Issuing a certificate for the server means that all communications with the server will be done securely over HTTPS. Without a certificate usernames, passwords, and evidentiary data are all transmitted in the clear (unencrypted) over the network.
Does a certificate need to be purchased?
No. As long as the server is not going to be accessed from outside of the agency network then a certificate can be generated from an internal certificate authority. See this Microsoft page on how to install the free Windows Server Certificate Authority. This only takes a few minutes.
Is issuing a certificate difficult or time consuming?
Not only is the security of the certificate important and something that should be under the control of the agency but the root certificate for the certificate authority needs to be installed on every workstation. This can be automatically if setup as part of your domain infrastructure but would need to be done manually on each workstation if Foray were to issue the certificate directly from the ADAMS server. Additionally certificate auto-renewal can be setup as part of the domain but can not be done by Foray.
What happens when the certificate expires?
The easiest thing to do for long term management is to setup Certificate Auto-enrollment. This will automatically renew certificates so that you never have to worry about them expiring or re-issuing a new certificate.