You are close. SSL uses x.509 certificates. x.509 is a certificate standard. This is what allows Firefox to understand the certificate provided by IIS. But x.509 certificates are used much more than just SSL. It is also used for signing documents, signing applications, secure key exchange and others.
SSL (Secure Sockets Layer) is a secure communications protocol that uses these certificates, in particular, to authenticate your service. When a client connects to your service, it presents an x.509 certificate bound to your domain, which is signed by a certification authority (CA) that the client trusts. Most often, it is bought from a third-party CA, for example Verisgn, GoDaddy, Entrust, or countless others.
Edited based on new comments:
If it is open to the public, you will definitely want to purchase a certificate from a third-party CA. Verisign is the largest, but they are also the most expensive.
It is also important to note that SSL and certificates do not really make the web service βsecureβ. It simply protects communication with the client and does not allow attackers to impersonate you. There may be other security issues.