Mark,

There are a few simple steps:

1. Make sure you have fixed domain address (www.mydomain.com) or something like that, or setup a secure subdomain (secure.mydomain.com)

2. Request a SSL certificate. There are a couple of things you need to prepare:
a. Create a new website that will respond to the domain address (secure.mydomain.com). You do this under the IIS/Websites/right click/new/ Web Site. Then under the home directory click on advanced and add 80 secure.mydomain.com and 443 secure.mydomain.com
b. Have IIS generate a CSR (you do this under IIS/Web Site/the website created/Directory Security/Server Certificates) - save it to a file
c. Go to a SSL vendor (Thawte, godaddy, etc. shop around for the best price - VeriSign is the highest priced) and request a certificate (you will need to cut and paste the contents from step b)

3. Install the Certificate - just go to the 2.c area and tell it to install it.... Now you are ready to put it into practice...

4. On the web site you created in step 2, create a virtual directory and point it to the application you want to secure. At the root create a page that redirects to https://secure.mydoamin.com/appdirectory

5. Secure the application: Right click on the app directory from within IIS, ago to directory security, edit the secure communications and tell it ro require secure communications. You should be set.

So, you need to generate a CSR, buy a SSL cert, and install it. Ususally it is a straght forward thing, and the certificate authority might require some proof of who the owner of the certificate is going to be.