SSL certificates need to be maintained (renewed occasionally), so usually this would be something handled by your customers IT department. If you are your customers IT department, your first step is to acquire such a certificate, and wherever you do that, they will almost certainly have a detailed guide on how to install it in IIS.

There are free certificates available from letsencrypt.org. They have to be renewed every three months, but you will usually set that up as an automated process. One guide is here: https://www.snel.com/support/how-to-...s-server-2019/

Some people prefer commercial certificates, which last longer (usually 1 or 2 years). Those can be bought from a lot of certification authorities. Google will be your friend there.

This is 2021. Absolutely every single site on the internet today should run on HTTPS. Browsers are more and more aggressively restricting features on the outdated HTTP protocol. Modern (evergreen) browsers will default to HTTPS-first now, and only fall back to HTTP if that fails. So yes, get that set up!