially being not trustworthy, which may not be good for us.
If we buy a cert, several places offers them cheaper than, say, Verisign.
The changes to the Apache server is mostly uncommenting the line about HTTPS, and adding a line about the cert.
Implementing this isn't related to rebuilding the site, but can be done with no other hassle.
(not that it may not be a good idea giving the site a preen'n'prune)